[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
New Crypto Export Rules Monday
27-DEC-1996 18:59
U.S. export encryption rules to be published Monday
By Aaron Pressman
WASHINGTON, Dec 27 (Reuter) - The Commerce
Department will issue final rules on Dec. 30 to implement
its new policy on export of computer encoding products,
but the proposal is unlikely to mollify the software
industry and privacy advocates who objected to a draft
version.
Some changes were made in the final rules, available
Friday at a government printing office, from the earlier
draft. But the bulk of the proposal remains the same,
including portions strongly criticized by the software
industry that applied to real-time communications.
Commerce undersecretary William Reinsch had said
two weeks ago that the draft rules would be modestly
revised, but warned that some objections could not
be addressed.
Under the previous rules dating from the Cold war, the
administration severely limited the export of products
containing encryption, programs that use mathematical
formulas to scramble information and render it unreadable
without a password or software "key."
In the past, products could be exported using "keys" as
long as 40 digital bits, a string of forty ones and zeros.
But as the speed of computers has grown, 40-bit keys
have become easy to crack and longer keys have come
into general use.
At the same time, with the growth of the Internet and
online commerce, demand for encryption-capable
products is growing worldwide. Coded messages can
keep a business' e-mail confidential or protect a
consumer's credit card number sent on the Internet.
The Commerce Department rules were intended as a
compromise, allowing U.S. companies to compete in the
encryption market while protecting the interests of
law enforcement officials.
The policy relies on so-called key recovery features
which allow government officials to decode encrypted
messages when acting under proper legal authority.
Under the policy to be issued Monday, products
containing key recovery features will be eligible for
export after a one-time review.
Software firms had hoped the key recovery exception
would only apply to stored data, like a document on a
hard drive. But the final rules, like the draft rules, also
require key recovery for real-time data transamission such
as coded phone calls.
Non-key recovery software with keys of up to 56 bits
will be exportable under six-month, renewable licenses
until the end of 1998, but only if the manufacturer
commits to producing software with key recovery by then.
Some companies had complained that the government
was asking for too much information about their future
plans, but the final rules still require submission of
detailed plans and committments.
All other encryption products, such as state-of-the art
128-bit software without key recovery features, would
continue to be treated as munitions. Such products include
ordinary e-mail programs and even the recently
introduced set-top box for surfing the Internet with a
television.
The rules deleted a draft provision allowing keys to be
stored with a recovery agent located outside of the United
States.
The final rules also made clear that an applicant's
public support of the administration's policy would not be
a factor in export license decisions. Rather, helping build
the necessary infrastructure would be a factor, the final
rules said.
A criteria listed as "public support for a key
management infrastructure," was changed to "or other
support for the key management infrastructure."
http://www.aci.net/kalliste/