Feeds

Crypto regs still tricky

Stealth export rules keep lawyers busy

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Over a year after the US government first announced the liberalization of encryption export rules, a tangle of vestigial regulations might still trip up unwary developers, experts say.

"Never work under the belief that encryption is not controlled," said Susan Kotila, project manager with Apple's export license department. "I've run into a lot of developers where I've had to tell them, I've got the name of a good lawyer, but you're in violation right now."

The last eighteen months of the Clinton administration heralded a series of significant reforms in the export restrictions that had kept strong security and privacy technology out of commercial products for years. But some regulation remains, and developers who include unbreakable encryption in a product that's sold overseas or online still need to jump through bureaucratic hoops to avoid running afoul of the law, said Kotila.

"Developers, be aware that you do need to go through one-time government review on your crypto before you export it," said Kotila, who delivered an impromptu lecture on the topic Tuesday at the 2001 Mac Crypto Conference held at Apple's Cupertino, California campus.

Apple's John Hurley blamed the regulations for keeping support for plug-in Cryptographic Service Providers (CSPs) out of Mac OSX, a feature that would have permitted independent developers to create their own replacements for the operating system's built-in encryption. "We do want people to be able to write CSPs," said Hurley. "But we're stuck by export laws."

Strong crypto is generally exportable, but in many cases companies are still required to submit a copy of new software to the US government for a thirty day review. Open source code has fewer restrictions, except when part of a commercial product.

Cindy Cohn, legal direct of the Electronic Frontier Foundation (EFF), agrees that reports of the death of crypto regulations are greatly exaggerated.

"The government came out and said they were giving up, but when you read the fine print, they didn't give up entirely," says Cohn, who represented mathematician Daniel Bernstein in his successful First Amendment challenge to the old crypto regulations. "They took something complex and made it even more complex. They've got caveats for every little thing."

Details on the rules and various exemptions may be found on the US Commerce Department's Bureau of Export Administration Web site.

© 2001 SecurityFocus.com. All rights reserved.

Security for virtualized datacentres

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Apple CEO Tim Cook: TV is TERRIBLE and stuck in the 1970s
The iKing thinks telly is far too fiddly and ugly – basically, iTunes
Huawei ditches new Windows Phone mobe plans, blames poor sales
Giganto mobe firm slams door shut on Microsoft. OH DEAR
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.