Förderverein Informationstechnik und Gesellschaft

Re: New Crypto Regs -- More of the Same

------- Forwarded Message Follows -------
Date:          Thu, 31 Dec 1998 08:24:51 -0500
To:            John Young <>,,
From:          Alan Davidson <abd@CDT.ORG>
Subject:       Re: New Crypto Regs -- More of the Same

Here is CDT's statement on the new regs. They should be available in the
Federal Register this morning.

Happy Holidays to all. Here's hoping for some real relief in 1999.

	  -- Alan

Alan Davidson, Staff Counsel                 202.637.9800 (v)
Center for Democracy and Technology          202.637.0968 (f)
1634 Eye St. NW, Suite 1100                  <>
Washington, DC 20006                         PGP key via finger

December 30, 1998

New Encryption Regs Fail To Change Debate

The U.S. government is expected to publish new encryption export
regulations in the Federal Register tomorrow that once again grant only
limited relief for encryption exports. The new regulations implement the
policy announcement on encryption made by the White House last September.
While providing welcome incremental relief allowing export of 56-bit
encryption, and stronger products to certain industry sectors, the
Administration's latest liberalization effort leaves individual privacy at
risk and fails to resolve the broader issues surrounding U.S. encryption

"These latest encryption regulations are like rearranging the deck chairs
on the Titanic," said CDT Staff Counsel Alan Davidson. "While any export
relief is welcome, the U.S. government continues to embrace a failed
encryption policy based on export controls and backdoor plaintext access
features that threaten privacy and prevent people from protecting
themselves online. Today's announcement does little to change the broader
policy debate over how to give people the security tools they need to
protect their privacy in the Information Age.  We expect to continue the
policy debate, and the push for sensible encryption legislation, in
Congress next year."

Major features of the September White House policy, implemented in the new
regulations, include:
* Decontrol of 56-bit DES products or equivalent (hardware and software)
* Export of higher strength products for:
  * Subsidiaries of U.S. firms
  * Sectoral relief allowing export of strong encryption products to
    insurance companies and health and medical organizations
  * Limited relief allowing export of strong encryption products to online
    merchants for certain electronic commerce server applications only.
  * License exceptions allowing export of strong encryption product if they
    contain "recovery" or other "plaintext access" features (such as "private
    doorbells") that allow law enforcement access to plaintext without the
    notice or consent of the end user.

While CDT welcomes efforts by the Administration to grant greater export
relief, the new regulations leave privacy and security concerns unresolved,
particularly for individuals. These include:

* 56-bit DES is Not Strong Enough -- Expert cryptographers have argued for
years that 56-bit encryption is not sufficient to protect privacy online.
Just last summer, a group of California researchers created a "DES Cracker"
that broke a 56-bit length encrypted message in just 56 hours, using
minimal resources. RSA, the data security company, just this week offering
a new prize to anyone who can crack DES in one day. The new Administration
policy prohibits the export of far stronger 128-bit encryption products
that are becoming the world standard for security.

* Individual End-Users are Left Vulnerable -- While the relief offered for
particular industry sectors is welcome, individuals seeking to encrypt
securely abroad face are left vulnerable. The new policy begs the
questions: When do everyday computer users get encryption relief?

* U.S Policy Continues Push for Key Recovery and "Plaintext Access" -- The new
policy continues to push for adoption of key recovery and other plaintext
access products, granting broad relief for products "that, when activated,
allow[] recovery of the plaintext of encrypted data without the assistance
of the end user." Such access systems create new vulnerable backdoors,
jeopardizing personal privacy and creating security concerns where none
need exist. (See "The Risks of Key Recovery, Key Escrow, and Trusted Third
Party Encryption" experts report, available at

CDT remains committed to seeking broad relief from export controls and to
promoting the freedom of people to use whatever encryption tools they need
to protect their privacy online. For more information on this or other
encryption policy and Internet civil liberties issues, please contact Alan
Davidson or Ari Schwartz at CDT, (202) 637-9800.