24 November 1999: Add Gladman, Simpson, Bellovin messages.

23 November 1999. Thanks to Will Rodger.

For a comparison of the new draft regulations with the current ones, see the current regulations at:

http://cryptome.org/ear-crypto.htm


Critics attack encryption proposal

By Will Rodger, USATODAY.com

Critics Tuesday attacked a new Clinton administration proposal that was supposed to relax controls on the export of encryption technologies crucial to online business and individual privacy.

A draft of those regulations, written by the Commerce Department, was obtained by USATODAY.com.

Representatives of online businesses and public interest groups say they are deeply dissatisfied with the plan.

"This is a very modest step forward cloaked in the guise of a great advance," said David Banisar, an attorney in the Washington DC area and author of several books on encryption policy.

It's designed "solely to relieve pressure for Congress to step in" and take stronger action, he said.

"A lot of questions remain," added Ed Gillespie, executive director of the industry-backed Americans for Computer Privacy. "Two months ago we were talking about a clean lifting of export restrictions. Today we're looking at a complex morass of regulations."

Bill Reinsch, undersecretary for export administration at Commerce, defended the proposal. "So far most (critics) have chosen to make their comments to the press," he said. "It sounds to me like most people are doing the press release first and the careful analysis second."

The proposal, he added, is a work in progress. "We don't have any illusions here at Commerce that it's a finished product," he said. "I take all the complaint with good cheer because we want to make some repairs."

As the White House explained it Sept. 16, American businesses would soon be allowed to export most encryption technologies to all but a handful of countries starting sometime next year. With that permission in hand, US companies would be free to compete with foreign companies that are increasingly taking over computer security markets abroad.

Nonetheless, the Administration has continued to insist on banning export of the most powerful encryption technologies for fear terrorists and criminals would hide their online activities from police and the eavesdropping capabilities of the National Security Agency.

The new proposal, critics say, leaves confusion in its wake:

The regulations say companies can export "retail" encryption software that does not require extensive support by the manufacturer. Yet in a world in which even difficult-to-use network software is available at the corner software store, no one seems sure what does and does not fit this definition.

The administration promised to decontrol exports to non-government entities, but even that definition is vague. For example, is Italy's car manufacturer Fiat, with less than 10% government ownership, considered a governmental entity?

Some language lifts restrictions on software for "low-end" Internet servers. Yet industry representatives who have met with the Commerce Department say no one knows what "low-end" really means.

Administration backers insist time will smooth out the details.

"Everybody was afraid the government wasn't going to deliver," said Stewart D. Baker, former counsel to the National Security Agency. "This utterly changes the encryption control landscape. This means very strong encryption is going to become widespread."

In addition to lifting controls on encryption products most people use to secure e-mail and bank accounts to protect against online hackers, the proposal would also permit export of so-called "open source" computer code that programmers write before converting it into a program others can use.

That much, at least, draws praise.

"If that's true that's very good for the open source community," said Erik Troan, Director of Engineering at Red Hat Software in Research Triangle, N.C. "I suppose that's very good for the proprietary companies as well, as so much encryption technology is well understood and widely disseminated in the academic press."


[Brian Gladman is a former communications security official in the UK MOD, now a prominent critic of crypto restrictions.]

From: "Brian Gladman" <gladman@seven77.demon.co.uk>
To: "UK Crypto List" <ukcrypto@maillist.ox.ac.uk>
Subject: Proposed US Relaxation of Encryption Export Controls
Date: Wed, 24 Nov 1999 12:17:37 -0000

A leaked copy of the proposed changes to US export controls has appeared on many lists in the last 24 hours.

These changes were preceded by a great publicity drive by the US administration to convince us all that there was about to be a radical change in direction in the US in respect of encryption export controls.

There may be some important relaxations but I must admit I am less than certain of this because the document is obscure in the extreme.

I have quickly been through what is a truly ghastly document that seems quite deliberately intended to obscure rather than clarify the US encryption export control situation. There are a lot of restrictions on exports to the seven 'nasty' countries but ignoring these, here are my conclusions:

(1) Publicly available source code, not owned by anyone, is no longer subject to control provided BXA are informed of its existence.

(2) But binaries derived from such software are still subject to licensing constraints.

