From: Anonymous <anon@anon.efga.org>
Date: Mon, 25 Aug 1997 02:12:40 +0800
To: cypherpunks@toad.com
Subject: Drastic crypto crackdown
Message-ID: <bBaqFDiFTI4OyRHT7Zr6Yw==@JawJaCrakR>
MIME-Version: 1.0
Content-Type: text/plain



>From the New York Times cybertimes:

Proposed U.S. Rules Would Slow
Encryption Software Downloads

By PETER WAYNER 

Under a proposed set of rules being circulated by the Commerce
Department, the Clinton Administration is considering regulating
Web servers that allow people to download encryption software.

Among the sites that would be affected are those now operated by
companies like Netscape, Pretty Good Privacy, and Microsoft, all
of which distribute software over the Web. Under the proposed rules,
access to such sites would be more tightly controlled or could
disappear altogether in the future.

The proposed new regulations would be modifications to the Export
Administration Regulations used by the Bureau of Export Affairs in
the Commerce Department to regulate the flow of encryption software
from the United States. The Commerce Department took control of
the regulations at the beginning of 1997 from the State Department
after the software industry pushed for a more responsive bureaucracy.

The version of the regulations being circulated is an interagency
draft, a document designed to give other agencies, like the Federal
Bureau of Investigation or the National Security Agency, the chance
to comment on them. For this reason, Commerce Department refused
to comment until the new rules are published in the Federal Register.

The spokeswoman from the Commerce Department also refused to check
the authenticity of the proposal, a copy of which was given to
CyberTimes by a software industry representative. Several other
industry representatives confirmed that the document was legitimate.

Most of the new regulations involve tuning the details of the
administration's key-recovery plan, which would allow industry to
export software with a built-in back door for the police to use to
gather evidence. For instance, the new regulations would require
key-recovery encryption software to be injected into the message
stream for law enforcement use at least every three hours.

The requirement for Federal approval of a Web server, however, is
buried inside the densely written, virtually impenetrable document,
and the change is not even noted in the executive summary at the
beginning. The new regulation would require that anyone setting up
a Web server offering encryption software seek an "advisory opinion"
from the Bureau of Export Affairs.

The opinions carry no weight in court and only serve as an indication
of the agency's view on the matter at a given moment. A company
could later be prosecuted for exporting software despite receiving
permission in an advisory opinion, although the existence of the
opinion should offer some emotional support with the court.

The purpose of the rule is to force the Web server to take all
prudent steps to ensure that encryption software is not leaving
the country. Currently, companies like Netscape or PGP ask anyone
requesting encryption software to fill out a form certifying that
they were not breaking the law. They also check the destination
domain to ascertain whether the receiving computer was located
within the United States. They could then deliver the software over
the Web without waiting for any government action.

The proposed regulations do not set out any hard and fast guidelines
for a company to meet. They only suggest that sites that allow
encryption downloads include an "access control system either
through automated means or human intervention, (that) checks the
address of every system requesting or receiving a transfer and
verifies that such systems are located within the United States or
Canada."

When Netscape originally set out to distribute the version of its
browser with high-grade encryption over the Internet, the company
sought the opinion of the State Department, which gave permission
in their version of an advisory opinion. But the new regulations
would effectively force Netscape to shut down its Web servers until
the Commerce Department could rule again -- a process that can take
several months.

This waiting time is what worries companies.  Although Vice President
Al Gore promised that the Commerce Department would reply promptly
to all applications, delays have increased for companies since the
beginning of the year.  Those delays, in turn, stymie widespread
distribution of new software.

This new regulation frustrates Peter Harter, global public policy
counsel at Netscape. "It seems to be inconsistent with the Vice
President's 'do no harm' promise to treat commerce online the same
as commerce for physical stores," Harter said. "I'm not aware of
any procedure that would require retail stores such as Fry's or
Egghead to apply to the Commerce Department."

Netscape depends heavily on electronic distribution to provide its
customers with the latest version of its products. New versions
that fix bugs and plug security holes are made available on the
Web as soon as possible. The regulations are ambiguous enough that
they may require a company to seek separate approval for every new
server it installs.

Kelly Huebner Blough, director of government relations for Pretty
Good Privacy, said:  "When we first release a product, it's available
off the Web. Then a few weeks later you can order a product in a
package." The company currently sells about 15 percent of its new
packages through the Web and it hopes to sell more that way, she
said.

Pretty Good Privacy is also in direct competition with Entrust
Technologies Ltd., a Canadian encryption software company that is
allowed to sell many of its Entrust products throughout the world.
Canadian regulations permit export of full-strength encryption
software to most parts of the world if the software is developed
entirely within Canada.  The company's Web server does check domain
names to detect whether the software might be going to Libya, Iran,
Iraq, Cuba, Angola, Syria, North Korea, France or Singapore.

The software industry worries that the Administration's proposed
regulations will restrict the growth of Internet commerce because
encryption is a crucial tool for secure transactions. While most
software companies do not include encryption technology at this
time, many suggest that its use will continue to grow because
encryption is the best defense against fraud on the Net. Banks,
for instance, may find that the regulation is another regulatory
burden to providing online banking.

Stewart Baker, a former general counsel for the National Security
Agency who now practices at the Washington law firm Steptoe &
Johnson, said that the difficulty the regulators face is that the
regulations must adapt to a quickly changing Internet environment.

"They're saying 'Here's the basic standard. Show us what you're
trying to do. If you're doing what we feel is a good faith effort,
then we'll approve it,'" Baker said. "They don't quite say that,
but I suspect that's what's going on."

To draw an analogy, he compared the action to a hand check in
basketball, a move by which a defensive player warns someone with
a ball that they're there by touching them.

Adam Shostack, a Boston-based consultant to several major banks
and financial institutions, said that the current rules were already
making it difficult for his clients to take care of their foreign
customers. The new regulations, Shostack predicted, will just make
matters worse.

"We've never needed the permission of the government to publish
anything in this country," Shostack said. "I don't see where their
legal authority comes from. You can't make reasonable business
plans when they reserve the right to change the rules in bizarre
and unconstitutional ways."

The rest of the proposed regulatory changes would provide clarifications
to unanswered questions that others have had. For instance, source
code could be shipped without restriction to Canada without a
license if the new regulations are adopted. Software could also be
shipped to Bulgaria, the Czech Republic, Hungary, Poland, Romania
and Slovakia without support documentation.