Slashdot Mirror


Feature: WH Panel Calls for Crypto Export Reform

Kathleen Ellis, editor of the Privacy News Portal, has written an excellent feature about how The President's Export Council Subcommittee on Encryption (PECSENC) has recommended dropping almost all export controls on strong crypto, and why it is unlikely that this group's recommendations will be acted on in any meaningful way. (More below)

White House Subcommittee Endorses Crypto Reform.
Will Someone Please Listen?

By Kathleen Ellis

Another shot was fired in one of the longest-lasting and most contentious battles regarding Internet policy last Wednesday, when a White House advisory subcommittee announced it has recommended that the Clinton Administration all but reverse its restrictive stance on the export of encryption products.

The President's Export Council Subcommittee on Encryption (PECSENC) was formed earlier this year by the White House to provide guidance in the U.S. Government's development of encryption policy, which has been the subject of heated debate. As many Slashdot readers already know, the government has insisted for years that liberalizing encryption export could cause serious problems for national security by giving terrorists and criminals access to the technology. Of course, net activists and industry folk assert that the right to privacy supersedes the wishes of any bureaucrat, and that terrorists and criminals can just as easily get their crypto from any other country that does not restrict cryptographic exports.

Critics of the Administration's policy had expected to gain little support through the subcommittee's recommendations. William Crowell, the subcommittee's chairman, is currently President and CEO of Cylink Corporation, an internet security firm, but previously served as Deputy Director for the National Security Agency. Several committee members also had ties to law enforcement or other government agencies; Stewart Baker, an attorney with the Washington-based Steptoe & Johnson, is former general counsel to the NSA and is a vocal opponent of loosening restrictions on encryption. Steve Walker is former president of Trusted Information Systems (now owned by Network Associates), a leading producer of key escrowed encryption products, which the FBI has lobbied to make mandatory even for domestic use.

Despite these ties, however, the subcommittee cited a need for the U.S. government to "recognize market realities" and reverse its course on encryption policy. Among its recommendations:

- License-Free Zones: Recognizing that the European Union is planning to drop all cryptographic export rules between member countries, the US should likewise identify a list of countries which do not pose any major terrorist threat, and allow encryption export (hardware and software products) without a license.

- On-Line Merchants: On-line merchants based in other countries will be added to the list of business types permitted to have encryption products exported to them from the US. Banks and a limited number of other financial institutions currently enjoy this license exception.

- Mass-market hardware and software: Mass-market products which utilize up to 128-bit key length triple DES will enjoy license exception. "The US government should recognize the difficulty of controlling mass-market products once they are allowed to be exported to even limited sectors".

The subcommittee also suggests eliminating cumbersome reporting requirements for manufacturers of encryption products, as well as removal of source code, cryptographic Application Programming Interfaces and devices such as encrypting routers from the list of restricted technologies.

So cypherpunks across the nation will soon be free to export their code at will? Subcommittee chairman William Crowell is hesitant to say yes. "The Administration will have its own ideas about which of these recommendations are implementable. Vice President Gore has said that the administration would consider additional liberalization over what they announced last year, so it was important to get these recommendations to the table while they were thinking about it". He expects that the administration will make further changes to its export policy based on the recommendations sometime in September.

There are other signs of change on the horizon regarding the government's attitude toward encryption. The successor to the current Data Encryption Standard algorithm, which will be used by the U.S. Government for a multitude of purposes, will be chosen by the National Institute of Standards and Technology within the next few months. Four out of the five Advanced Encryption Standard finalists were developed, at least in part, by cryptographers based overseas or holding foreign citizenships. The fact that such decisions could be made by NIST requires the acknowledgement, at least on some level, that good encryption can be produced in countries not affected by U.S. export law, and hence, can be made available around the world.

However, one prominent activist is still skeptical about the potential effect this announcement may actually have on U.S. policy. "This doesn't change policy, this is just yet another group that has come forward and said 'the U.S. policy is abysmal, it needs to be scrapped'" says David Banisar, Deputy Director of Privacy International, and co-author of "The Electronic Privacy Papers". "Many distinguished groups in the past have made similar recommendations...the Clinton Administration has thus far rejected any attempts to dramatically reform export control laws".

Banisar likened the potential influence of the PECSENC recommendations to those of a report published by the National Research Council in 1996. Much more conservative than the PECSENC subcommittee's suggestions, "Cryptography's Role In Securing the Information Society" was written by a committee comprised of government officials, representatives from the computing industry, and academics. The NRC committee's recommendation that 56-bit DES encryption took two years for the Bureau of Export Administration to implement, and many of the other valuable points in the report have never been implemented. The NRC report suggested that U.S. policy should take into account the "nonconfidentiality uses" encryption has to offer. U.S. policy still does not support the use of encryption for the purposes of authentication, which the committee identified as an "important crime-fighting measure". Indeed, one would think that the F.B.I. and the Department of Commerce would hasten to encourage the use of such technologies.

