Slashdot Mirror
US Relaxes Crypto Regulations
Guru Meditation writes "CNN reports in an article that Clinton has decided to relax the export restrictions on crypto products, both hardware and software. " The Washington Post also has some good coverage of this. As part of the deal, the FBI will get funds to create a new "code cracker" unit. The Administration, however, did drop the proposal to require backdoor entrance for the government. The new regulations will allow selling to virtually any country, with a few exceptions for nations deemed a national security threat.
Here is the actual whitehouse briefing. The articles had no info on online or free software distribution, because the press release had no information. Our media has gotten so absurdly lazy, they don't bother to inquire about anything.
It would be good if someone could find an online copy of the actual Executive Order.
----
----
Open mind, insert foot.
>mathematicians and computer scientists, and the clock cycles to help 'em?
Be afraid.
The FBI is chartered for domestic survailance. The NSA is not. This new unit is to spy on you.
----
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
The FBI's charter however is:
The NSA's goal is to provide signal intelligence from foreign sources while the FBI's goal is uphold federal law and protect the US against foreign threats. They can be a consumer of information from the NSA if it relates to protecting us from foreign threats but not for residents breaking federal law.
If I'm forced to have an orginization trying to spy on my signals I'd rather have the FBI do it, they won't have near the resources of the NSA (the worlds leading employer of mathematicians). To reduce the chances of me being spyed on I avoid breaking any federal laws.
Second, the text of the bill indicates that software designed for end-users will be more readily approved. This indicates a bias against products that will protect whole networks and provide a secure infrastructure; insuring that secure communications will remain the exception rather than the default.
Third, the timing of this decree is obviously designed to kill the SAFE bill. The SAFE bill not only goes further in liberating crypto exports, but also carries the force of law. Repealing a law is a large affair, requiring a vote of congress and thus allowing the public time to lobby, cuss and complain. This decree does not dismantle the export regs, and they can be tightened to previous standards with a stroke of a pen and no opportunity for public comment.
Do not let this kill SAFE! Lobby your congresscritter!
Not so much a sig as a lack of one.
"Serving the national security interest" and "protecting law enforcement capabilities" were apparently not the reasons for restricting export in the first place. We have always been at war with Eurasia.
--
Fuck the system? Nah, you might catch something.
One thing that I never understood about the US crypto laws was this:
...
Is it OK for a US citizen to *import* strong encryption?
If the US laws state ony that crypto shouldn't be exported, then the law is becoming a bit of a non-issue. There arc plenty of good encryption algorithms and sopftware coming from outside the US, from places like Israel, etc.
Perhaps this change of heart is to prevent other countries adopting draconian export licenses which would hinder US software houses. Of course, export laws will never hinder covert organisations who will use the best available crypto code regardless of laws
Chris Wareham
Something that just occurred to me upon reading that the FBI is getting concessions, and recalling that Louis Freeh (the FBI director) has been so anti-crypto.
The US government does not prohibit US citizens from using cryptography, no matter how strong, as far as I know. PGP and so on are just fine for US citizens to use. The government just doesn't allow their export.
So, the crypto regulations that the US has are, in theory, supposed to prevent foreign interests from getting strong crypto. The regulations don't work, of course, but that's the motivation for them.
The FBI is a domestic law-enforcement agency. Practically everybody it's supposed to be watching is already allowed to use crypto. The people who would benefit from the export regs (if they actually did anything) would be the CIA and the NSA, which monitor international communication.
So, why is the FBI in a position to receive concessions when the export regs are relaxed? They shouldn't be in a position to benefit from the regulations in the first place!
The NSA doesn't officially have a charter. Or at least, if it does, you, I, and everyone else are not allowed to see it. The desription on the web page is filtered through some rose-colored glasses. NSA does not, and is not legeally required to, stick solely to foreign SIGINT. They tend to, because otherwise they piss off other US spy agencies, but they will do, and have done, whatever they feel is necessary, including domestic snooping on many occasions.
