Deciphering cryptography policy

Issues in Science and Technology, Summer 1997 by Dam, Kenneth W, Lin, Herbert S

In "National Cryptography Policy for the Information Age" (Issues, Summer 1996), we argued that then-current federal efforts to control encryption technologies were damaging to information security. Based on the National Research Council (NRC) report Cryptography 's Role in Securing the Information Society (NAP, 1996), we said that the U.S. government should relax--not eliminate--export controls on encryption and that it should experiment with keyrecovery encryption rather than promoting it aggressively to the private sector at this time. We also emphasized the need to rely more on market forces in any new policy.

Since then, U.S. national cryptography policy has changed in a number of ways. The administration shifted export jurisdiction over cryptography from the State Department to the Commerce Department. It also temporarily relaxed controls over encryption products involving the Data Encryption Standard (DES), a 56-bit encryption algorithm, but it has clearly not abandoned its push for key-recovery encryption. Vendors can export DES products only if they submit a business plan promising to develop and market keyrecovery encryption products by January 1, 1999, after which date only key-recovery products will be approved for export. The administration has also floated a bill that includes other measures to promote the use of key recovery.

At the same time, several members of Congress have introduced bills that would further relax export controls on encryption and make the relaxation permanent. One of these bills, the Security and Freedom Through Encryption (SAFE) Act (H.R.695), has cleared the House Judiciary Committee and awaits action by the House International Relations Committee.

Although we applaud the administration's relaxation of export controls, the conditions for approval and the time limit are too restrictive. We still maintain that the administration should experiment with key recovery in its own systems to test its usefulness and allow the private sector to decide if key encryption meets its needs. The nation still lacks the experience to make sensible legislation that would govern or promote key recovery.