Politech mailing list archives
FC: Details on White House encryption regulations
From: Declan McCullagh <declan () well com>
Date: Thu, 16 Sep 1999 17:23:33 -0400
[Just got back from the White House where there was a briefing with AG Reno, etc. My note is at the end. Also we're still waiting to see the Clinton administration crypto-legislation that's supposed to go to the Hill today. --DBM]
Subject: Re: more re Encryption Technology Limits Eased
Date: Thu, 16 Sep 1999 12:25:21 -0700
From: John Gilmore <gnu () toad com>

Dave Farber:
> As I said, the devil is in the details.

Let me agree. Remember when the Administration said it was giving industry what it wanted -- transferring crypto exports to the Commerce Dept? And when later "industry" worked out a deal so they could "easily" export key-recovery products, only to discover that in the final regs and procedures it really wasn't so easy?

There's a vague and undefined term in the press leaks so far:

One-Time Technical Review

What does this mean? It appeared in some early crypto liberalization bills floated in Congressional committees. Does it mean:

* On the same day that you first put your encryption invention on your web site, you have to send a binary copy to the NSA?

or:

* BEFORE you post your encryption invention on your web site, you have to send a copy to NSA?

or:

* BEFORE you post it, you have to send a copy to NSA -- AND THEN WAIT until they say you can export it?

or:

* BEFORE you post it, you have to send the source code to NSA -- and rather than a mere delay, they have the option to respond by telling you that you just can't export it?

or:

* You can't post it at all -- you need to provide details about each person who receives it, and you don't know that about the people who download it.

or:

* ....infinite variations....

We'll only really know once the regulations are published, which is rumored to be in a few months.

John
Date: Thu, 16 Sep 1999 13:27:30 -0700
From: Tom Weinstein <tomw () geocast com>
Subject: Re: more re Encryption Technology Limits Eased

John Gilmore wrote:
> There's a vague and undefined term in the press leaks so far:
>
> One-Time Technical Review
>
> What does this mean? It appeared in some early crypto liberalization bills floated in Congressional committees.

Based on my previous experience with the export process, here's what I think this means: You have to tell the NSA what you're doing and let them think about it for a while. You'll have to answer any questions they have, but they aren't likely to ask for source code. It's not something you want to do the week before you ship. It's a process that's likely to take a couple months and involve more than one face to face meeting with NSA people.

Of course it may mean something completely different. I've been surprised by what the NSA does more often than not.
Date: Thu, 16 Sep 1999 17:15:26 -0400
To: John Gilmore <gnu () toad com>, "Perry E. Metzger" <perry () piermont com>, farber () cis upenn edu
From: Declan McCullagh <declan () well com>
Subject: Re: more re Encryption Technology Limits Eased

John, I buttonholed William Reinsch, Commerce Dept undersecretary, outside the White House briefing room a few minutes ago. I happened to ask him the same question you bring up here: What's up with that one-time technical review?
Things were crowded and noisy, but here's what I learned. (The BXA regs are still being drafted and are supposed to be published in the Federal Register no later than December 15.)
Products <64 bit or equivalent are generally decontrolled except for:

1. Can't export to Cuba, Iran, Iraq, Libya, N.Korea, Sudan, Syria, and
2. A one-time technical review is STILL REQUIRED. That process is supposed to take not more than a few months.

According to Reinsch, such a review is closest to your:

> or:
> * BEFORE you post it, you have to send a copy to NSA -- AND THEN WAIT until they say you can export it?

It's unclear to me whether they'll require source. DoD's Hamre simply said it would have to be a "meaningful" review and said providing a product brochure just isn't good enough.
Also, the regs differentiate between "retail" and "custom" products.
Reinsch: "There are differences in the way it will be treated." When asked whether, say, shrinkwrapped software available at CompUSA would be automatically treated as retail, Reinsch replied, "It's more complicated than that."
Products >64 bit or equivalent are still controlled under EAR but can be exported through a license exception under these circumstances:

1. Feds get one-time technical review, and
2. You must file post-export reports with Commerce Dept, and
3. Can't export to Cuba, Iran, Iraq, Libya, N.Korea, Sudan, Syria, and

If the destination is a permissible foreign government or a state entity such as a telecom firm, I believe you must also satisfy these conditions:

4. Product must not "require substantial support" (think technical support), and
5. Product must be "sold in tangible form or have been specifically designed for individual consumer use"
For each version of a new product (I gave Reinsch the example of PGP 10.0.0.0 and 10.0.0.1), you have to submit it and wait for a new "one-time" technical review.
Also, I asked Reinsch if "end users" include distributors such as computer stores in foreign countries. He said yes, and that they're not trying to pull a fast one.
What I found most interesting was what Attorney General Reno said about the government's cryptanalysis abilities. When asked if she can break strong, >64 bit equivalent crypto, she said, "We have carefully looked at this and think it's possible," and declined to add details.
DoD's Hamre said that there would be a big chunk assigned to cryptanalysis R&D in DoD's requested FY2001 budget but added "some of the parts you may be interested [in] I can't discuss." (I wouldn't necessarily read much into this. It could simply be a face-saving move.)
Finally, Reno indicated that this kind of cryptanalysis may not be enough -- and legal requirements such as mandatory key escrow may be necessary. She said:

"This legislation does not provide any new authority for law enforcement to be able to obtain usable evidence from criminals. We will continue to operate under our existing authorities and attempt to meet the threat of the criminal use of encryption. We are hopeful that these existing authorities will prove sufficient."
Here's hoping...

-Declan

More:
http://www.wired.com/news/news/politics/story/21790.html
http://www.wired.com/news/news/politics/story/21786.html

--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------