Canada's Entrust does end-run around ITAR

["Vladimir Z. Nuri" <vznuri@netcom.com>]

------- Forwarded Message

Date: Fri, 01 Aug 1997 18:13:20 -0700
From: kalliste@aci.net (J. Orlin Grabbe)
To: snetnews@world.std.com
Subject: SNET: [Fwd: Another torpedo slams into Clinton crypto policy]


- ->  SearchNet's   SNETNEWS   Mailing List

Path: news.alt.net!news1.alt.net!news-chi-13.sprintlink.net!news-east.sprintlink.net!news-dc-26.sprintlink.net!news-peer.sprintlink.net!news-pull.sprintlink.net!news-in-east.sprintlink.net!news.sprintlink.net!Sprint!205.185.79.4!zdc!super.zippo.com!lotsanews.com!szdc!newsp.zippo.com!news1
From: jqp@globaldialog.com
Newsgroups: alt.current-events.clinton.whitewater,alt.politics.clinton
Subject: Another torpedo slams into Clinton crypto policy
Date: Fri, 01 Aug 1997 00:21:25 -0500
Organization: None
Message-ID: <33E17255.18BB@globaldialog.com>
Reply-To: jqp@globaldialog.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.0Gold (Win95; I)
Xref: news.alt.net alt.current-events.clinton.whitewater:189839 alt.politics.clinton:338125

NY Times
August 1, 1997

Canadian Product Puts New Spin on Encryption Debate

By PETER WAYNER 

Canadian company's recent release of a new 
encryption product and subsequent announcement 
that it had received a license from Canada to 
export the product has surprised many companies 
and U.S. officials. 

The release was startling because the United States 
and Canada historically regulated the encryption-
exporting issue in synchrony. 

The company, Entrust Technologies Ltd., released 
a free version of its Entrust/Solo software on 
Tuesday, and announced that they had received a 
license from the Canadian government to export 
it to almost all of the world. 

- -=- [TABLE] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

THE MOVE BY ENTRUST SEEMS TO EXPLOIT A DIFFERENCE 
IN THE REGULATIONS BETWEEN THE UNITED STATES AND 
CANADA.

- -=- [TABLE] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This decision by Canada could signal a major rift 
developing between two allies over an issue that 
is becoming increasingly important to the computer 
software industry. 

In fact, the move seemed to startle the [*]Bureau 
of Export Affairs at the U.S. Department of Commerce. 
James Lewis, director of strategic trade at the 
bureau, would only issue a one-sentence statement 
through a spokeswoman: "This is under review as 
a potential enforcement matter." He offered no 
insight into which American laws were being violated. 
Shauna White, a spokeswoman for the company, said 
"We believe we are in full compliance with all 
the Canadian laws that apply." 

In the past, the United States and Canada enforced 
their encryption regulations with such cooperation 
that most controlled products are shipped in boxes 
announcing, "For U.S. and Canada only." The U.S. 
government was certain that Canadian regulations 
would block anyone from shipping the product out 
of Canada. 

Those regulations are still in place and there 
has been no change in the effect on products built 
in the United States. Programs written by Canadians,
however, are another matter. Entrust was able to 
qualify for a license because their software contained 
what John Ryan, the company president and chief 
executive, said was "100 percent Canadian content." 
That is, it was developed in Canada by Canadian 
citizens. 

Entrust Technologies Inc. was spun off on Jan. 
2, 1997, from Nortel (Northern Telecom) after Nortel 
developed the Entrust product. Entrust Technologies 
Inc. is based in Dallas, but most of the development 
work is done in Ottawa, Ontario, where the Canadian 
subsidiary, Entrust Technologies Ltd. has its offices. 
Ryan, for instance, is a Canadian citizen. 

The move by Entrust seems to exploit a difference 
in the regulations between the United States and 
Canada. Both countries are members of the Wassenar 
Arrangement on Arms Export Controls, a set of loosely 
controlled rules that took the place of Cold War-
era regulations designed to reign in conventional 
arms and dual-use technologies. 

The arrangement regulates the export of encryption 
software but provided an exemption for general-
use software that was freely available through 
either the public domain or widespread public channels 
like stores. Ryan explained: "Many countries have 
chosen to 'to turn that part off.' Canada has not 
chosen to turn that part off." 

The existence of this regulatory difference may 
have come as a surprise to many people in the United 
States because the Canadian software industry has 
not yet produced a top-rank international competitor. 
The academic computer science departments at colleges 
like the University of Toronto are first rate, 
but there are no companies with the same public 
presence as Microsoft or IBM. 

But Entrust Technology's emergence shows how quickly 
the public perception can become obsolete in the 
swiftly moving world of technology. The company 
is clearly hoping that its free version of the 
Entrust/Solo software will build acceptance for 
the commercial versions, which are also freely 
exportable. Many other companies follow the same 
strategy of releasing free versions to the public 
in order to publicize the commercial versions, 
which usually come with more features. 

Entrust allows people to download free copies of 
Entrust/Solo for personal use from their Web site,
but they block requests from seven restricted countries:
Libya, Iran, Iraq, Cuba, Angola, Syria and North 
Korea. France and Singapore are also blocked because 
they have restrictions on the import of technology. 

Entrust is already in heavy competition against 
a U.S. company, [*]Pretty Good Privacy Inc., which 
is circulating a free version of its encryption 
package, PGP 5.0. This version is available for 
home and non-commercial use without charge. The 
software, however, was developed in the United 
States and can't be exported without a license. 
The company has worked closely with the U.S. Commerce 
Department to smooth licenses for major U.S. companies 
seeking to use the software with their subsidiaries,
but an individual license must still be granted 
in each case. 

