US releases 64-bit crypto products for export

Obviously because the NSA can crack it in real time now…

The Clinton Administration has kept its promise and lifted export restrictions on cryprographic technology, over the stubborn objections of US Attorney General Janet Reno. This marks one of the rare occasions when the Gigolo-in-Chief has dared exercise his authority over Reno, whose Draconian appeals for the protection of women and children at the expense of civil liberties normally win the day at the White House. We can only surmise that the National Security Agency's stable of spooks have given the Clintonites a quiet 'green light' based on their confidence that they can now crack the code with a minimum of fuss. Thus the US Commerce Department's Bureau of Export Adminisration (BXA) today dutifully published an interim final rule lifting export controls on all mass-marketed encryption software up to and including 64-bits. The rule also covers asymmetric key exchange algorithms not exceeding 512 bits. Such items will no longer require a license or a license exception, and may be exported and re-exported with the designation "NLR", or No License Required, much to the relief of software companies across the USA. Under previous regulations, companies were required to obtain a license for each sale. The new rules allow sales after a single review by the BXA to ensure that they qualify for the exception. Shipments made directly to foreign governments will still require individual licenses, however. Products covered by the rule will qualify for export to all destinations, albeit with the usual exceptions for very naughty countries like Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria, which will have to buy them second-hand from somewhat naughty countries like China, Russia, South Korea and Mexico, or develop their own. Neither end-run strategem strikes us as particularly challenging. The new regulations are being touted as a breakthrough compromise on an issue which has placed President Clinton in the maddening position of being unable to satisfy two of his truest loves, High-Tech Commerce and the Reno DoJ, simultaneously. In some aspects there is breakthrough matter here. It gets tricky, however, with the "Internet download screening requirements," which have changed little in the revised document. "Posting source code on the Internet, where it may be downloaded by anyone, would not establish 'knowledge' of a prohibited export or re-export. Such posting would not trigger 'red flags'" requiring screening of the people downloading it. Fair enough, but in order to post such code, an author would first have to submit it to the BXA for review to ensure that it qualifies for NLR status. This raises a sticky First Amendment issue, which has already been challenged and is currently winding its way through the federal appeals process. The interim final rule took effect upon publication, but a truly final rule is still pending. The BXA will entertain comments on the interim rule until 15 May 2000. The current draft has been published online by the Government Printing Office, for the amusement of those who enjoy reading very laboured legalese. ®

Sponsored: Designing and building an open ITOA architecture