20 March 1998
Thanks to David Crawford and Adam Back

See related Phil Zimmermann message

   The New York Times, March 20, 1998, pp. D1, D5.

   Export Laws Challenged by Sale Of Encryption Software

   By John Markoff

   San Francisco, March 19 -- An American maker of
   data-scrambling software said today that it would
   circumvent United States export policies by allowing its
   Dutch subsidiary to begin selling an international version
   of Pretty Good Privacy, a strong encryption program that
   does not provide a back door for law enforcement

   Because the company, Network Associates, is the nation's
   largest independent maker of computer security software,
   its action could have a serious effect on Unites States
   export policies on software.

   Network Associates' decision to sell a program specifically
   prohibited by the Commerce Department comes at a tine when
   the Clinton Administration is already fighting
   Congressional attempts to end export controls on encryption
   software for fear that such restrictions will hurt the
   ability of American industry to compete internationally.

   "This is the biggest challenge yet to the U.S. policy," Ted
   Julian, an analyst at the Forrester Group in Cambridge,
   Mass., said. "It potentially has a tremendous consumer

   The battle over data scrambling -- software that hides
   everything from love letters to passwords to credit card
   numbers from prying eyes -- has become a bitter struggle in
   recent years between the American software industry and
   privacy advocates on one side and national security and law
   enforcement officials on the other.

   The Clinton Administration, in the name of fighting crime
   and terrorism, has been trying to force the industry to
   build back doors into encryption software to make it
   possible for law enforcement officials to secretly decode
   private messages.

   Opponents argue that the keys to the proposed back doors
   could be too easily stolen, compromising not only privacy
   but also the security of credit card numbers and other
   highly personal information.

   The Government does not restrict powerful encryption
   software domestically but, with very few exceptions, it
   limits export licenses to codes that can be easily cracked.
   Earlier this week, Justice Department officials testified
   before Congress that they had no plans to introduce
   domestic controls on strong encryption technology.

   Government officials said yesterday that they had not yet
   determined whether Network Associates would be violating
   United States laws in selling P.G.P internationally.

   "We'll be looking at this very closely," William A.
   Reinsch, the Under Secretary for export administration,
   said. "The question of whether or not this product is based
   on legal or illegal export of U.S. technology is a question
   to be investigated. If the Government determines that it
   was illegal, then we'll take appropriate action."

   In part, that decision will hinge on whether the entire
   software package was developed independently from the
   United States company, Mr. Reinsch said.

   Network Associates executives said that in developing the
   international version of P.G.P. they took care not to
   violate United States laws. The international version was
   developed by Network Associates in Europe in partnership
   with a small group of cryptographers at Cnlab Software in

   Network Associates said that the international version
   would be marketed by its European subsidiary, Networks
   Associates International B.V., based in the Netherlands.

   "We're not sure what the impact of this will be," Peter
   Watkins, general manager of the company's Net Tools Secure
   Division. said. "This is the first time that a U.S. company
   has taken this approach, but there are no prohibitions
   against this."

   While United States laws restrict the export of strong
   encryption products, there are no restrictions on exporting
   the text of the original source code. This loophole allows
   programmers in other countries to translate the source code
   into new software programs.

   P.G.P was written in the early 1990's by a privacy activist
   and computer programmer, Philip Zimmermann, and was freely
   distributed in the United States.

   Mr. Zimmermann also made his source code available
   internationally in text form. As a result, versions of the
   program have long been widely available in many countries.

   Network Associates' executives said they had met with
   Commerce Department officials earlier this year to explain
   their plan but the department had not responded.

   Mr. Reinsch said that his staff had been briefed by the

   Richard Hornstein, vice president of legal affairs for
   Network Associates, said the Justice Department was
   notified because "we wanted to make sure they felt
   comfortable about this, but there was no way the Commerce
   Department should have a role."

   Network Associates is not the first United States company
   to attempt to use an international partnership to
   circumvent export restrictions. Currently C2net Software
   Inc., an Oakland, Calif., security software concern, sells
   an international version of its Web server which has
   powerful built-in cryptography.

   The company said that the international version of the
   product was developed overseas independently from the
   United States product.

   Sun Microsystems has run into Government opposition to a
   similar project which was based on a cooperative
   development project with Elvis+, a company formed by
   scientists from the former Soviet space program.