New Department of Commerce Regs Critiqued (NYT article)
August 24, 1997
Proposed U.S. Rules Would Slow Encryption Software Downloads
By PETER WAYNER
Under a proposed set of rules being circulated by the Commerce
Department, the Clinton Administration is considering regulating
Web servers that allow people to download encryption software.
Among the sites that would be affected are those now operated by
companies like Netscape, Pretty Good Privacy, and Microsoft, all of
which distribute software over the Web. Under the proposed rules,
access to such sites would be more tightly controlled or could
disappear altogether in the future.
The proposed new regulations would be modifications to the Export
Administration Regulations used by the Bureau of Export Affairs in
the Commerce Department to regulate the flow of encryption software
from the United States. The Commerce Department took control of the
regulations at the beginning of 1997 from the State Department
after the software industry pushed for a more responsive
bureaucracy.
The version of the regulations being circulated is an interagency
draft, a document designed to give other agencies, like the Federal
Bureau of Investigation or the National Security Agency, the chance
to comment on them. For this reason, the Commerce Department refused
to comment until the new rules are published in the Federal Register.
The spokeswoman from the Commerce Department also refused to check
the authenticity of the proposal, a copy of which was given to
CyberTimes by a software industry representative. Several other
industry representatives confirmed that the document was
legitimate.
Most of the new regulations involve tuning the details of the
administration's key-recovery plan, which would allow industry to
export software with a built-in back door for the police to use to
gather evidence. For instance, the new regulations would require
key-recovery encryption software to inject recovery information into
the message stream for law enforcement use at least every three hours.
The requirement for Federal approval of a Web server, however, is
buried inside the densely written, virtually impenetrable document,
and the change is not even noted in the executive summary at the
beginning. The new regulation would require that anyone setting up
a Web server offering encryption software seek an "advisory
opinion" from the Bureau of Export Affairs.
The opinions carry no weight in court and only serve as an
indication of the agency's view on the matter at a given moment. A
company could later be prosecuted for exporting software despite
receiving permission in an advisory opinion, although the existence
of the opinion should offer some emotional support with the court.
The purpose of the rule is to force the Web server to take all
prudent steps to ensure that encryption software is not leaving the
country. Currently, companies like Netscape or PGP ask anyone
requesting encryption software to fill out a form certifying that
they are not breaking the law. They also check the destination
domain to ascertain whether the receiving computer is located
within the United States. They can then deliver the software over
the Web without waiting for any government action.
The proposed regulations do not set out any hard and fast
guidelines for a company to meet. They only suggest that sites that
allow encryption downloads include an "access control system either
through automated means or human intervention, (that) checks the
address of every system requesting or receiving a transfer and
verifies that such systems are located within the United States or
Canada."
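As an added illustration, not taken from the article or from any vendor's software, here is the kind of access control the draft describes, reduced to the reverse-DNS domain check the companies relied on, combined with the self-certification form. The TLD tables are a constructed subset, and the "review" outcome stands for the "human intervention" path the draft allows; the example also shows the check's weakness, since a generic TLD such as .com says nothing about where a machine sits.

```python
import ipaddress

# Constructed, illustrative subset: country-code TLDs and the country each denotes.
CCTLD_COUNTRY = {
    "us": "United States", "ca": "Canada",
    "uk": "United Kingdom", "fr": "France", "de": "Germany",
}
# Generic TLDs carry no reliable information about physical location.
GENERIC_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int"}
# Destinations the draft regulation treats as permitted.
PERMITTED = {"United States", "Canada"}


def classify_requester(host):
    """Classify a requesting system by its reverse-DNS name.

    Returns (decision, reason) where decision is 'allow', 'deny' or
    'review' (the draft's 'human intervention' option).
    """
    host = host.strip().rstrip(".").lower()
    if not host:
        return "review", "no reverse DNS name for the requesting address"
    try:
        ipaddress.ip_address(host)  # a bare IP literal, not a hostname
        return "review", "bare IP address carries no domain information"
    except ValueError:
        pass
    tld = host.rsplit(".", 1)[-1]
    if tld in CCTLD_COUNTRY:
        country = CCTLD_COUNTRY[tld]
        if country in PERMITTED:
            return "allow", f"ccTLD .{tld} maps to {country}"
        return "deny", f"ccTLD .{tld} maps to {country}, outside US/Canada"
    if tld in GENERIC_TLDS:
        return "review", f"generic TLD .{tld} does not indicate location"
    return "review", f"unrecognised TLD .{tld}"


def export_gate(host, certified):
    """Combine the self-certification form with the domain check.

    A download is released only when the requester certified compliance
    and the domain check itself came back 'allow'; anything else is
    denied or held for a person to look at.
    """
    if not certified:
        return "deny"
    return classify_requester(host)[0]
```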
When Netscape originally set out to distribute the version of its
browser with high-grade encryption over the Internet, the company
sought the opinion of the State Department, which gave permission
in their version of an advisory opinion. But the new regulations
would effectively force Netscape to shut down its Web servers until
the Commerce Department could rule again -- a process that can take
several months.
This waiting time is what worries companies. Although Vice
President Al Gore promised that the Commerce Department would reply
promptly to all applications, delays have increased for companies
since the beginning of the year. Those delays, in turn, stymie
widespread distribution of new software.
This new regulation frustrates Peter Harter, global public policy
counsel at Netscape. "It seems to be inconsistent with the Vice
President's 'do no harm' promise to treat commerce online the same
as commerce for physical stores," Harter said. "I'm not aware of
any procedure that would require retail stores such as Fry's or
Egghead to apply to the Commerce Department."
Netscape depends heavily on electronic distribution to provide its
customers with the latest version of its products. New versions
that fix bugs and plug security holes are made available on the Web
as soon as possible. The regulations are ambiguous enough that they
may require a company to seek separate approval for every new
server it installs.
Kelly Huebner Blough, director of government relations for Pretty
Good Privacy, said: "When we first release a product, it's
available off the Web. Then a few weeks later you can order a
product in a package." The company currently sells about 15 percent
of its new packages through the Web and it hopes to sell more that
way, she said.
Pretty Good Privacy is also in direct competition with Entrust
Technologies Ltd., a Canadian encryption software company that is
allowed to sell many of its Entrust products throughout the world.
Canadian regulations permit export of full-strength encryption
software to most parts of the world if the software is developed
entirely within Canada. The company's Web server does check domain
names to detect whether the software might be going to Libya, Iran,
Iraq, Cuba, Angola, Syria, North Korea, France or Singapore.
The software industry worries that the Administration's proposed
regulations will restrict the growth of Internet commerce because
encryption is a crucial tool for secure transactions. While most
software companies do not include encryption technology at this
time, many suggest that its use will continue to grow because
encryption is the best defense against fraud on the Net. Banks, for
instance, may find that the regulation is another regulatory burden
to providing online banking.
Stewart Baker, a former general counsel for the National Security
Agency who now practices at the Washington law firm Steptoe &
Johnson, said that the difficulty the regulators face is that the
regulations must adapt to a quickly changing Internet environment.
"They're saying 'Here's the basic standard. Show us what you're
trying to do. If you're doing what we feel is a good faith effort,
then we'll approve it,'" Baker said. "They don't quite say that,
but I suspect that's what's going on."
To draw an analogy, he compared the action to a hand check in
basketball, a move by which a defensive player warns someone with a
ball that they're there by touching them.
Adam Shostack, a Boston-based consultant to several major banks and
financial institutions, said that the current rules were already
making it difficult for his clients to take care of their foreign
customers. The new regulations, Shostack predicted, will just make
matters worse.
"We've never needed the permission of the government to publish
anything in this country," Shostack said. "I don't see where their
legal authority comes from. You can't make reasonable business
plans when they reserve the right to change the rules in bizarre
and unconstitutional ways."
The rest of the proposed regulatory changes would provide
clarifications to unanswered questions that others have had. For
instance, source code could be shipped without restriction to
Canada without a license if the new regulations are adopted.
Software could also be shipped to Bulgaria, the Czech Republic,
Hungary, Poland, Romania and Slovakia without support
documentation.
Copyright 1997 The New York Times Company