US Relaxes Crypto Regulations 69
Guru Meditation writes "CNN reports in an article that Clinton has decided to relax the export restrictions on crypto products, both hardware and software. " The Washington Post also has some good coverage of this. As part of the deal, the FBI will get funds to create a new "code cracker" unit. The Administration, however, did drop the proposal to require backdoor entrance for the government. The new regulations will allow selling to virtually any country, with a few exceptions for nations deemed a national security threat.
NOT a complete victory (Score:1)
Why there's no info on free software distribution (Score:4)
It would be good if someone could find an online copy of the actual Executive Order.
----
Probably a trade-off (Score:1)
Or maybe I'm just a bit cynical about our government *ever* giving an inch and letting US citizens have rights...
----
Re:Minor nitpick... (Score:2)
>mathematicians and computer scientists, and the clock cycles to help 'em?
Be afraid.
The FBI is chartered for domestic survailance. The NSA is not. This new unit is to spy on you.
----
Re:Worst case scenario (Part II) (Score:1)
Whether the NSA/FBI/... are now giving in because they have found a new trick is "interesting speculation", but not all that relevant in practice. Even if it is true, nothing changes for users of "exportable" encryption software when dealing with the NSA: the NSA was able to break such crypto before, and it still is. What's more, nothing much should change for users who distrust the NSA and use stronger crypto either: based on their distrust and assumption that the NSA already had a secret trick up their sleeves, they will (should) already have opted for stuff that is a lot harder to break anyway.
What is relevant in practice, is that one can now export (i.e. use) stronger crypto that (for the time being) only the likes of NSA, but not Joe Random Cracker, would be able to break.
Notice that I'm not saying "so what". All I'm saying is that the important thing is that it's a move in the right direction, whatever reason made it possible.
--
We can't relax (Score:1)
...phil
Re:Point of clarification...isn't it patents? (Score:1)
...phil
Right to keep and arm bears (Score:1)
Seriously, this has always been confusing to people. You have been able to import an encryption product into the US from country B, and then not export the exact same encryption product back to country B.
Re:Minor nitpick... (Score:4)
The FBI's charter however is:
The NSA's goal is to provide signal intelligence from foreign sources while the FBI's goal is uphold federal law and protect the US against foreign threats. They can be a consumer of information from the NSA if it relates to protecting us from foreign threats but not for residents breaking federal law.
If I'm forced to have an orginization trying to spy on my signals I'd rather have the FBI do it, they won't have near the resources of the NSA (the worlds leading employer of mathematicians). To reduce the chances of me being spyed on I avoid breaking any federal laws.
Not a victory at all! (Score:2)
Second, the text of the bill indicates that software designed for end-users will be more readily approved. This indicates a bias against products that will protect whole networks and provide a secure infrastructure; insuring that secure communications will remain the exception rather than the default.
Third, the timing of this decree is obviously designed to kill the SAFE bill. The SAFE bill not only goes further in liberating crypto exports, but also carries the force of law. Repealing a law is a large affair, requiring a vote of congress and thus allowing the public time to lobby, cuss and complain. This decree does not dismantle the export regs, and they can be tightened to previous standards with a stroke of a pen and no opportunity for public comment.
Do not let this kill SAFE! Lobby your congresscritter!
The stated reasons for doing this... (Score:3)
"Serving the national security interest" and "protecting law enforcement capabilities" were apparently not the reasons for restricting export in the first place. We have always been at war with Eurasia.
--
What's the real deal? (Score:1)
Will they rise the bar by a couple bits or do we get to 128? Any restrictions on the kinds of software?
Also, how does this go with the Wassenaar contract? Is it that now that Wassenaar went through, US can happily rely on other countries living with no exporting due to the contract. So, in essence, does this mean the White House is saying the contract doesn't apply to US anymore? Looking at the past where everyone else could export and US companies couldn't, the situation has now been completely reversed. Smart tactics from the US government.
The reason? (Score:1)
So, it's all just marketting tactics done by politicians. Money talks.
3rd party key repositories (Score:1)
Someone's really given thought on this one and still fails to understand that the misusers haven't and still won't do anything by the regulations nor tell of the use to third parties. The repositories will probably end up with a ton of keys from people who never have anything to say that'd require cryptography in the first place.
else if(SAFE && Internet Tax) (Score:1)
Warning !!! IANAL
We seem to have a congress with two bridges to burn... How to tax the internet, and how secure can we allow the Internet to be. The real question for congress (if the realize it or not) is not how to tax the internet, but how to justify taxing the internet. Perhaps a combo bill would be powerful enough to ram right through lobby roadblocks.