Banisar also expressed concerns about the provisions favoring online merchants. "The e-commerce exports have already been promised to online merchants...they will get what they want, which helps the Clinton Administration divide and conquer their opposition". Banisar stated that civil libertarians lost a powerful lobbying ally when banks were granted the same licensing exemptions now promised to entrepreneurs online. "When a wealthier group gets what they want, they stop fighting, and the everyday users get screwed."

It also seems that the recommendations do not go far enough to help the people who need encryption technology most. Barbara Simons is President of the Association for Computing Machinery and one of the members of the PECSENC committee. "It appears that the recommendations don't address the needs of people working for human rights in countries with repressive regimes," she says.

The human rights issue is a valid one within the debate on U.S. encryption policy. The American Association for the Advancement of Science's Cryptography, Scientific Freedom, and Human Rights program trains human rights workers to use encryption technology in countries like Guatemala and China, where oppressive governments have a way of making insurrectionists disappear. A letter from AAAS to the House of Representatives Committee on International Relations states that "human rights activists are killed, tortured, disappeared and jailed for trying to expose horrendous abuses...[they] use encryption to protect themselves, the victims and eyewitnesses they are interviewing, and human rights colleagues around the world when they communicate sensitive information on grave abuses of human rights".

It would be wise and compassionate for the Clinton Administration to authorize a new class of license exceptions for human rights workers travelling into countries that don't fall under the "favored nations" exemptions for encryption exports. If national security were really a concern in these cases, they could add strict guidelines describing who the software could legally be distributed to within those countries. Unfortunately, PECSENC seems to have overlooked this important issue.

Despite these shortcomings, there are some definite gains to be made by following PECSENC's recommendations. Net activists will be keeping their fingers crossed when the White House reviews them next month. Progress has been far too slow in coming, and if there's ever been a time for our government to start making some positive decisions, this certainly is it.

16 of 88 comments

  1. I'm gonna get flamed, but... by Enry · · Score: 2

    Yep, I'm one of those pinko liberals that voted for Clinton. However....

    The issue with technology and the govt. isn't Clinton per se, since he just happened to be around at the time when technology was reaching everyone on the planet. Govt. has never been known for its speed. The Constitution is built to make things hard to do for a reason. Thus, govt. (be it republican or democrat) will take a while to adjust to new technology and new ideas.

    Back in 1992, Spy magazine had 1000 (or was it 100?) reasons to not vote for George Bush. Top on the list was "What would you think if the head of the KGB was elected president of Russia?". Bush used to run the CIA! Do you seriously think he'd be in favor of personal liberties?

    Sure some of Clinton's ideas are whacky. But consider the more frightening alternative.

    1. Re:I'm gonna get flamed, but... by MAXOMENOS · · Score: 2

      I think it's pretty much a given that George Bush would have had the same stand on encryption policy as Bill Clinton does. And the same would probably apply to Bob Dole, Al Gore, George W. Bush ...

      The simple fact of the matter is that the Federal government lies to itself in the name of power. Allow me to present two (non-crypto, non-geeky) examples to demonstrate my point:

      During the Reagan years, the government refused political asylum to persons fleeing from torture and rape, because the dictators they fled from were in America's pockets instead of the Soviets'. Fascist regimes in Chile, Guatemala, El Salvador, Brazil, &c were conveniently classified as "democracies" and given millions in funding to support death squads, censorship, and the usual BS you get with any fascist dictatorship. (Of course, we were fighting Communism at the time; but you'd be hard stretched to prove that people were better off under our fascist governments than under their communist governments. At least the communist nations had decent education systems and better standards of living, even if no more actual freedom.)

      We see this same phenomenon in the Drug War. Prominent judges and scientists have stated for years that we need to either relax or abandon our War on Drugs. Virtually every politician is scared to take their advice, because they would almost certainly lose the next election (or so the thinking goes). Meanwhile, officials in the Federal government ignore the advice of their own experts and continue to tell the public, the elected officials, and the media that all of the experts are wrong, and that it is worth our while to invade our most basic liberties in order to stamp out this enemy. Again, the enemy is overblown; the response is to over-react; the evidence and arguments for sanity are ignored.