(3) Applications that are licensed for export with key lengths of up to 56 bits (symmetric) and up to 512 bits (asymmetric) can have their key lengths increased to 64 and 1024 bits respectively provided that nothing else has changed.

(4) Complete applications containing encryption designed for retail use (i.e. finance and e-commerce applications) can be exported without restriction (except to nasty countries) provided that they are not easily modifiable for other purposes.

(5) Parts of the document appear to say that commodity encryption software can be freely exported without licenses to anyone except foreign governments but this seems inconsistent with (3) above. I find the clauses here almost impossible to interpret because the primary clauses define exclusions that are then covered by secondary clauses even though the primary clause has already excluded them. It's basically a complete mess. BXA needs to chuck this lot out, learn to write in clear English (or even American but not in this legal gobbledegook), and start again.

(6) Commercial encryption source code and general purpose toolkits for non-government end users can be exported SUBJECT to classification (and hence control) by BXA.

(7) But all products derived from these items are subject to BXA licensing no matter where they are produced (i.e. US extra territorial controls on the use of US encryption source code).

(8) All encryption components offering open interfaces and all products offering holes into which such components can be put remain subject to license controls.

I have to admit that I am confused by several items and I hope the Lawyers who are used to reading this sort of stuff will comment.  In particular I am not clear whether restrictions remain in place on commodity encryption products with long keys (>64/1024).   However it IS clear that constraints on encryption components remain and this is a serious continuing constraint.

The other interesting development is that item (1) appears to be a massive boost for the development of a secure linux kernel since Microsoft proprietary OS products are still unable to offer good encryption without a license and cannot be delivered with a 'crypto shaped hole' in them.  So all the problems of crypto code signing in the US remain.

In contrast it appears that the international community will be able to freely exchange publicly available source code, including encryption source code, without restriction.  Binaries cannot be exported but this hardly matters since parallel independent compilation in and outside the US from common source code will be possible. It will mean that distribution companies such as RedHat, SuSe etc. will have to have independent US and non-US distribution chains with 'Chinese Walls' if they distribute from the US but if they move elsewhere for just the compilation and binary distribution steps they can have just one distribution base that is not subject to licensing provided that all the code involved is public.

I knew that the USG had it in for Microsoft but I did not realise that they wanted to put the company out of business completely! But maybe all Microsoft has to do is publish the source of the Windows 2000 kernel and make its money from all higher level code. For security reasons Microsoft needs to do this anyway so these regulations may push security provision in exactly the right direction. Maybe we will thank the USG after all!

Of course I may have all of this wrong since the whole document is a complete mess so I would appreciate any observations that others may have on these issues.

    Brian


Date: Tue, 23 Nov 1999 19:48:56 -0500
From: William Allen Simpson <wsimpson@greendragon.com>
To: cryptography@c2.net
Subject: draft regulations?

>From: Alan Davidson <abd@cdt.org>
>The draft regulations are available now on CDT's web site at:
>
>         http://www.cdt.org/crypto/regs112399.shtml

  (2) Source code released under this provision remains of U.S. origin even when used or commingled with software or products of any origin, and any encryption product developed with source code released under this provision is subject to the EAR (see Section 740.17).

Looks like they are reinventing the GPL, except to infect other sources.

  (4)(i) for encryption source code (including published source code which is subject to proprietary commercial agreements or other restriction), any new product developed with this source code must be classified by BXA (see paragraph (e) of this section) prior to re-export.

A little slap in the face to PGP -- and may make GPG code classifiable.

WSimpson@UMich.edu

    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32


From: "Steven M. Bellovin" <smb@research.att.com>
To: William Allen Simpson <wsimpson@greendragon.com>
Cc: cryptography@c2.net
Subject: Re: draft regulations?
Date: Tue, 23 Nov 1999 21:44:28 -0500

[Snip Simpson message]

I was about to make a snide comment that they're just endorsing open source software -- but is there any definition of "other restriction"? Does the GPL count? Are they trying to ban any publication of anything that isn't flat-out public domain? And if something is flat-out public domain, how can the "exporter" impose the viral restrictions? For that matter, what is "export"? Posting something to Usenet? Putting it up on a Web page or FTP server? The act of downloading it?

--Steve Bellovin