From: “Vladimir Z. Nuri” <vznuri@netcom.com>
To: cypherpunks@cyberpass.net
Message Hash: de72f2cc208ce25f4f20a9101c038ddeb8bad5d49e426e6126d2e672397202c1
Message ID: <199708020443.VAA10553@netcom13.netcom.com>
Reply To: N/A
UTC Datetime: 1997-08-02 05:01:35 UTC
Raw Date: Sat, 2 Aug 1997 13:01:35 +0800
From: "Vladimir Z. Nuri" <vznuri@netcom.com>
Date: Sat, 2 Aug 1997 13:01:35 +0800
To: cypherpunks@cyberpass.net
Subject: Canada's Entrust does end-run around ITAR
Message-ID: <199708020443.VAA10553@netcom13.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
------- Forwarded Message
Date: Fri, 01 Aug 1997 18:13:20 -0700
From: kalliste@aci.net (J. Orlin Grabbe)
To: snetnews@world.std.com
Subject: SNET: [Fwd: Another torpedo slams into Clinton crypto policy]
- -> SearchNet's SNETNEWS Mailing List
Path: news.alt.net!news1.alt.net!news-chi-13.sprintlink.net!news-east.sprintlink.net!news-dc-26.sprintlink.net!news-peer.sprintlink.net!news-pull.sprintlink.net!news-in-east.sprintlink.net!news.sprintlink.net!Sprint!205.185.79.4!zdc!super.zippo.com!lotsanews.com!szdc!newsp.zippo.com!news1
From: jqp@globaldialog.com
Newsgroups: alt.current-events.clinton.whitewater,alt.politics.clinton
Subject: Another torpedo slams into Clinton crypto policy
Date: Fri, 01 Aug 1997 00:21:25 -0500
Organization: None
Message-ID: <33E17255.18BB@globaldialog.com>
Reply-To: jqp@globaldialog.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.0Gold (Win95; I)
Xref: news.alt.net alt.current-events.clinton.whitewater:189839 alt.politics.clinton:338125
NY Times
August 1, 1997
Canadian Product Puts New Spin on Encryption Debate
By PETER WAYNER
Canadian company's recent release of a new
encryption product and subsequent announcement
that it had received a license from Canada to
export the product has surprised many companies
and U.S. officials.
The release was startling because the United States
and Canada historically regulated the encryption-
exporting issue in synchrony.
The company, Entrust Technologies Ltd., released
a free version of its Entrust/Solo software on
Tuesday, and announced that they had received a
license from the Canadian government to export
it to almost all of the world.
- -=- [TABLE] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
THE MOVE BY ENTRUST SEEMS TO EXPLOIT A DIFFERENCE
IN THE REGULATIONS BETWEEN THE UNITED STATES AND
CANADA.
- -=- [TABLE] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This decision by Canada could signal a major rift
developing between two allies over an issue that
is becoming increasingly important to the computer
software industry.
In fact, the move seemed to startle the [*]Bureau
of Export Affairs at the U.S. Department of Commerce.
James Lewis, director of strategic trade at the
bureau, would only issue a one-sentence statement
through a spokeswoman: "This is under review as
a potential enforcement matter." He offered no
insight into which American laws were being violated.
Shauna White, a spokeswoman for the company, said
"We believe we are in full compliance with all
the Canadian laws that apply."
In the past, the United States and Canada enforced
their encryption regulations with such cooperation
that most controlled products are shipped in boxes
announcing, "For U.S. and Canada only." The U.S.
government was certain that Canadian regulations
would block anyone from shipping the product out
of Canada.
Those regulations are still in place and there
has been no change in the effect on products built
in the United States. Programs written by Canadians,
however, are another matter. Entrust was able to
qualify for a license because their software contained
what John Ryan, the company president and chief
executive, said was "100 percent Canadian content."
That is, it was developed in Canada by Canadian
citizens.
