title: Privacy- & security-enhancing technology

Privacy- & security-enhancing technology

by Scott Bradner

The Clinton administration's newly revised policies on the export of encryption technologies looks amazingly good. But there are more than a few details to be revealed which may still change the picture somewhat.

For many years the Clinton administration seemed to be operating in a fantasy land. A land where the only smart people lived in the U.S. and no one outside the U.S. knew enough to develop good encryption technologies. A fantasy land where the bad guys would be too stupid to use readily available secure encryption software and instead use administration approved software that saved a copy of the encryption key for the government's use. For some reason the administration has suddenly decided to move from fantasyland to todayland. (To overuse a Disneyland theme.)

In a September 17th press conference that included describing encryption as "a privacy- and security-enhancing technology" the Clinton administration announced that it was removing almost all U.S. export controls on encryption technologies. You still will not be able to sell any encryption technology to anyone in countries that the U.S. has labeled as supporters of terrorism, nor will you be able to sell custom encryption software or hardware to foreign governments or military establishments without specific approval. You will be able to sell retail products to foreign governments and military establishments and, other than the above restrictions, custom encryption products to anyone. But you will need a "meaningful technical review" (in the words of the Defense Department representative at the press conference) before you can sell any encryption products overseas and you will need to provide the U.S. government with a list of your customers.

This is a refreshing change in attitude on the part of the administration. Finally they were able to understand that good encryption is a necessity for good security. As the DoD representative said "we (the Defense Department) strongly need the sorts of protections that come with strong encryption."

This new policy is one part of a three part proposal. The other parts are additional funding for a FBI-based Technical Support Center to help law enforcement agencies "respond to increasing use of encryption by criminals" and new laws that will protect any encryption-related techniques law enforcement uses from discovery if a case comes to trial.

But it is too early to fully rejoice. The details about what the technical review will consist of, how long it will take and what the government wants to do with your customer lists are yet to be announced. These details are due by December 15th.

I do not know what caused reality to seep into the thought process, a skeptic might guess a need to help Gore in the high-tech community. But whatever the reason it looks like we may just be getting a Christmas present that will help make the Internet and our privacy a lot safer in the next century.

disclaimer: For Harvard centuries come and go with many exigencies of the moment along the way and the above is my view of this one.