[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Pro-CODE bill may not help much



After reading the text of Senator Burns's pro-CODE bill (S.1726), I'm
not convinced that the bill would actually remove the barriers to the
export of PGP and other strong encryption software.  I'd like to know
whether you agree with my concerns, or if you think that the bill
would adequately protect encryption software exports.

[email protected] (Voters Telecommunications Watch) writes:

>DESCRIPTION OF S.1726, PRO-CODE BILL

>The Pro-CODE Act resolves to:
>
>1.  Allow for the *unrestricted* export of "mass-market" or "public-domain"
>    encryption programs, including such products as Pretty Good Privacy and
>    popular World Wide Web browsers.
>
>2.  Requires the Secretary of Commerce to allow the less restricted export
>    of other encryption technologies if products of similar strength are
>    generally available outside the United States, roughly up to DES
>    strength.
>
>3.  Prohibits the federal government from imposing mandatory key-escrow
>    encryption policies on the domestic market and limiting the authority
>    of the Secretary of Commerce to set standards for encryption products.

I'm not sure that this interpretation of the pro-CODE bill is correct,
at least as far as points (1) and (2) are concerned.  It appears to me
that the bill allows the goverment to retrict all exports of
cyptographic software for general use, as long as similar retrictions
are imposed on the export of software for use by foreign banks.  PGP
could still be prohibited.  I will quote the relevant sections of the
bill, with my comments.

>From the text of the Pro-CODE Bill:

>SEC.3 DEFINITIONS.
>
>          (8) GENERAL LICENSE- The term "general license" means a
>        general authorization that is applicable to a type of
>        export that does not require an exporter of that type
>        export to, as a condition to exporting-
>               (A) submit a written application to the Secretary;
>                   or
>               (B) receive prior written authorization by the
>                   Secretary.

In other words, a "general license" means that rules may be
established regulating the export of certain materials, as long prior
written application or prior written authorization for the export is
not required.  For example, "Permission is hereby granted to export
all encryption software with a key length not exceeding 40 bits; no
written application is necessary." would be an example of a general
license to export a particular type of software.

>SEC. 5. PROMOTION OF COMMERCIAL ENCRYPTION PRODUCTS.
>
>      (c) CONTROL OF EXPORTING BY SECRETARY.-
>          (2) ITEMS THAT DO NOT REQUIRE VALIDATED LICENSES.-
>        Only a general license may be required, except as
>        otherwise provided under the Trading With The Enemy Act
>        (50 U.S.C. App.1 et seq.) or the International Emergency
>        Economic Powers Act (50 U.S.C. 1701 et seq.) (but only to 
>        the extent that the authority of the International 
>        Emergency Economic Power Act is not exercised to extend
>        controls imposed under the Export Administration Act of 
>        1979), for the export or reexport of-
>               (A) any computer software, including computer 
>                   software with encryption capabilities, that is-
>                   (i) generally available, as is, and designed
>                       for installation by the user or purchaser; or
>                   (ii) in the public domain (including on the 
>                       Internet) or publicly available because it
>                       is generally accessible to the interested
>                       public in any form; or
>               (B) any computing devise or computer hardware 
>                   solely because it incorporates or employs in 
>                   any form of computer software (including 
>                   computer software with encryption capabilities)
>                   that is described in subparagraph (A).

I interpret this to mean that export of this type of software can
still be restricted by the terms of a "general license".  Even though
prior written permission cannot be required for export, export is
permitted only if the terms of the general license are complied with.
This is not the same as "unrestricted export of mass market software";
in fact, for some types of software, the "general license" rules could
still forbid export entirely.

The following section describes the conditions under which the
Secretary of Commerce is required to grant a general license allowing
export:

>          (3) COMPUTER SOFTWARE AND COMPUTER HARDWARE WITH
>         ENCRYPTION CAPABILITIES.-
>               (A) IN GENERAL.- Except as provided in subparagraph
>                   (B), the Secretary shall authorize the export
>                   or reexport of computer software and computer
>                   hardware with encryption capabilities under a
>                   general license for nonmilitary end-users in
>                   any foreign country to which those exports of
>                   computers software and computer hardware of
>                   similar capability are permitted for use by
>                   financial institutions that the Secretary
>                   determines not to be controlled in fact by
>                   United States persons.

In other words, the Secretary must define the terms of the general
license in such a way that software of "similar capability" to
software that is exportable to foreign banks is also exportable for
general use.  Note that the requirement is that the software must be
similar to software that can already be exported for use by foreign
banks; it is neither necessary nor sufficient that similar products be
available from foreign sources.  The "similar products available from
foreign competitors" rule was in the Leahy bill, but I see nothing
like it in the pro-CODE bill.

PGP could be held not to be of "similar capability" to the banking
software, and not exportable under the terms of the general license,
because it uses a different encryption algorithm, a different key
length, and is capable of encrypting arbitrary data, not just
financial transactions.  In the future, if key escrow requirements
were imposed on software exported to foreign banks, the same
restriction could be imposed on software exported for general use.

It seems to me that the idea behind section 3(A) is that if foreign
bankers are willing to accept a certain level of encryption, then
everyone else will accept it too, so the software industry will be
able to make money exporting it; the few people who want something
better (e.g. to protect their privacy against government wiretapping)
don't have to be protected, because denying them protection won't cost
the software companies any money.

I include section 3(B) only for completeness, because it is mentioned
in section 3(A):

>               (B) EXCEPTION.-The Secretary shall prohibit the
>                   export or reexport of computer software and
>                   computer hardware described in subparagraph (A)
>                   to a foreign country if the Secretary
>                   determines that there is substantial evidence
>                   that such software and computer hardware will
>                   be-
>                      (i) diverted to a military end-use or an end-
>                   use supporting international terrorism;
>                      (ii) modified for military or terrorist end-
>                   use; or
>                      (iii) reexported without the authorization
>                   required under Federal law.


Do other people agree with this interpretation of the bill?  Are most
people satisfied that the bill would actually protect the right to
export PGP and other strong encryption software?  I haven't seen this
discussed in this group before.  I realize that this may be academic,
because the bill is unlikely to pass now.