Some key points of such a bill.
* No review or restriction of any crypto (up to X number of bits encryption.) Complete restriction after X.
* Online transactions (when the consumer is physically located in the US) must be made by credit or debit card. Credit card/Debit card companies/banks will be responsible for extracting N% federal sales tax.
Now congress can justify why American citizens should pay an internet tax. N-Y% (Y will likely go to kissing somones butt to make this thing pass.) of the internet tax can be spent on propping up agencies like the NSA an FBI so they can effectively brute force X level encription upon court order.
This should work if you choose the correct numbers for N, X and Y.
Whatever you push to the congress critters, remember keep it fair and simple.
Point of clarification (Score:3)
Is it OK for a US citizen to *import* strong encryption?
If the US laws state ony that crypto shouldn't be exported, then the law is becoming a bit of a non-issue. There arc plenty of good encryption algorithms and sopftware coming from outside the US, from places like Israel, etc.
Perhaps this change of heart is to prevent other countries adopting draconian export licenses which would hinder US software houses. Of course, export laws will never hinder covert organisations who will use the best available crypto code regardless of laws
Chris Wareham
Why does the FBI care? (Score:2)
The US government does not prohibit US citizens from using cryptography, no matter how strong, as far as I know. PGP and so on are just fine for US citizens to use. The government just doesn't allow their export.
So, the crypto regulations that the US has are, in theory, supposed to prevent foreign interests from getting strong crypto. The regulations don't work, of course, but that's the motivation for them.
The FBI is a domestic law-enforcement agency. Practically everybody it's supposed to be watching is already allowed to use crypto. The people who would benefit from the export regs (if they actually did anything) would be the CIA and the NSA, which monitor international communication.
So, why is the FBI in a position to receive concessions when the export regs are relaxed? They shouldn't be in a position to benefit from the regulations in the first place!
Minor nitpick Re:Minor nitpick... (Score:3)
The NSA doesn't officially have a charter. Or at least, if it does, you, I, and everyone else are not allowed to see it. The desription on the web page is filtered through some rose-colored glasses. NSA does not, and is not legeally required to, stick solely to foreign SIGINT. They tend to, because otherwise they piss off other US spy agencies, but they will do, and have done, whatever they feel is necessary, including domestic snooping on many occasions.
In general, though, your conclusions are sensible. The FBI is not nearly as competent, so I'd much rather have them trying to decode my bomb plans, or laundry list, or whatever. :-)
----
We all take pink lemonade for granted.
Re:A few countries deemed .... (Score:1)
Few = 7
Countries = Iran, Iraq, Libya, Syria,Sudan, North Korea and Cuba.
Janet Reno is not your friend (Score:1)
"The court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of the technique used by the governmental entity," Section 2716 of the proposed Cyberspace Electronic Security Act says.
This would mean that the feds could introduce evidence at a trial and not disclose how they obtained it. I think that is a very bad idea. What would prevent them from fabricating "incriminating evidence" and saying "we can't tell you where it came from, trust us". We already have the use of anonymous tips from non-existent sources as a basis for obtaining search warrants.
Re:Is this a bone? (Score:1)
Re:Decrypt this one, big brother. (Score:1)
o yjoml oy jsd dp,yomh yp fp eoyj no;; v;omypmd jrsf nromh dvts,n;rf
Hey! They're only giving Janet $80 million -- you've just wasted about $3 million of it, so she's only got $77 million left for other codes!
And you misspelled dp,ryjom -- but that'll probably make it harder for her to decipher. :-)
Re:Why use U.S crypto products? (Score:1)
U.S. citizens cannot contribute work to a cryptosystem that is distributed outside of the U.S. That is a good practical reason for objecting to crypto controls.
But besides that, crypto laws are an area where we clearly need to be concerned about our eroding rights. I don't think there's any doubt that Freeh and Reno would be just as glad to see the use of strong crypto outlawed. For them to head off a law that would have eliminated most export controls, simply by throwing a tiny concession to the computing industry, would be a significant strategic victory. That is why we should be concerned about the effect of this move.
no celebration yet (Score:2)
What we know so far:
Few details have been released. The only official words on the subject seem to be yesterday's White House briefing, which is more like press release cheerleading than hard policy. The briefing was conducted by:
Reinsch's role in the briefing was mainly to answer procedural questions about Wassenaar and technical review. Swire spoke very briefly in support of the upcoming Cyberspace Electronic Security Act, and talked about how key escrow will make all our lives better.
That leaves Steinberg, Reno and Hamre -- noted opponents of private crypto, all three -- to express their support for the Administration's decision to relax export controls.
