From the New York Times CyberTimes:
Proposed U.S. Rules Would Slow Encryption Software Downloads

By PETER WAYNER

Under a proposed set of rules being circulated by the Commerce Department, the Clinton Administration is considering regulating Web servers that allow people to download encryption software. Among the sites that would be affected are those now operated by companies like Netscape, Pretty Good Privacy, and Microsoft, all of which distribute software over the Web. Under the proposed rules, access to such sites would be more tightly controlled or could disappear altogether in the future.

The proposed new regulations would be modifications to the Export Administration Regulations used by the Bureau of Export Administration in the Commerce Department to regulate the flow of encryption software from the United States. The Commerce Department took control of the regulations at the beginning of 1997 from the State Department after the software industry pushed for a more responsive bureaucracy.

The version of the regulations being circulated is an interagency draft, a document designed to give other agencies, like the Federal Bureau of Investigation or the National Security Agency, the chance to comment on them. For this reason, the Commerce Department refused to comment until the new rules are published in the Federal Register. The spokeswoman from the Commerce Department also refused to check the authenticity of the proposal, a copy of which was given to CyberTimes by a software industry representative. Several other industry representatives confirmed that the document was legitimate.

Most of the new regulations involve tuning the details of the administration's key-recovery plan, which would allow industry to export software with a built-in back door for the police to use to gather evidence. For instance, the new regulations would require key-recovery encryption software to inject the recovery information that law enforcement would use into the message stream at least every three hours.
The requirement for Federal approval of a Web server, however, is buried inside the densely written, virtually impenetrable document, and the change is not even noted in the executive summary at the beginning. The new regulation would require that anyone setting up a Web server offering encryption software seek an "advisory opinion" from the Bureau of Export Administration. The opinions carry no weight in court and serve only as an indication of the agency's view on the matter at a given moment. A company could later be prosecuted for exporting software despite receiving permission in an advisory opinion, although the existence of the opinion should offer some emotional support in court.

The purpose of the rule is to force the operator of the Web server to take all prudent steps to ensure that encryption software is not leaving the country. Currently, companies like Netscape or PGP ask anyone requesting encryption software to fill out a form certifying that they are not breaking the law. They also check the destination domain to ascertain whether the receiving computer is located within the United States. They can then deliver the software over the Web without waiting for any government action.

The proposed regulations do not set out any hard and fast guidelines for a company to meet. They only suggest that sites that allow encryption downloads include an "access control system either through automated means or human intervention, (that) checks the address of every system requesting or receiving a transfer and verifies that such systems are located within the United States or Canada."

When Netscape originally set out to distribute the version of its browser with high-grade encryption over the Internet, the company sought the opinion of the State Department, which gave permission in its version of an advisory opinion.
But the new regulations would effectively force Netscape to shut down its Web servers until the Commerce Department could rule again -- a process that can take several months. This waiting time is what worries companies. Although Vice President Al Gore promised that the Commerce Department would reply promptly to all applications, delays have increased for companies since the beginning of the year. Those delays, in turn, stymie widespread distribution of new software.

This new regulation frustrates Peter Harter, global public policy counsel at Netscape. "It seems to be inconsistent with the Vice President's 'do no harm' promise to treat commerce online the same as commerce for physical stores," Harter said. "I'm not aware of any procedure that would require retail stores such as Fry's or Egghead to apply to the Commerce Department."

Netscape depends heavily on electronic distribution to provide its customers with the latest version of its products. New versions that fix bugs and plug security holes are made available on the Web as soon as possible. The regulations are ambiguous enough that they may require a company to seek separate approval for every new server it installs.

Kelly Huebner Blough, director of government relations for Pretty Good Privacy, said: "When we first release a product, it's available off the Web. Then a few weeks later you can order a product in a package." The company currently sells about 15 percent of its new packages through the Web and it hopes to sell more that way, she said.

Pretty Good Privacy is also in direct competition with Entrust Technologies Ltd., a Canadian encryption software company that is allowed to sell many of its Entrust products throughout the world. Canadian regulations permit export of full-strength encryption software to most parts of the world if the software is developed entirely within Canada.
Pretty Good Privacy's Web server does check domain names to detect whether the software might be going to Libya, Iran, Iraq, Cuba, Angola, Syria, North Korea, France or Singapore.

The software industry worries that the Administration's proposed regulations will restrict the growth of Internet commerce because encryption is a crucial tool for secure transactions. While most software companies do not yet include encryption technology in their products, many suggest that its use will continue to grow because encryption is the best defense against fraud on the Net. Banks, for instance, may find that the regulation is another regulatory burden on providing online banking.

Stewart Baker, a former general counsel for the National Security Agency who now practices at the Washington law firm Steptoe & Johnson, said that the difficulty the regulators face is that the regulations must adapt to a quickly changing Internet environment. "They're saying 'Here's the basic standard. Show us what you're trying to do. If you're doing what we feel is a good faith effort, then we'll approve it,'" Baker said. "They don't quite say that, but I suspect that's what's going on." To draw an analogy, he compared the action to a hand check in basketball, a move by which a defensive player warns the player with the ball that they're there by touching them.

Adam Shostack, a Boston-based consultant to several major banks and financial institutions, said that the current rules were already making it difficult for his clients to take care of their foreign customers. The new regulations, Shostack predicted, will just make matters worse. "We've never needed the permission of the government to publish anything in this country," Shostack said. "I don't see where their legal authority comes from. You can't make reasonable business plans when they reserve the right to change the rules in bizarre and unconstitutional ways."
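The check the article describes twice, a certification form followed by a look at the requesting host's domain, with the draft rule's "human intervention" as the fallback, looks roughly like the following. This is an added illustration written for this page, not Netscape's or Pretty Good Privacy's actual server code. The reverse-DNS table and client addresses are constructed so the example runs offline, and the mapping from the countries PGP's server screens for to their country-code domains is an editorial assumption, not something the article states.

```python
"""
Export-control download gate of the kind the article describes: look at the
requesting host's domain and decide whether encryption software may be served.
Added example for this page; not Netscape's or PGP's code. The PTR table below
is constructed, and the country-to-TLD mapping is the editor's assumption.
"""
import socket
from dataclasses import dataclass

# Country-code domains the draft rule names as acceptable destinations.
PERMITTED_CCTLDS = {"us", "ca"}

# Countries the article says PGP's server screens for, mapped to their
# country-code domains (editorial assumption, not stated by the article).
EMBARGOED_CCTLDS = {"ly", "ir", "iq", "cu", "ao", "sy", "kp", "fr", "sg"}

# Generic domains carry no location information: a .com host can be anywhere.
GENERIC_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int"}

# Constructed reverse-DNS table so the example runs without network access.
CONSTRUCTED_PTR = {
    "192.0.2.10": "ws1.example-corp.us",
    "192.0.2.11": "mail.example.ca",
    "192.0.2.12": "proxy.example.fr",
    "192.0.2.13": "dialup.example.com",
    # 192.0.2.14 deliberately has no PTR record
}


@dataclass(frozen=True)
class Decision:
    verdict: str   # "serve", "refuse" or "review"
    reason: str


def lookup_ptr(ip, table=CONSTRUCTED_PTR):
    """Offline reverse lookup against the constructed table; None if no PTR."""
    return table.get(ip)


def live_ptr(ip):
    """Real reverse lookup via the resolver; not used by the offline example."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def tld_of(hostname):
    """Rightmost label of a host name, ignoring a trailing dot and case."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def decide(ip, certified, resolver=lookup_ptr):
    """Apply the two checks the article describes. Anything the domain cannot
    settle goes to human review rather than being guessed either way."""
    if not certified:
        return Decision("refuse", "requester did not certify eligibility")
    name = resolver(ip)
    if name is None:
        return Decision("review", f"no reverse DNS for {ip}")
    tld = tld_of(name)
    if tld in EMBARGOED_CCTLDS:
        return Decision("refuse", f"{name} is under embargoed domain .{tld}")
    if tld in PERMITTED_CCTLDS:
        return Decision("serve", f"{name} is under .{tld}")
    if tld in GENERIC_TLDS:
        return Decision("review", f".{tld} does not indicate a country")
    return Decision("refuse", f"{name} is under non-permitted domain .{tld}")


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.12",
                 "192.0.2.13", "192.0.2.14"):
        d = decide(addr, certified=True)
        print(f"{addr:12} {d.verdict:7} {d.reason}")
```

Two caveats a practitioner would add to what the article reports. The PTR record is set by whoever controls the address block, so a requester can present any name it likes; and hosts under generic domains or with no reverse entry at all make up a large share of real traffic, which is why the gate above routes those cases to a person instead of deciding. The check is the "prudent steps" the article describes, not evidence of where a machine actually sits.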
The rest of the proposed regulatory changes would clarify questions that others have raised. For instance, source code could be shipped to Canada without a license if the new regulations are adopted. Software could also be shipped to Bulgaria, the Czech Republic, Hungary, Poland, Romania and Slovakia without support documentation.