In general, though, your conclusions are sensible. The FBI is not nearly as competent, so I'd much rather have them trying to decode my bomb plans, or laundry list, or whatever. :-)
----
We all take pink lemonade for granted.
There is no K5 cabal.
I am not the real rusty.
What we know so far:
Few details have been released. The only official words on the subject seem to be yesterday's White House briefing, which is more like press release cheerleading than hard policy. The briefing was conducted by:
Reinsch's role in the briefing was mainly to answer procedural questions about Wassenaar and technical review. Swire spoke very briefly in support of the upcoming Cyberspace Electronic Security Act, and talked about how key escrow will make all our lives better.
That leaves Steinberg, Reno and Hamre -- noted opponents of private crypto, all three -- to express their support for the Administration's decision to relax export controls.
I smell a rat.
As others have noticed, the closest thing to a firm commitment that has been made is that a "license exception" can be made for products that pass a "one-time technical review." The details of the technical review are not forthcoming: Secretary Daley says, "That will be developed over the next number of weeks." Nor do we know under what circumstances a license exception will be granted. This has all the earmarks of being all talk and no action.
Maybe this is the most telling part of the briefing:
I am not getting my hopes up. The right thing for us to do is to contact our Congresscritters and make sure they understand that it is still important to pass SAFE -- maybe more than ever.
Slightly offtopic to the article, but relevant:
One of the great things about electronic communication is that it gives the common man instant lobbying power.
One of the greatest things Slashdot:YRO could do is to post a tool, or a permanent link to a tool, that lets you quickly and easily determine who represents you. I have occasionally seen posts with links to sites like Project Vote Smart that provide this ability. More frequently I have seen posts where people have formatted excellent letters to send to your congressional representatives that address various issues (UCITA, Microsoft trial, etc.), but I still have to do a lot of rooting around to find out who my current representatives are.
This process could all be streamlined right here on YRO, if there was some kind of simple tool (enter your ZIP, up pop the email addresses of everyone who represents you).
There are a lot of intelligent opinions on Slashdot. We need to make them visible in the political arena.
Microsoft will find it far easier to export W2K (which includes e&e Kerberos)
My company *might* be able get an export license for a Kerberized Linux distribution. Or it might not, since my company is still at the "one person in the garage" stage. Red Hat wouldn't have this problem, but if the export license prohibited export of source code they're still dead in the water due to the GPL.
Debian wouldn't have a snowball's chance in Redmond of being able to carry my (US) Kerberos packages on their pages.
To me, this proposal is proof that "social engineering" isn't limited to crackers. This proposal will get industry lobbyists off the administration's back, and it gives them the perceived moral high ground on the Sunday morning talk shows. ("We've removed all but token obstacles to American businesses competing in the world market. Only drug running child pornography terrorists will be impacted, and We Don't Want To Help THEM, Do We?!")
WE know that it also hurts us, but we also know that we're all a bunch of pinko communists. Just look at the "exposes" that appear on a regular basis.
Finally, as others have pointed out Executive Orders can be rescended, often with no basis in reality. E.g., I'm still showing my passport to board domestic flights because TERRORISTS BLEW UP TWA 800. That theory has been discredited for years, but the EO that grew from it is still in effect. I would not be surprised if this EO blocked passage of SAFE, then in 6 months some crisis is manufactured which justifies slamming the door again. Naturally products with licenses (e.g., W2K) will be grandfathered.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Can anyone with better insight into this whole soap opera answer the question that is notably missing from the press coverage, namely what this means for open development and online publishing?
:-) )
/. is like a steer's horns, a point here, a point there and a lot of bull in between.
I understand that is means companies like AOL, NA and co. can now get one license to export crypto products that would cover all shipments of the product, but it doesn't say anywhere that the regime will actually grant that license, or anything about the terms required. And while a company might be able to negoiate the terms with the american regime, that is completely out of the question for an open source effort, right? (I mean, they would still need to have it re-evaluated with every version).
What about the proffessor who posted his crypto routines on his webpage? As I understand the new law, he might actually be able to do it, but only after applying for a license and being granted one. Wow, that is sooo much better.
