On Thursday Clinton administration officials announced they had persuaded representatives from 32 other countries to impose strict new export controls on the computer data-scrambling technology known as encryption.
"If this becomes the standard, then we will see a lot of companies opting out of e-commerce," said David Banisar, policy director of the consumer group Electronic Privacy Information Center and co-author of The Electronic Privacy Papers. "The level of trust companies have in today's encryption [software] is definitely hurt by the agreement."
At a meeting in Vienna Thursday, the 33 nations that have signed the Wassenaar Arrangement -- a military policy forum limiting arms exports -- agreed to impose controls on the software that includes encryption using key lengths of 64 bits or longer. For the first time, the Wassenaar signatories also agreed to limit mass-market software, said U.S. special envoy for cryptography David Aaron.
Aaron claimed the agreement went "a long way in levelling the playing field for exporters and promoting e-commerce." Companies that might be affected by the agreement felt differently. "The Clinton administration current policy contains burdensome reporting requirements on 56-bit exports," said Americans for Computer Privacy in a statement released late Thursday. The ACP is an organisation formed by companies with a vested interest in relaxing export controls on encryption software.
The ACP hopes the U.S. and other countries will eventually remove export restrictions on all mass-market encryption products. Leading U.S. high-tech companies, including Microsoft Corp. and Intel Corp., have complained that the lack of restrictions in other countries hampered their ability to compete abroad. The industry has sought to have U.S. restrictions relaxed or repealed, but has not asked for tighter controls in other countries.
Technically adept countries that aren't part of the Wassenaar Arrangement, such as China and Israel, could create competing encryption products and be more competitive than U.S. companies. "If there are to be constraints, they ought to be evenly applied," said Jeff Smith, the ACP's general counsel, in an interview.
Observers also pointed out that Wassenaar representatives are typically from a country's military or foreign service organisations, so they hardly represent broad interests. "Countries can implement the agreement as they want," said Banisar. "Most of these countries probably won't do anything at first. Since many have just finished drafting encryption policy, they may ignore the agreement completely." Wassenaar signatories include the United Kingdom, Japan, and Germany.
The agreement also raises a question of trust, said EPIC's Banisar. By resetting the level of "acceptable" encryption at 64 bits, watchers now know that all the Wassenaar countries will be able to crack such encryption. "By allowing a 64-bit standard, the U.S. is saying that it is not secure," he said.
Encryption uses mathematical formulas to scramble information and render it unreadable without a password or software "key.'' One important measure of the strength of the encryption is the length of the software key, measured in bits -- the ones and zeros that make up the smallest unit of computer data. With the increasing speed and falling prices of computers, data encrypted with a key 40 bits long, considered highly secure several years ago, can now be cracked in a few hours. Cutting-edge electronic commerce and communications programs typically use at least a 1,024-bit key.
Privacy advocates have staunchly opposed U.S. export controls on encryption, arguing that data-scrambling technologies provided a crucial means of protecting privacy in the digital age. "It's ironic, but the U.S. government is leading the charge internationally to restrict personal privacy and individual liberty around the world,'' said Alan Davidson, staff counsel at the Center for Democracy and Technology, a Washington-based advocacy group.
Special envoy Aaron said the Wassenaar countries agreed to end an exemption for widely available software containing encryption capabilities. "They plugged a loophole,'' he said. The new policy could also reduce reporting and paperwork requirements and specifically excluded from export controls products that used encryption to protect intellectual property -- such as movies or recordings sent over the Internet -- from illegal copying.
Reuters contributed to this report.