Politech mailing list archives

FC: Marc Rotenberg reports on crypto-debate with Commerce's Reinsch


From: Declan McCullagh <declan () well com>
Date: Sat, 25 Sep 1999 00:14:16 -0400

*******

Date: Fri, 24 Sep 1999 13:25:43 -0400
To: EPIC Staff:;
From: Marc Rotenberg <rotenberg () epic org>
Subject: Notes on Panel with William Reinsch
Cc: Declan McCullagh <declan () well com>, Barbara Simons <simons () acm org>,
        "Peter G. Neumann" <neumann () csl sri com>,
        Whitfield Diffie <whitfield.diffie () Eng Sun COM>,
        Susan Landau  <susan.landau () east sun com>,
        Bruce Schneier <schneier () counterpane com>


I spoke on a panel yesterday morning at the Smart Card Forum with
William Reinsch, Undersecretary of Export Administration at the
Department of Commerce. Reinsch had just returned from a hearing on
the Hill concerning the Export Administration Act. During the course
of the panel, I had the chance to ask Reinsch several questions
about the Administration's new policy on encryption.

Reinsch emphasized that the new policy was an attempt to "reflect
market realities." He said that it was one of three pillars of the
administration's approach to encryption, which included revisions to
export controls, support for law enforcement, and the promotion of
more secure systems within the federal government. On this last
point, Reinsch acknowledged that the Department of Defense and other
agencies complained that they were not able to obtain strong
encryption products to protect US assets. Thus, the reason that the
DOD favored the new approach.

Reinsch said, as the White House had earlier indicated, that the
country lists and the sector specific applications (health,
financial) were essentially gone. The key to the new regime was the
distinction between "retail products" and "everything else." Retail
products could be freely exported to all end users, but "everything
else" could be limited if the end user were a government or military
agency.

Reinsch spoke in some detail about the post-export reporting
requirements. He assured business that they would not be required to
collect any information that they are not currently collecting. He
also said that the reporting would correspond to current business
practices. And he said that there would be no reporting requirement
for products below 64 bit.

On the one-time review, he said that requirement is already in
place. It was highlighted in the announcement because it is one of
the few remaining parts of the export control regime. In terms of
timing, he said the expectation was that the review would generally
be completed within 15 days, but in no case more than 30 days.

Reinsch said that the administration's policy on source code had not
changed, which meant that Dan Bernstein would still be required to
submit his program to government review prior to export. When I
asked whether this meant that the revised policy would still be
unconstitutional, at least as applied to source code that is
scientific expression, he replied that a court might reach a
different conclusion once it reviewed the revised approach. Indeed,
Judge Betty Fletcher pointed to several of the procedural problems
in the old regime to support her finding that the export controls
violated the First Amendment. But a prior restraint is still a prior
restraint, and it seems to me that a court will reach a similar
result even under the new, more benign approach.

One of the more interesting questions concerned the impact, or lack
thereof, of the new rules on Linux and open source code. The point
being that where software is developed collectively by programmers
around the world, there really is no single person to go to the USA
Department of Commerce for one-time review.  If the requirements
remain for open source, and there is no reason to think otherwise,
then they could still be a significant barrier to the incorporation
of strong encryption in such products as Linux. I suggested to
Reinsch that perhaps the Administration should consider not only
"market realities," but also "development realities" and he agreed.

There was some discussion of Wassenaar. Reinsch said that the new US
policy was fully compliant with Wassenaar. He further said that the
US was effectively liberalizing upward to the 64-bit Wassenaar level
for mass-market. I asked whether we would continue to press our
allies for licensing for products above 64 bit. He said that
Wassenaar did not in fact require countries to do anything, but
instead recommended that they bring their national policies in line
with national law, whatever that means.

I did not ask about CESA, which Reinsch freely admitted he did not
know much about. He and the Administration still hold out the hope
that companies will adopt key-escrow-like techniques. He said that
there is market demand for these products.

Just a few comments on my own presentation: I opened by quoting
Senator Aiken's line regarding Vietnam that the US should "declare
victory and then get out." I suggested that with the crypto issue,
the Administration has decided to "declare defeat, but stay in." I
also said that the revised policy seems to move from a "Gatekeeper
model" to a "surveillance model," i.e. the US could no longer
effectively control the use of crypto through export control and
chose instead to pursue a strategy that maximizes involvement in
development and use. Thus the Technical Support Center and the
post-export reporting requirements.

Marc.


--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------

