|
Encryption: Balancing the Issues |
by Matt Johnson, Consumer Electronics Vision (09/2001) |
|
Until recently,
encryption technology and the laws surrounding its export had the industry
in somewhat of a lather, waiting for the Clinton administration to accomplish
more to liberalize these exports. These days, it's hard to find an outraged
Congress member or a self-righteous lobbying firm arguing about the potential
death of the high-tech industry if it can't compete with other companies
on the encryption export front.
Encryption exporting still is a tricky minefield of regulations to work through, one that requires close work with the Commerce Department, which runs the export licensing system. Still making headlines in the technology community, however, is the exporting of high-performance computers, otherwise known by the seemingly quaint term "supercomputer," which in a few years couldusing today's government-denoted definitionmean your PlayStation or Microsoft Xbox. The Basics First, what is encryption? It is software that comes in various flavors and strengths, that an individual or business can use to hide the contents of their e-mail and other sensitive electronic communications. Second, why would anyone care about how encryption is exported and where it eventually goes? Simply put, the U.S. government has an ongoing concernone that is not unanimous throughout Congress or all the administration agenciesthat terrorists or menacing parties could use it to encrypt their own communications, keeping them secret from international and American law enforcers, including the National Security Agency, Interpol and the Central Intelligence Agency (CIA). The reason for the apparent passing of the encryption export debate as a controversial topic, apparently, is that the United States government and the executive branch in particular finally seem to have gotten the message that it's all right to export many types of encryption software without making it available to every terrorist in the world with a bone to pick with Uncle Sam. Actually, any worst-case scenario that could have come about with encryption technology already technically could have happened and still could. The argument that high-tech companies used to throw at the Clinton administration when Defense Department officials, Attorney General Reno and other high-ranking officials would claim that encryption export controls should not be relaxed is that potential terrorists already could obtain the technology from any number of companies operating in other countries. And these high-tech companies definitely have a point. The United States also is aware of this. What resulted from this way of thinking during the past decades was a stratified system of export controls for a number of technology devices, from encryption to so-called supercomputers. Restricting Technology When it came to encryption export controls, the government established regulations allowing for the export of encryption software up to a certain strength, which was algorithms, measured in bits. The problem with this, high-tech companies claimed, is that the government only began to restrict the export licenses for the software when it reached strengths that were considered effective. Eventually, the industry rallying cry developed into the argument that encryption technology worldwide had reached a level of sophistication so far above the still limited strength that the United States government would allow, that the industry as a whole would lose its valuable role as the No. 1 technology market in the world. The crux of the dispute boils down to two basic ideas: economic superiority in the high-tech field vs. a strong national defense, electronic communications included. This is when Congress got in on the act. Rep. Robert Goodlatte, (R-VA), a prominent member of the Judiciary Committee triedbut failedseveral times to pass legislation that would mandate the relaxation of encryption controls. Nevertheless, influential intelligence community and other national security interests and their allies in both the House and Senate conspired to keep the encryption export regime firmly in place. Before the thaw eventually commenced, the United States even tried the opposite of the "if you can't beat 'em, join 'em" game, by urging nations that were participating in international treatiesnotably the 26-nation Wassenaar Arrangement on munitions controlsto restrict their own encryption export laws. The measure failed by most standards, and the United States increasingly found itself starting to bow to the pressure of technology companies, especially with their newfound prominence due to the Internet revolutionwhich now seems to be in a general slowdown. Gradually, with then Vice President Al Gore starting to make vague promises of running in the 2000 presidential election and positioning himself as a technology-friendly candidate, the Commerce Department began to increase the strength of encryption devices allowed for export and the tech industry responded with appropriate gusto. Even Goodlatte's attempts to move his Security and Freedom Through Encryption (SAFE) Act to the House floor were stymied by Rules Committee Republican and House Permanent Select Committee on Intelligence Chairman Porter Goss, (R-FL) who was willing to set aside the bill to see what the administration would do. A Balancing Act One of the chief weaknesses of the administration's initial proposal was that it would allow mainly unfettered strong U.S. encryption product sales abroad, but would restrict their online availability. By January 2000, however, the administration debuted draft language that seemed to strike the right balance with even staunch Clinton critic House Majority Leader Dick Armey, (R-TX). It said that the administration, "under intense prodding from Congress," recognized that "expanding the personal use of strong encryption is the most effective way for Internet users to protect their online privacy." The issue flared up during the 2000 presidential election during an ad hoc-style debate between Gore and former-Texas Gov. George W. Bush on the White and Blue website. In response to a question, Bush wrote on the website that "The Clinton administration has repeatedly been slow to recognize the realities of the international market for encryption products regulated by our nation's export laws. . .Rather than