I smell a rat.
As others have noticed, the closest thing to a firm commitment that has been made is that a "license exception" can be made for products that pass a "one-time technical review." The details of the technical review are not forthcoming: Secretary Daley says, "That will be developed over the next number of weeks." Nor do we know under what circumstances a license exception will be granted. This has all the earmarks of being all talk and no action.
Maybe this is the most telling part of the briefing:
I am not getting my hopes up. The right thing for us to do is to contact our Congresscritters and make sure they understand that it is still important to pass SAFE -- maybe more than ever.
Re:Not a substantial change (Score:1)
Also, this has relaxed the rules enough for big business to sell their stuff *reasonably* easy.
Thus, there's a lot less incentive for big business to continue lobbying for total freedom.
Now that big business is happy, what's the chance of this trend continuing any further?
A few countries deemed .... (Score:1)
Define national security threat...
I don't believe this relaxation. You either restrict it, or you don't.
How do I contact my representative??? (Score:3)
Slightly offtopic to the article, but relevant:
One of the great things about electronic communication is that it gives the common man instant lobbying power.
One of the greatest things Slashdot:YRO could do is to post a tool, or a permanent link to a tool, that lets you quickly and easily determine who represents you. I have occasionally seen posts with links to sites like Project Vote Smart [vote-smart.org] that provide this ability. More frequently I have seen posts where people have formatted excellent letters to send to your congressional representatives that address various issues (UCITA, Microsoft trial, etc.), but I still have to do a lot of rooting around to find out who my current representatives are.
This process could all be streamlined right here on YRO, if there was some kind of simple tool (enter your ZIP, up pop the email addresses of everyone who represents you).
There are a lot of intelligent opinions on Slashdot. We need to make them visible in the political arena.
Wow, these guys work fast... (Score:1)
I just wish I had joined FIN so I could claim to be part of the group that made it happen [or at least claim to have made it happen].
Can't wait until FIN finds a way to protect me from the internet boogey man.
Big fscking deal (Score:3)
Microsoft will find it far easier to export W2K (which includes e&e Kerberos)
My company *might* be able get an export license for a Kerberized Linux distribution. Or it might not, since my company is still at the "one person in the garage" stage. Red Hat wouldn't have this problem, but if the export license prohibited export of source code they're still dead in the water due to the GPL.
Debian wouldn't have a snowball's chance in Redmond of being able to carry my (US) Kerberos packages on their pages.
To me, this proposal is proof that "social engineering" isn't limited to crackers. This proposal will get industry lobbyists off the administration's back, and it gives them the perceived moral high ground on the Sunday morning talk shows. ("We've removed all but token obstacles to American businesses competing in the world market. Only drug running child pornography terrorists will be impacted, and We Don't Want To Help THEM, Do We?!")
WE know that it also hurts us, but we also know that we're all a bunch of pinko communists. Just look at the "exposes" that appear on a regular basis.
Finally, as others have pointed out Executive Orders can be rescended, often with no basis in reality. E.g., I'm still showing my passport to board domestic flights because TERRORISTS BLEW UP TWA 800. That theory has been discredited for years, but the EO that grew from it is still in effect. I would not be surprised if this EO blocked passage of SAFE, then in 6 months some crisis is manufactured which justifies slamming the door again. Naturally products with licenses (e.g., W2K) will be grandfathered.
How does this effect free software? (Score:2)
I understand that is means companies like AOL, NA and co. can now get one license to export crypto products that would cover all shipments of the product, but it doesn't say anywhere that the regime will actually grant that license, or anything about the terms required. And while a company might be able to negoiate the terms with the american regime, that is completely out of the question for an open source effort, right? (I mean, they would still need to have it re-evaluated with every version).
What about the proffessor who posted his crypto routines on his webpage? As I understand the new law, he might actually be able to do it, but only after applying for a license and being granted one. Wow, that is sooo much better.
It seems to me that this is a bit out of touch with reality. It makes it clear how to export shrink wrapped crypto software, but how many of you bought your crypto software in a shrinkwrap anyways? The real issue is online, I couldn't care less if I will now start seeing american crypto products in stores here.
Good for Microsoft though... (they can dump the whole key thing and include the crypto modules in NTs installation now - just in time when the PR damage has been done, how sweet
-
Fall Out (Score:1)
Re:Janet Reno is not your friend (Score:2)
Yeah, Right.... (Score:1)
Not a substantial change (Score:3)
What this bill does not cover includes sales to any foreign government, military, or ISP. Those will still require a case-by-case review. Only products that meet the requirements for law-enforcement intercept will get this one time approval, so key-escrow and door-bell systems will quickly get the green light, others will have to slog through a years long process. They will still criminalize exports to "terrorist" countries, such as Cuba, but allow it to friendly nations like Columbia.
