
Thanks to Ed Roback, NIST:

BXA issued a press release today on new crypto regulations:

http://www.bxa.doc.gov/press/98/1230encryption.html (copy below)

The regs themselves are available today only in hardcopy in Washington DC on display at the Federal Register, but the electronic version will be published in the Federal Register tomorrow and will be on the BXA Web site <www.bxa.doc.gov>.

Anybody in DC who could get a copy of the hardcopy and fax it to us, it would be appreciated:

Fax: (212) 799-4003
Vox: (212) 873-8700

----------

Commerce Updates Export Controls on Encryption Products

(Washington, D.C.) The Commerce Department will publish new regulations significantly streamlining government export controls on powerful encryption -- products that scramble computer data -- as part of the Clinton Administration initiatives to make government more efficient and enhance the global competitiveness of U.S. businesses.

These amendments to the Export Administration Regulations, on public notice today at the Federal Register, end the need for licenses for powerful U.S. encryption products to companies worldwide in several important industry sectors after a one time review by the Commerce Department. The regulations implement the policy changes announced by Vice President Gore in September.

"Through the hard work of industry and government officials to finalize this regulation, U.S. encryption firms will be better able to compete effectively with encryption manufacturers around the world," said William A. Reinsch, Commerce Under Secretary for Export Administration.

Virtually eliminated are restrictions on selling powerful computer data scrambling products to subsidiaries of U.S. corporations. There will also be favorable licensing treatment to strategic partners of U.S. companies. Strong U.S.-made encryption products are now available, under license exception, to insurance companies headquartered in 46 countries and their branches worldwide. Sales of powerful encryption to health and medical organizations in the same countries are also eased.

To facilitate secure electronic transactions, between on-line merchants in those same countries, and their customers, the updated regulations permit, under a license exception, the export of client-server applications (e.g. SSL) and applications tailored to on-line transactions to on-line merchants. A list of eligible countries is posted on the BXA web-site.

Further easing government restrictions are new allowances for U.S. encryption manufacturers to share their source code with their own foreign subsidiaries (while requiring that any resulting new products remain subject to U.S. regulation) and streamlining reporting requirements for U.S. firms so that compliance is less burdensome.

The new regulations expand the policy of encouraging the use of recoverable encryption by removing the requirement to name and approve key recovery agents for exports of key recovery products from regulations. It also defines a new class of "recoverable" encryption products which can now be exported under Export Licensing Arrangements to foreign commercial firms for internal company proprietary use.

As part of its stated goal to balance the needs of national security and public safety with the desire to protect personal privacy and strong electronic commercial security, the Administration continues to encourage the development and sale of products which enable the recovery of the unscrambled data, in an emergency situation.

Finally, the regulations eliminate the need to obtain licenses for most encryption commodities and software up to 56-bits or equivalent strength.

[End]

Here is CDT's statement on the new regs. They should be available in the Federal Register this morning.

Happy Holidays to all. Here's hoping for some real relief in 1999.

-- Alan

Alan Davidson, Staff Counsel                 202.637.9800 (v)
Center for Democracy and Technology          202.637.0968 (f)
1634 Eye St. NW, Suite 1100                  <abd@cdt.org>
Washington, DC 20006                         PGP key via finger

December 30, 1998

New Encryption Regs Fail To Change Debate

The U.S. government is expected to publish new encryption export regulations in the Federal Register tomorrow that once again grant only limited relief for encryption exports. The new regulations implement the policy announcement on encryption made by the White House last September. While providing welcome incremental relief allowing export of 56-bit encryption, and stronger products to certain industry sectors, the Administration's latest liberalization effort leaves individual privacy at risk and fails to resolve the broader issues surrounding U.S. encryption policy.

"These latest encryption regulations are like rearranging the deck chairs on the Titanic," said CDT Staff Counsel Alan Davidson. "While any export relief is welcome, the U.S. government continues to embrace a failed encryption policy based on export controls and backdoor plaintext access features that threaten privacy and prevent people from protecting themselves online. Today's announcement does little to change the broader policy debate over how to give people the security tools they need to protect their privacy in the Information Age. We expect to continue the policy debate, and the push for sensible encryption legislation, in Congress next year."

Major features of the September White House policy, implemented in the new regulations, include:

* Decontrol of 56-bit DES products or equivalent (hardware and software)

* Export of higher strength products for:

    * Subsidiaries of U.S. firms

    * Sectoral relief allowing export of strong encryption products to insurance companies and health and medical organizations

    * Limited relief allowing export of strong encryption products to online merchants for certain electronic commerce server applications only.

* License exceptions allowing export of strong encryption products if they contain "recovery" or other "plaintext access" features (such as "private doorbells") that allow law enforcement access to plaintext without the notice or consent of the end user.

While CDT welcomes efforts by the Administration to grant greater export relief, the new regulations leave privacy and security concerns unresolved, particularly for individuals. These include:

* 56-bit DES is Not Strong Enough -- Expert cryptographers have argued for years that 56-bit encryption is not sufficient to protect privacy online. Just last summer, a group of California researchers created a "DES Cracker" that broke a 56-bit length encrypted message in just 56 hours, using minimal resources. RSA, the data security company, is just this week offering a new prize to anyone who can crack DES in one day. The new Administration policy prohibits the export of far stronger 128-bit encryption products that are becoming the world standard for security.

* Individual End-Users are Left Vulnerable -- While the relief offered for particular industry sectors is welcome, individuals seeking to encrypt securely abroad are left vulnerable. The new policy begs the question: When do everyday computer users get encryption relief?

* U.S. Policy Continues Push for Key Recovery and "Plaintext Access" -- The new policy continues to push for adoption of key recovery and other plaintext access products, granting broad relief for products "that, when activated, allow[] recovery of the plaintext of encrypted data without the assistance of the end user." Such access systems create new vulnerable backdoors, jeopardizing personal privacy and creating security concerns where none need exist. (See "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption" experts report, available at http://www.crypto.com/key_study.)

CDT remains committed to seeking broad relief from export controls and to promoting the freedom of people to use whatever encryption tools they need to protect their privacy online.

For more information on this or other encryption policy and Internet civil liberties issues, please contact Alan Davidson or Ari Schwartz at CDT, (202) 637-9800.

participants (2): Alan Davidson, John Young