Encryption Law Is A Tough Area

Friday, January 1st, 2016

Peter Browne is a casualty in the encryption wars.

For the past year, Browne, senior vice president of information security for First Union Corp., has been unable to move aggressively on plans to implement an ambitious brokerage application on the bank’s Internet site. Why? Because, despite a red-hot battle between the White House on one side and encryption vendors and many Congress members on another, current law prohibits U.S. companies from “exporting” any product containing strong encryption. This means it would be illegal for $103 billion First Union, the nation’s sixth largest bank, to use strong (greater than 40-bit) encryption to encode financial transactions originating with customers outside the United States.

“Strong encryption technology is absolutely critical for all the product and system plans we have,” says Browne, in Charlotte, N.C. “These restrictions have hampered us from expanding our higher-risk [Internet-based] transactions like brokerage.” Without the ability to use strong cryptography to encrypt messages going overseas, First Union would have to pass up the opportunity to expand its electronic commerce applications.

Every company hanging out a shingle on the Internet is courting customers outside the United States–even if the company doesn’t officially bill itself as “global.” This means millions of companies–both within and outside the financial industry–are having to delay or even scrap plans to expand electronic commerce initiatives because of the restrictions on deploying products containing strong encryption to their foreign subsidiaries. (Companies can apply for a license to deploy or “export” products containing encryption technology to their offices abroad, but the process may be time-consuming and is easier in some industries, such as finance, than others.)

Although battle-scarred as of a few weeks ago, Browne is no longer a victim in the fight over encryption-policy reform. On May 8, William Reinsch, Undersecretary of the Bureau of Export Administration for the Department of Commerce, issued a press release saying the DOC would allow the export of the strongest available data encryption products to support global electronic commerce–specifically for financial transactions.

That’s certainly good news for First Union, because the newly relaxed policy applies directly to the bank’s plans for an Internet brokerage application. But while Browne moves ahead, he remains skeptical of the Reinsch initiative, because it’s not a full-blown regulation. Says Browne, “The restrictions are allegedly lifted for financial transactions. But the regulations haven’t even been drafted yet,” so companies won’t know the details on the new policy for some time.

For another thing, the new regulations will apply only to commercial transactions. “The new relaxation on the rules of export is only for electronic commerce. For us, it’s very helpful. For some other multinational corporations, they’re still hamstrung,” says Browne.

Browne is far from the only one to feel the squeeze of the encryption laws. Merrill Lynch has shelved the international version of its Merrill Lynch Online financial service, which has been a tremendous success with more than 150,000 subscribers in the first six months of the offering. “We decided this would be a domestic-only offering until the laws change,” says Randal Langdon, director of interactive sales technologies for Merrill Lynch, in Princeton, N.J.

That is, unless or until the SAFE (Security and Freedom through Encryption) Act and the Pro-CODE (the Promotion of Commerce Online in the Digital Era) Bill–now making their way through the legislative process–become law. These bills would substantially relax the current encryption restrictions and give companies more freedom of choice in choosing the type of encryption they prefer.

SAFE and Pro-CODE are at the heart of another aspect of the encryption fight: the Clinton administration’s mandate that companies provide the government with keys to “unlock” any data that is encoded with strong encryption so it could be quickly deciphered if a crime were committed. Encryption vendors and privacy advocates remain vehemently opposed to any scheme that makes the government a third-party trustee for the keys to encrypted data.

News of the coming relaxation on encryption exports comes amid further advances in the fight to reform current law. Introduced in March, the Clinton administration’s Electronic Data Security Act of 1997–which proposed government access to encrypted data through a key-escrow program–fizzled out in April after failing to get any support.

Then, on May 14, the House Judiciary Committee unanimously passed the SAFE Act, which would eliminate the current export restrictions on products containing strong (i.e., greater than 40-bit) encryption. The act now moves to the House International Relations Committee for debate before continuing through the legislative process.

Even CIOs not drawn to the vagaries of legislative reform will be interested in the upcoming changes that will make it easier to protect E-mail messages and deploy Web browsers containing strong encryption–both priority security concerns for most in corporate IT.

“The No. 1 concern is E-mail. Nothing else is even close,” says Jim Bidzos, president of security vendor RSA Data Security Inc., in Redwood City, Calif. “Their employees are communicating with foreign branch offices, suppliers, etc. The vulnerability is there.”

The new S/MIME (Secure Multipurpose Internet Mail Extensions) standard will extend encryption and authentication capabilities, giving the equivalent of signatures and envelopes to E-mail. Netscape Communications Corp. and Microsoft Corp. have announced plans to support S/MIME in the next versions of their browsers, due in the fall. Companies also will be able to deploy the next versions of Netscape and Microsoft browsers containing 56-bit encryption overseas, due to special approval from the DOC–a sign that things are definitely loosening up on the encryption front.

Yet observers still question why White House attempts to address the issue of strong encryption still fall short. The White House position on encryption is suspiciously similar to the administration’s doomed 1993 Clipper Chip proposal. The Clipper Chip would have guaranteed government “trap door” access to encrypted data. “We call this Clipper 4.2.1,” says Kelly Hubner Blough, director of government relations for Pretty Good Privacy Inc., an encryption vendor in San Mateo, Calif.

Privacy advocates are likewise baffled by the obstinacy of the government position against strong encryption. “The administration seems to go through bouts of policy masochism where they resurrect a policy like Clipper that everyone said was a brain-dead idea and dress it up and say, ‘Isn’t this fine?’” says Marc Rotenberg, director of the Electronic Privacy Information Center, a Washington public interest research group.

Protecting national security and law enforcement are the two major concerns cited by the Clinton administration in justifying the need for tight controls on encryption exports. “We have a gigantic machine, called the NSA [National Security Agency], that collects information all around the world. They want to keep that machine running for as long as they can,” says RSA’s Bidzos.

Although things are unsettled on the legislative front, one thing is clear: Something will happen, soon, to change the status quo of U.S. encryption law.