Nobody gets to see the wording of this new policy until December, so it is hard to tell why Hamre and Reno are smiling at this announcement. I have a feeling there is nothing new here except a minor improvement for big companies in return for a drop-in-the-bucket US$80million for a dedicated cryptanalysis team for the FBI. Its just a PR move.
For another slightly pessimistic view, go read this San Jose Merc article [sjmercury.com]. Given the track record of the administration, I really don't think they've suddenly given up the fight and want strong crypto everywhere.
the AC
"The only person who'd be safe if the SAFE bill we (Score:1)
WTF?
Isn't that like saying, "If gun ownership is legal, only criminals will use guns"? What a bunch of crap...
If the SAFE bill were to pass, the citizens would be another step closer to running the country, not the bloated, increasingly self-centered government. OK, I hope I'm not quite as paranoid as I sound, but it does appear the government doesn't care about the citizens any more, but rather focuses on giving itself more power.
Re:Reality? (Score:1)
All they have said is that they will audit a product once instead of for every sale..
It really isn't that much of a win for encryptation, for they can deny anything they want to be exported still.
For instance, they can say that only only 56bit keys will be allowed, or only programs with backdoors, or whatever they darn well please. I'm still holding out for some REAL openness for encryptation.
Re:Decrypt this one, big brother. (Score:1)
Re:BXA has updated its encryption page (Score:1)
Howard Owen hbo@egbok.com Everything's Gonna Be OK Consulting
BXA has updated its encryption page (Score:2)
The Bureau of Export Administration (BXA) has updated its encryption web site [doc.gov] to include information on the new policy. In the question and answer page [doc.gov] appears the following :
8. Is source code allowed to be exported under a license exception or does this policy only authorize the export of encryption object code?
Source code will continue to be reviewed under a case-by-case basis. This update will allow the global export of object code encryption software under a license exception.
This confirms the fears of many posing here that OSS crypto is NOT covered under the new policy.
They also had an item this morning that seemed to imply that they were still hoping for some sort of key escrow for law enforcement, but it has since been pulled.
It should be interesting to see how contined restrictions on the export of crypto source code are rationalized. The stated reason source (and object) code was treated differently from printed matter in the past was that such code represented an encryption "device". Clearly this continued restriction on source code export is designed to hobble freely available packages such as SSH, PGP and GnuPG. Why? So that export of crypto can be confined to business entities that can be pressured to play ball with the Government. Paranoid rant? I don't think so.
Howard Owen hbo@egbok.com Everything's Gonna Be OK Consulting
Paranoid like me? (Score:2)
1) NSA can factor prime numbers?
2) NSA/FBI finally gave in after the finalists for AES (successor to DES which they can brute-force) were announced since they can crack them all (and PGP, and RSA, and elliptic curve)?
3) The U.S. military has become so heavily dependent on TCP/IP that they need a secure infrastructure throughout the Internet.
4) NSA has developed effective nano-mites which effectively render all encryption obsolete via a physical side-channel attack?
5) Intel's microprocessor dominance is now assured. And the NSA has inserted a microcode hook (can you say, "mask technician?") in all Intel processors (cf Ken Thompson [acm.org], "A well installed microcode bug will be almost impossible to detect.")
Reply with your speculative other options. Remember "only the paranoid survive."
--LinuxParanoid
Re:Can you say e-commerce (Score:1)
Read it, and go "ah-ha"!
Re:The reason? (Score:2)
First of all, I am not sure the Wassenaar agreement has anything to do with crypto. I thought it was more about intellectual property (but I may be wrong).
Second, don't forget that some extremely good crypto has been issued from Europe and the rest of the world. For instance, IDEA (which is used by PGP) came from Switzerland. Another crypto proposal, which is currently under review as one of the possible US federal standard, issued from a group of researcher in the Netherlands. Some scandinavian firms, such as DataFellows which is from Finland (I think) already produce some pretty good crypto software, based on Blowfish and IDEA.
There is a lot of money to be made, that's for sure. Which is certainly one of the reasons for this display of crypto love. But I don't think it's the only one.
Then again, what do I know? =)
Worst case scenario (Part II) (Score:3)
Here is a quote that I like (from the Washington Post):
Pressed to explain the turnabout, Reno and Hamre said their concerns were assuaged by the administration's pending introduction of legislation called the Cyberspace Electronic Security Act of 1999, which would give the FBI $80 million over the next four years to establish the new code-cracking unit.
