31 December 1998. Thanks to AD.

Center for Democracy and Technology

December 30, 1998

New Encryption Regs Fail To Change Debate

The U.S. government is expected to publish new encryption export regulations in the Federal Register tomorrow that once again grant only limited relief for encryption exports. The new regulations implement the policy announcement on encryption made by the White House last September.

While providing welcome incremental relief allowing export of 56-bit encryption, and stronger products to certain industry sectors, the Administration's latest liberalization effort leaves individual privacy at risk and fails to resolve the broader issues surrounding U.S. encryption policy.

"These latest encryption regulations are like rearranging the deck chairs on the Titanic," said CDT Staff Counsel Alan Davidson. "While any export relief is welcome, the U.S. government continues to embrace a failed encryption policy based on export controls and backdoor plaintext access features that threaten privacy and prevent people from protecting themselves online. Today's announcement does little to change the broader policy debate over how to give people the security tools they need to protect their privacy in the Information Age.  We expect to continue the policy debate, and the push for sensible encryption legislation, in Congress next year."

Major features of the September White House policy, implemented in the new regulations, include:

* Decontrol of 56-bit DES products or equivalent (hardware and software)

* Export of higher strength products for:

  * Subsidiaries of U.S. firms

  * Sectoral relief allowing export of strong encryption products to insurance companies and health and medical organizations

  * Limited relief allowing export of strong encryption products to online merchants for certain electronic commerce server applications only.

  * License exceptions allowing export of strong encryption product if they contain "recovery" or other "plaintext access" features (such as "private doorbells") that allow law enforcement access to plaintext without the notice or consent of the end user.

While CDT welcomes efforts by the Administration to grant greater export relief, the new regulations leave privacy and security concerns unresolved, particularly for individuals. These include:

* 56-bit DES is Not Strong Enough -- Expert cryptographers have argued for years that 56-bit encryption is not sufficient to protect privacy online. Just last summer, a group of California researchers created a "DES Cracker" that broke a 56-bit length encrypted message in just 56 hours, using minimal resources. RSA, the data security company, just this week offering a new prize to anyone who can crack DES in one day. The new Administration policy prohibits the export of far stronger 128-bit encryption products that are becoming the world standard for security.

* Individual End-Users are Left Vulnerable -- While the relief offered for particular industry sectors is welcome, individuals seeking to encrypt securely abroad face are left vulnerable. The new policy begs the questions: When do everyday computer users get encryption relief?

* U.S Policy Continues Push for Key Recovery and "Plaintext Access" -- The new policy continues to push for adoption of key recovery and other plaintext access products, granting broad relief for products "that, when activated, allow[] recovery of the plaintext of encrypted data without the assistance of the end user." Such access systems create new vulnerable backdoors, jeopardizing personal privacy and creating security concerns where none need exist. (See "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption" experts report, available at http://www.crypto.com/key_study.)

CDT remains committed to seeking broad relief from export controls and to promoting the freedom of people to use whatever encryption tools they need to protect their privacy online. For more information on this or other encryption policy and Internet civil liberties issues, please contact Alan Davidson or Ari Schwartz at CDT, (202) 637-9800.