Kelly Huebner Blough, director of government relations 
for Pretty Good Privacy, said: "Well, of course 
we would like the U.S. to license exports more 
liberally. Most of the other countries in the world 
license encryption software more freely. They may 
have strong policies on the books, but when it 
comes to implementation, the U.S. is the most restrictive." 

- -=- [TABLE] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

ALL OF THE MAJOR SOFTWARE COMPANIES LIKE MICROSOFT,
IBM AND SUN CONTINUE TO PRESS THE U.S. GOVERNMENT 
FOR RELIEF OF THE EXPORT CONTROL LAWS, ARGUING 
THAT BETTER AND BETTER SOFTWARE IS EMERGING THROUGHOUT 
THE WORLD.

- -=- [TABLE] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Other companies will also be feeling the pressure. 
Ray Ozzie, the president of Iris, the developer 
of Lotus Notes, which is now owned by IBM, said:
"This is further proof that easy-to-use, high-grade 
encryption products are available worldwide, and 
that U.S. companies continue to be at a disadvantage 
in the world marketplace. U.S. policy needs to 
change in order to take these realities into account." 

One of the most vexing parts of the regulatory 
equation involves unraveling whether the U.S. government 
can exert any pressure on Entrust Technologies 
Ltd. through its U.S.-based corporate parent, Entrust 
Technologies Inc. The current version of the regulations 
restrict U.S. companies from providing "technical 
assistance" to their foreign companies--a rule 
that would seemingly not apply to a product developed 
completely by Canadians. Earlier drafts were more 
vague and seemed to target any relationship or 
aid, but the final version focused on technical 
assistance. 

Companies with close relationships with the U.S. 
government are still circumspect. Steve Walker,
president of the Glenwood, Md.-based [*]Trusted 
Information Systems, works closely with the Commerce 
Department to seek approval for all of its work 
done in Europe. They ask for a license for all 
of the software being developed by their subsidiary 
in Britain. "We've tried to be very careful about 
this, perhaps more careful about it than we need 
to be," Walker said and then pointed out, "We're 
getting approval." 

[*]Sun Microsystems is pursuing a strategy with 
a different corporate structure. The company bought 
a minority stake in a Russian network software 
company in 1993 and recently asked them to develop 
encryption software for the world market. The deal 
is undergoing scrutiny from the U.S. Department 
of Commerce, but no announcement has been made 
about the resolution. Sun announced that they hope 
to ship the software on August 15. 

Still, the range of a government is hard to measure. 
Greg Katsas, a lawyer in the Washington office 
of Jones, Day, Reavis, and Pogue, said: "Generally,
the rules of jurisdiction of the place of incorporation 
apply, but there are cases where U.S. law reaches 
outside the boundaries. For instance, anti-trust 
law can cover acts done outside the U.S. intended 
to have an impact inside the U.S." 

All of the major software companies like Microsoft,
IBM and Sun continue to press the U.S. government 
for relief of the export control laws, arguing 
that better and better software is emerging throughout 
the world. In the House of Representatives, legislation 
sponsored by Representative Bob Goodlatte, a Republican 
from Virginia, to liberalize export laws has found 
wide support, while similar legislation in the 
Senate has died. 

One of the major initiatives offered by the Clinton 
administration would ease export licenses for software 
that made it possible for law enforcement officials 
to obtain the software's keys with a court order. 
They propose lifting the restrictions for exporting 
the software using 56-bit keys with DES. 

A number of businesses have joined together what 
they call the Key Recovery Alliance to help negotiate 
with the government about the final implementation 
of this plan. Most major software vendors, including 
Entrust and Sun, are part of the alliance. While 
the companies are committed to producing software 
that helps recover encryption keys in emergencies,
there is a great deal of debate about how this 
will be carried out. 

Entrust's product for office groups does offer 
key recovery, but it is a far cry from what the 
U.S. government would like to see implemented. 
Copies of the keys are only stored on the hard 
disk of the employee responsible for overseeing 
the network. There is no capability right now for 
interfacing with trusted third parties who would 
serve as recovery agents for the police. 

Still, Entrust also seems to be working to meet 
U.S. regulations. Their enterprise-wide system 
for larger companies has been granted a license 
for U.S. export even though it uses 56-bit keys. 
This license was recently granted as part of the 
United States' push for key recovery. It signifies 
that the U.S. Commerce Department felt that Entrust 
was moving toward compliance with the policy of 
smoothing access for the police. In two years, 
Entrust may integrate their key recovery system 
with licensed recovery agents or it could face 
losing its U.S. license. 

In the long run, this strategy continues to receive 
heavy resistance. While many businesses welcome 
key-recovery solutions for internal use, they seem 
to resist making it too easy for the police to 
access their documents. Corporations, after all,
can be found guilty as well. 

The same rules apply to countries, which are finding 
themselves in an increasingly brutal worldwide 
competition for dominance. Countries with the most 
liberal export laws may be rewarded with a strong 
fraction of the market share and this is the crucial 
time when the decisions about product acceptance 
are being decided. Many MIS managers may choose 
Entrust's products simply because they don't need 
to fill out forms with the U.S. government in order 
to supply it to all of their foreign subsidiaries. 

Andrew Csinger is the President of Xcert, a Vancouver-
based Canadian software company that manufactures 
encryption technology used for certification authorities. 
He expects that any difference between U.S. and 
Canadian encryption laws will be short-lived. "I 
think that market pressures are going to force 
the U.S. administration to respond more quickly,
" he said. "In reality, cryptography is widely 
available throughout the world." 


Copyright 1997 The New York Times Company


- -> Send "subscribe   snetnews " to majordomo@world.std.com
- ->  Posted by: kalliste@aci.net (J. Orlin Grabbe)


------- End of Forwarded Message