      Both of these phenomena would have occurred under any administration. This is because they are sustained by elements of the government that are willing to lie to the President and the Congress to get their way. These same elements are the elements in control of the "war on crypto." These are the persons telling Congress, under oath, that the minimum time that the NSA could take to crack DES is seven thousand years; and the same persons who call the EFF "irresponsible" when they figure out a way to break DES in five days. These are the same elements who will ensure that nothing changes in crypto policy, except for continued erosion of our civil rights.

      What's the alternative? Hell if I know....

    2. Re:I'm gonna get flamed, but... by MindStalker · · Score: 2

      Conservatives, like Ben Franklin and Thomas Jefferson, believe that the BEST government is the LEAST government.
      While I'm sure you'll get flamed to hell for that whole article, but I actually agreed with you at the risk of being flamed myself.. cause hey, what would liberty be for if we didn't speak up. But anyways, I just wanted to point out that actually Ben Franklin and Jefferson were not considered conservatives. I mean seriously, if you think about it it takes a lot of non conservatist ideas to implement an entire new governmental system. Sadly what people don't seem to realize is that the system they implemented was a wonderful system, and only needs revising given a national crisis (Roosevelt's "New Deal" for instance, which we have completely destroyed the initial intent and direction of btw). Liberalism (for lack of a better word) is needed, but not constantly. That's why we have a 2 party system. And that's also why the original constitution only set up congress for one month a year, cause if you spend an entire year passing law after law, eventually you're gonna overcrowd yourself. Oh well!

  2. Interesting article by jd · · Score: 2
    This has been under discussion on Technocrat (though I use the term loosely, as hardly anyone ever posts there) for a while. Maybe here, it can get the attention this issue deserves.

    IMHO, this new recommendation probably won't do anything. In fact, I rather suspect it might even entrench the current position even more. Given the attitudes of the people on the subcommittee, it's crossed my mind that that might be the very reaction they want. (Anyone here ever watch "Yes, Prime Minister"? If I'm correct, Sir Humphrey would be proud of them.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  3. Re:Anyone else find it ironic that... by jd · · Score: 2

    Maybe the story's been encrypted. :)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. Re:Gore Clinton and the House of cards by scrytch · · Score: 2

    Ahem. Who shredded the constitution when he declared the War On Drugs? They all suck. Thank you, drive through.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  5. Re:NSA's text search is not fooled by random keywo by scrytch · · Score: 2

    So perhaps, embedding something like "Clinton and his people need a bullet through the head" and "We will make Oklahoma City look like a firecracker" would trip it off? Or would it be smart enough to see the quotes? How about if I just put it at the end without any surrounding sentences?

    No, not that smart methinks.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  6. Well in reality.... by Militant+Elf · · Score: 2

    This is really insane, I don't understand why they would censor something like
    In syntax checking... please try later

    I personally In syntax checking... please try later with everything that they said.

    Rest of this message is awaiting syntax checking. Return later for the post!

  7. We don't need a third party by DonkPunch · · Score: 2

    We need a fourth, fifth, sixth, etc. party.

    As I see it, the problem with third parties is that they often hurt one of the two primary parties, but usually not both.

    Example: n voters tend to vote Republican, but become disillusioned because they see the party straying from its roots. They support a third-party alternative who draws votes from the Republican party. This results in a Democrat victory. Perhaps the majority did not want a Democratic candidate in office, but their fragmentation put the candidate there.

    My example is hypothetical, but I understand that in one case the Green Party actually drew enough votes from a Democratic candidate to put the Republican rival in office.

    Nationally, America still sees things as X vs. Y. There is something in our mindset which makes us more preoccupied with "winning" than with finding a solution. Our press tends to promote this view -- who else is frustrated with the assumption that the 2000 race will be Gore vs. Bush? We're not even to the primaries yet and already these two are being treated as the only viable candidates!

    I've heard of some success in local elections where "None of the above" was an option. If NOTA wins, they pick new candidates and do the whole thing over. Can you imagine if they did that on a national level? Millions of dollars in campaign money lost to a public vote of "no confidence" -- what a concept!

    --

    Save the whales. Feed the hungry. Free the mallocs.
  8. Other motives? by MadAhab · · Score: 2

    Has everyone forgotten that the NSA et al might actually be able to break encryption commonly in use? If this were true, their fears re: encryption would not be the obviously illogical "criminals will use it". Perhaps they fear:
    • If most communications have mild encryption, the spook machine (cocaine *cough*, sorry, just feeding it) won't be able to keep up scanning ordinary traffic
    • If weaker encryption was common, terrorists, child porn peddlers, and other bogeymen might upgrade their encryption to something stronger just to keep up with the times, rendering their messages actually uncrackable.
    • If all or most traffic were even weakly encrypted, it would be very difficult to scan for messages using strong encryption. Every good police state knows that if you are hiding something, you must be guilty of something.


