Administration Relaxes Restrictions on Encryption Software

By David M. Nadler and Valerie M. Furman*

On September 16, 1999, in a move that represents a major shift in a long-standing policy, the Clinton administration announced a relaxation in the restrictions on exports of encryption software and hardware products. The announcement sets aside a history of warnings from law enforcement and defense officials that such action would endanger national security, and is being viewed as a victory for high-tech industry — particularly those companies that sell encryption software.

Encryption is technology used to scramble computer data and requires a "key" to decode. The debate over encryption products has been brewing since 1996, when the Clinton administration moved encryption export control policy from State Department jurisdiction to Commerce Department jurisdiction. The move resulted in an export control policy preventing U.S. computer companies from exporting encryption products with bit strengths greater than 56 bits with restrictions, and 40 bits without restrictions. These bit strengths are considered weak by the computer industry, which has developed stronger products with bit strengths of at least 128 bits.

In the past, companies were required to obtain federal licenses for each individual shipment of encryption products before those products could be exported. Under the new policy, exporters of the strongest encryption products (i.e., those with keys of 128 bits or greater) will no longer have to license each shipment, and instead will, in most cases, only need to have a one-time certification for those products. The new policy will nonetheless require companies to submit detailed lists of the clients that buy encryption products from them. The new policy will not, however, lift the current ban on sending encryption products to Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba, which are considered by the U.S. to be "terrorist nations," and will require a case-by-case review of sales of high-power custom encryption to foreign governments.

Software companies had fought a futile fight for decades for the right to export encryption products that scramble electronic communications without strict license requirements, but have essentially taken a back seat to concerns that these codes could be used by terrorists and other criminal elements to hide their communications. In an effort to assuage the worries voiced by law enforcement and defense officials over the new policy, the Clinton administration concurrently announced the introduction of legislation that is intended to give law enforcement greater resources to combat the use of computers by criminals and terrorists. The legislation, entitled the Cyberspace Electronic Security Act of 1999 ("CESA"), proposes to give the FBI $80 million over the next four years to create a new unit to focus on cracking codes. CESA was devised pursuant to a May 1998 Presidential Order mandating the creation of a national plan for surveillance of government computer networks. The Order had been issued after numerous unrelated incidents of both domestic and international terrorism. In addition to the proposed legislation, the administration will give $500 million to the Defense Department over the next several years to enhance its information security, which will then become a model for other government agencies and the private sector.

A controversial provision intended to be a component of the new policy was dropped after concerns about its legality were raised. That provision would have permitted law enforcement officers to secretly search private computers and disable secrecy codes as a preface to wiretapping. Many questioned whether the provision would allow the government to weaken the constitutional protections against unreasonable searches and seizures provided under the Fourth Amendment.

Encryption software is seen by many as critical to the continued growth of electronic commerce, fostering security as more people use their credit card numbers over the Internet, and also as prevention for the theft of intellectual property. Administration officials believe that the new policy will allow strong U.S. encryption products to now be marketed to the entire commercial sector, enabling the U.S. high-tech industry to compete fairly in the international marketplace.

The announcement of the new policy comes in the wake of an increasing trend toward relaxing government restrictions on encryption. Court decisions, such as the May 6, 1999 decision of the United States Court of Appeals for the Ninth Circuit holding that encryption codes contain expressions of ideas and cannot be suppressed indefinitely, have overturned U.S. government restrictions on encryption used over the Internet and for other telecommunications purposes. A number of cases on the subject are still pending, but will likely have similar results. In addition, pending legislation introduced by Representative Robert Goodlatte (R-Va.), entitled the Security and Freedom Through Encryption Act (SAFE), would go even farther to remove export limits than has the administration’s new policy. These recent events seem to have waved a red flag at the administration, and the new policy appears to be an attempt by the administration to salvage its control over the issue.

Goodlatte has stated that, despite the administration’s new policy relaxing encryption export controls, he will not withdraw his bill because the exact text of the new regulations will not be released until December. The Clinton administration, meanwhile, has made no secret of the fact that it will veto the bill if passed, characterizing it as a serious rollback of law enforcement authority.

* David M. Nadler is a partner in the law firm of Dickstein Shapiro Morin & Oshinsky LLP where he practices Technology Law. He may be contacted at NadlerD@dsmo.com. Ms. Furman is an associate with the firm.

 
