From: jya@pipeline.com (John Young)
Date: Wed, 7 Aug 1996 15:39:53 +0800
To: cypherpunks@toad.com
Subject: CRN on Crypto Roadblock
Message-ID: <199608061732.RAA18656@pipe5.t2.usa.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   Computer Reseller News, 8-05-96, p. 51 
 
   Channel feels pinch of export limitations -- VARs Hit 
   Encryption Roadblock 
 
   By Charlotte Dunlap & Deborah Gage 
 
 
   Could 40 bits of code cost you that multimillion-dollar 
   bid? 
 
   Andrew Sheppard, president of Branford, Conn.-based Espion 
   Inc., just returned from a frustrating business trip to 
   Europe, where he said he lost a number of accounts with 
   financial institutions because he could not deliver 
   software with more than 40 bits of encryption key length. 
 
   Sheppard, who recently tried to sell his encryption wares 
   to clients in Europe, said he lost business to competitors 
   offering stronger encryption. 
 
   "There is a real demand for this type of product, and yet 
   I find myself thwarted at every single opportunity by this 
   stupid law, which everyone realizes is unnecessary," 
   Sheppard said. 
 
   Sheppard said potential clients that turned him down during 
   his recent trip included Banco Santander, a Madrid-based 
   bank; the London office of Credit Suisse; Logica Systems of 
   London; and the financial reporting arm of Reuters' news 
   service in London. 
 
   As the trend toward networking-sensitive information grows, 
   woes tied to encryption export limitations are spreading to 
   the VAR community. The dilemma of shipping overseas 
   anything other than light versions of security software is 
   starting to sabotage the efforts of Internet resellers. 
 
   Because 40 bits of code is considered to be breakable by an 
   elementary hacker, major corporations with data to protect 
   are reluctant to trust U.S. technology. So, U.S. resellers 
   are being turned away while multinational corporations turn 
   to foreign technologies. 
 
   The debate between business and the U.S. government about 
   export limitations is getting increasingly heated with the 
   growth of the Internet. The Pro-Code Bill, which aims to 
   relax export restrictions, has just been introduced, and 
   prominent Silicon Valley executives are trekking to 
   Washington regularly to argue the case. Jim Bidzos, 
   president and chief executive of encryption market leader 
   RSA Data Security Inc., Redwood City, Calif., has spent a 
   lot of time in Washington. 
 
   "The big picture in terms of what's happening is all of our 
   communications and document storage is moving from paper 
   and filing cabinets to the Internet and disk drives. We 
   need crypto technology in order to protect this," he said. 
   But resellers are getting discouraged and do not see a 
   quick resolution with law makers. Meanwhile, they are 
   losing business at a staggering rate. 
 
   Norm Yamaguchi, director of sales for RSA master reseller 
   Secure Distribution Inc., said he could have tripled the 
   size of his million-dollar company this year if it were not 
   for U.S. export laws dictating a maximum 40-bit key 
   encryption length to his clients' international offices. 
 
   "To say this law is causing me problems is a massive 
   understatement," Yamaguchi said. The reseller currently is 
   in talks with Price Waterhouse to get them to standardize 
   on Oakland, Calif.-based Secure Distribution's security 
   products, but will likely lose the contract because of the 
   40-bit key length limitation. 
 
   Resellers' fear of losing business to foreign players is 
   not paranoia, either. The Business Software Alliance has 
   identified 500 encryption products that can be purchased in 
   foreign countries. Information about the stronger foreign 
   technology can be obtained easily through the Internet. 
 
   "The laws are punishing U.S. companies, and we're losing 
   business to foreign countries because they can offer the 
   same thing. The law is not holding back the flow of 
   encryption, it is just holding back U.S. companies from 
   making money," he added, calling it a "lose-lose 
   situation." 
 
   Reseller Al Hill, vice president of engineering for 
   Successful Systems Solutions, Rancho Cordova, Calif., has 
   to surrender part of his solutions services in order to 
   keep his foreign clients. 
 
   "We ship units to England, Hong Kong and Singapore, and we 
   have to downgrade the software [to 40 bits] on all of them. 
   They were rather upset but smart enough to realize they 
   could upgrade the security themselves," he said, adding 
   that he has lost business because he could not complete 
   projects himself. 
 
   "We have to make sure the APIs in the software are 
   available so people overseas can tie them into their 
   [security] applications," he said. Similarly, Dave Johnson, 
   senior account manager of Precision Computers Inc., 
   Portland, Ore., said he lost an account with a 
   multinational company with offices in France because "it 
   became too troublesome for them to implement U.S. products 
   because of the legal problems." 
 
   Uncle Sam's View 
 
   U.S. companies and civil libertarians have been battling 
   the government since 1991, when the proposal of the Clipper 
   Chip first surfaced. At that time, the government proposed 
   splitting the encryption keys and holding a portion of them 
   in escrow, giving law enforcement officials with court 
   orders a back door through which to conduct electronic 
   surveillance. To date, the U.S. government has budged 
   little from its original idea. 
 
   The Clipper Chip idea was squelched, but the government 
   refuses to concede that strong encryption is not a munition 
   because it believes national security is at stake. In 
   recent weeks, Vice President Al Gore proposed a compromise: 
   The government would extend the types of software that 
   could be exported, perhaps to include healthcare or 
   insurance instead of just finance, and allow long keys if 
   countries where the United States has government-to- 
   government agreements could hold keys in escrow. A 
   24-member technical advisory committee is expected to 
   produce a blueprint for establishing the Federal Key 
   Management Infrastructure in September. 
 
   The Vendor's View 
 
   Software executives remain disgruntled with the 
   government's progress. "Do we really want government- 
   to-government agreements?" asked Eric Schmidt, Sun 
   Microsystems Inc.'s Chief Technology Officer. "The U.S. has 
   protections that other countries don't. France, for 
   example, is noted for industrial espionage." 
 
   Microsoft Corp. Senior Vice President Craig Mundie said an 
   escrow system would create an expensive bureaucracy, 
   adding: "This should really be described as a key-leasing 
   system. This will create a huge new business in extracting 
   keys from the public. If you want to make sure that your 
   key is not compromised by law enforcement officials, you're 
   going to need insurance. There will be a whole service 
   industry around keys." 
 
   Vendors also argue that the government's reasoning is not 
   legitimate. "The current controls do not keep encryption 
   out of the hands of the criminals. They keep it out of the 
   hands of individuals and corporations," said Sybase Inc. 
   Director of Data and Communications Security Development 
   Thomas Parenty. 
 
   Sun, Microsoft and other companies would like complete 
   deregulation of encryption. Three bills that would lift 
   government restrictions and prohibit mandatory key escrow 
   are working their way through Congress, although none are 
   likely to pass this year. 
 
   NEXT WEEK: Measuring the level of difficulty in cracking 
   code. 
 
   [End] 
 
   Thanks to LG.