It seems to me that this is a bit out of touch with reality. It makes it clear how to export shrink wrapped crypto software, but how many of you bought your crypto software in a shrinkwrap anyways? The real issue is online, I couldn't care less if I will now start seeing american crypto products in stores here.
Good for Microsoft though... (they can dump the whole key thing and include the crypto modules in NTs installation now - just in time when the PR damage has been done, how sweet
-
Yeah. I read the wired article and had the same reaction you did. I thought I'd post the link since it is a very good article: http://www.wired.com/news/news/politics/story/2181 0.html
I think the Clinton administration is just throwing the dog a bone on this one. They have eased up only slightly on large companies with existing export agreements on crypto previously approved for export. In the future, a company will have to go through an export review only once before being allowed to ship crypto inside of another product. There is clearly no mention of freeware or OSS products in these press releases.
What this bill does not cover includes sales to any foreign government, military, or ISP. Those will still require a case-by-case review. Only products that meet the requirements for law-enforcement intercept will get this one time approval, so key-escrow and door-bell systems will quickly get the green light, others will have to slog through a years long process. They will still criminalize exports to "terrorist" countries, such as Cuba, but allow it to friendly nations like Columbia.
Nobody gets to see the wording of this new policy until December, so it is hard to tell why Hamre and Reno are smiling at this announcement. I have a feeling there is nothing new here except a minor improvement for big companies in return for a drop-in-the-bucket US$80million for a dedicated cryptanalysis team for the FBI. Its just a PR move.
For another slightly pessimistic view, go read this San Jose Merc article. Given the track record of the administration, I really don't think they've suddenly given up the fight and want strong crypto everywhere.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
The Bureau of Export Administration (BXA) has updated its encryption web site to include information on the new policy. In the question and answer page appears the following :
8. Is source code allowed to be exported under a license exception or does this policy only authorize the export of encryption object code?
Source code will continue to be reviewed under a case-by-case basis. This update will allow the global export of object code encryption software under a license exception.
This confirms the fears of many posing here that OSS crypto is NOT covered under the new policy.
They also had an item this morning that seemed to imply that they were still hoping for some sort of key escrow for law enforcement, but it has since been pulled.
It should be interesting to see how contined restrictions on the export of crypto source code are rationalized. The stated reason source (and object) code was treated differently from printed matter in the past was that such code represented an encryption "device". Clearly this continued restriction on source code export is designed to hobble freely available packages such as SSH, PGP and GnuPG. Why? So that export of crypto can be confined to business entities that can be pressured to play ball with the Government. Paranoid rant? I don't think so.
Howard Owen hbo@egbok.com Everything's Gonna Be OK Consulting
"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
Besides the "party line", which I'm sure we'll hear plenty about, what's really going on? Why so sudden? Which of the following options have come to pass?
1) NSA can factor prime numbers?
2) NSA/FBI finally gave in after the finalists for AES (successor to DES which they can brute-force) were announced since they can crack them all (and PGP, and RSA, and elliptic curve)?
3) The U.S. military has become so heavily dependent on TCP/IP that they need a secure infrastructure throughout the Internet.
4) NSA has developed effective nano-mites which effectively render all encryption obsolete via a physical side-channel attack?
5) Intel's microprocessor dominance is now assured. And the NSA has inserted a microcode hook (can you say, "mask technician?") in all Intel processors (cf Ken Thompson, "A well installed microcode bug will be almost impossible to detect.")
Reply with your speculative other options. Remember "only the paranoid survive."
--LinuxParanoid
That's debatable.
First of all, I am not sure the Wassenaar agreement has anything to do with crypto. I thought it was more about intellectual property (but I may be wrong).
Second, don't forget that some extremely good crypto has been issued from Europe and the rest of the world. For instance, IDEA (which is used by PGP) came from Switzerland. Another crypto proposal, which is currently under review as one of the possible US federal standard, issued from a group of researcher in the Netherlands. Some scandinavian firms, such as DataFellows which is from Finland (I think) already produce some pretty good crypto software, based on Blowfish and IDEA.
