Regulation
Update on US Software Exports
by Fred Greguras, Fenwick & West of Palo Alto, CA (06/03/1995)

This memorandum relates to the changes
to the U.S. export licensing requirements for software under the Export
Administration Regulations ("EAR") that have been implemented
by the Bureau of Export Administration ("BXA") of the Department
of Commerce over the last few years. The export controls on software
have indeed been integrated into the Commerce Control List ("CCL")
along with those for hardware and technology rather than addressed
separately outside of the list. The consequence is that requirements
for software have been relaxed, which has benefited international software
distribution, particularly for mass-marketed software. Nevertheless, the
export of software is still "controlled" by the EAR, and
the issue discussed in this memorandum is what type of
export license is needed. After presenting the currently available
export licenses and the general restrictions on exports for prohibited
end uses and customers, this report explains how these licenses apply
to specific software products under various export scenarios. It also
describes the particular case of encryption software, for which the
jurisdiction of the ITAR must be considered first.

The Case for Clipper (Clipper Chip offers escrowed encryption)
by Dorothy E. Denning, MIT's Technology Review (07/1995)

This article
presents the Clipper Chip proposal, a program launched by the US Government
in order to expand security and privacy protection for electronic
communications while preserving the government's ability to conduct
authorized wiretaps. Despite attacks from civil libertarians as well
as other academic experts, the author argues that the Clipper Chip
is the best approach to balance individual privacy with the social
good. First of all, Clipper's key escrow system presents safeguards
for key secrecy, especially the fact that keys are always stored and
transmitted in encrypted form. Second, physical security is used extensively
to protect the computer workstations at NIST and the Department of
Treasury that are used for key escrow functions and the floppy disks
where keys are stored. Finally, to limit the power of a single individual
to abuse the system, various measures are taken, such as the separation
of duties, the definition of detailed usage procedures and the split
of each chip's device-unique key. Despite these arguments in favor
of the Clipper Chip proposal, Denning understands the public concern
that the Skipjack encryption algorithm on which Clipper
is based is classified, which does not allow everyone to review its
strength. She also acknowledges that the existence of other
encryption means may allow criminals to simply bypass Clipper-based
products, but underlines that Clipper's advantages could
just as well make it a de facto standard for industry. Yet, since there
are also other escrow alternatives that might be more acceptable
encryption alternatives for private-sector organizations, as well as
considerable opposition to Clipper, it remains to be seen whether
Clipper will catch on or not.

The Metaphor is the Key: Cryptography, the Clipper Chip, and the Constitution
by A. Michael Froomkin, U. Penn. L. Rev. 709 (1995)

This article is about the clash between
the desire of law enforcement and intelligence agencies to have the
capability to penetrate secrets at will, and that of private citizens to keep
these secrets from the state. It addresses three main issues. First,
it outlines some of the promises and dangers of encryption, by describing
advances in encryption technology that are increasing personal privacy
but reducing the U.S. government's ability to wiretap telephones,
read e-mail, and decrypt computer disks and other encrypted information.
Second, it analyzes the constitutional implications of a major government
proposal, the Escrowed Encryption Standard, premised on the theory
that it is reasonable for the government to request private persons
to communicate in a manner that makes governmental interception practical
and preferably easy. Third, it speculates as to how the legal vacuum
regarding encryption in cyberspace shortly will be, or should be,
filled.

The Future of Cryptography
by Dorothy E. Denning, Internet Security Review (10/1995)

In this essay, Denning defends a new
paradigm of cryptography, key escrow, that is slowly emerging and
gaining acceptance in industry. According to her, key escrow is a
technology that would perhaps assure no individual absolute privacy
or untraceable anonymity in all transactions, but would arguably allow
individuals to live in a safer, civil society, with some just restraints
but also the ability to protect sensitive information. By contrast,
crypto anarchy provides the benefits of confidentiality protection
but does nothing about its harms, particularly the protection of criminal
communications, untraceability of electronic payments, or impossibility
of recovering data due to the loss of keys. According to Dorothy Denning,
the key escrow alternative, which has been promoted by the Clinton Administration
since 1993, is a policy that could accommodate the privacy and security
needs of citizens and businesses, the ability of authorized government
officials to access communications and data under proper court or
other legal order, the effective and timely use of modern technology
to build the National Information Infrastructure, and the need of
U.S. companies to manufacture and export high technology products.
Moreover, it could also be a mutually agreeable approach for governments
of OECD nations that aim to define a global information infrastructure
that makes it possible to fight crime and terrorism and meets the confidentiality
and data recovery needs of organizations.

Decoding Encryption Policy
by Dorothy Denning and William E. Baugh Jr. (1995)

This article
reviews current encryption policy, the Clipper Chip proposal and the
changes to the key escrow policy proposed by the Clinton Administration
at the end of 1995. In the new proposal, encryption keys would be
held by trusted parties within the private sector rather than by government
agencies. While some concerns remain, such as the possibility of government
access to an escrowed key or the restrictions on key length, the new
proposal represents a major step forward in national encryption policy
with potential benefits to businesses, individuals, and the government.
Indeed, the proposal accommodates industry's request to use unclassified
algorithms, software, and private sector escrow agents that would
support emergency decryption for both registered users and authorized
government officials. Furthermore, legitimate privacy interests can
be protected through access procedures, auditing, and other technical,
legal, and operational safeguards that could be made mandatory in
any investigative process.