Entrust Technologies Inc. was spun off on Jan.
2, 1997, from Nortel (Northern Telecom) after Nortel
developed the Entrust product. Entrust Technologies
Inc. is based in Dallas, but most of the development
work is done in Ottawa, Ontario, where the Canadian
subsidiary, Entrust Technologies Ltd. has its offices.
Ryan, for instance, is a Canadian citizen.
The move by Entrust seems to exploit a difference
in the regulations between the United States and
Canada. Both countries are members of the Wassenar
Arrangement on Arms Export Controls, a set of loosely
controlled rules that took the place of Cold War-
era regulations designed to reign in conventional
arms and dual-use technologies.
The arrangement regulates the export of encryption
software but provided an exemption for general-
use software that was freely available through
either the public domain or widespread public channels
like stores. Ryan explained: "Many countries have
chosen to 'to turn that part off.' Canada has not
chosen to turn that part off."
The existence of this regulatory difference may
have come as a surprise to many people in the United
States because the Canadian software industry has
not yet produced a top-rank international competitor.
The academic computer science departments at colleges
like the University of Toronto are first rate,
but there are no companies with the same public
presence as Microsoft or IBM.
But Entrust Technology's emergence shows how quickly
the public perception can become obsolete in the
swiftly moving world of technology. The company
is clearly hoping that its free version of the
Entrust/Solo software will build acceptance for
the commercial versions, which are also freely
exportable. Many other companies follow the same
strategy of releasing free versions to the public
in order to publicize the commercial versions,
which usually come with more features.
Entrust allows people to download free copies of
Entrust/Solo for personal use from their Web site,
but they block requests from seven restricted countries:
Libya, Iran, Iraq, Cuba, Angola, Syria and North
Korea. France and Singapore are also blocked because
they have restrictions on the import of technology.
Entrust is already in heavy competition against
a U.S. company, [*]Pretty Good Privacy Inc., which
is circulating a free version of its encryption
package, PGP 5.0. This version is available for
home and non-commercial use without charge. The
software, however, was developed in the United
States and can't be exported without a license.
The company has worked closely with the U.S. Commerce
Department to smooth licenses for major U.S. companies
seeking to use the software with their subsidiaries,
but an individual license must still be granted
in each case.
Kelly Huebner Blough, director of government relations
for Pretty Good Privacy, said: "Well, of course
we would like the U.S. to license exports more
liberally. Most of the other countries in the world
license encryption software more freely. They may
have strong policies on the books, but when it
comes to implementation, the U.S. is the most restrictive."
- -=- [TABLE] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ALL OF THE MAJOR SOFTWARE COMPANIES LIKE MICROSOFT,
IBM AND SUN CONTINUE TO PRESS THE U.S. GOVERNMENT
FOR RELIEF OF THE EXPORT CONTROL LAWS, ARGUING
THAT BETTER AND BETTER SOFTWARE IS EMERGING THROUGHOUT
THE WORLD.
- -=- [TABLE] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Other companies will also be feeling the pressure.
Ray Ozzie, the president of Iris, the developer
of Lotus Notes, which is now owned by IBM, said:
"This is further proof that easy-to-use, high-grade
encryption products are available worldwide, and
that U.S. companies continue to be at a disadvantage
in the world marketplace. U.S. policy needs to
change in order to take these realities into account."
One of the most vexing parts of the regulatory
equation involves unraveling whether the U.S. government
can exert any pressure on Entrust Technologies
Ltd. through its U.S.-based corporate parent, Entrust
Technologies Inc. The current version of the regulations
restrict U.S. companies from providing "technical
assistance" to their foreign companies--a rule
that would seemingly not apply to a product developed
completely by Canadians. Earlier drafts were more
vague and seemed to target any relationship or
aid, but the final version focused on technical
assistance.
