Restrictions Eased on Encryption Software Exports
The Clinton administration on Monday further eased the remaining restrictions on selling high-powered encryption products overseas, clearing the way for American firms to export to the European Union and several other key trading partners.
The new policy drops a requirement that U.S. companies get a special license to sell encryption products--a process that previously involved a technical review or a 30-day delay.
In addition, the rules allow companies to sell their products not only to businesses and consumers, but also to government agencies, which used to require a special license.
The rules apply to encryption exports to the 15 nations of the European Union, as well as Australia, Norway, Czech Republic, Hungary, Poland, Japan, New Zealand and Switzerland.
The new rules follow the administration’s major turnaround in January, when it finally opened the way for companies to export the hardest-to-crack scrambling technology.
American technology companies and privacy advocates had fought for years for permission to export its encryption technology abroad.
The industry argued that the spread of strong encryption would fuel electronic commerce and reassure consumers that their credit card numbers and other private communications would not be compromised.
White House Chief of Staff John Podesta, speaking at the National Press Club, described the changes announced on Monday as part of an ongoing effort to update U.S. policy.
“The Internet, like Morse’s telegraph, brings with it new possibilities,” he said. “It also brings new challenges to our most fundamental values and the need for new laws and new protections to maintain them.”
Industry and security experts welcomed the latest announcement as another sign of the federal government’s new-found support of liberalizing encryption exports.
“It’s obviously very important if U.S. software companies are going to compete in the global market,” said Amit Yoran a former Department of Defense security official and president of RipTech, a security company in Alexandria, Va.
According to Scott Schnell, senior vice president of RSA Data Security, a top encryption software producer, the new rules are important because they remove restrictions to selling to national governments.
Governments are often the biggest buyers of security software, particularly in the recently democratized nations of Eastern Europe.
“Both the relaxation and normalization around government use of the technology is a realization of the core importance of the security over the Internet,” Schnell said. “This is a tremendous boost for the U.S. software industry.”
But others said that until the regulations can be thoroughly reviewed by legal experts, their impact would be uncertain.
“The devil in this case is in the details,” said Jeff Schiller, a leading security expert and network manager for Massachusetts Institute of Technology. Law enforcement and safety concerns remain, he said. “How are those addressed? I’d be very surprised if they were just lifting the controls.”
He said that he suspects hidden restrictions could still bar the export of such products to the wrong countries.
“Let’s say someone in one of the forbidden countries gets an account on America Online,” Schiller said. “When they use their Web browser to get on the Net, it’s going to say Virginia [where many AOL server computers that route Internet traffic are located]. I don’t know they are from Libya. Under those circumstances who is responsible?”
But Schiller said that any relaxation of export controls is an acknowledgment of reality.
“You cannot turn the tide of technology back,” he said.
*
UPDATING THE RULES
The White House wants to protect e-mail under wiretap laws. A16
