Politech mailing list archives

FC: Details on White House encryption regulations


From: Declan McCullagh <declan () well com>
Date: Thu, 16 Sep 1999 17:23:33 -0400

[Just got back from the White House where there was a briefing with AG
Reno, etc. My note is at the end. Also we're still waiting to see the
Clinton administration crypto-legislation that's supposed to go to the Hill
today. --DBM]


Subject: Re: more re Encryption Technology Limits Eased 
Date: Thu, 16 Sep 1999 12:25:21 -0700
From: John Gilmore <gnu () toad com>

Dave Farber:
As I said, the devil is in the details.

Let me agree.  Remember when the Administration said it was giving
industry what it wanted -- transferring crypto exports to the Commerce
Dept?  And when later "industry" worked out a deal so they could "easily"
export key-recovery products, only to discover that in the final regs 
and procedures it really wasn't so easy?

There's a vague and undefined term in the press leaks so far:

      One-Time Technical Review

What does this mean?  It appeared in some early crypto liberalization
bills floated in Congressional committees.  Does it mean:

      *  On the same day that you first put your encryption invention
         on your web site, you have to send a binary copy to the NSA?
or:    *  BEFORE you post your encryption invention on your web site,
         you have to send a copy to NSA?
or:    *  BEFORE you post it, you have to send a copy to NSA -- AND THEN WAIT
         until they say you can export it?
or:    *  BEFORE you post it, you have to send the source code to NSA --
         and rather than a mere delay, they have the option to respond
         by telling you that you just can't export it?
or:    *  You can't post it at all -- you need to provide details about
         each person who receives it, and you don't know that about the
         people who download it.
or:    *  ....infinite variations....

We'll only really know once the regulations are published, which is
rumored to be in a few months.

      John



Date: Thu, 16 Sep 1999 13:27:30 -0700
From: Tom Weinstein <tomw () geocast com>
Subject: Re: more re Encryption Technology Limits Eased

John Gilmore wrote:

There's a vague and undefined term in the press leaks so far:

        One-Time Technical Review

What does this mean?  It appeared in some early crypto liberalization
bills floated in Congressional committees.

Based on my previous experience with the export process, here's what I think
this means:

     You have to tell the NSA what you're doing and let them think
     about it for a while.  You'll have to answer any questions they
     have, but they aren't likely to ask for source code.  It's not
     something you want to do the week before you ship.  It's a process
     that's likely to take a couple months and involve more than one
     face to face meeting with NSA people.

Of course it may mean something completely different.  I've been surprised by
what the NSA does more often than not.



Date: Thu, 16 Sep 1999 17:15:26 -0400
To: John Gilmore <gnu () toad com>, "Perry E. Metzger" <perry () piermont com>,
farber () cis upenn edu
From: Declan McCullagh <declan () well com>
Subject: Re: more re Encryption Technology Limits Eased 

John,

I buttonholed William Reinsch, Commerce Dept undersecretary, outside the
White House briefing room a few minutes ago. I happened to ask him the same
question you bring up here: What's up with that one-time technical review?

Things were crowded and noisy, but here's what I learned. (The BXA regs
are still being drafted and are supposed to be published in the Federal
Register no later than December 15.)

Products <64 bit or equivalent are generally decontrolled except for:

1. Can't export to Cuba, Iran, Iraq, Libya, N.Korea, Sudan, Syria, and
2. A one-time technical review is STILL REQUIRED. That process is supposed
to take not more than a few months. According to Reinsch, such a review is
closest to your:
or:   *  BEFORE you post it, you have to send a copy to NSA -- AND THEN WAIT
        until they say you can export it?

It's unclear to me whether they'll require source. DoD's Hamre simply said
it would have to be a "meaningful" review and said providing a product
brochure just isn't good enough.

Also, the regs differentiate between "retail" and "custom" products.
Reinsch: "There are differences in the way it will be treated." When asked
whether, say, shrinkwrapped software available at CompUSA would be
automatically treated as retail, Reinsch replied, "It's more complicated
than that."

Products >64bit or equivalent are still controlled under EAR but can be
exported through a license exception under these circumstances:

1. Feds get one-time technical review, and
2. You must file post-export reports with Commerce Dept, and
3. Can't export to Cuba, Iran, Iraq, Libya, N.Korea, Sudan, Syria, and

If the destination is a permissible foreign government or a state entity
such as a telecom firm, I believe you must also satisfy these conditions:

4. Product must not "require substantial support" (think technical
support), and
5. Product must be "sold in tangible form or have been specifically
designed for individual consumer use"

For each version of a new product (I gave Reinsch example of PGP 10.0.0.0
and 10.0.0.1), you have to submit it and wait for a new "one-time"
technical review.

Also, I asked Reinsch if "end users" include distributors such as computer
stores in foreign countries. He said yes, and that they're not trying to
pull a fast one.

What I found most interesting was what Attorney General Reno said about
the government's cryptanalysis abilities. When asked if she can break
strong, >64 bit equivalent crypto, she said, "We have carefully looked at
this and think it's possible," and declined to add details.

DoD's Hamre said that there would be a big chunk assigned to cryptanalysis
R&D in DoD's requested FY2001 budget but added "some of the parts you may
be interested [in] I can't discuss." (I wouldn't necessarily read much into
this. It could simply be a face-saving move.)

Finally, Reno indicated that this kind of cryptanalysis may not be enough
-- and legal requirements such as mandatory key escrow may be necessary.
She said:

"This legislation does not provide any new authority for law enforcement
to be able to obtain usable evidence from criminals. We will continue to
operate under our existing authorities and attempt to meet the threat of
the criminal use of encryption. We are hopeful that these existing
authorities will prove sufficient."

Here's hoping...

-Declan

More:
http://www.wired.com/news/news/politics/story/21790.html
http://www.wired.com/news/news/politics/story/21786.html



--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------

