20 March 1998
Thanks to David Crawford and Adam Back
See related Phil Zimmermann message
The New York Times, March 20, 1998, pp. D1, D5. Export Laws Challenged by Sale Of Encryption Software Abroad By John Markoff San Francisco, March 19 -- An American maker of data-scrambling software said today that it would circumvent United States export policies by allowing its Dutch subsidiary to begin selling an international version of Pretty Good Privacy, a strong encryption program that does not provide a back door for law enforcement surveillance. Because the company, Network Associates, is the nation's largest independent maker of computer security software, its action could have a serious effect on Unites States export policies on software. Network Associates' decision to sell a program specifically prohibited by the Commerce Department comes at a tine when the Clinton Administration is already fighting Congressional attempts to end export controls on encryption software for fear that such restrictions will hurt the ability of American industry to compete internationally. "This is the biggest challenge yet to the U.S. policy," Ted Julian, an analyst at the Forrester Group in Cambridge, Mass., said. "It potentially has a tremendous consumer base." The battle over data scrambling -- software that hides everything from love letters to passwords to credit card numbers from prying eyes -- has become a bitter struggle in recent years between the American software industry and privacy advocates on one side and national security and law enforcement officials on the other. The Clinton Administration, in the name of fighting crime and terrorism, has been trying to force the industry to build back doors into encryption software to make it possible for law enforcement officials to secretly decode private messages. Opponents argue that the keys to the proposed back doors could be too easily stolen, compromising not only privacy but also the security of credit card numbers and other highly personal information. The Government does not restrict powerful encryption software domestically but, with very few exceptions, it limits export licenses to codes that can be easily cracked. Earlier this week, Justice Department officials testified before Congress that they had no plans to introduce domestic controls on strong encryption technology. Government officials said yesterday that they had not yet determined whether Network Associates would be violating United States laws in selling P.G.P internationally. "We'll be looking at this very closely," William A. Reinsch, the Under Secretary for export administration, said. "The question of whether or not this product is based on legal or illegal export of U.S. technology is a question to be investigated. If the Government determines that it was illegal, then we'll take appropriate action." In part, that decision will hinge on whether the entire software package was developed independently from the United States company, Mr. Reinsch said. Network Associates executives said that in developing the international version of P.G.P. they took care not to violate United States laws. The international version was developed by Network Associates in Europe in partnership with a small group of cryptographers at Cnlab Software in Switzerland. Network Associates said that the international version would be marketed by its European subsidiary, Networks Associates International B.V., based in the Netherlands. "We're not sure what the impact of this will be," Peter Watkins, general manager of the company's Net Tools Secure Division. said. "This is the first time that a U.S. company has taken this approach, but there are no prohibitions against this." While United States laws restrict the export of strong encryption products, there are no restrictions on exporting the text of the original source code. This loophole allows programmers in other countries to translate the source code into new software programs. P.G.P was written in the early 1990's by a privacy activist and computer programmer, Philip Zimmermann, and was freely distributed in the United States. Mr. Zimmermann also made his source code available internationally in text form. As a result, versions of the program have long been widely available in many countries. Network Associates' executives said they had met with Commerce Department officials earlier this year to explain their plan but the department had not responded. Mr. Reinsch said that his staff had been briefed by the company. Richard Hornstein, vice president of legal affairs for Network Associates, said the Justice Department was notified because "we wanted to make sure they felt comfortable about this, but there was no way the Commerce Department should have a role." Network Associates is not the first United States company to attempt to use an international partnership to circumvent export restrictions. Currently C2net Software Inc., an Oakland, Calif., security software concern, sells an international version of its Web server which has powerful built-in cryptography. The company said that the international version of the product was developed overseas independently from the United States product. Sun Microsystems has run into Government opposition to a similar project which was based on a cooperative development project with Elvis+, a company formed by scientists from the former Soviet space program. [End]