[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Interactive Week exclusive - Clinton Admin. to announce new Crypto regs. this PM



-----BEGIN PGP SIGNED MESSAGE-----

Something you might find interesting....

By Will Rodger
Washington Bureau Cheif
Inter@ctive Week

The US government will announce later today that will soon lift controls on
technology crucial to doing business over the Internet, White House advisor
Ira Magaziner said yesterday evening.

Under plans expected to be outlined at a noontime press briefing today, the
federal government will require that producers of specialized, narrowly
focused data scrambling products submit only to one-time government
approval before they sell powerful encryption products abroad. Current
policy requires case-by-case approval in most instances.

"Basically it will say that for basic financial and electronic applications
there will be no export restrictions and no requirement for key recovery,"
Magaziner said.

US Undersecretary of Commerce William Reinsch is expected to give details
of the plan. Reinsch could not be reached for comment.

Computer industry executives and public interest groups said the new
arrangement, though far short of deregulating all encryption, was a step in
the right direction.

"This is evidence that the administration acknowledges that manufacturers
of foreign encryption products do exist," said Peter Harter, public policy
counsel at Netscape Communications Corp. "Their policy has put American
industry in the back seat and now we�re trying to catch up."

David Banisar, policy analyst at the Washington-based Electronic Privacy
Information Center, called the move a "small step forward." Nonetheless,
"it still doesn�t reach the needs for secure e-mail or other purposes," he
said.

Computer software and hardware eligible for decontrol under the proposed
regulations must fit several criteria, said Kawika Daguio, a public affairs
specialist with the American Bankers Association who helped hammer out an
agreement for the new regulations. 

.Though products designed for use by the general public may be unlimited in
the strength of the encryption techniques they employ, they must also be
strictly limited in use, he said. Software written for home banking, for
instance, must be usable only for bank transactions and not easily modified
for general use. Most programs handed out by banks for PC banking at home
fit that criteria, he said. 

Programs that use the industry  SET standard for credit card purchases over
the Internet should easily meet Commerce Department criteria, too, since
the SET standard encrypts only those data essential to making online
purchases; the limited uses of the standard render it all but useless for
general use. Visa, MasterCard and American Express developed the standard.

"I�d expect programs written with SET to get very rapid approval - within
weeks," Daguio said.

In addition, US companies will have leeway to export any kind of encryption
to any bank as long as that encryption is used only for legitimate,
internal bank functions. Products designed for merchant-to-merchant
transactions without a bank in between would still be subject to stricter
controls, including use of weak software routines that make decoding by law
enforcement easy, or deposit of decoding keys with law enforcement bodies
prior to export.

Commerce Department regulations will spell out details this month or next,
Daguio said. 

Though more sweeping in nature than past government regulations, the US
banking industry has long enjoyed more freedom to use powerful encryption
technologies abroad than other industries. Successive administrations have
granted banks that leeway since by definition they must have greater
safeguards over employee behavior than all but a handful of industries. In
addition, financial applications have long been easier to design for export
since they typically require encryption of only a few standard data fields.
If sufficiently limited in design, the reasoning goes, they pose no threat
to law enforcement concerned about smugglers or terrorists who may want to
evade detection by law enforcement.
 
The government and the computer industry have for years been locked in
disputes over the relative importance of encryption technologies and their
potential for misuse.

Since encryption encodes sensitive information like credit card numbers,
voice traffic over public networks and anything else that can be converted
into an electronic stream of ones and zeroes, proponents of electronic
commerce have insisted the technology must be widely deployed to assure the
security of computer networks worldwide. Absent US encryption exports, they
claim, American companies will soon lose their leadership role in a
technology crucial to the country�s competitiveness.

Federal officials, on the other hand, have said export of the technology
threatens global security, since terrorists and criminals in outlaw states
like Libya and North Korea could easily use the technology to defeat
wiretaps and data searches increasingly prized by law enforcement and
national security agencies. In response, they demand that exports of
powerful encryption include so-called key recovery - a method by which law
enforcement can gain access to the encryption keys used to encode messages.
Many public interest groups have condemned the plans, however, saying such
a transfer of power to law enforcement threatens to usher in an era of
ubiquitous and illegal eavesdropping. Several bills pending in Congress
would do away with nearly all controls. Reinsch was expected to testify at
congressional hearings on one of the bills this morning.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBM3HngkcByjT5n+LZAQHL+Af/WdDoOuORps0gkZQmI4B6mgY63HeTzKZH
kW19knlqU6SMC/GSdFrZLiWZhkDec2/wLzq57wdzlPjdPd+5wCvTYWmJAX68Kf6b
9g6cm3AbhZSKmaOtUtwOmUwAtuS5DPaGiPejAc9716K0/U9+0YBNKMZ/qVYAhrLc
yR4yxLqpXd68zhirYIxtjHcB1fDzRO6F91stxvvDsg2bg2pPvLidWOBoknMZmCQt
ALV5Z1yuik6tNOIPx+4ty7kWMMIQ0E3DqVKPxVAbFchCTohcee55U6Pmg3pbYtVg
rrhYr4W8s/juv/9JrVa99+usyt/ohe+N3HcYtJ5WVLF2ED3UT/YDBg==
=Q3/z
-----END PGP SIGNATURE-----