US encryption plans cause controversy in Europe

The US Department of Commerce's (USDC) legislation making it illegal for US companies to export strong encryption products that are essential for securing ebusiness transactions, has long been a source of controversy.

The Clinton administration has now unveiled its plans to liberalise these encryption rules and attracted guarded approval in the US. The scheme was first outlined in September 1999.

However, because the plan only covers encryption products that are available for retail use, experts have condemned the rule change as nearly useless for European ebusiness companies.

Export licence required
According to Dr Brian Gladman, technical advisor at the Foundation for Information Policy Research, the enterprise encryption material that is required for corporate ebusiness operations will still need an export licence.

"The new rules only apply to whatever the USDC defines as retail use only," Gladman said. "Essentially these are products that can be bought over the counter, often for home use. But high-grade products like secure routers are still going to be up against export licences."

Gladman added that, while these retail products have some ecommerce uses, they would not provide the level of security that many companies will need: "The new rules are simply a move to help US companies sell more products rather than develop global ecommerce."

Robert Holleyman, president of Business Software Alliance, a trade group that includes Microsoft, Adobe Systems and IBM's Lotus unit, confirmed this last week. "With these regulations, we will no longer be at a competitive disadvantage," he said.

Piper Cole, vice president at Sun Microsystems, added: "It's going to help us with sales abroad because security is becoming increasingly important to our customers."

Approval for encryption options
Already Microsoft, Netscape and Novell have approached the USDC to have the encryption options of their software approved as 'retail' so that they can export them to the UK.

This will mean that UK Novell customers can use more secure versions of NDS, eDirectory and Netware 5.1.

However, Gladman believes that some companies that are frantically applying for 'retail status' for their products might be rejected by the USDC because their products are too strong. "This is the way the US government will continue to exercise its control over encryption products," he said.

Considering the Linux option
Gladman said that Linux could be the way forward for ecommerce because it is an open standard system and would be exempt from any export restriction. He predicted that many network managers considering ecommerce systems would opt for Linux because they would be able to build formidable security based around ultra-strong encryption.

Colin Ives, director of systems integration at Corporate Network Services, said the US government rules were unworkable for corporate business in the UK and had set the scene for network managers to bypass encryption rules.

"Governments always show that they have no insight about business needs. They may have the best experts, but they still don't understand," Ives said.

As a result, companies wanting to develop secure ebusiness systems will ignore the US government rules, or set up systems that work within the rules but have proprietary hardware and software twists to make systems secure, he said.

Access denied
These would make systems impregnable to attack and ironically make it impossible for police and government agents to gain access.

"By being so tough on encryption, which law enforcement agencies can access, the US government has forced companies to adopt networking techniques, which make it impossible for them to legally tap into," Ives said.

Companies looking for ebusiness systems to connect them to suppliers may opt for 'retail encryption' alongside some sort of certificate system.

"In other cases they might set up transactions with a supplier in advance so that financial information, like credit card numbers, does not have to be transferred electronically," Ives added.

On the consumer front, he sees many ecommerce problems being resolved if credit card companies are pressured into using smartcard technology to make their products more secure.

"So far the credit card companies have resisted attempts to make their products more secure, but as Internet fraud increases they will be forced to act," he said.

Whatever technique network managers select, it is clear that the US government will never make ecommerce much easier for them, he added.

The Clinton administration plans

• US companies will be permitted to export any retail encryption product around the world to commercial firms, individuals and other non-government end-users under a licence exception.
• Commercial encryption source code, encryption toolkits and components can now be exported under licence exception to businesses and non-government end- users for internal use and customisation, and for the development of new products.
• The regulations relax restrictions on publicly available encryption source code, including by posting on the Internet.
• US companies are permitted to export any encryption item to their foreign subsidiaries without a prior review.
• Foreign employees of US companies working in the United States no longer need an export licence to work on encryption.
• The guidelines remove controls on 64-bit mass-market products, 56-bit encryption items and 512-bit key management products.