CDT POLICY POST Volume 6, Number 2 January 21, 2000

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:
(1) New U.S. Encryption Rules Are Privacy Breakthrough
(2) Export Of Strong Crypto Begins
(3) Significant Concerns Remain
(4) Policy Post Administration

_______________________________________________________________________

(1) NEW U.S. ENCRYPTION RULES ARE PRIVACY BREAKTHROUGH

The new export rules issued by the U.S. Commerce Department represent a major step forward for online privacy by significantly easing restrictions on the encryption products used to protect security online. The new regulations, published in the Federal Register on January 14 and immediately effective, make it much easier for consumers all over the world to get strong encryption in the U.S.-designed products they use every day -- regardless of the bit length or algorithm used. However, the rules do not fully decontrol encryption and leave significant free speech concerns unresolved.

The regulations, along with CDT analysis and further information, are available at http://www.cdt.org/crypto/admin/

Major features of the new regulations include:

  • Broad relief for export of "retail" encryption products - including many popular browsers, email programs, consumer applications, personal computers, low-end servers and routers, and mass market chips - regardless of bit length or algorithm used. The rules prohibit export to seven designated "terrorist" nations, and require a one-time technical review and classification as well as reporting of destinations, but these rules are not expected to stop mass market dissemination.

  • Mass market encryption products employing key lengths up to 64 bits require the one-time technical review and classification, but no reporting.

  • Non-retail products are also exportable to individuals and businesses after review, but a license is required for export to foreign governments.

  • Certain non-proprietary source code can be posted on the Internet and exported to all but the 7 terrorist countries, with exporters required to send a copy of the code or a URL to the Commerce Department. (Commerce officials have stated that a posting on the Web in downloadable form does not constitute an export to one of the seven prohibited countries; knowingly sending an email to them probably does; and the status of email lists remains unclear.)

_______________________________________________________________________

(2) EXPORT OF STRONG CRYPTO BEGINS

The rules are already having an impact on mass market products. On Tuesday, January 18, CDT helped launch the new PGP export site, http://www.pgp.com/asp_set/products/tns/jump_page_011800.asp. PGP developer Phil Zimmermann once faced criminal prosecution because his software had been posted on the Internet. Now PGP's owner, Network Associates, can email it worldwide.

Also on Tuesday, Microsoft said it would release its Windows 2000 operating system worldwide with strong encryption built in. http://www.wired.com/news/technology/0,1282,33745,00.html

_______________________________________________________________________

(3) SIGNIFICANT CONCERNS REMAIN

The new rules do not decontrol encryption products, and users are cautioned to consult the new regulations carefully before exporting encryption. The complex restrictions are likely to burden those who wish to share security tools or encryption source code with those abroad, and leave many constitutional free speech objections and privacy concerns unresolved. Also uncertain is the impact of the new rules on the Bernstein case's First Amendment challenge to crypto export limits.

Much work remains to be done. Vigilant monitoring of implementation is needed to ensure that the promised relief materializes. Ambiguities in the rules must be clarified. The free speech concerns remaining must be addressed. And a whole new debate is opening up on the other aspects of the Administration's September announcement, including new authorities for law enforcement access to decryption keys and other personal information. CDT encourages those interested to stay involved by being a part of CDT's activist network. Visit http://www.cdt.org/join/ for more details.

_______________________________________________________________________

(4) POLICY POST ADMINISTRATION

To subscribe to CDT's Policy Post list, send mail to majordomo@cdt.org. In the BODY of the message type "subscribe policy-posts" without the quotes.

To unsubscribe from CDT's Policy Post list, send mail to majordomo@cdt.org. In the BODY of the message type "unsubscribe policy-posts" without the quotes.

Detailed information about online civil liberties issues may be found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_6.02.shtml. Excerpts may be re-posted with prior permission of ari@cdt.org.

Policy Post 6.2 Copyright 2000 Center for Democracy and Technology