A US Congresswoman will re-introduce a bill this year to eliminate encryption export control while the Clinton administration considers easing export restrictions in areas that play a part in electronic commerce, officials said late last week.
"We're looking at areas including ISPs (Internet service providers) and telecommunications," said William Reinsch, Under Secretary for Export Administration, during a meeting of the US President's Export Council Subcommittee on Encryption (PECSE), held Friday in Cupertino, California. "We are asking ourselves -- are there things we can do to help e-commerce?" he added.
The US administration will begin discussions on the topic later this month, according to James Lewis, director of the Office of Strategic Trade and Foreign Policy Controls at the Bureau of Export Administration. Lewis said government officials would also discuss whether to liberalise restrictions on APIs (application programming interfaces).
While the administration considers those issues, Zoe Lofgren, a Democratic Congresswoman from California, said she and Congressman Bob Goodlatte, a Virginia Republican, will re-introduce their Security and Freedom Through Encryption (SAFE) Act, which failed last year.
Lofgren said she did not know when she will re-introduce the bill, explaining that she and her colleagues are all playing catch-up after being busy with impeachment proceedings against the US President Bill Clinton. The Senate impeachment trial started last week following the vote by the House to impeach President Clinton on charges of perjury and obstruction of justice related to his alleged affair with a White House intern.
Lofgren, Reinsch and Lewis were among the guests invited to speak at the PECSE meeting on Friday. The group meets about every two to three months to discuss encryption policy on which it advises the US administration.
The meeting foreshadows policy debates that will take place at the RSA Data Security Conference in San Jose, California, this week. The issue is a hot topic pitting law enforcement, arguing for strong export controls for national security reasons, against privacy rights groups and software vendors who contend that they are losing money by not being able to sell products with strong cryptography outside the US.
In September 1998, the US government relaxed its policy on encryption by allowing companies to export products with cryptographic key lengths of 56 bits or less without obtaining an export license, and by easing the export of any strength cryptography for insurance companies and medical and health organizations and US companies with subsidiaries outside the country. The government also dropped its key recovery requirement under which a third-party organisation would hold "keys" to unscramble the data and the government could get access to it with a court order.
The US encryption policy over the last decade "has been like sticking a finger in a dike," said Kevin McCurley, a cryptographer who works for IBM. The policies have resulted in "impeding progress, obfuscating regulations and confusing people."
Some US companies are still managing to sell strong cryptography outside the country by creating joint ventures with foreign firms where the technology is developed at non-US labs. However, US export officials are troubled by gray areas in these situations where companies may be transferring development information, if not actual technology, to the outside ventures. The Export Administration has investigated at least five companies for allegedly shipping technology abroad, but has found no evidence of violations yet, said Under Secretary Reinsch.
And while officials and vendors grapple with the policies inside the US, the US administration has managed to persuade other governments to impose controls on their exportation of encryption -- even many countries where cryptography was never restricted. This was accomplished as part of the Wassenaar Arrangement signed by 33 countries in December.
Under the Wassenaar pact, which is not a treaty and therefore not effectively enforceable, the countries agreed to restrict export of 64-bit and higher cryptography in mass-market software and hardware and 56-bit and higher cryptography in general encryption products. The pact also decontrolled the export of consumer electronics.
"One positive aspect is that it's woken up the international community," John Gilmore, co-founder of the Electronic Freedom Frontier, told the PECSE group Friday in reference to the Wassenaar pact. "They all now realise that the long arm of the US government is attempting to squash freedom in their own countries."