Clinton Administration Relaxes Encryption Restrictions

Online Newsletter, Oct, 1999

In the wake of recent court decisions overturning U.S. Government restrictions of encryption used over the Internet and other telecommunications uses, the Clinton Administration held a White House briefing on September 16, 1999, on the subject of encryption technology. Present at the briefing were Attorney General, Janet Reno; Secretary of Commerce, William Daley; Deputy Secretary of Defense, John Hamre; OMB Chief Counselor for Privacy, Peter Swire; and the President's Deputy Assistant for National Security Affairs, James Steinberg.

However, as the briefing unfolded, it revealed that the Clinton Administration has relaxed - but not quite back-pedaled on most of the outstanding objections on the use, export, or government control of encryption software. Much of its response to these objections was purely rhetoric. The final new regulations could be issued as late as December 15, 1999.

The U.S. Government will still maintain bans on selling encryption software to seven terrorist nations: Iran, Iraq, Libya, Syria, Sudan, North Korea, and Cuba.

Although, as the ACLU has said, "... the announcement is a step forward. The battle now is whether the ability to use encryption is a meaningful one. Without protections against illegal searches, this change will benefit industry and leave the average computer user out in the cold."

Substituting its new "Cyberspace Electronic Security Act of 1999" (CESA) proposal, the White House is still advocating basically the same kind of legislation via this new proposal, to enable the Justice Department and National Security Agency the means to counter any meaningful use of encryption that would be secure from government snooping or abuse.

ACLU promised to maintain that any law enforcement be required to obtain judicial review and permission to gain access to the encryption keys and passwords, and that the law protect individuals from law enforcement "fishing expeditions".

The ACLU is representing Ohio Law professor Peter Junger in an encryption case that is now before the Sixth Circuit Federal Court of Appeals.

The Electronic Frontier Foundation (EFF) also criticized the Clinton Administration's backing of CESA as a new "push" by the Department of Justice and the Defense Department for increased law enforcement and intelligence access to U.S. citizens's private, encrypted materials. EFF also noted that the proposed CESA did not address continuing major Constitutional problems on export controls or regulations that do not permit companies to publish their software on the Internet without getting government approval first.

The encryption issue has continued for the past several years as well as encountering numerous court cases along the way defeating government regulations and proposals (see "Meddling with the Internet: Encryption issue raises its ugly head again" "Online Newsletter's October 1997 p.1 and "Meddling with the Internet: Appeals court overturns encryption law" Online Newsletter's June 1999 p.1).

U.S. companies have been reluctant to develop two versions of their encryption software: one for domestic use, and another weaker version for foreign export. In the meantime, the booming Internet e-commerce field makes extensive use of credit card transactions and U.S. Government sanctioned 56-bit DES encryption standards, which are easily cracked by hackers, are a ludicrous failure when newer DES software is now available (see "Hi/fn offers insight into public key encryption" Online Newsletter's September 1999 p.7). Under the new CESA proposal, it would still restrict any encryption software over 64-bits, and even lesser-advanced encryption software would still be subject to government review.

Secretary of Commerce William Daley said during the White House briefing that "... the new regulations will permit any encryption product or software with a key length of 64 bits to be exported under a license exception to commercial firms and other non-government end-users in any country, except for the seven state supporters of terrorism. This means that exporters will be able to ship freely once Commerce has reviewed their products and classified them. We've decided that encryption exports we previously allowed only for a company's internal use can now be used for external purposes such as communications with other firms, supply chains and customers. This step will be very helpful in building electronic commerce."

Both businesses and consumers should be well advised there are two numbers in which they should absolutely use extra care sending over the Internet: their Social Security number -or- credit card numbers. Users sending these numbers over the Internet cannot not see that their transmission may go via as many as twelve or more servers and/or countries (transparent to the user), and many Web sites offering e-commerce products and services are not really "secure" in spite of the fact that many sites have made a "secure site" statement. ... If the Web site is actually secure the URL will begin with (or change to) "https" rather than the usual "http". Both Netscape and Internet Explorer browsers have the built-in capability to automatically invoke and/or download a secure encrypted transaction using SSL (Secure Sockets Layer), RSA, and other systems, but there are usually two versions of encryption software - one for export (40-bit) and one for domestic U.S. use (128-bit). Users can verify the level of security on the host secure Web site by using the browser's View/Document Info (Netscape) or File/Properties (Internet Explorer) feature and viewing the site certificate to be sure it is properly assigned to that Web site or organization. (The Netscape certificate display is more detailed and preferred.) Up to the present, these methods of encryption have made Internet e-commerce possible and relatively safe.