Politech mailing list archives
FC: Marc Rotenberg reports on crypto-debate with Commerce's Reinsch
From: Declan McCullagh <declan () well com>
Date: Sat, 25 Sep 1999 00:14:16 -0400
*******

Date: Fri, 24 Sep 1999 13:25:43 -0400
To: EPIC Staff:;
From: Marc Rotenberg <rotenberg () epic org>
Subject: Notes on Panel with William Reinsch
Cc: Declan McCullagh <declan () well com>, Barbara Simons <simons () acm org>, "Peter G. Neumann" <neumann () csl sri com>, Whitfield Diffie <whitfield.diffie () Eng Sun COM>, Susan Landau <susan.landau () east sun com>, Bruce Schneier <schneier () counterpane com>

I spoke on a panel yesterday morning at the Smart Card Forum with William Reinsch, Undersecretary of Export Administration at the Department of Commerce. Reinsch had just returned from a hearing on the Hill concerning the Export Administration Act. During the course of the panel, I had the chance to ask Reinsch several questions about the Administration's new policy on encryption.

Reinsch emphasized that the new policy was an attempt to "reflect market realities." He said that it was one of three pillars of the administration's approach to encryption, which included revisions to export controls, support for law enforcement, and the promotion of more secure systems within the federal government. On this last point, Reinsch acknowledged that the Department of Defense and other agencies complained that they were not able to obtain strong encryption products to protect US assets. Thus, the reason that the DOD favored the new approach.

Reinsch said, as the White House had earlier indicated, that the country lists and the sector specific applications (health, financial) were essentially gone. The key to the new regime was the distinction between "retail products" and "everything else." Retail products could be freely exported to all end users, but "everything else" could be limited if the end user were a government or military agency.

Reinsch spoke in some detail about the post-export reporting requirements. He assured business that they would not be required to collect any information that they are not currently collecting. He also said that the reporting would correspond to current business practices. And he said that there would be no reporting requirement for products below 64 bit.

On the one-time review, he said that requirement is already in place. It was highlighted in the announcement because it is one of the few remaining parts of the export control regime. In terms of timing, he said the expectation was that the review would generally be completed within 15 days, but in no case more than 30 days.

Reinsch said that the administration's policy on source code had not changed, which meant that Dan Bernstein would still be required to submit his program to government review prior to export. When I asked whether this meant that the revised policy would still be unconstitutional, at least as applied to source code that is scientific expression, he replied that a court might reach a different conclusion once it reviewed the revised approach. Indeed, Judge Betty Fletcher pointed to several of the procedural problems in the old regime to support her finding that the export controls violated the First Amendment. But a prior restraint is still a prior restraint, and it seems to me that a court will reach a similar result even under the new, more benign approach.

One of the more interesting questions concerned the impact, or lack thereof, of the new rules on Linux and open source code. The point being that where software is developed collectively by programmers around the world, there really is no single person to go to the USA Department of Commerce for one-time review. If the requirements remain for open source, and there is no reason to think otherwise, then they could still be a significant barrier to the incorporation of strong encryption in such products as Linux. I suggested to Reinsch that perhaps the Administration should consider not only "market realities," but also "development realities" and he agreed.

There was some discussion of Wassenaar. Reinsch said that the new US policy was fully compliant with Wassenaar. He further said that the US was effectively liberalizing upward to the 64-bit Wassenaar level for mass-market. I asked whether we would continue to press our allies for licensing for products above 64 bit. He said that Wassenaar did not in fact require countries to do anything, but instead recommended that they bring their national policies in line with national law, whatever that means.

I did not ask about CESA which Reinsch freely admitted he did not know much about. He and the Administration still hold out the hope that companies will adopt key escrow like techniques. He said that there is market demand for these products.

Just a few comments on my own presentation: I opened by quoting Senator Aiken's line regarding Vietnam that the US should "declare victory and then get out." I suggested that with the crypto issue, the Administration has decided to "declare defeat, but stay in." I also said that the revised policy seems to move from a "Gatekeeper model" to a "surveillance model," i.e. the US could no longer effectively control the use of crypto through export control and chose instead to pursue a strategy that maximizes involvement in development and use. Thus the Technical Support Center and the post-export reporting requirements.

Marc.

--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------