Nettime mailing list archives

<nettime> US crypto policy, dox and comments
t byfield on Fri, 17 Sep 1999 17:39:58 +0200 (CEST)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> US crypto policy, dox and comments

[1] dave farber         16 sept statement by US press secretary on crypto (1)
[2] hudson barton       16 sept statement by US press secretary on crypto (2)
[3] robert harper       d. mccullagh, wired news: crypto law: little guy loses
[4] john gilmore        john gilmore: re: admin updates encryption policy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Date: Thu, 16 Sep 1999 15:32:09 -0400
To: ip-sub-1 {AT} admin.listbox.com
From: David Farber <farber {AT} cis.upenn.edu>
Subject: IP: Statement By The Press Secretary: Administration Announces New
  Approach to Encryption

                              THE WHITE HOUSE

                       Office of the Press Secretary
For Immediate Release
September 16, 1999


            Administration Announces New Approach to Encryption

     One year ago today, Vice President Gore announced updates to the
Administration's encryption policy to serve the full range of national
interests: promoting electronic commerce, supporting law enforcement and
national security, and protecting privacy.  The announcement permitted the
export of strong encryption to protect sensitive information in the
financial, health, medical, and electronic commerce sectors.  It also
included support for the continued ability of the nation's law enforcement
community to access, under strictly defined legal procedures, the plain
text of criminally related communications and stored information.  At that
time the Administration committed to reviewing its policy in one year.
Today, the Administration announces the results of that review, conducted
in consultation with industry and privacy groups and the Congress.

     The strategy announced today continues to maintain the balance among
privacy, commercial interests, public safety and national security.  This
approach is comprised of three elements ? information security and privacy,
a new framework for export controls, and updated tools for law enforcement.
First, the strategy recognizes that sensitive electronic information ?
government, commercial, and privacy information -- requires strong
protection from unauthorized and unlawful access if the great promise of
the electronic age is to be realized.  Second, it protects vital national
security interests through an updated framework for encryption export
controls that also recognizes growing demands in the global marketplace for
strong encryption products.   Finally, it is designed to assure that, as
strong encryption proliferates, law enforcement remains able to protect
America and Americans in the physical world and in cyberspace.

     With respect to encryption export controls, the strategy announced
today rests on three principles: a one-time technical review of encryption
products in advance of sale, a streamlined post-export reporting system,
and a process that permits the government to review the exports of strong
encryption to foreign government and military organizations and to nations
of concern.  Consistent with these principles, the government will
significantly update and simplify export controls on encryption.

     The updated guidelines will allow U.S. companies new opportunities to
sell their products to most end users in global markets.  Under this

*    Any encryption commodity or software of any key length may be exported
     under license exception (i.e., without a license), after a technical
     review, to individuals, commercial firms, and other non-government end
     users in any country except for the seven state supporters of

*    Any retail encryption commodities and software of any key length may
     be exported under license exception, after a technical review, to any
     end user in any country, except for the seven state supporters of

*    Streamlined post-export reporting will provide government with an
     understanding of where strong encryption is being exported, while also
     reflecting industry business models and distribution channels.

*    Sector definitions and country lists are eliminated.

     The Administration intends to codify this new policy in export
regulations by
December 15, 1999, following consultations on the details with affected

   In support of public safety, the President is today transmitting to the
Congress legislation that seeks to assure that law enforcement has the
legal tools, personnel, and equipment necessary to investigate crime in an
encrypted world.  Specifically, the Cyberspace Electronic Security Act of
1999 would:

*  Ensure that law enforcement maintains its ability to access decryption
   information stored with third parties, while protecting such information
   from inappropriate release.

*  Authorize $80 million over four years for the FBI's Technical Support
   Center, which will serve as a centralized technical resource for
   Federal, State, and local law enforcement in responding to the
   increasing use of encryption by criminals.

*  Protect sensitive investigative techniques and industry trade secrets
   from unnecessary disclosure in litigation or criminal trials involving
   encryption, consistent with fully protecting defendants? rights to a
   fair trial.

