From mech@eff.org Tue Jun 7 17:45:28 1994
Received: (from mech@localhost) by eff.org (8.6.9/8.6.6) id RAA17878 for mech; Tue, 7 Jun 1994 17:45:28 -0400
Date: Tue, 7 Jun 1994 17:45:28 -0400
From: Stanton McCandlish
Message-Id: <199406072145.RAA17878@eff.org>
To: mech@eff.org
Status: RO
Subject: An SPA report on availability of crypto overseas

From alt.privacy.clipper Sat Apr 2 21:07:49 1994
From: hoffman@seas.gwu.edu (Lance J. Hoffman)
Date: 31 Mar 1994 20:39:09 GMT
Newsgroups: alt.privacy.clipper
Subject: crypto articles in Software Publishers Association News

The following articles appeared in a special government affairs section on cryptography in the April 1994 issue of the Software Publishers Association (SPA) News. Note that their counts are low. Latest figures have 340 foreign hardware, software, and combination products for text, file, data, voice, and fax encryption from 22 countries other than the USA. Of these 340, 155 employ DES. Latest US figures show 423, of which 245 employ DES.

==============================================================================

SPA NEWS (March 1994, Vol. 11, No. 3)

GOVERNMENT AFFAIRS UPDATE

In This Issue: CRYPTOGRAPHY

------------------------------------------------------------------------------

The Software Publishers Association (SPA) is the principal trade association of the personal computer software industry. Since 1984, it has grown to over 1,000 members, representing the leading publishers in the business, consumer, and education software markets.

SPA News is a monthly publication of the Software Publishers Association produced entirely in-house. Readers are invited to submit questions and comments to Douglas Miller at the SPA, 1730 M Street, NW, Suite 700, Washington, DC 20036-4510, 202 452-1600 ext. 342, fax 202 223-8756. Articles from this supplement to SPA News may be reproduced if SPA News is credited.
TABLE OF CONTENTS

  SPA Study of Foreign Availability of Cryptography
  Legislative Outlook for Cryptography
  SPA Spearheads Efforts to Soften Controls on Encryption Software
  NIST Report Overview: Trends in technology and policy

------------------------------------------------------------------------------

SPA STUDY OF FOREIGN AVAILABILITY OF CRYPTOGRAPHY
by Lance Hoffman, George Washington University

The Bush and Clinton Administrations have asserted that export controls are not harming US firms by causing them to lose market shares because there are, effectively, no foreign products and programs available. SPA has countered this canard by developing a definitive assessment of just how widespread cryptography is in the world. Our research team focused exclusively on products providing text, file, and data communications encryption capabilities and on programs and products using DES or its equivalent, i.e., the precise products subject to export restrictions.

New Product Information

Information on new products continues to flow in daily:

* Information gathered to date indicates that 210 foreign hardware, software, and combination products are available for text, file, and data encryption from 21 foreign countries: Argentina, Australia, Belgium, Canada, Denmark, Finland, France, Germany, Hong Kong, India, Ireland, Israel, Japan, the Netherlands, New Zealand, Norway, Russia, South Africa, Sweden, Switzerland, and the United Kingdom.

* Of these 210 products, 129 employ DES.

* We have confirmed the availability of 61 foreign encryption software programs and kits that employ the DES algorithm. These are published by companies in Australia, Belgium, Denmark, Finland, France, Germany, Israel, the Netherlands, New Zealand, Russia, Sweden, and the United Kingdom. Some have distributors in other foreign countries and in the United States; one, a UK company, has distributors in 13 countries (Bahrain, Denmark, France, Greece, Ireland, Italy, Malta, the Netherlands, Norway, Singapore, Spain, Sweden, and Yugoslavia). One in Germany has distributors in 14 countries (Australia, Austria, Belgium, Canada, France, Italy, the Netherlands, Norway, Spain, Sweden, Switzerland, Turkey, UK, US). The programs are installed by the user inserting a floppy diskette; the kits enable encryption capabilities to be easily programmed into a variety of applications.

* Foreign customers increasingly recognize and are responding to the need to provide software-only encryption solutions. Although the foreign encryption market is still heavily weighted towards encryption hardware and hardware/software combinations, the market trend is towards software for reasons of cost, convenience, and space.

* On the domestic front, we have identified 288 products, of which 142 employ DES. Thus, 142 products are unable to be exported, except in very limited circumstances, to compete with the many available foreign products.

* In total, 498 cryptographic products have been identified to date that are developed or distributed by a total of 366 companies (211 foreign, 155 domestic) in at least 33 countries.

* Implementations of DES, RSA, and newer algorithms such as the International Data Encryption Algorithm (IDEA, an algorithm that has a key length more than twice that of DES), which is incorporated into the recently popularized Pretty Good Privacy (PGP) encryption software program, are available routinely on the Internet from sites all over the world.

The ineffectiveness of export controls is also evident in their inability to stop the spread of technology through piracy. The software industry has a multi-billion dollar worldwide problem with software piracy. Mass market software is easy to duplicate and easy to ship via modem, suitcase, laptop, etc. Accordingly, domestic software products with encryption are easily available for export -- through illegal but pervasive software piracy -- to anyone who desires them.

It cannot be any clearer: the existence of widespread and affordable cryptographic products overseas is an indisputable fact. Based on that fact, unilateral US export controls keep US firms from competing in the global marketplace. Foreign customers who need data security are forced to turn to foreign rather than US sources to secure that need. As a result, the US Government is succeeding only in crippling a vital American industry's exporting ability.

Following the first publication of our cryptographic database at the Computer System Security and Privacy Advisory Board meeting on June 2, 1993, the Administration requested a meeting with the SPA research team to review their approach and findings. This meeting was held on July 1, 1993, at the Department of Commerce and involved Government representatives from the Department of Commerce and NSA. We described both our technique for gathering and cataloging the information and the latest results as of that date. At the conclusion of the meeting, it appeared that the Administration representatives were satisfied that a valid survey process was being carried out. Later, informal conversation with someone who should know at NSA reinforced SPA's impression that there was little difference in the numbers of foreign cryptographic products known to NSA and to SPA.

SPA is continuing to collect additional information on cryptographic product availability and to periodically publish its results in this newsletter to help focus attention on this important and often ignored situation. We welcome any information you may have that might be of some help.
------------------------------------------------------------------------------

LEGISLATIVE OUTLOOK FOR CRYPTOGRAPHY
A VIEW FROM THE HILL
by Douglas Miller, SPA Government Affairs Representative

The effort to liberalize export controls on mass market software with encryption capabilities is picking up steam on Capitol Hill. The Clinton Administration's announcement on February 4 that it will be proceeding with the Key Escrow System and will not be liberalizing the export controls on software with encryption has given renewed ardor to industry efforts. Ultimately, the activity will center on broad legislation to rewrite the Export Administration Act, which is due for reauthorization in June. A measure has been introduced by Reps. Roth (R-WI) and Oberstar (D-MN), and an overdue administration bill is expected soon.

The Introduction of a New Bill

A new bill introduced by Maria Cantwell (D-WA), H.R. 3627, would amend the Export Administration Act to essentially fulfill our wish list for exporting software with encryption. This legislation will likely be attached to a broader bill. Sen. Patty Murray (D-WA) will be introducing companion legislation in the Senate. Fundamentally, the new Cantwell bill does three things:

First: Authority

The bill gives the Commerce Department authority over the export of mass market software with encryption, with the exception of products expressly designed for military use or for cracking codes.

Second: License Restrictions

No validated license may be required for the export of mass market or public domain software, or the hardware that may incorporate such software. Naturally, controls will continue for terrorist countries or embargoed countries like North Korea and Cuba, for which export is proscribed by the Trading with the Enemy Act.
Third: Software Exportation

The Commerce Department will have to grant validated licenses for the export of software to commercial users in countries to which the export of such software is already approved for use by foreign financial institutions. Again, exports with either the military or terrorists as likely end-users are expressly prohibited.

Put simply, the bill allows exports of software with encryption to a degree that reflects a reality clarified by the SPA foreign availability study, but also seeks to keep software out of the hands of international bad guys.

Export Control Hearings

Rep. Sam Gejdenson, who chairs the House Economic Policy, Trade, and Environment Subcommittee, has held a series of hearings on export control issues with a view toward crafting legislation to rewrite the EAA. He was enthusiastic about the presentation made by SPA member Steve Walker of Trusted Information Systems at the hearing on October 12 (call or write the SPA to obtain a copy). Walker presented the results of the SPA study, and demonstrated how easy it is to use the widely available foreign cryptographic products.

Congress needs to know how important this legislation is to you. Please contact your member of Congress as soon as possible and urge him or her to support H.R. 3627. Call Doug Miller at (202) 452-1600 ext. 342 if you have any questions or concerns.

Other Legislation

The Clinton Administration maintains that no legislation will be necessary to implement its key escrow scheme. At present, there is no legislation to oppose it, either. However, a few small legislative initiatives may impact on the cryptography debate. The Administration has developed an alternative to Title VI of S.4, the competitiveness legislation. Title VI contains the companion legislation to H.R. 1757, the information infrastructure legislation.
It contains one alarming provision that would have support and research and development of advanced security technology conducted through the National Security Agency. Such language contravenes the Computer Security Act of 1987, which places NIST in charge of R&D for unclassified communications. SPA is now actively working to counter this effort to put the fox in charge of the henhouse.

------------------------------------------------------------------------------

SPA SPEARHEADS EFFORTS TO SOFTEN CONTROLS ON ENCRYPTION SOFTWARE
by Ken Wasch, SPA Executive Director

For nearly three years, the Software Publishers Association has spearheaded the effort to liberalize the export controls on mass market software with encryption. Our membership of over 1000 of the leading software publishers in the business, consumer, and education markets includes many companies who publish software with encryption that would be competitive with any similar product in the world -- except that the US government will not permit the export of such products.

There are growing markets for encryption, because companies want to be able to protect corporate communications and data against unauthorized access. Access to such markets is important to the software industry, which makes over 40% of its revenues from exports.

Exports of mass market programs with encryption capabilities are not treated as a commercial matter within the Department of Commerce. Rather, they must be cleared with the State Department's Office of Defense Trade Controls, which despite presidential directives to the contrary continues to review the encryption software as a "munitions" item, like a bomb or bullet. Because most industrialized countries follow COCOM guidelines and treat software with encryption as a dual-use item with both military and commercial applications, companies from these countries are winning market share of a growing industry from which US firms are excluded.
The SPA Agreement

In July, 1992, SPA reached an agreement with the Bush administration to allow for the expedited review of software using one of two algorithms developed by RSA Data Security, Inc. (RSA). The algorithms, RC2 and RC4, are significantly stronger than those previously allowed for export, but are limited to a 40-bit key length. They are weaker than the DES-strength programs that can be marketed in the US and that are available overseas from foreign competitors.

The SPA Study

The SPA agreement was an important first step, but it is still the case that foreign competitors are able to export stronger encryption, which makes products with a 40-bit key simply non-competitive. But the administration was not receptive to our contention that there is widespread availability in foreign markets of strong encryption. During the summer of 1993, SPA set out to demonstrate incontrovertibly that there are many easily available products in foreign markets that are stronger than what US firms are able to export.

The Clipper Chip

As America moves toward the development of an "electronic information superhighway," our increased reliance on electronic information generates a need for data security and privacy. But the right of individuals and corporations to privacy conflicts with the need for law enforcement to intercept the communications of criminals. On April 16, 1993, the Clinton Administration made the surprise announcement that it was making a hardware product called the Clipper chip, or key escrow device, a government standard for encryption. The key escrow device is designed primarily to encrypt nonclassified voice communications, but the technology can be applied to data transmissions as well. The underlying algorithm for the device has been dubbed "Skipjack" by the National Security Agency, which developed the device in secret.
The key escrow system is a paradigm shift in cryptography, employing a split key for decrypting messages held in escrow by two government agencies, NIST and a yet-to-be-determined arm of the Treasury Department. Law enforcement would thus have the technical means to execute wiretaps, but only after they have obtained the legal means with a court order.

SPA honors the need for law enforcement to be able to execute authorized wiretaps. But there are serious problems with the key escrow proposal that SPA is addressing along with a broad coalition of high tech companies and associations, the Digital Privacy and Security Working Group.

First, the system must be voluntary, but it is hard to imagine that criminals or terrorists would use encryption to which the US Government holds the keys.

Second, the system will not be marketable overseas because no foreign entity will use a product to which the US government holds the keys.

Third, it is a hardware solution, and less likely to encounter wide use at a time when people are turning to encryption with software because it is cheaper and easier to use.

Finally, the device was the product of a secret process, and the national cryptography policy review that was announced with the system is in fact an interagency review. The technology has progressed beyond the purview of government, and the full range of companies, public interest groups, and other users must have input to a cryptography policy process that must strike a complex balance of conflicting societal values.

------------------------------------------------------------------------------

NIST REPORT OVERVIEW: TRENDS IN TECHNOLOGY AND POLICY

During the past five years, encryption technology has become easily available to individuals and businesses, affording a level of security formerly available to only military, national security, and law enforcement agencies.
As a result, a debate within the US about the proper balance between national security and personal freedom has begun. Law enforcement and national security agencies would like to maintain tight control over civilian encryption technologies, while industry and individual and privacy rights advocates fight to expand their ability to distribute and use cryptographic products as they please.

A report completed by Lance Hoffman of George Washington University for the National Institute of Standards and Technology analyzes trends in encryption technologies, markets, export controls, and legislation, and identifies five trends which will have a strong influence on cryptographic policy in the US.

1. The continued expansion of the Internet and the progressive miniaturization of cryptographic hardware combined with the increasing availability and use of strong cryptographic software means that the strongest encryption technologies will continue to become more easily obtainable.

2. Additional growth in networked and wireless communication will fuel a strong demand for encryption hardware and software both domestically and abroad, causing the US high-tech industry to be increasingly interested in selling encryption products overseas and in modifying current export restrictions.

3. Products using strong encryption algorithms, such as DES, will continue to face at least some export restrictions, despite the widespread availability of strong encryption products overseas.

4. The American public will become more concerned about its privacy and cryptographic policy as a result of increased online personal information, and wireless and networked communications. The development and increasingly widespread use of the National Information Infrastructure will heighten these concerns.

5. Encryption policy is becoming an important public policy issue that will engage the attention of all branches of government.
Congress will become more visible due to its power of agency oversight and its role in passing laws to accommodate the rapid rate of technological change in the US. Agencies will remain important because of their implementing and planning responsibilities.

==============================================================================

--
Professor Lance J. Hoffman
Department of Electrical Engineering and Computer Science
The George Washington University
Washington, D. C. 20052
(202) 994-4955   Fax: (202) 994-0227
hoffman@seas.gwu.edu
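The two-agency split-key arrangement the Wasch article describes (a device's unit key held as two components, one at NIST and one at Treasury, both needed before a court-ordered wiretap can decrypt) in runnable form. This is an added illustration and not part of the SPA newsletter or Hoffman's post. The XOR split, the SHA-256 counter-mode toy cipher, the 80-bit key length, the device serial and the sample message are assumptions made for this example; Skipjack itself and the Clipper chip's law-enforcement access field are not implemented.

```python
"""Illustration of two-agency split-key escrow.

A device's unit key is split into two components, one deposited with each
escrow agent; a wiretap needs both, and each agent releases its component
only against a court order. The XOR split and the toy cipher are assumptions
for this example, not a description of the Skipjack/Clipper internals."""
import hashlib
import os

KEY_BYTES = 10  # 80 bits: assumed unit-key length for this illustration


def deterministic_rng(seed: bytes):
    """Counter-mode SHA-256 byte source so a run can be reproduced exactly."""
    counter = 0

    def rng(n: int) -> bytes:
        nonlocal counter
        counter += 1
        return hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()[:n]

    return rng


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(unit_key: bytes, rng=os.urandom) -> tuple[bytes, bytes]:
    """Return two components whose XOR is unit_key.

    Component A is fresh random bytes, independent of the key, and
    component B = key XOR A is therefore also uniformly random on its own.
    Neither component alone carries any information about the key."""
    share_a = rng(len(unit_key))
    return share_a, xor_bytes(unit_key, share_a)


def recover_key(share_a: bytes, share_b: bytes) -> bytes:
    return xor_bytes(share_a, share_b)


class EscrowAgent:
    """One escrow holder (the article names NIST and an arm of Treasury)."""

    def __init__(self, name: str):
        self.name = name
        self._shares: dict[str, bytes] = {}

    def deposit(self, serial: str, share: bytes) -> None:
        self._shares[serial] = share

    def release(self, serial: str, court_order: bool) -> bytes:
        # The legal authorisation is modelled as one flag; the property shown
        # is that each agent refuses independently when it is absent.
        if not court_order:
            raise PermissionError(f"{self.name}: no court order for {serial}")
        return self._shares[serial]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream standing in for the device cipher (assumed).
    XOR-based, so the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[off:off + 32], ks))
    return bytes(out)


def escrowed_wiretap(serial, agent_a, agent_b, ciphertext, court_order):
    """Law-enforcement path: obtain both components, rebuild the key, decrypt."""
    key = recover_key(agent_a.release(serial, court_order),
                      agent_b.release(serial, court_order))
    return toy_encrypt(key, ciphertext)


def demo(rng=os.urandom) -> dict:
    unit_key = rng(KEY_BYTES)
    serial = "UNIT-0001"  # constructed device serial number
    share_a, share_b = split_key(unit_key, rng)
    nist, treasury = EscrowAgent("NIST"), EscrowAgent("Treasury")
    nist.deposit(serial, share_a)
    treasury.deposit(serial, share_b)

    plaintext = b"meet at noon"  # constructed sample message
    ciphertext = toy_encrypt(unit_key, plaintext)

    try:
        escrowed_wiretap(serial, nist, treasury, ciphertext, court_order=False)
        refused = False
    except PermissionError:
        refused = True

    return {
        "key_recovered": recover_key(share_a, share_b) == unit_key,
        "refused_without_order": refused,
        "wiretap_plaintext": escrowed_wiretap(serial, nist, treasury,
                                              ciphertext, court_order=True),
        # What either agent could do alone: its component is not the key.
        "one_share_decrypts": toy_encrypt(share_a, ciphertext) == plaintext,
        "other_share_decrypts": toy_encrypt(share_b, ciphertext) == plaintext,
    }


if __name__ == "__main__":
    print(demo(deterministic_rng(b"example")))
```

The point the article's three objections turn on is visible in `split_key`: the protection against one agency acting alone is purely that its component is independent of the key, so the scheme's strength rests entirely on the two custodians and the court-order check, not on the cipher.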