IP: PGP sells crypto in Europe - with no back doors.

[Dave Farber <farber () cis upenn edu>]

Date: Fri, 20 Mar 1998 09:02:50 -0500
To: farber () cis upenn edu
From: Will Rodger <rodger () worldnet att net>
:
:
:


Dave - 


I wrote about PGP's search for a partner in europe a year ago based on
conversations at CFP 97. 


Now theory has become reality


PGP will sell crypto abroad
By Will Rodger
Inter@ctive Week Online March 19, 1998 6:56 PM PST


Pretty Good Privacy, a computer security product long associated with
opposition to US export controls on data-scrambling exports, will be sold
outside the United States for the first time ever beginning this week,
sources at Network Associates Inc. said.


The sales initiative comes perilously close to violating US felony
prohibitions on exports of strong encryption software. But it also exposes
a gaping hole in export laws that could lead to the ultimate downfall of
the regulations themselves, observers say.


"It's yet another example of the absurdity of export controls," said Alan
Davidson, staff counsel with the Center for Democracy and Technology. "You
can't stop ideas at the border."


Powerful encryption techniques were once the province of empire-fighting
patriots like John Adams and Thomas Jefferson, spies and military officers.
For centuries they used the arcane mathematical concepts behind code making
to protect secret communiques, form new governments and win wars. But those
skills have rapidly spread to the private sector over the past 20 years,
giving companies and private citizens secure email and voice communications
over cell phones, conventional telephones and a hacker-ridden Internet.


The core conflict


At the same time, the technology that renders privacy certain in a digital
age can also hide criminal plans and conspiracies. It's for that reason
that the US government has controlled encryption exports tightly since
World War II. More recently, the Clinton Administration has forced
encryption exporters to supply spare encryption "keys" for storage with
third parties in case wiretaps are needed or forego exports in all but a
few cases.


The clear conflict between the need for personal security on one hand and
the ability to track down criminals on the other has exploded on Capitol
Hill. On one side stand civil libertarians and businesses who fear
uncontrolled police power. On the other: federal wiretappers who want
access to all electronic communications with court orders.


"Our reaction is this is something to be investigated," said Bill Reinsch,
undersecretary for export control at the US Department of Commerce. "This
case may be a ground breaker."


How PGP slipped past the Feds


To sell the controlled encryption software abroad, Pretty Good Privacy
executives last year exported copies of the software source code in book
form. Since the software went over in books, there was no violation of
export laws, they say.


Once abroad, volunteers supportive of PGP's fight to liberalize encryption
laws scanned the books into computers and converted that source code into
usable software. Had the software been shipped on floppies, by contrast,
those who exported it could have been charged with felony violations of the


law.


Executives at Network Associates' Dutch affiliate have since taken the
software and begun striking deals to sell the American-developed product
abroad - all in compliance with US laws, they say. The Commerce
Department's Reinsch isn't so sure, however. US laws prohibit not just the
export of powerful encryption technology, but re-export as well. As a
result, he says, any attempt by Network Associates' executives to export
the software from the Netherlands would be a crime punishable in a court of
law if federal lawyers could show the end product was at least 25 percent
American. Prosecution of foreign nationals could be difficult, especially
given the Netherland's disinterest in controlling strong encryption.


"Can we reach a foreign national? Sometimes we can, sometimes we can't," he
said.


Books yes, software no


Encryption advocates say there's more than a bit of irony in the Network
Associates story. For years, the government has avoided First Amendment
challenges to encryption controls by drawing distinctions between source
code in book form and software on diskettes. As long as US attorneys could
claim they would control only finished software and not books, they could
safely say their controls were constitutional.


Yet two court challenges to the regulations say that source code itself is
speech, regardless of whether it exists in books or floppy disks. By giving
safe harbor to books, attorney Cindy Cohn said, the government has
effectively reduced export controls to meaninglessness. Cohn is counsel to
Daniel Bernstein, a professor who has filed suit to publish the source code
to his encryption program "Snuffle" on the Internet.


Cohn disputed Reinsch's interpretation of regulations governing "re-export"
of encryption.


"I don't think you can take something that's protected expression at the
time it's exported and then claim that it suddenly becomes an export item
on the other side," she said. "I'm pleased that PGP is continuing to take
advantage of the obvious inconsistencies in the regulations."


Will Rodger                                           Voice: +1 202-408-7027 
Washington Bureau Chief                        Fax: +1 202-789-2036
Inter@ctive Week                    http://www.interactiveweek.com
A Ziff-Davis Publication            http://www.zdnn.com
PGP 5.0: 584D FD11 3035 0EC2 B35C AB16 D660 293F C7BE 3F62
       PGP 2.6.2: D83D 0095 299C 2505 25FA 93FE DDF6 9B5F