Why Banks Should Care About the Crypto Wars Erupting in Washington

Rules governing the export of encryption are in a state of turmoil. Traditionally, the U.S. Government treated encryption (long regarded as the domain of spies, diplomats and the military) as a defense article on the U.S. Munitions List. However, with the advent of public key cryptography and the rapidly increasing commercial need for encrypted transactions over the Internet, the Clinton Administration has been under intense pressure from a variety of players in the electronic commerce industry to loosen restrictions. At the same time, the national security and law enforcement communities want to maintain their ability to decrypt the communications of hostile governments, terrorists and organized crime; they have opposed liberalization of export controls.

KEY RECOVERY

As a result, the Administration has issued an interim rule which authorizes the export of 56-bit encryption, up from 40 bits, based on a one-time review of the product, provided the exporter commits to developing and implementing "key recovery" procedures within the next two years. It also allows the export of encryption of unlimited strength, also subject to key recovery procedures. The interim rule not only transferred export licensing authority over commercial encryption products from the State to the Commerce Department, but also gave the Justice Department review authority over encryption exports for the first time.

The Administration views key recovery as a "market-driven" solution. But market demand for key recovery hasn't been proven. It also is unclear how key recovery will function if the U.S. government wants access to keys located in a foreign country which does not want to provide access. (The U.S. intends to try to negotiate bilateral agreements, but they are not yet in place.) Nonetheless, the Commerce Department has moved quickly over the last few months to make key recovery a reality by approving several dozen applications from companies such as IBM, V-ONE and Sybase.
Some of these products allow for self-escrow and no involvement by trusted third parties. In addition, the Commerce Department recently approved applications to export 128-bit cryptography without key recovery to wholly owned foreign subsidiaries of major U.S. companies, as well as to banking end-users abroad.

Not all exporters, however, have sought approval from Commerce. In May, Sun Microsystems announced that it had licensed an encryption product from Moscow, Russia-based Elvis+ Co. that offers 128-bit and triple-DES encryption. Sun plans to resell it worldwide without either key recovery or the Department of Commerce's approval. The Commerce Department is reportedly looking closely at the matter.

Congress has joined the fray. In late June, the Senate Banking Committee approved the "Secure Public Networks Act of 1997" (S.909), jointly introduced by Senators John McCain and Bob Kerrey and supported by the Administration. The bill was largely drafted by the Justice Department and has drawn criticism from the industry because of its strongly pro-law enforcement provisions. It would provide, among other things, a partial limitation on liability for key recovery agents; require key recovery for all secure networks built with federal funds; make key recovery agents register and disclose keys to the government (even without a court order); create some 15 new federal crimes relating to encryption; and authorize extensive new regulations and the imposition by the government of fees on the industry to pay for such regulation.

CONFLICTED CONGRESS

In contrast, the "Security and Freedom through Encryption (SAFE) Act," introduced by Rep. Bob Goodlatte, would significantly liberalize encryption export controls and prohibit mandatory key recovery. Working its way through the committee process, it could go to the floor for a vote later this year. The Administration opposes it.
With the prospect of irreconcilable measures emerging from the Senate and House, the likelihood of a Congressional fix appears increasingly remote and irrelevant to the Commerce Department's game plan.

Internationally, the United States has tried unsuccessfully to convince the Organization for Economic Cooperation and Development to endorse key recovery. In March the OECD issued its non-binding Guidelines for Cryptography Policy, which show a lack of consensus in the group. Several OECD countries, such as the United Kingdom and France, are joining the United States in promoting key recovery on a unilateral basis. Other countries, such as Japan, are developing strong encryption products without key recovery. Multilateral consensus having so far failed, foreign availability may prove the final arbiter.
