Industry takes new look at crypto regs
Now, one month before the new encryption-export regulations are to be formally adopted, companies and privacy advocates are giving them a Bronx cheer. The companies claim the government's laborious regulation-writing process has excised the gains offered in September.
"There are some people who think that the final regulations could be worse than current law," says Ed Gillespie, president of Americans for Computer Privacy, a lobbying group here that represents commercial exporters.
Narrowed thinking
What's got the industry worried is a series of meetings the Commerce Department, law-enforcement and national-security agencies have initiated with high-tech representatives in the process of writing the rules. The government officials have indicated that they're not thinking as broadly as the industry thought they were in September.
The administration is expected to begin circulating a draft of the new encryption-export policy as early as Monday. The industry will then have roughly a month to haggle over the details before they become final.
The nub of the problem is that the high-tech community believes the final rules won't let them export computer source code --- the digital recipe for a program. According to people familiar with the back and forth, some people at the National Security Agency and the Federal Bureau of Investigation want to ban online sales of encryption software and hardware, an area the industry sees as poised for explosive growth.
'Paranoid' talk
Commerce Undersecretary William Reinsch said the worries are unfounded. "This is the paranoid caucus talking," he said. "We haven't yet drawn a lot of these lines. [Industry representatives] are anticipating things based on ideas people have suggested, not on anything real. In regulations -- writing, lots of people put things on the table that are frankly very stupid."
Both sides, however, are entangled in definitions, including what constitutes a "retail" product. The industry is pushing for a broad definition that would let them sell a wide range of products without a government license.
Another rough spot is defining a "government" entity. If a U.S. firm wants to sell encryption products to an overseas telecommunications company that's partly government-owned -- a fairly common occurrence -- would the exporter need to obtain a Commerce Department license? The administration's answer may be yes, depending on the level of government ownership.
"We're trying to sell things on Internet time," says Ken Glueck, director of government affairs for Oracle Corp. (Nasdaq:ORCL). "What do we say to a customer? 'Thanks for your order. We'll get back to you in seven days once we analyze your ownership structure'? "
Policy change
Pinning the government down has been its own frustration. "It's misleading to think that the government has a unified voice at this time," said Roszel Thomsen, counsel for Alliance for Network Security, which represents Cisco Systems Inc. (Nasdaq: CSCO), Lucent Technologies Inc. (NYSE: LU), Microsoft Corp. (Nasdaq: MSFT) and Sun Microsystems Inc. (Nasdaq: SUNW), among others, in the negotiations. "The intelligence agencies would prefer a narrow definition of 'retail' and a broad definition of 'government,' " he said. "They certainly have an influential voice, and in between a two-page announcement and a 40-page regulation there's room for a lot of mischief."
The Clinton administration's policy change had been announced with great fanfare if few details, and coincided with a Silicon Valley fund-raiser for Vice President Al Gore's presidential bid.
The two-page statement released at the time indicated companies would be able to sell encryption products to commercial firms and non-government users after a one-time technical product review by the Commerce Department. Also after a one-time review, firms could ship specialized, custom encryption products to companies or individuals abroad.
Further, the White House said, companies would need to obtain a Commerce Department license before selling encryption products to foreign governments. They would also have to turn over customer lists, and some countries would be off the list entirely -- notably Cuba, Iran, Libya, North Korea, Sudan and Syria.
Still, the new regulations would be groundbreaking. For years, FBI chief Louis Freeh and other law-enforcement and national-security officials had argued successfully that the United States must restrict the international spread of data-scrambling capabilities. Strong encryption products, they said, would be a boon to terrorists and criminals. To placate the FBI and others, the White House promised to push for extra money to help develop digital-age crime-fighting methods.
Stirring the pot
The high-tech industry, intent on a major relaxation of the export rules, is busily stirring the political pot.
"This is not the time for the administration to be backpedaling," said Greg Garcia, manager of corporate government affairs for 3Com Corp.
(Nasdaq:COMS). The new rules, he noted, are due to be published Dec. 15, just weeks before Gore begins a series of presidential primaries. "We welcomed this with open arms and we would like to keep our arms opened," Garcia said.
Meanwhile, high-tech lobbyists have continued to push for legislation to change the rules, and have found no shortage of lawmakers eager to offer a solution.
Last week, House Majority Leader Dick Armey, Rep. Tom DeLay of Texas and other Republican House leaders fired off a letter to President Clinton, urging him to live up to his promises. "If the regulations in December fail to meet the rhetoric from September," they warned, "the confidence of the high-tech industry, American computer users, or Congress in the administration's ability to establish a balanced and reasonable encryption policy would be severely shaken."