act in a timely way to keep export limits in line with technology available from foreign sources, the administration has threatened exporters with outdated rules blocking sales of widely available commercial technology." Bush also said that his administration would insist on protections in the interests of national security, mainly by allowing "companies to export products when those products are already readily available in foreign or mass markets, while building high walls around technologies of the highest sensitivity." Gore's response was that "the current administration has worked hard to achieve that balancea balanced encryption policy that increases privacy and security for families and businesses, while addressing the legitimate needs of national security and law enforcement." Simplifying the Rules The Clinton administration in its last change to the encryption rules on Oct. 19, 2000, updated the regulations to allow encryption exports for most products to 23 nations, including all 15 members of the European Union, plus Australia, Japan, New Zealand, Norway, Switzerland, the Czech Republic, Poland and Hungary. Companies looking to export still must apply for a license and are thus subject to review by the Commerce Department's Bureau of Export Administration (BXA), as before, but the review process for these countries is far less restrictive than it used to be, especially before 1996, when the State Department handled encryption exports, not the Commerce Department. According to a press statement from the BXA, U.S. companies can send their products as soon as they have submitted a commodity classification to the department, instead of waiting for their review to be completed. "The regulation streamlines and reduces post-export reporting requirements for many products containing or preloaded with encryption, including personal computers, laptops, handheld devices, network appliances and short-range wireless technologies," according to the BXA. The move was a definite catering to the U.S. high-tech industry and was designed to match most EU nations' own encryption export requirements. Encryption products today, as in the past, are banned to what the U.S. government classifies as "terrorist" or "high-risk nations," including Cuba, Iraq, Syria, China, Libya, Sudan and North Korea. Previous versions of the draft language had excluded encryption or encrypted product shipments to companies that included government ownership, something Goodlatte and fellow tech-oriented Rep. Zoe Lofgren, (D-CA), had complained would severely crimp U.S. business interests abroad, and was unnecessarily involved with the cause of preventing state-sponsored terrorism. Risking National Security? Most BXA-defined "retail" encryption products can be shipped at will, though BXA would review their "functionality, sales volume and distribution methods." The BXA also considers 56-bit non-mass market products with key exchanges of more than 512 bits and less than 1,024 bits as mass market products, as well as network-based applications and other products, "which are functionally equivalent to retail products." The rules also allow, in addition to the posting of open source code on the Internet, telecommunications and Internet service providers to use encryption products of any strength, though they will require a license if they service government entities, like a government-run private network. Other high-tech export issues still are on the lobbyist watch, however, to a much greater extent now than encryption exports. Of particular interest to the high-tech industry is the Export Administration Act (EAA), which would change the regulatory scheme for high-tech items earmarked for both military and commercial use, so-called "dual-use" types of technology. A cadre of powerful senators, including Governmental Affairs Committee Ranking Republican Fred Thompson, (R-TN), Commerce Committee Ranking Republican John McCain, (R-AZ), and Intelligence Committee Ranking Republican Richard Shelby, (R-AL), have moved to block the Senate from considering passage of the EAA because they claim that national security takes a back seat to industry under the bill. Because there are so many agencies that want to handle the export processes regarding dual-use items, the senators want to set up an agency dispute resolution process on particular items. They claim that the EAA gives the Commerce Department too much power in this area when national security interests are at stake. The more pro-business Bush administration, however, is drafting an executive order that would try to smooth over some of these concerns in light of the stalled passage on EAA. The high-tech industry as a whole supports EAA because of the same reasons that it supported the ability to export strong encryptionEAA controls a number of high-tech exports, including supercomputers, that the high-tech industry claims are already so widely available both in America and abroad that it would be useless to slap crippling export regulations on American companies. Much of the senators' objections to the EAA also come in a climate in which sensitive exports to China produced the controversy regarding weapons technology exports and the Cox-Dicks report that showed that China had received some important military benefits in technology transfers. Thompson, during floor debate on EAA this April, said that he does not "think this is the time to send the message to China that we are going to engage not only in business as usual, but become even more liberal in our policies of sensitive exports." Uncertain Future The issue remains unresolved at this point, and it is hard to say whether there will be any passage of EAA or even further liberalizations to encryption export policies at this time. The recent Senate shakeup due to Sen. James Jeffords', (I-VT), decision to leave the Republican party and become an independent, placing the Democrats in the majority, also throws an extra kink to an already difficult-to-answer question. What is certain, however, is that even as issues surrounding tax cutseducation and trade take up prime news spacethe high-tech industry is likely to continue its steady hum of persuasion on Capitol Hill to try to make available to the rest of the world what it already has, but with the "Made in the USA" encryption label that they hope speaks to their products' reputations. |
|