Interesting People mailing list archives
testimony by Steve Walker on Export controls
From: David Farber <farber () linc cis upenn edu>
Date: Tue, 12 Oct 93 17:08:40 -0400
communications to begin. Public key algorithms such as RSA have become as popular and widely used as DES throughout the world for integrity, confidentiality, and key management.

SPA Study of Availability of Cryptography

The Administration has asserted that export controls are not harming U.S. firms by causing them to lose market shares because there are no foreign products and programs available. Implementations of DES, RSA, and newer algorithms such as the International Data Encryption Algorithm (IDEA), an algorithm that has a key length more than twice that of DES, are available routinely on the Internet from sites all over the world. But according to the Administration, these do not count as commercial products.

In order to develop a definitive assessment of just how widespread cryptography is in the world, in May of this year, the SPA commissioned a study of products employing cryptography. There was a significant amount of knowledge about specific products here and there, but no one had ever tried to assemble a comprehensive database with, where possible, verification of product availability.

The SPA research team focused exclusively on products providing text, file, and data communications encryption capabilities and on programs and products using DES or its equivalent, i.e., the precise products subject to export restrictions. We did not include facsimile and voice encryption products. The team obtained information from product literature, reference guides, industry surveys, trade press and journal articles, and responses to requests for information from SPA members, cryptography experts, and information requests put on the Internet. Whenever possible, the team followed up information with requests for product literature. This was carefully scanned by at least two independent project members, and the data was prepared for entry into the database. To the greatest extent possible, phone calls have been made to vendors to clarify ambiguous technical information.

Information on new products continues to flow in daily but as of October 12:

o We have identified 264 foreign hardware, software, and combination products for text, file, and data encryption from 21 foreign countries: Argentina (1), Australia (18), Belgium (8), Canada (16), Denmark (14), Finland (1), France (5), Germany (33), Hong Kong (1), India (1), Ireland (1), Israel (10), Japan (2), the Netherlands (15), New Zealand (1), Norway (1), Russia (8), South Africa (7), Sweden (17), Switzerland (18), and the United Kingdom (86).

o Of these 264 products, 123 employ DES.

o We have confirmed the availability of 58 foreign encryption software programs and kits that employ the DES algorithm. These are published by companies in Australia, Belgium, Canada, Denmark, Finland, Germany, Israel, the Netherlands, Russia, Sweden, Switzerland, and the United Kingdom. We know some have distributors in other foreign countries and in the United States; one, a UK company, has distributors in 13 countries (Bahrain, Denmark, France, Greece, Ireland, Italy, Malta, the Netherlands, Norway, Singapore, Spain, Sweden, and Yugoslavia). One in Germany has distributors in 14 countries (Australia, Austria, Belgium, Canada, France, Italy, the Netherlands, Norway, Spain, Sweden, Switzerland, Turkey, the UK, and the U.S.). The programs are installed by the user inserting a floppy diskette; the kits enable encryption capabilities to be easily programmed into a variety of applications. A complete listing of all confirmed products in the database is identified in Attachment 1.

o We have ordered and taken delivery on products containing DES from four countries: Denmark, Germany, Israel, and the United Kingdom.

o Foreign customers increasingly recognize and are responding to the need to provide software-only encryption solutions. Although the foreign encryption market is still heavily weighted towards encryption hardware and hardware/software combinations, the market trend is towards software for reasons of cost, convenience, and space.

o On the domestic front, we have identified 288 products, of which 142 employ DES. Thus, at least 142 products are unable to be exported, except in very limited circumstances, to compete with the many available foreign products.

o In total, we have identified to date 552 cryptographic products, developed or distributed by a total of 366 companies (211 foreign, 155 domestic) in at least 33 countries.

DES is also widely available on the Internet, and the recently popularized Pretty Good Privacy (PGP) encryption software program, which implements the IDEA, also is widely available throughout the world.

The ineffectiveness of export controls is also evident in their inability to stop the spread of technology through piracy. The software industry has a multibillion dollar worldwide problem with software piracy. Mass market software is easy to duplicate and easy to ship via modem, suitcase, laptop, etc. Accordingly, domestic software products with encryption are easily available for export--through illegal but pervasive software piracy--to anyone who desires them.