Companies with close relationships with the U.S.
government are still circumspect. Steve Walker,
president of the Glenwood, Md.-based [*]Trusted
Information Systems, works closely with the Commerce
Department to seek approval for all of its work
done in Europe. They ask for a license for all
of the software being developed by their subsidiary
in Britain. "We've tried to be very careful about
this, perhaps more careful about it than we need
to be," Walker said and then pointed out, "We're
getting approval."
[*]Sun Microsystems is pursuing a strategy with
a different corporate structure. The company bought
a minority stake in a Russian network software
company in 1993 and recently asked them to develop
encryption software for the world market. The deal
is undergoing scrutiny from the U.S. Department
of Commerce, but no announcement has been made
about the resolution. Sun announced that they hope
to ship the software on August 15.
Still, the range of a government is hard to measure.
Greg Katsas, a lawyer in the Washington office
of Jones, Day, Reavis, and Pogue, said: "Generally,
the rules of jurisdiction of the place of incorporation
apply, but there are cases where U.S. law reaches
outside the boundaries. For instance, anti-trust
law can cover acts done outside the U.S. intended
to have an impact inside the U.S."
All of the major software companies like Microsoft,
IBM and Sun continue to press the U.S. government
for relief of the export control laws, arguing
that better and better software is emerging throughout
the world. In the House of Representatives, legislation
sponsored by Representative Bob Goodlatte, a Republican
from Virginia, to liberalize export laws has found
wide support, while similar legislation in the
Senate has died.
One of the major initiatives offered by the Clinton
administration would ease export licenses for software
that made it possible for law enforcement officials
to obtain the software's keys with a court order.
They propose lifting the restrictions for exporting
the software using 56-bit keys with DES.
A number of businesses have joined together what
they call the Key Recovery Alliance to help negotiate
with the government about the final implementation
of this plan. Most major software vendors, including
Entrust and Sun, are part of the alliance. While
the companies are committed to producing software
that helps recover encryption keys in emergencies,
there is a great deal of debate about how this
will be carried out.
Entrust's product for office groups does offer
key recovery, but it is a far cry from what the
U.S. government would like to see implemented.
Copies of the keys are only stored on the hard
disk of the employee responsible for overseeing
the network. There is no capability right now for
interfacing with trusted third parties who would
serve as recovery agents for the police.
Still, Entrust also seems to be working to meet
U.S. regulations. Their enterprise-wide system
for larger companies has been granted a license
for U.S. export even though it uses 56-bit keys.
This license was recently granted as part of the
United States' push for key recovery. It signifies
that the U.S. Commerce Department felt that Entrust
was moving toward compliance with the policy of
smoothing access for the police. In two years,
Entrust may integrate their key recovery system
with licensed recovery agents or it could face
losing its U.S. license.
In the long run, this strategy continues to receive
heavy resistance. While many businesses welcome
key-recovery solutions for internal use, they seem
to resist making it too easy for the police to
access their documents. Corporations, after all,
can be found guilty as well.
The same rules apply to countries, which are finding
themselves in an increasingly brutal worldwide
competition for dominance. Countries with the most
liberal export laws may be rewarded with a strong
fraction of the market share and this is the crucial
time when the decisions about product acceptance
are being decided. Many MIS managers may choose
Entrust's products simply because they don't need
to fill out forms with the U.S. government in order
to supply it to all of their foreign subsidiaries.
Andrew Csinger is the President of Xcert, a Vancouver-
based Canadian software company that manufactures
encryption technology used for certification authorities.
He expects that any difference between U.S. and
Canadian encryption laws will be short-lived. "I
think that market pressures are going to force
the U.S. administration to respond more quickly,
" he said. "In reality, cryptography is widely
available throughout the world."
Copyright 1997 The New York Times Company
- -> Send "subscribe snetnews " to majordomo@world.std.com
- -> Posted by: kalliste@aci.net (J. Orlin Grabbe)
------- End of Forwarded Message
Return to August 1997
Return to ““Vladimir Z. Nuri” <vznuri@netcom.com>”