     In contrast to an early draft version of the bill, the
Administration's legislation does not provide new authorities for search
warrants for encryption keys without contemporaneous notice to the subject.
The bill does not regulate the domestic development, use and sale of
encryption.  Americans will remain free to use any encryption system

     The Administration looks forward to continuing to work with the
Congress, industry, and privacy and law enforcement communities to ensure a
balanced approach to this issue.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Date: Thu, 16 Sep 1999 14:36:39 -0400
To: mac-crypto {AT} vmeng.com
From: Hudson Barton <hhbv {AT} highwinds.com>
Subject: Administration Updates Encryption Policy

Office of the Press Secretary

For Immediate Release

September 16, 1998


Administration Updates Encryption Policy

The Clinton Administration today announced a series of steps to
update its encryption policy in a way that meets the full range of
national interests: promotes electronic commerce, supports law
enforcement and national security and protects privacy. These steps
are a result of several months of intensive dialogue between the
government and U.S. industry, the law enforcement community and
privacy groups that was called for by the Vice President and
supported by members of Congress.

As the Vice President stated in a letter to Senator Daschle, the
Administration remains committed to assuring that the nation's law
enforcement community will be able to access, under strictly defined
legal procedures, the plain text of criminally related communications
and stored information. The Administration intends to support FBI's
establishment of a technical support center to help build the
technical capacity of law enforcement - Federal, State, and local -
to stay abreast of advancing communications technology.
The Administration will also strengthen its support for electronic
commerce by permitting the export of strong encryption when used to
protect sensitive financial, health, medical, and business
proprietary information in electronic form. The updated export policy
will allow U.S. companies new opportunities to sell encryption
products to almost 70 percent of the world's economy, including the
European Union, the Caribbean and some Asian and South American
countries. These changes in export policy were based on input from
industry groups while being protective of national security and law
enforcement interests.

The new export guidelines will permit exports to other industries
beyond financial institutions, and further streamline exports of key
recovery products and other recoverable encryption products. Exports
to those end users and destination countries not addressed by today's
announcement will continue to be reviewed on a case-by-case basis.
Very strong encryption with any key length (with or without key
recovery) will now be permitted for export under license exception,
to several industry sectors. For example, U.S. companies will be able
to export very strong encryption for use between their headquarters
and their foreign subsidiaries worldwide except the seven terrorist
countries (Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba) to
protect their sensitive company proprietary information.

On-line merchants in 45 countries will be able to use robust U.S.
encryption products to protect their on-line electronic commerce
transactions with their customers over the Internet.

Insurance companies as well as the health and medical sectors in
those same 45 countries will be able to purchase and use robust U.S.
encryption products to secure health and insurance data among
legitimate users such as hospitals, health care professionals,
patients, insurers and their customers.

The new guidelines also allow encryption hardware and software
products with encryption strength up to 56-bit DES or equivalent to
be exported without a license, after a one time technical review, to
all users outside the seven terrorist countries. Currently,
streamlined exports of DES products are permitted for those companies
that have filed key recovery business plans. However, with the new
guidelines, key recovery business plans will no longer be required.
The Administration will continue to promote the development of key
recovery products by easing regulatory requirements. For the more
than 60 companies which have submitted plans to develop and market
key recovery encryption products, the six month progress reviews will
no longer be required. Once the products are ready for market they
can be exported, with any bit length -- without a license --
world-wide (except to terrorist nations) after a one-time review.
Furthermore, exporters will no longer need to name or submit
additional information on a key recovery agent prior to export. These
requirements will be removed from the regulations.

Finally, industry has identified other so-called "recoverable"
products and techniques that allow for the recovery of plaintext by a
system or network administrator and that can also assist law
enforcement access,subject to strict procedures. The administration
will permit their export for use within most foreign commercial
firms, and their wholly-owned subsidiaries, in large markets,
including Western Europe, Japan and Australia, to protect their
internal business proprietary communications.

