Crypto compromise a lawyers' delight

It's supposed to ease encryption export controls. But have the Clinton Administration's new regs instead created a legal maze?

Even as industry celebrated the Clinton Administration's new, more liberal rules on export of encryption technology, civil libertarians said Thursday that the new regulations raise some of the same issues as the old ones. "These regulations are preserving the ability of the government to get in the way of the export and the use of strong cryptography," said ACLU Associate Director Barry Steinhardt. "They've been unwilling to simply deregulate, I think because of pressure from the NSA and the FBI who are unwilling to give up the ghost."

The US Commerce Department has long held tight restrictions on the export of strong cryptography, largely at the behest of law enforcement and intelligence agencies, who argue that untappable communications could enable terrorists and criminals to plot in secret. Technology companies, mindful of overseas competition in the security and privacy field, have generally been aligned with civil liberties groups who support the privacy enhancing technology.

With the new rules, scheduled to go into effect Friday, software makers have unprecedented freedom to offer strong encryption software overseas. But civil libertarians, while hailing the new regulations as a major advance, aren't ready to celebrate.

"The problem is the government still has the power to review, and presumably deny, the distribution of information relating to encryption," said David Sobel, general counsel at the Electronic Privacy Information Centre. "Industry has the clout in this debate, much more so than average users and privacy advocates ... What we have always sought is decontrol of this technology, and this is not that.

"They have substantially liberalised export rules, but there are still export rules," Sobel said.

The old export rules were ruled unconstitutional by a federal appeals court in the case of mathematician Daniel J. Bernstein, who sought the right to publish his cryptography research on the Internet despite its international reach. The case is ongoing, and Bernstein's lawyer has until 4 February to brief the 9th Circuit Court of Appeals on how the new regulations affect the arguments.

"On one hand the government has really done some good things here, it looks like a lot of cryptography is going to go out and that's a good thing," said plaintiff attorney Cindy Cohn. "But I don't think there's anything about the subject matter of encryption that justifies treating it differently than any other software, and there's no justification for treating things in electronic media differently than any other media."

"It's a step forward," acknowledged ACLU's Steinhardt. "But the regulations create a maze that only the well-heeled with a battery of lawyers are going to be able to navigate."

Noted cryptographer Bruce Schneier, president of Counterpane Systems, agrees. "It's certainly a good thing -- the ability to export mass market software is a good deal," said Schneier. "But it doesn't address the fundamental Constitutional issues, so that still has to be dealt with ... and it's too complicated for anybody except lawyers who know the field and that's really bad."

But to Schneier, whose book, "Applied Cryptography", was exportable in paper form while restricted on disk, the new rules have a more immediate impact. "It now means I can sell my source code disks to anybody," Schneier said.