It cannot be any clearer: the existence of widespread and affordable cryptographic products overseas is an indisputable fact. Based on that fact, unilateral U.S. export controls keep U.S. firms from competing in the global marketplace. Foreign customers who need data security now turn to foreign rather than U.S. sources to secure that need. As a result, the U.S. Government is succeeding only in crippling a vital American industry's exporting ability.

Following the first publication of the cryptographic database at the Advisory Board meeting on June 2, the Administration requested a meeting with the SPA research team to review their approach and findings. This meeting was held on July 1, 1993, at the Department of Commerce and involved Government representatives from the Department of Commerce and NSA. The team described both their technique for gathering and cataloging the information and the latest results. At the conclusion of the meeting, it appeared that the Administration representatives were satisfied that a valid survey process was being carried out.

At the second meeting of the Advisory Board on July 29, a Government representative of the Administration indicated that the mere availability of products overseas was not sufficient, that what was needed was an assessment of the market impact of those products. It is important to note to the contrary, though, that the Department of Commerce, in similar deliberations, requires only the demonstrated existence of foreign products, not an assessment of their market share. It would seem that no matter how much information is acquired at what level of detail, the Administration will request more to delay further action.

Nevertheless, the study begun in May by the SPA will continue to collect additional information on cryptographic product availability and to periodically publish its results to help focus attention on this important and often ignored situation. We would welcome Government participation in this ongoing effort to ensure the maximum coverage of available products and maximum utility to the Government.

Frequently Heard Arguments

One argument that is frequently heard to justify continued export controls is that cryptographic products are not available outside the U.S. so U.S. software and hardware developers are not hurt by export controls. The statistics from the SPA survey (264 foreign products, 123 using DES) prove that this argument is patently false!

A second argument is that even if products are available, they cannot be purchased worldwide. This is also patently false! We have found 366 companies in 32 foreign countries and the U.S. that are manufacturing, marketing, and/or distributing cryptographic products, most on a worldwide basis. The names of these companies are listed in Attachment 2.

A third argument frequently heard is that the products sold in other parts of the world are inferior to those available in the U.S. Again, the results of our survey show this to be patently false! We purchased products from several sources throughout the world. We ordered DES-based PC file encryption programs for shipment using routine channels from:

o Algorithmic Research Limited (ARL), Israel

o Sophos Ltd., UK

o Cryptomathic A/S, Denmark

o CEInfosys GmbH, Germany

o uti-maco, Germany

o Elias Ltd., Russia (distributed through EngRus Software International, UK)

All the products we ordered were shipped to us in the U.S. within a few days. The German products were sent to us directly from their U.S. distributors in Virginia and Connecticut, respectively. Our experience has been that if there is paperwork required by the governments in which these companies operate to approve cryptographic exports, it is minimal and results in essentially immediate approval for shipping to friendly countries. The products we obtained from these manufacturers and distributors were in every case first rate implementations of DES.

To better understand if foreign products are somehow inferior, we tried to order the same Sophos product from their Bahrain distributor. We were informed by the distributor that since we were outside his area, he could not sell directly to us. He then told us that everything he sells is shipped directly from the manufacturer in England.

The uti-maco U.S. distributor in Connecticut indicated that he could ship us his German made product immediately (we received it the next day), without needing any further approval from the German parent company or the German government. Apparently, the Germans have a form of blanket approval for sale to anyone in the U.S. I asked if that was true elsewhere in the world and the representative told me that while he dealt only in the U.S., he believed that this was true.

We have no indication that products being shipped to the U.S. or the rest of the world from foreign manufacturers or distributors are in any way inferior to products available in the U.S.

Others Use Different Rules

But our survey results also point to a much more ominous finding! Apparently the controls imposed by the U.S. Government on export of cryptographic products from the U.S. are far more restrictive than those imposed by most other countries including our major allies. The effect of this most unfortunate situation is to cripple U.S. industry while our friends overseas are essentially free to export as they wish.

The U.S. imposes very strict rules on the export of cryptographic products. In general, applications for the export of products that use DES will be denied even to friendly countries unless they are for financial uses or for U.S. subsidiaries.

We have been told repeatedly by the U.S. Government that other countries such as the United Kingdom and Germany have the same export restrictions that the U.S. does. But our experiences with these purchases of cryptographic products show a very different picture. Companies in the UK, Germany, Denmark, and Israel can freely ship DES products to the U.S. and presumably elsewhere in the world with no more than a few days of government export control delay, if any. The claim is they have to "fill out some papers," but it's no big problem.