    I don't have any evidence that the NSA and their panty-boy Clinton actually have the interests of the public in mind, but I see no reason to assume that they are actually stupid enough to think that encryption controls actually work the way they claim.


    Congressional members, that's another matter.

    --
    Expanding a vast wasteland since 1996.
  9. Re:Independent Freedom Measure? by Sun+Tzu · · Score: 2

    I think Amnesty International publishes such a ranking annually.

    However, I'm sure we would all have cause to quibble with their methodology.

    As for your points, yes, taxation must be considered in any reasonable measure. Even export controls would have to be counted, although they might not be weighted very heavily for some obscure items. Cryptography, however, is so central to liberty that it must get some extra consideration.

    I live in the U.S. and encounter the limits of my liberty regularly. One of my interests is cryptography, btw, so I just basically sit on my source code. bleah.

  10. Re:Government hypocrisy by Enoch+Root · · Score: 2
    But it's not in the government's best interest to have the government kept in check, is it?

    Yeah. And it's a pity. Firearms proponents have sometimes claimed that the right to bear arms was designed to keep the Government in check in case it goes bonkers. (I also think it's not a coincidence given this fact that many cypherpunks are pro-guns.) Although I think there are many reasons to disagree with using firearms to keep a Government in check, I think that self-imposed mechanisms to keep a Democracy from turning into Despotism is a wonderful concept.

    Hey, I bet if the USA were founded today, by the same kind of people who founded it and not the current batch of demagogues, Americans would have a constitutional right to strong encryption! :)

    But instead, we get a bunch of paranoid politicians knowing their country is not run straight enough not to fear perfectly secure criticism. And so we get Echelon, strong crypto export laws and a paranoid NSA breathing down cryptographer necks.

    There, the soapbox is available now, I'm done. :)

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  11. Remember these laws are *not* there to slow export by Paul+Crowley · · Score: 3

    This law is as much to stop US citizens from getting convenient crypto as for any thoughts on the non-US market: because products that use strong crypto are export-controlled, people simply make fewer products that are based on strong crypto, to avoid limiting their sales and probably incurring legal costs and general hassle. This means US citizens use lots of products that would have been crypto-enabled as a matter of course, but aren't, because of this law.

    In that sense, it's quite effective despite being manifestly unenforceable and silly.

  12. Why haven't we heard any more about Echelon? by Malor · · Score: 3

    As long as we're talking about government, did you notice how Echelon has just disappeared from the news?

    Just *gone*.

    The last I heard, the NSA, get this, REFUSED to tell Congress about Echelon, citing attorney-client privilege. And we have heard NOTHING more.

    I don't know about you, but this scares the hell out of me. Something is going on, folks. Something bad. We need to keep digging. *Write* your Congresscritter and ask him/her what the status is of the Echelon inquiry. Don't let it fade from their memories.

    Don't let it fade from yours.

  13. it's not about export, it's about standards by jetson123 · · Score: 3
    Export controls are pretty clearly ineffective for keeping strong cryptography out of the hands of terrorists or criminals. That tells us that at the heart of the debate has to be something different.

    I think it's pretty clear that the reason why the administration and the three letter agencies are fighting so hard against easing export controls is because they don't want strong cryptography to become part of the communications infrastructure.

    As soon as export controls are lifted, even just to "friendly" countries, most phone systems and communications standards and systems will incorporate strong cryptography, and routine monitoring of communications (for law enforcement, corporate intelligence, etc.) would become prohibitively expensive. Widespread use of strong cryptography would bring us back to the old days where wiretapping, bugging, etc., required specific targets and physical access.

    This issue won't get resolved until the real underlying issues are recognized widely and the subject gets discussed openly.

  14. Re:Free the Crypto! by Sun+Tzu · · Score: 3

    "...I think that the government could easily throw enough computing resources to crack *any* imaginable encryption in a surprisingly short time."

    heh. You might want to do the math on that. Forget RSA for a moment, as the keylength|security ratio is a special case, and consider a conventional private key system. A 128-bit key has 340282 decillion possibilities. That's 340282000000000000000000000000000000000 if you like digits, or 3.4*10^38. Get out your calculator and see how fast and large a cluster of computers it would take to crack one of those in a year. Then, consider that you'll need 3.4*10^38 times as many such computers to crack a 256-bit key in a year.

    Disclaimer: ...uh, you might want to check my math on that! ;)