Install

Get the latest updates as we post them — right on your browser

. Last Updated: 07/27/2016

U.S. Relaxes Encryption Export Laws




WASHINGTON -- The administration of U.S. President Bill Clinton has lifted more of the licensing requirements on software products that are used to keep computer data and communications secure after industry complaints last fall that its efforts to rewrite the rules still placed American companies at a disadvantage.


Under the new rules, virtually any program sold on the retail market to encrypt data can be sold overseas after what the Commerce Department said last week would be a "one-time review" to give it an exemption from export license. But more important, for the first time the administration said it would allow the export, without licenses, of most types of "source code," the computer code used to create programs that encrypt data.


The only exceptions would be to nations on the State Department's terrorist list, including Cuba, Iran, Iraq, Libya and Sudan.


The action is another retreat by the National Security Agency and the FBI, which have long opposed the export of cutting-edge encryption products for fear they would be unable to break coded communications sent by foreign governments and terrorist groups.


But the technology has overwhelmed the government's ability to control many of these products, including some that can be downloaded free from Internet sites to protect individuals using online banking services or sending secure messages.


It has also been a politically sensitive issue for Vice President Al Gore, who found that the computer executives he had assiduously courted in Silicon Valley for seven years remained angry about the government's efforts to control encryption products. They flooded his office with complaints.


The new rules were cautiously applauded by industry groups, who argued that regulations issued by the administration in September were still cumbersome and put them at a disadvantage when competing with foreign companies, especially from Germany, that have no such restrictions.


"This should go a way toward satisfying them, but it is not a total end to controls," said Stewart Baker, formerly the general counsel of the National Security Agency, which monitors foreign communications from a huge network of satellites and antennas around the world.


Baker, now a lawyer in Washington who represents many companies in the encryption business, said that under the new rules, "the reality is that they can sell practically all the products they want," even if there are some paperwork requirements and licensing restrictions on custom-made software sold to foreign governments.


Some congressional leaders have vowed for years to pass legislation that would essentially eliminate the administration's oversight on the export of "strong-data" scrambling technology, the highest levels of protection. But that has run counter to a movement in Congress to tighten other export controls, especially to countries like China, and the result has been a stalemate.


Among those expressing modest enthusiasm for the new rules was Cisco Systems, one of the largest producers of "routers," which form the backbone of the Internet. Under the September rules, it was unclear whether companies could ship abroad, without license, programs that would encrypt data that ran from one large router to another.


Under the new rules, they can. Cisco's chief of government relations, Laura Ipsen, said, "the technology industry's goal is a simple, equitable encryption policy; these regulations work toward that goal."


The new regulations will allow U.S. companies to ship any retail encryption products around the world to commercial concerns, individuals and other nongovernment users after a one-time technical review by an interagency panel. Retail products, many of which are already widely used in the United States to protect everything from networks to individual e-mail programs, would be exempt from licensing requirements and could be sold to companies, individuals and foreign governments.


And while companies said they had won significant concessions from the administration over the last few months on what should and should not be classified as a retail product, they said much was riding on the final definitions.


But Washington retains a right to license specialty products made for other governments.


"We want to make sure there is a review for any sale, for example, to a ministry for state security," said William Reinsch, who heads the Commerce Department's bureau of export administration. He said that could include sales to companies that are partially owned by governments. That restriction has annoyed some American concerns because many governments hold stakes in telecommunications and other companies.


Alan Davidson, a lawyer with the Center for Democracy and Technology, an online civil liberties group in Washington, said the new regulations were "good news and bad news."


"The good news is that consumers all over the world are going to have access to much stronger encryption," Davidson said. "The bad news is that if you want to send encryption out of the country, you have to hire a lawyer to do it. These regulations are very complicated."