20 March 1998
Thanks to Adam Back

See also: John Markoff's New York Times story: http://jya.com/pgp-buxbxa.htm

Will Rodger's Inter@active Week Online story: http://jya.com/will-pgp.htm


http://cgi.pathfinder.com/netly/afternoon/0,1012,1835,00.html

The Netly News / Afternoon Line
March 20, 1998

Crypto By the Book

In the long-standing tussle with the government over exports of encryption products, software companies have an little-known advantage: the U.S. Constitution. Currently a presidential executive order restricts firms from exporting software without backdoors for government surveillance. But the First Amendment allows them to publish it in book form. Therein lies the loophole Network Associates is using to sell strong, 128-bit PGP encryption products internationally through its Dutch subsidiary. For PGP published the "source code" innards of its software as a book. "We gave out copies at a meeting on U.S. soil," says a source within PGP. "We were not actually directly involved in the shipment overseas." One of the books eventually ended up in the hands of Norway's International PGP Users Group, which promptly scanned in the code and published it at pgpi.com. Sources say cryptographers at Network Associaties' European partner simply downloaded the files and now are hawking PGP worldwide. It's a cunning dodge around U.S. rules -- but is it legal? Sure, says Ken Bass, an attorney who specializes in export regulations: "The current regulatory regime and the presidental executive order expressly distinguish between books and non-books." Score one for PGP.

--By Declan McCullagh/Washington


http://www.nai.com/about/news/press/1998/032098.asp

Network Associates Announces Availability of 128bit PGP Encryption Software For Global Customers

Strong Encryption to Spur Growth of Secure Electronic Communications Worldwide

HANNOVER, Germany, CEBIT '98, March 20 /PRNewswire/ -- Network Associates International B.V. (Nasdaq: NETA), today announced the immediate availability of PGP, the world's best encryption software, for businesses around the world. The PGP encryption technology is the cornerstone of Network Associates' Total Network Security (TNS) Suite and enables users to successfully protect their confidential email and documents.

"Electronic commerce has not been a viable option for many businesses due to the lack of guaranteed protection for confidential information," said Peter Watkins, general manager of the Net Tools Secure Division at Network Associates. "We now have a solution to this problem with full-strength internationally developed PGP software -- guaranteeing safe communications over the Internet and the safe delivery of confidential documents via email."

Network Associates' PGP encryption products for international markets will be fully developed and compiled in Europe by cnlab Software, based upon widely available published source code that was legally exported from the United States. No United States technical assistance has been, or will be provided to cnlab Software or to international offices of Network Associates, ensuring full compliance with United States export laws.

Network Associates International B.V. will work with technical partners throughout the world to ensure that customers have access to technical support and development expertise throughout the region.

Network Associates Announces New Security Division

Network Associates is also announcing a new, dedicated security division headed up by Graham Curme in Windsor, United Kingdom. The new division will work with selected technical partners throughout Europe to provide technical support to customers. At the same time, a dedicated security division will be established in Germany, followed closely by Scandinavia and the rest of Europe.

Network Associates' PGP software, the flagship technology of the company's Total Network Security (TNS) Suite, is a multi-platform, fully scaleable encryption solution -- designed for single users to large corporations. The TNS Suite, employing 128-bit encryption, combines Network Associates' PGP Desktop Suite, providing multi-platform encryption protection for desktops and the PGP Server Security Suite, offering authentication and policy-based administration and management of security. PGP can cost as little as $80.00 (U.S.) for single users, while corporate pricing is dependent on the number of users.

About Network Associates

With headquarters in Santa Clara, Calif, and European headquarters in Amsterdam, The Netherlands, Network Associates, Inc., formed by the merger of McAfee Associates and Network General, is a leading supplier of enterprise network security and management solutions. Network Associates' product offering includes four individual software suites, McAfee Total Virus Defense, PGP Total Network Security, Sniffer Total Network Visibility and McAfee Total ServiceDesk, which can be centrally managed from within the Network Associates' Net Tools unified management environment. For more information, Network Associates can be reached at 408-988-3832 or on the web at http://www.nai.com.


http://www.nando.net/newsroom/ntn/info/032098/info6_14920.html

Company plans to sell encryption software despite U.S. law

Copyright © 1998 Nando.net
Copyright © 1998 The Associated Press

Feds investigate encryption export, but concede policy shaky

SAN FRANCISCO (March 20, 1998 4:43 p.m. EST http://www.nando.net) -- In a major challenge to federal export limits, a software company will begin selling a sophisticated encryption program Friday to international customers through an overseas subsidiary.

