U.S. Encryption Policy

The U.S. government published encryption export regulations in the Federal Register on December 31, 1998 that once again granted only limited relief for encryption exports. The regulations implemented the policy announcement on encryption made by the White House in September 1998. While they provided welcome incremental relief allowing export of 56-bit encryption, and stronger products to certain industry sectors, the Administration's liberalization effort left individual privacy at risk and failed to resolve the broader issues surrounding U.S. encryption policy.

The rapid pace of developments on the Internet made it clear that broader reform of U.S. policy was urgently needed. Dramatic cracking efforts have underscored the weaknesses in even the newly liberalized 56-bit encryption products. Research has revealed the vulnerabilities of key recovery systems, and the marketplace has failed to embrace these systems even for stored data. Foreign governments have proven increasingly unwilling to adopt U.S. export control and key recovery policies, and in fact are moving in the opposite direction, toward liberalization. Foreign availability of strong encryption products is rising, and U.S. companies are desperately scrambling for ways to export the products their customers want. On many fronts, U.S. encryption export policy is failing.

• Decontrol of 56-bit DES products or equivalent (hardware and software)

• Export of higher strength products for:
  • Subsidiaries of U.S. firms
    
  • Sectoral relief allowing export of strong encryption products to insurance companies and health and medical organizations
    
  • Limited relief allowing export of strong encryption products to online merchants for certain electronic commerce server applications only.
    
  • License exceptions allowing export of strong encryption product if they contain "recovery" or other "plaintext access" features (such as "private doorbells") that allow law enforcement access to plaintext without the notice or consent of the end user.
    

• CDT comments on the Bureau of Export Administration's December 1998 Interim Rule
• White House press release announcing the December 1998 encryption policy
• White House Fact Sheet
• CDT's analysis of September 1998 policy announcement.
• Press Briefing by the Vice President, Deputy Chief of Staff John Podesta, and others

Privacy and Security Concerns

While CDT welcomed efforts by the Administration to grant greater export relief, the new regulations left privacy and security concerns unresolved, particularly for individuals. These included:

• 56-bit DES is Not Strong Enough -- Expert cryptographers have argued for years that 56-bit encryption is not sufficient to protect privacy online. At the January 1999 RSA Data Security Conference, a group of encryption enthusiasts broke a 56-bit code in 22 hours and 15 minutes, using minimal resources. The new Administration policy prohibits the export of far stronger 128-bit encryption products that are becoming the world standard for security.

• Individual End-Users are Left Vulnerable -- While the relief offered for particular industry sectors is welcome, individuals seeking to encrypt securely abroad face are left vulnerable. The new policy begs the questions: When do everyday computer users get encryption relief?

• U.S Policy Continues Push for Key Recovery and "Plaintext Access" -- The new policy continues to push for adoption of key recovery and other plaintext access products, granting broad relief for products "that, when activated, allow[] recovery of the plaintext of encrypted data without the assistance of the end user." Such access systems create new vulnerable backdoors, jeopardizing personal privacy and creating security concerns where none need exist. (See "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption" experts report, available at http://www.cdt.org/crypto/risks98/.)

  CDT remains committed to seeking broad relief from export controls and to promoting the freedom of people to use whatever encryption tools they need to protect their privacy online.

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy