The Clinton administration's newly revised policies on the export of encryption technologies look amazingly good. But there are more than a few details to be revealed that may still change the picture.
For years, the Clinton administration seemed to be operating in a fantasyland -- a land where the only smart people lived in the US, and no one outside the US knew enough to develop good encryption technologies.
This was a fantasyland where the bad guys would be too stupid to use readily available, secure encryption software and instead would use administration-approved software that saved a copy of the encryption key for the government's use. For some reason, the administration has suddenly decided to move out of fantasyland.
At a September 17 press conference during which encryption was described as "a privacy- and security-enhancing technology", the Clinton administration announced that it was removing almost all US export controls on encryption technologies. You still won't be able to sell encryption technology to anyone in a country that the US has labelled as a supporter of terrorism. Nor will you be able to sell custom encryption software or hardware to foreign governments or military establishments without specific approval.
You will be able to sell retail products to foreign governments and military establishments, as well as sell custom encryption products to anyone other than those restricted above. But you will need a "meaningful technical review" (in the words of the Department of Defense representative) before you can sell any encryption products overseas, and you'll need to provide the US government with a list of your customers.
Finally, the administration was able to understand that good encryption is a necessity for good security. As the Defense Department representative said: "We [the Defense Department] strongly need the sorts of protections that come with strong encryption."
This new policy is one part of a three-part proposal. The other parts are additional funding for an FBI-based Technical Support Centre to help law enforcement agencies "respond to increasing use of encryption by criminals" and new laws that will protect any encryption-related techniques that law enforcement uses from discovery if a case comes to trial.
But it is too early to fully rejoice. The details about what the technical review will consist of, how long it will take and what the government wants to do with your customer lists have yet to be announced. These details are due by December 15.
I don't know what caused reality to seep into the administration's thought process. But whatever the reason, it looks like we may just be getting a Christmas present that will help make the internet and our privacy a lot safer in the next century.
Disclaimer: For Harvard, centuries come and go with many exigencies of the moment along the way, and the above is my view of this one.
Scott Bradner is a consultant with Harvard University's University Information Systems. He can be reached at firstname.lastname@example.org.