
The Center for Democracy and Technology Volume 2, Number 15

Among other things, the "Pro-CODE" would:

* Allow the export of "generally available" or "public domain" encryption software such as PGP and popular World Wide Web browsers without requiring NSA authority.
* Allow the export of encryption hardware and software not available in the "mass market" or "public domain" under an export scheme that would allow up to roughly DES-strength (i.e., 56 bit key-length) security if a product of similar strength is commercially available from a foreign supplier

What, exactly, is the point of such a provision that would limit key length? Since the classifications of encryption export software seem to allow any keylength, why should there be an exception for others? I think they should give specific examples of hardware or software whose export would not be allowed, and more particularly an explanation why an exception is needed in those cases. We really need to know what they're thinking about, here. It isn't obvious why, and generally I've found that whenever laws carve out exceptions, there are substantial reasons for those exceptions, although not necessarily "good" reasons.

Notice, for example, that there appears to be a distinction between hardware and software (although, in the bill, it does list both hardware and software). As we all should understand, the distinction ought to be meaningless, but one of our goals should be to allow the unrestricted export of good-encryption telephones which have their encryption done in hardware. That doesn't appear to be the case, and I think this is a telling limitation. The law will practically guarantee that no factories to build good crypto phones get sited in the US.

However, a look at the actual bill shows nothing which specifically limits things to 56-bit keys, although it seems to make an unusual distinction, allowing exports "in any foreign country to which those exports of computer software and computer hardware of similar capability are permitted for use by financial institutions..." The problem, as I see it, is that this is practically an open invitation to foreign countries to pass laws which are specifically intended to restrict encryption. We should not be encouraging them to do this. Some explanation is definitely in order!

BTW, that brings us to another issue: The bill should specifically prohibit restrictions on the IMPORTATION of any kind of encryption systems, either hardware or software.

* Prohibit the government from imposing mandatory key-escrow encryption schemes domestically, or from restricting the sale of commercial encryption products within the United States
Redundant. The 1st amendment should already do this. I have no objection to them re-stating Constitutional protections, but it should label them as such.
* Prohibit the Department of Commerce from imposing government designed standards for encryption technologies (such as Clipper and Clipper II).
Ditto. But more importantly, I think it ought to be prohibited from even _encouraging_ the use of such systems, which as we all know the government can do by abusing its power. It should be prohibited from spending any money to develop those standards, as well as prohibiting government from encouraging the use of those standards, etc.

All in all, a substantial improvement over the Leahy bill, but it could still use a little work.

Jim Bell
jimbell@pacifier.com