US Report: Clinton administration to ease grip on crypto exports

According to Administration sources, the White House will loosen its grip on the technology in several areas central to the five-year argument over the issue. Among other things, the new policy will relax controls for sales to specific industries, including e-commerce, medicine and insurance.

The liberalisation will fall far short of what Administration critics wanted. Even so, many crypto advocates expressed hope their position will continue to gain ground. "It's not as far along as my bill would go, but it's a significant improvement on our current policy," said Republican, Zoe Lofgren, of California, a sponsor of encryption liberalisation legislation in the House and one of several key Democrats briefed on the issue on the last two days. "It will still give us something to argue about next year."

Electronic encryption, or the process of scrambling information so that only its intended recipient can read it, is widely believed to be the sine qua non of secure commerce and personal information on an insecure Internet. To date, however, Federal policy has required stringent licensing of encryption technology that uses digital codes, or "keys," longer than 40 bits in length. Law enforcement has insisted on that restriction so that the encoding technology cannot be used to thwart surveillance techniques used in investigations.

Under an exception granted in December 1996, however, the government has allowed exports of equipment whose keys are as long as 56 bits, or roughly 64,000 times more powerful than 40-bit products. That exception was granted companies that committed to develop technologies to give law enforcement "lawful access" to messages encrypted with their products through various back doors built into them. Notably free from those restrictions have been foreign financial institutions, which in most cases have been able to buy U.S.-made encryption software of unlimited strength since last year.

That exception will be broadened under the new policy, sources said. Now, insurance companies, handlers of medical records and companies that use specialised transaction software to do business over the Internet will be able to buy American encryption software after a one-time review of their purchase plans by the U.S. Commerce Department. In addition, administration sources confirmed Tuesday evening, the government will no longer require prior approval of "key recovery" agents, who hold spare keys to encoded messages for law enforcement.

Some 45 nations, including Russia, China, Venezuela and Mexico, will likely be ineligible for the relief control as long as the U.S. government believes they harbour money-laundering operations, however.

Finally, administration sources said, any U.S. company will be able to export powerful encryption technology to its own subsidiaries as long as it does not share the technology with non-US companies.

As before, public interest groups said they believe the new policy does not go far enough. Since Vice President Al Gore promised relief for medical records, e-commerce and financial institutions some two years ago, critics said the policy is more a belated catch-up than anything truly new. "It's a divide and conquer strategy," said David Banisar, policy counsel with the Electronic Privacy Information Centre. "This will help a few large users, but the average consumer is out in the cold."

Wednesday's announcement is only the latest step in a years-long journey from complete control to liberalisation. Though the FBI and others within the national security apparatus have insisted on tight controls, information technology companies and public interest groups have fought them bitterly, insisting a flood of foreign products will soon take over a world market which was once almost exclusively America's. As foreign producers have mounted - more than 500 foreign products are now stronger than what can usually be exported from the US - that pressure has increased.

The steady march of computer technology, too, has rendered once-secure products obsolete; the Electronic Frontier Foundation, for instance, unveiled a computer last June which can crack messages encrypted with 56-bit keys in hours. Until recently, the FBI had claimed such messages could be cracked only in a matter of months, if not years. Dan Scheinman, vice president for legal and government affairs at Cisco Systems, said the latest proposal wasn't his company had hoped for. Even so, "Anything that provides broader relief is a step in the right direction," he said.

Meanwhile, the administration has its defenders. Stewart Baker, former counsel to the super-secret, encryption-controlling National Security Agency and an attorney who negotiates export agreements for industry, called on critics to give the administration more credit. "I think this is a significant walking away from an emphasis on law-enforcement access," he said. "What this says is if there's a market for security, we ought to think about liberalising. It's a big step and it foreshadows more.