The Administration welcomes a continued dialogue with U.S. industry
and intends to review its policy in one year to determine if
additional updates may be necessary to continue a balanced approach
that protects the public safety and national security, ensures
privacy, enables continued technology leadership by U.S. industry and
promotes electronic commerce.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Date: 16 Sep 99 15:25:17 EDT
From: ROBERT HARPER <robert-harper {AT} usa.net>
To: Ignition Point <ignition-point {AT} precision-d.com>
Subject: IP: Crypto Law: Little Guy Loses

- - - - - - - - - -

Crypto Law: Little Guy Loses
by Declan McCullagh

Thursday's White House announcement loosening encryption import
standards may make it easier for big businesses, but it won't help
anyone who wants to distribute software freely on the Web.

The new rules, which still require government review and approval,
would mean a programmer or company has to wade through Washington's
bureaucratic swamp and most likely hire a not-inexpensive lawyer as a

See also: Clinton Relaxes Crypto Exports

Complete details aren't available, but the consensus among observers
is that it will continue to be a felony to post programs like PGP or
secure Web browsers like Netscape Navigator or Internet Explorer on a
Web site where foreigners can download them.

Experts say that means firms will still be more hesitant to wire
encyption functionality into products, and online privacy will remain
at risk.

"It still holds back the development of products intended for the mass
market where encryption is integrated into things like word processing
and email," said Solveig Singleton, a telecommunications lawyer at the
Cato Institute. "If you build encryption into them, suddenly it's
subject to [government] review."

It also means that lawyers suing the Clinton administration aren't
giving up.

In May, the Ninth Circuit Court of Appeals ruled that the current
rules violated the First Amendment's guarantee of free speech. The
suit was brought by Daniel Bernstein, a math professor.

"Our experience has been there have been a number of steps over the
last few years that have been described as liberalization that we were
told would resolve the First Amendment and civil liberties problems,"
said Robert Corn-Revere, a lawyer in the Washington office of Hogan
and Hartson who is co-counsel in the Bernstein case. "But these were
more hype than real.

"As long as the government gets prior review ... then you still have a
prior restraint problem. You still have to apply for the government
for permission to engage in protected speech," he said.

Civil liberties groups echoed the criticism, and some said that the
change in rules -- backed by business groups -- would help
corporations, but not necessarily individuals.

They remain especially worried about domestic restrictions on
encryption use, which the FBI has demanded in the past, and which
could be part of proposed legislation that the White House sends to

"The average user cares more about the domestic situation than whether
American companies can export crypto," says David Sobel, general
counsel for the Electronic Privacy Information Center.

Some lobby groups like Americans for Computer Privacy have applauded
the policy change, but other experts say it continues to hurt the

"Industry and investors should be disappointed by the announcement,"
says Jim Lucier, an analyst at Prudential Securities in Arlington,

"Technology stocks and particularly the online financial services
sector, where security is all-important, would have gotten a
substantial long-term boost from a clear signal by the administration
that it was going to adopt a free-market policy on computer security,"

To subscribe or unsubscribe, email:
      majordomo {AT} precision-d.com
with the message:
      (un)subscribe ignition-point email {AT} address

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

cc: cryptography {AT} c2.net, cypherpunks {AT} cyberpass.net, dcsb {AT} ai.mit.edu,
         gnu {AT} toad.com
Subject: Re: Administration Updates Encryption Policy
Date: Thu, 16 Sep 1999 12:39:27 -0700
From: John Gilmore <gnu {AT} toad.com>
cc: cryptography {AT} c2.net, cypherpunks {AT} cyberpass.net, dcsb {AT} ai.mit.edu,
         gnu {AT} toad.com

> For Immediate Release
> September 16, 1998

Robert, that was *last year*'s encryption policy "liberalization".

Great joke though.  I read through four or five paragraphs before
it became too obvious.  Remember what they promised last year, and
what the regulations actually delivered -- as you read this year's


#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo {AT} bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime {AT} bbs.thing.net