Network Associates Inc. will sell the "Pretty Good Privacy" software through its Dutch subsidiary. The software scrambles e-mails and files, preventing eavesdroppers from seeing information sent across the Internet and stored in databases.

Federal law requires U.S. companies that write and export sophisticated encryption software to include a "key" or entry point for law enforcement officials to decode data. The limits address concerns that encryption technology may fall into the wrong hands, enabling wrongdoers to mask illicit electronic activities such as money laundering.

Network Associates will get around the law by having a Swiss company, Cnlab Software, write the software. Since the U.S. company isn't directly involved in either writing or selling the overseas version of Pretty Good Privacy, the software won't contain a key.

"This is the most significant challenge to date to the U.S. encryption export policy," said Ted Julian, an analyst with Forrester Research in Cambridge, Mass. "This is big enough that the government's lack of response is in itself a response."

The company said it explained the plan to the Commerce Department and received no objection.

Last year, Sun Microsystems Inc. announced a similar plan to use a Russian firm to circumvent the U.S. law but Commerce officials have started an investigation into whether the company assisted the Russian firm. The ongoing investigation has delayed Sun Microsystems' plans.

Rich Hornstein, a vice president at Network Associates, said the company isn't assisting the Swiss company in any way with the software.

Hornstein said the Swiss software is "functionally equivalent" to the PGP software sold in the United States.

PGP uses 128-bit encryption, which would take "10,000 years with a supercomputer to break," according to Peter Watkins, general manager of NA's Net Tools Secure Division.

In May, the company got a federal waiver allowing it to sell Pretty Good Privacy software to the international subsidiaries of 100 leading U.S. companies.


http://www.nando.net/newsroom/ntn/info/032098/info6_14920_S1.html

Feds investigate encryption export, but concede policy shaky

Copyright © 1998 Nando.net
Copyright © 1998 The Associated Press

SAN FRANCISCO (March 20, 1998 4:43 p.m. EST http://www.nando.net) -- Shipments of sophisticated encryption software across Europe on Friday may violate American law, a top Commerce Department official said.

But Undersecretary William Reinsch conceded the ban on exporting encryption software is on shaky ground because other governments have yet to back U.S. policy.

"If we can't get our allies to do the same kind of thing we're doing, in a year or so we'll have to review this," Reinsch said.

The latest flap came Friday when a Dutch subsidiary of Network Associates, based in Santa Clara, Calif., began shipments to European cities of a version of Pretty Good Privacy, a top commercial encryption program.

The software scrambles e-mails and files, preventing eavesdroppers from seeing information sent across the Internet and stored in databases.

Reinsch said the Commerce Department objected to the sales because the program has no "key" allowing law enforcement officials to crack codes used to hide illegal activities.

"If you've got international terrorists and international drug dealers engaged in crimes that transcend national borders, you need ... communications that are recoverable," he said.

Federal law requires U.S. companies that write and export sophisticated encryption software to include a "key" or entry point for law enforcement officials to decode data. The limits address concerns that encryption technology may fall into the wrong hands, enabling wrongdoers to mask illicit electronic activities such as money laundering.

Network Associates is getting around the law by having a Swiss company, Cnlab Software, write the software. Since the U.S. company isn't directly involved in either writing or selling the overseas version of Pretty Good Privacy, the software won't contain a key.

Reinsch said the Commerce Department has begun an investigation of Network Associates' action, but hasn't yet determined whether there were any violations of the encryption ban. He could not say how long the investigation might take.

In theory, Network Associates could be liable to criminal charges if the shipments are found to violate U.S. law, although administrative sanctions -- such as a ban on future exports -- would be more likely.

But the department has already signaled it doesn't view the shipments as an immediate threat.

The Commerce Department could have issued an emergency order prohibiting software sales to Europe while the investigation proceeded, Reinsch acknowledged.

"If we felt there was an imminent violation, we have temporary denial authority," he said. "We haven't done that."

Peter Watkins, head of the security software division at Network Associates, said the new software shipments began Friday in Amsterdam, Netherlands, and would cover much of Europe.

The company does not believe it is violating the Commerce Department's ban, he said.

The software is "functionally equivalent" to Pretty Good Privacy, but was developed in Europe.

"We have 4 million users worldwide," he said. "And we wanted to make sure a user in Europe could speak to a user in the U.S. and could speak to a user in Japan."

By RICHARD COLE, Associated Press Writer