New export guidelines for cryptography have already come under fire from activists for not going far enough. US Commerce Secretary William Daley announced that American software companies can now export encryption of any bit-length without a license. There are conditions, though. The crypto can only be sold to banks, securities firms, brokers, credit card companies and their branches, and only to 45 countries that have been deemed eligible. In addition, each product will be subject to a one-time review, although products already approved for export under license will not have to be reviewed again.
The 45 eligible countries include most major industrialized nations but exclude Russia, China and Mexico. All are either members of an international anti-money-laundering accord or the Financial Action Task Force, or else they have enacted anti-money-laundering laws.
"This action gives our nation's financial institutions the flexibility they need to remain globally competitive," Daley said in a statement. "Importantly, it balances those needs with law enforcement, national security and foreign policy concerns. Through steps like these we can continue to encourage the development of an electronic commerce system users can trust."
Daley's words point up the main aspects of the government's thorny dilemma. While FBI director Louis Freeh demands control of cryptography and the mandatory provision of a key recovery back door to prevent its use by terrorists and organized crime, vendors and privacy advocates want all controls lifted. Without consumer faith in the protection of their privacy, electronic commerce will never take off. That would be more than a little embarrassing for the Department of Commerce.
Even more to the government's discomfort, vendors have a lot to lose while exports remain controlled. The export ban has proved a boon for software companies outside the US, notably in Ireland, Israel and Australia. Their gain is the USA's loss.
At present American vendors have to obtain a permit from the Commerce Department before they can export their products, and products without key recovery for law enforcement do not qualify. When the new rules take effect later this summer, companies will no longer have to have a license or demonstrate key recovery. This could make it easier for American companies like IBM to compete.
Then again, the Commerce Secretary's statement might not be as significant as the government would like us to think. Peter Gutmann, University of Auckland computer scientist and co-moderator of the sci.crypt.research newsgroup, is particularly scathing about the announcement.
"It's a very misleading press release," he says. "They haven't really lifted restrictions at all. They've merely formalized what's always been done on an informal basis. This codifies existing practice. It's just a propaganda exercise. They're making a big fuss about it to make it look like they're liberalizing things, but they're not."
