After reading the text of Senator Burns's pro-CODE bill (S.1726), I'm not convinced that the bill would actually remove the barriers to the export of PGP and other strong encryption software. I'd like to know whether you agree with my concerns, or if you think that the bill would adequately protect encryption software exports. shabbir@vtw.org (Voters Telecommunications Watch) writes:

DESCRIPTION OF S.1726, PRO-CODE BILL

The Pro-CODE Act resolves to:

1. Allow for the *unrestricted* export of "mass-market" or "public-domain" encryption programs, including such products as Pretty Good Privacy and popular World Wide Web browsers.

2. Requires the Secretary of Commerce to allow the less restricted export of other encryption technologies if products of similar strength are generally available outside the United States, roughly up to DES strength.

3. Prohibits the federal government from imposing mandatory key-escrow encryption policies on the domestic market and limiting the authority of the Secretary of Commerce to set standards for encryption products.

I'm not sure that this interpretation of the pro-CODE bill is correct, at least as far as points (1) and (2) are concerned. It appears to me that the bill allows the goverment to retrict all exports of cyptographic software for general use, as long as similar retrictions are imposed on the export of software for use by foreign banks. PGP could still be prohibited. I will quote the relevant sections of the bill, with my comments.

From the text of the Pro-CODE Bill:

SEC.3 DEFINITIONS.

(8) GENERAL LICENSE- The term "general license" means a general authorization that is applicable to a type of export that does not require an exporter of that type export to, as a condition to exporting- (A) submit a written application to the Secretary; or (B) receive prior written authorization by the Secretary.

In other words, a "general license" means that rules may be established regulating the export of certain materials, as long prior written application or prior written authorization for the export is not required. For example, "Permission is hereby granted to export all encryption software with a key length not exceeding 40 bits; no written application is necessary." would be an example of a general license to export a particular type of software.

SEC. 5. PROMOTION OF COMMERCIAL ENCRYPTION PRODUCTS.

(c) CONTROL OF EXPORTING BY SECRETARY.- (2) ITEMS THAT DO NOT REQUIRE VALIDATED LICENSES.- Only a general license may be required, except as otherwise provided under the Trading With The Enemy Act (50 U.S.C. App.1 et seq.) or the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (but only to the extent that the authority of the International Emergency Economic Power Act is not exercised to extend controls imposed under the Export Administration Act of 1979), for the export or reexport of- (A) any computer software, including computer software with encryption capabilities, that is- (i) generally available, as is, and designed for installation by the user or purchaser; or (ii) in the public domain (including on the Internet) or publicly available because it is generally accessible to the interested public in any form; or (B) any computing devise or computer hardware solely because it incorporates or employs in any form of computer software (including computer software with encryption capabilities) that is described in subparagraph (A).

I interpret this to mean that export of this type of software can still be restricted by the terms of a "general license". Even though prior written permission cannot be required for export, export is permitted only if the terms of the general license are complied with. This is not the same as "unrestricted export of mass market software"; in fact, for some types of software, the "general license" rules could still forbid export entirely. The following section describes the conditions under which the Secretary of Commerce is required to grant a general license allowing export:

(3) COMPUTER SOFTWARE AND COMPUTER HARDWARE WITH ENCRYPTION CAPABILITIES.- (A) IN GENERAL.- Except as provided in subparagraph (B), the Secretary shall authorize the export or reexport of computer software and computer hardware with encryption capabilities under a general license for nonmilitary end-users in any foreign country to which those exports of computers software and computer hardware of similar capability are permitted for use by financial institutions that the Secretary determines not to be controlled in fact by United States persons.

In other words, the Secretary must define the terms of the general license in such a way that software of "similar capability" to software that is exportable to foreign banks is also exportable for general use. Note that the requirement is that the software must be similar to software that can already be exported for use by foreign banks; it is neither necessary nor sufficient that similar products be available from foreign sources. The "similar products available from foreign competitors" rule was in the Leahy bill, but I see nothing like it in the pro-CODE bill. PGP could be held not to be of "similar capability" to the banking software, and not exportable under the terms of the general license, because it uses a different encryption algorithm, a different key length, and is capable of encrypting arbitrary data, not just financial transactions. In the future, if key escrow requirements were imposed on software exported to foreign banks, the same restriction could be imposed on software exported for general use. It seems to me that the idea behind section 3(A) is that if foreign bankers are willing to accept a certain level of encryption, then everyone else will accept it too, so the software industry will be able to make money exporting it; the few people who want something better (e.g. to protect their privacy against government wiretapping) don't have to be protected, because denying them protection won't cost the software companies any money. I include section 3(B) only for completeness, because it is mentioned in section 3(A):

(B) EXCEPTION.-The Secretary shall prohibit the export or reexport of computer software and computer hardware described in subparagraph (A) to a foreign country if the Secretary determines that there is substantial evidence that such software and computer hardware will be- (i) diverted to a military end-use or an end- use supporting international terrorism; (ii) modified for military or terrorist end- use; or (iii) reexported without the authorization required under Federal law.

Do other people agree with this interpretation of the bill? Are most people satisfied that the bill would actually protect the right to export PGP and other strong encryption software? I haven't seen this discussed in this group before. I realize that this may be academic, because the bill is unlikely to pass now.