September 16, 1999 6:35 PM PDT
White House proposes looser crypto exports
Under newly proposed rules, the government would allow companies to export their strongest retail security software without obtaining individual licenses for each customer. Exceptions would be made for destinations in seven "enemy" countries.
Companies would still have to seek a one-time license for their software and help the government track the sales of the strongest security products around the world.
The proposed changes, which have yet to be drafted in full, have long been sought by Silicon Valley companies and privacy rights activists. The new rules are among the most significant moves the government has taken in backing away from its original hard-line stance on the encryption issue.
Encryption software--found in computer programs as common as email and Web browsers--scrambles computer files and messages to make them unreadable by an unauthorized person.
Law enforcement officials have long opposed the overseas export of the strongest encryption software, fearing that it would fall into the hands of terrorists and other criminals who would use it to hide illegal activities. U.S. rules have barred technology companies from selling their most secure products overseas largely for this reason, a policy that has galvanized fierce Silicon Valley opposition in Washington.
Randy Terbush, chief executive of Covalent Technologies, said the announcement could expand his market by at least 25 percent. But he remained cautious, a sentiment shared by many who have faced years of stop-and-start export policy changes.
"While I would love to see these restrictions loosened, I guess I have a wait-and-see approach," Terbush said. "If...the one-time reviews happen in an expedited manner, it could be a big benefit, but a lot of that is the same language we've heard."
Covalent, based in Lincoln, Nebraska, sells software that lets companies offer encrypted connections over the Web. The company also sells single-purpose computers designed to plug into a network to easily add that capability, and it has taken on a new initiative to provide 24-hour support for popular Apache Web servers now used for free.
The White House's move comes just a few weeks before a key piece of legislation was scheduled to be taken up in Congress that also sought to relax the export rules on data-encryption software. Sponsored by Rep. Bob Goodlatte (R-Virginia), the bill already had gained the support of more than half of the House.
"Today's announcement from the administration represents a major shift in U.S. encryption policy--changes that are long overdue," Goodlatte said in a press statement today.
But he warned that Congress will closely scrutinize the White House's final regulations, which are due December 15. "This announcement is long on potential but short on detail, and Congress will be watching carefully to make sure that the regulations issued in December match the policy announced today," he said.
Another probable beneficiary is Vice President Al Gore, whose appeal to deep-pocketed Silicon Valley donors in his presidential campaign has been sharply limited by his administration's support for a policy widely reviled in technology business circles. Key Silicon Valley figures have rallied around Republican presidential candidate George W. Bush, an ominous sign for Democrats.
Good for companies, not consumers
The new White House rules, however, are largely geared toward companies, not consumers.
For the most part, strong data-security software has already been available in the United States. Software created in the United States has been difficult to get overseas, but many foreign firms have already written comparable programs that are sold in other countries.
As part of the new policy, Clinton will ask Congress to approve legislation setting up a framework dealing with law enforcement's access to encrypted messages.
Dubbed the Cyberspace Electronic Security Act of 1999, the measure would protect the encryption "keys" obtained by law enforcement through the courts to unscramble suspects' computer files or email messages.
The bill also would set up a technical support center that would serve as a resource for the FBI and other law enforcement agencies seeking to combat encryption used by criminals.
But it also contains protections for law enforcement that would keep agencies from being required to divulge how they gained access to files or other messages once protected by data-encryption software. That provision caused some concern among privacy rights groups, which reacted to Clinton's announcement with some skepticism.
The American Civil Liberties Union said it will fight to ensure that law enforcement can only gain access to citizens' encrypted files through a court process.
"Today's announcement is a step forward," Barry Steinhardt, associate director of the ACLU, said in a statement. "The battle now becomes whether the ability to use encryption is a meaningful one. Without protections against illegal searches, this change will benefit industry and leave the average computer user out in the cold."
News.com's Stephen Shankland contributed to this report.