U.S. Controls On Encryption Technology Could Cost $9 Billion

21 May 1998
Thanks to RH
Investor's Business Daily

NATIONAL ISSUE

THE ENCRYPTION EXPORT DEBATE 

U.S. Controls On Technology Could Cost $9 Billion

Date: 5/21/98

Author: Reinhardt Krause

Is the Clinton administration finally ready to relax controls on exports of
computer-security technology?

Signs that the White House is rethinking its policy is stirring some hope in
the high-tech industry, after more than five years of frustration.

Others warn, however, that the White House is leaving the door open to
imposing tighter encryption controls within the U.S., as well as restricting
exports.

Encryption scrambles computer data to provide security and privacy. It plays
a key role in electronic commerce over the Internet by protecting digital
communications - such as corporate e-mail and credit- card and bank-account
data - from tampering.

Computer companies want the U.S. to ease export controls on advanced
encryption hardware and software so they can take part in the booming market
in global e-commerce.

That stance puts them at odds with law enforcement agencies. They say
rolling back controls could let criminals, terrorists or computer hackers
conceal illegal activities.

It's high time to hammer out a compromise, Commerce Department Secretary
William Daley said last month.

"While our policy goal - balance -is the right one, our implementation has
been a failure," Daley said. "The global market is rendering our
(encryption) policy obsolete. And I fear that will soon make our products
obsolete as well."

U.S. firms could lose out on $9 billion in encryption-product sales over the
next five years if export policy isn't revised, says a study released last
month by the Economic Strategy Institute in Washington.
It pegs overall cost to the economy at a minimum of $35 billion through
2002.

The government now restricts U.S. companies to selling what many experts
regard as low-level encryption. For high-level encryption sales, the policy
requires the use of ''key recovery'' systems.

These systems give law enforcement agencies access to special keys -through
third parties - that unscramble data so they can be read.

If you look at encrypted, or protected, data, all you see is a soup of
letters, numbers and symbols. To make sense of it, you need a set of
instructions called a key. The longer the key, the stronger the encryption.

A strong encryption key is 128 digital bits long. It's virtually impossible
for government agents to break, which is why the administration wants to
control its sale and use.

But in March, Vice President Al Gore left some wriggle room in a letter to
Sen. Tom Daschle, D-S.D., the Democratic leader in the Senate.
"The administration is not wedded to any single technology solution," Gore
wrote.

The high-tech industry hopes Daley's frank admission that encryption policy
isn't working and Gore's letter point to new flexibility.

But some leading encryption firms are wary.

"The National Security Agency and Federal Bureau of Investigation are still
orchestrating the administration's position behind the scenes," said Jim
Bidzos, president of RSA Data Security, a Redwood City, Calif.- based unit
of Security Dynamics Technologies Inc.

Administration officials "continually play this game of offering some
meaningless relief, promising more and never delivering," Bidzos added.
"They're gridlocked. When pressed to make concessions, the NSA and FBI
never find any compromises acceptable."

Still, Congress is set to review several encryption bills this year. And a
new high-tech-backed group, Americans for Computer Privacy, plans to spend
several million dollars on lobbying and ads to change encryption policy.

"We need a more creative approach," said ACP's executive director, Ed
Gillespie. "The policy is outdated and ineffective. You're not going to
stop demand for encryption technology or its spread."

The computer industry has been let down before, says Kenneth Dam, a
University of Chicago law professor. He headed a study released by the
National Research Council two years ago that urged the government to relax
its export controls on encryption products.

"There's been no leadership at the center of the government to resolve
this," Dam said. "There hasn't been enough high-level staff attention to
knock heads together and get a resolution. The administration doesn't have a
really clear position."

In '93, the administration's "clipper chip" proposal would have required
every computer to include an encryption chip whose keys - or code to unlock
encrypted data - would have been held by the government. That proposal fell
flat with civil libertarians.

Two years later, the administration proposed that a third party control the
keys to encrypted data and the government could gain access to them with
proper warrants.

There are basically two ways to set up third- party control. One is similar
to giving a neighbor a copy of a house key. The other is like giving parts
of a treasure map to different people.

Often, the third parties are makers of encryption products.

The Justice Department went further last year, pushing for the use of key
recovery systems within the U.S. And Sens. John McCain, R-Ariz., and Robert
Kerrey, D-Neb., drafted bills for tighter domestic controls over encryption
products.

In March of this year, Justice appeared to soften its stance. Gore's letter,
though, implies that the administration may yet support domestic encryption
controls if a new compromise isn't reached, warn some in the high-tech
industry.

"We're dead set against domestic controls," said Aaron Cross, public
policy director at International Business Machines Corp.

"We need to get a new dialogue started," Cross added. "As long as there
is posturing by law enforcement on one side and people advocating total
freedom to use and export strong encryption on the other, you're going to
end up in this area of paralysis."

To make matters worse, U.S. firms stand to lose business to foreign rivals
that are able to sell advanced encryption products with no strings attached.

"Our policy encourages the growth of foreign producers at the same time it
retards growth here," said Commerce's Daley.

The Economic Strategy Institute figures that at the end of '97, 653
encryption products were being made in 29 countries outside the U.S. Major
producers are in Germany, Ireland, Canada, Israel and Great Britain.

"Encryption policy is severely hampering the competitiveness of U.S.
companies, especially software suppliers," said Carl Howe, an analyst at
consultancy Forrester Research Inc. in Cambridge, Mass. "We need to relax
our export policy, or see that business go overseas."

Manufacturers second that.

"The driving force (behind loosening export limits) is electronic commerce,
which creates a demand for encryption technology," said Douglas McGowan,
Hewlett-Packard Co.'s director of Internet business development. "We have
customers overseas that want access to the same kind of technology our U.S.
customers can buy. That's why it's an important issue to us."

Many other high-tech companies also have a stake in the encryption debate.
Encryption code is embedded in much software used in e-commerce and Net
browser software to protect engineering diagrams and proprietary data.

[End]