From...
Government restrictions on encryption pose obstacles for Internet
security
May 18, 1998
by Ellen Messmer
Your
global-minded organization has decided to use an IP encryption gateway
or secure e-mail to protect traffic exchanged with subsidiaries and
trading partners around the world.
This seems like a simple enough decision. By using the Internet, everyone
will save money, and communications will be secure. However, the move
will be anything but simple if you are the network manager charged with
shipping the encryption products abroad and getting them installed.
That's because government agencies here and around the world often
view strong encryption technology as a military weapon.
So before you ship that "virtual private network" with strong encryption
abroad, you'll first need to get an encryption export license from the
U.S. government. And quite possibly, you'll need to get an encryption
permit to use the technology in other countries, such as France or Russia,
which prohibit unregistered encryption use. Some countries, such as
Saudi Arabia, simply ban encryption.
Just finding out what the cryptography ground rules are can be bewildering
because many governments don't bother to spell them out. Why? Because
the spy agencies and national defense organizations that set the guidelines
want to have complete freedom when it comes to approving use of strong
cryptography.
Even in the U.S., "what's written or published is only about 40 percent
of what you need to know," said Ken Bass, a partner at Washington, D.C.
law firm Venable, Baetjer, Howard & Civelletti.
In the U.S., you'll have to apply foryour export license through the
Department of Commerce. But behind the scenes, you'll also have to curry
favor with the National Security Agency (NSA), the Federal Bureau of
Investigation and the State Department.
About the only clear rule when it comes to shipping encryption technology
is that you shouldn't even think of exporting anything to what the U.S.
government considers to be pariah countries, such as Iraq, Cuba and
Libya.
Otherwise, "from a regulatory standpoint, it's chaos," Bass said.
"But the NSA has determinative powers at [the] Commerce [Department]
today," Bass said. Therefore, he makes regular trips to the NSA at Fort
Meade, Maryland, to plead the case for his clients who want to ship
equipment out of the country.
Under the known rules, financial institutions get special treatment
to export strong 128-bit encryption technology. There is ardent debate
in government circles about whether insurance companies should also
get special treatment.
But even banks are restricted to encrypting only financial transactions
and can't use their equipment for general-purpose communication, Bass
said.
"In theory, you can get a special license for your trading partners,
vendors or consultants," he added. "The most complicated [licenses]
are for general-purpose public communications at 128-bit [Data Encryption
Standard] levels. But [the feds are] not approving those."
Getting the necessary export licenses to use strong encryption with
your trading partners isn't easy, said Roszel Thomsen, an attorney at
Baltimore-based Thomsen & Burke LLP.
For a company to convince U.S. encryption-export bureaucrats to allow
it to conduct secure communications with its trading partners, "you
get into multiple applications and extensive justifications," Thomsen
said. "You have to show a long-term relationship with the business partner
and provide evidence, such as contracts."
If your trading partner happens to be based in another country, getting
approval can be mission impossible. The expert lawyers in this field
all say they just won't take cases that are hard to get approved.
"Of course, this makes the Commerce Department look good because they
can say they approved a large percentage of export licenses," Thomsen
added. But this view overlooks the licenses that companies neglected
to apply for because the companies figured they had no chance of getting
the licenses approved.
Encryption regulations greatly complicate electronic commerce at firms
that take security seriously. One of Wall Street's largest investment
firms now conducts some high-stakes global trading on the Net, but cryptography
rules require that some of the firm's international trading partners
only use 40-bit encryption in their browser-based digital certificates.
"We know [the encryption is] breakable, but we can't do anything about
it except add another layer of security, dynamic password tokens, for
authentication," said the Wall Street firm's director of global security
services.
Although encryption export remains a combination of "law and lore,"
as Thomsen calls it, he tells his clients there are five basic ways
to get a U.S. export license.
If a company decides to go the route of using NSA-approved key-recovery
systems, the company can probably export whatever level of encryption
tech-nology it wants to use.
However, the Gauntlet firewall from Network Associates, Inc.'s Trusted
Information Systems division, available with an option for encryption
key recovery, may be the only product on the market that meets the NSA's
criteria. And most customers just don't seem to want to buy key-recovery
systems, which could allow governments around the world to eavesdrop
on their data.
"Customers strongly want to be in control over their own systems,"
said Kelly Blough, Network Associates' director of government relations.
"They want to determine how and when they can recover their encrypted
data."
Global challenge
Figuring out U.S. encryption rules is tough, but figuring out other
countries' rules can be nearly impossible.
Israel, France, Singapore and Hong Kong have restrictions on encryption
import. And like the U.S., Europe is in the early stages of investigating
how to set up key-recovery centers to hold digital certificates or encryption
keys.
Cryptography used strictly for authenticating users' identities, such
as digital signatures, is usually not subject to encryption export or
domestic-use rules. But Germany and Malaysia appear to be among the
few countries with rules pertaining to the provision of digital certificate
services, according to Stewart Baker, an attorney here at international
law firm Steptoe and Johnson LLP.
With the notable exception of France, most European countries don't
make it hard for corporations to use encryption technology as they wish.
In France, where rules seem to be spelled out decently, users have
to get encryption permits. Companies can also expect to have French
authorities hold their encryption keys if they are not 40-bit, which
is breakable, or if they are not based on key-recovery technology.
Corporations should be prepared to have their data intercepted and
decrypted by French authorities, Baker said.
"Wiretapping has a long history of enthusiastic use in France," said
Baker, claiming that French authorities pass on decrypted competitive
secrets to local firms.
In areas of the world where few rules are written down, local government
attempts to regulate encryption can get bizarre. "In Africa, I've had
officials tell us if you bring in encryption equipment, they'll throw
you in jail," said Baker, who next month will issue a book on encryption
export called The Limits of Trust.
"The point is, you can't be sure if you're legal in a lot of areas,"
Baker added.