There is a lot of money to be made, that's for sure. Which is certainly one of the reasons for this display of crypto love. But I don't think it's the only one.
Then again, what do I know? =)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Rejoice, crypto friends! Strong encryption is now about to be legalized in the US... Or is it?
Here is a quote that I like (from the Washington Post):
Pressed to explain the turnabout, Reno and Hamre said their concerns were assuaged by the administration's pending introduction of legislation called the Cyberspace Electronic Security Act of 1999, which would give the FBI $80 million over the next four years to establish the new code-cracking unit.
That's really interesting. Up until now, the NSA was not allowed by the law to conduct SIGINT (code-cracking) operations against US citizens. Now, this new law gives the FBI a spanking, brand new unit, specialised in... tada! code-cracking! I think this little outfit will be more like a joint-venture between NSA and FBI. It happened before -- but now it's going to be legit.
Think about it for a second: who is the ultimate authority in code-cracking? NSA. Who has been playing the little game of crypto for the past 20+ years? NSA. Who has the brain- and CPU power to do some serious code-cracking? NSA. I can't believe, for more than 10 seconds, that this agency is going to just stand there and let the FBI have it its own way, especially since these people have been very cosy for a number of years now. Expect some interesting stories to surface in the near-future... I really expect the NSA to start spying on US citizens. Maybe not on a scale on a par with the "Echelon" project, but certainly a lot more often than what was the case previously.
Another important question is: WHY NOW? Why accept a law these people have been fighting tooth and nail for the past 5 years?
Is it because there really isn't any choice and crypto's Pandora box is open? It's possible. The rest of the world has been doing a great job creating strong crypto, despite (or because of) the silly US ban on export.
Is it because NSA scientists would like to get fat stock options from new Silicon Valley start-ups? That's possible too. Some of these people are incredibly smart, and it must hurt to see so many bad code out there, while they are the cream of the crop, but can't talk because of the security involved. Expect plenty of little, unknown crypto companies to appear overnight if that's the case.
Is it because the NSA has found a new way to factor prime number? That could also be the case... Imagine 2048 bits crypto cracked in 15 seconds flat and 4096 bits in half an hour, due to to some ultra-secret mathematical breakthrough. Why keep on playing the export control game? Just let crypto go free. NSA can read your e-mail anyway. Oh, and your SSL transactions as well. Of course, it's not going to publicize that fact.
Yeah, I know. I *am* getting paranoid... =)
But you have to admit this last scenario makes sense, all of a sudden. It certainly explain the change of heart of this ultra-secretive organization. And the fact that it makes Al "I invented the Internet" Gore looks good doesn't hurt, either.
Just my $0.02...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
According to the Washington Post article,
* The legislation hasn't been introduced yet; wait 'til December to see if there's a change of heart.
* The backing for it appears to be tied towards some not-yet-introduced "Cyberspace Electronic Security Act of 1999", which includes the FBI code-cracker funding. I'd be curious to see what other provisions are intended.
* Companies still need to get a (one-time) certification for export, so you're still not home-free.
* They still oppose the "Security and Freedom through Encryption Act", on the odd grounds that the only people who would be safe "would be spies"...
Only the dead have seen the end of war.
You can find the full text of the bill itself and an analysis here:
http://www.epic.org/crypto/legislation/cesa/
It appears that 64 bit encryption will be allowed, and 128 `may be' allowed if it is designed for `end users' and does not require very much tech support, and is not being exported to the 7 `terrorist' countries.
I also read in a transcipt of a White House briefing that Wassenaar will be modified to reflect this somehow, but it was somewhat vague...
Something else interesting is this so called 3rd party key repository which people can optionaly deposit thier private keys for `backup' purposes. The Government of course can get access to any key this 3rd party has after getting proper `judicial authorization'. I am sure we will see alot of Government BS to try and convince people to deposit thier keys...
--He who gives up liberty for security ends up with neither. --Benjamin Franklin
Ethan
o yjoml oy jsd dp,yomh yp fp eoyj no;; v;omypmd jrsf nromh dvts,n;rf
-=>>=-