Based on our experiences to date, I conjecture that these countries are using CoCom (the Coordinating Committee of western nations and Japan) rules for determining where to allow exports. If this conjecture is true, most countries in the free world can readily receive exports from these countries. I speculate that companies in these countries are required to fill out export forms but if they can show that the destination country is not proscribed by CoCom or their local equivalent, they can ship without waiting for further government approval. Every experience we have had supports this supposition.

Whether my theory is correct or not, our experience with these purchases has demonstrated conclusively that U.S. business is at a severe disadvantage in attempting to sell products to the world market. If our competitors overseas can routinely ship to most places in the world within days and we must go through time consuming and onerous procedures with the most likely outcome being denial of the export request, we might as well not even try. And that is exactly what many U.S. companies have decided.

And please be certain to understand that we are not talking about a few isolated products involving encryption. More and more we are talking about major information processing applications like databases, electronic mail packages, and integrated software systems that must use cryptography to provide even the most basic level of security being demanded by multinational companies.

Demonstrations of Available Cryptographic Products

We have before us today several examples of cryptographic products that were lawfully obtained in the United States from foreign vendors:

o AR DISKrete: produced by Algorithmic Research Limited (ARL), Israel. Uses DES disk/file encryption to provide PC security and access control.

o EDS: produced by Sophos Ltd., UK. DES-based PC file encryption package.

o F2F (File-to-File): produced by Cryptomathic A/S, Denmark. DES-based PC file encryption utility.

o Softcrypt: produced by CEInfosys GmbH, Germany. DES-based PC file encryption utility.

o SAFE-GUARD Easy: produced by uti-maco, Germany. DES-based PC file encryption utility.

o EXCELLENCE for DOS: produced by Elias Ltd., Russia, distributed through EngRus Software International, UK. GOST-based (Russian DES equivalent) PC file encryption utility.

We also have a demonstration of the power of the digital revolution and the impact it will have on all our communications in the future. Traditionally, when we think of voice communications, we think of the telephone in its many forms (desk, cordless, cellular, car). However, many modern computer workstations now have the ability to carry voice as well as other multimedia communications. Routinely today on the Internet, voice conferences are held over packet switched communications networks.

Today we have a demonstration using two workstations that come with software to digitize voice communications, packetize it for transmission over a network, and resynthesize it into perfectly good (sometimes better than phone quality) voice. Systems like these are being used daily for voice conferencing over networks around the world.

With this capability, it is straightforward to protect phone conversations from eavesdroppers. Since all the capabilities are performed in software, it is trivial to add an encryption algorithm, such as the Data Encryption Standard, to the software and provide good quality encryption to the digitized, packetized speech. Today we have DES versions from Finland, Sweden, Australia, and the U.S.

HOW IS U.S. INDUSTRY BEING AFFECTED BY EXPORT CONTROLS?

TIS Experiences

To begin this section, I would like to give several examples of experiences that my company has had recently in dealing with the export control process.

Trusted Information Systems is a member of the Internet community and has implemented a version of the Internet Privacy Enhanced Mail (PEM) system, which it is offering free to users on the Internet and for sale to commercial users under the name Trusted Mail (TM). Several hundred Internet users have retrieved the PEM source code, and many of them are using it on a daily basis.

Our experiences with PEM illustrate the variety of frustrations, confusion, and lost opportunities that confront U.S. businesses in the area of international cryptographic products. PEM is based on international Internet specifications developed over the past five years by a team of researchers from throughout the world. In its present version, PEM uses DES for confidentiality and RSA for signature and key management. As such, it does not meet the U.S. Department of State requirements for export outside the U.S. or Canada.

In order to establish a distribution system for PEM similar to that of other software products on the Internet, TIS reviewed various techniques that universities and other companies have used. The "anonymous FTP" approach, in which a user who does not have an account is allowed to log on to the computer containing the information and perform a file transfer of the specific program files, was considered the best choice. Such techniques are routinely used throughout the Internet, but in the case of software that is subject to export controls, one must be concerned that individuals outside the U.S. and Canada may attempt to retrieve the programs. The problem is how to identify whether someone who is anonymous is approved to retrieve the software or not.

As had been done earlier by others, we have created a "READ ME" file that the person seeking the software must read before retrieving the PEM program. The reader is cautioned that if he or she is not from the U.S. or Canada, it is against U.S. export