That's really interesting. Up until now, the NSA was not allowed by the law to conduct SIGINT (code-cracking) operations against US citizens. Now, this new law gives the FBI a spanking, brand new unit, specialised in... tada! code-cracking! I think this little outfit will be more like a joint-venture between NSA and FBI. It happened before -- but now it's going to be legit.
Think about it for a second: who is the ultimate authority in code-cracking? NSA. Who has been playing the little game of crypto for the past 20+ years? NSA. Who has the brain- and CPU power to do some serious code-cracking? NSA. I can't believe, for more than 10 seconds, that this agency is going to just stand there and let the FBI have it its own way, especially since these people have been very cosy for a number of years now. Expect some interesting stories to surface in the near-future... I really expect the NSA to start spying on US citizens. Maybe not on a scale on a par with the "Echelon" project, but certainly a lot more often than what was the case previously.
Another important question is: WHY NOW? Why accept a law these people have been fighting tooth and nail for the past 5 years?
Is it because there really isn't any choice and crypto's Pandora box is open? It's possible. The rest of the world has been doing a great job creating strong crypto, despite (or because of) the silly US ban on export.
Is it because NSA scientists would like to get fat stock options from new Silicon Valley start-ups? That's possible too. Some of these people are incredibly smart, and it must hurt to see so many bad code out there, while they are the cream of the crop, but can't talk because of the security involved. Expect plenty of little, unknown crypto companies to appear overnight if that's the case.
Is it because the NSA has found a new way to factor prime number? That could also be the case... Imagine 2048 bits crypto cracked in 15 seconds flat and 4096 bits in half an hour, due to to some ultra-secret mathematical breakthrough. Why keep on playing the export control game? Just let crypto go free. NSA can read your e-mail anyway. Oh, and your SSL transactions as well. Of course, it's not going to publicize that fact.
Yeah, I know. I *am* getting paranoid... =)
But you have to admit this last scenario makes sense, all of a sudden. It certainly explain the change of heart of this ultra-secretive organization. And the fact that it makes Al "I invented the Internet" Gore looks good doesn't hurt, either.
Just my $0.02...
Minor nitpick... (Score:1)
Re:We can't relax (Score:2)
* The legislation hasn't been introduced yet; wait 'til December to see if there's a change of heart.
* The backing for it appears to be tied towards some not-yet-introduced "Cyberspace Electronic Security Act of 1999", which includes the FBI code-cracker funding. I'd be curious to see what other provisions are intended.
* Companies still need to get a (one-time) certification for export, so you're still not home-free.
* They still oppose the "Security and Freedom through Encryption Act", on the odd grounds that the only people who would be safe "would be spies"...
What gummint gives, gummint takes away (Score:1)
I see no lasting good news here!
Media is Cryptic (pun not intended) (Score:1)
I think we need someone to read the regulation and report how it affects free software and open source software.
If I write a crypto program I don't intend on selling it. How weak must it be to export? Is the approval free?
It's an act of good for netscape, i suppose.
Atleast it's a start. :)
Re:NOT a complete victory (Score:1)
The question is, did the Government actually have to get Micro$lop to weaken their security for NT in the first place? :)
Why use U.S crypto products? (Score:1)
People outside of the U.S should use non-U.S strong cryptography, it's freely available (and generally free - PGP International and GNUPG are two examples) and at least as strong as the U.S variants.
The only people who should ever have been inconvenienced by the export regulations are U.S-based crypto sellers. U.S and non-U.S citizens have access to strong crypto anyway.
Does anyone really believe that a halfway intelligent criminal would not have downloaded PGP by now?
Yesterday (Score:1)
When I was in Japan a few years ago, I ordered a cheesy reseller system(because they would mail it to me and they financed over the phone). They would not send me MS office 97 Home Edition because of the encryption in MONEY! The stupid thing is, I could go buy an American version(the one the wouldn't send me) from various places throughout Asia, and not only from pirate shops.
With the advent of incredibly secure encryption schemes that are so easy to download(PGP, et al.), American export laws are silly at best.
Re:What's the real deal? (Score:3)
http://www.epic.org/crypto/legislation/cesa/ [epic.org]
It appears that 64 bit encryption will be allowed, and 128 `may be' allowed if it is designed for `end users' and does not require very much tech support, and is not being exported to the 7 `terrorist' countries.
I also read in a transcipt of a White House briefing that Wassenaar will be modified to reflect this somehow, but it was somewhat vague...
Something else interesting is this so called 3rd party key repository which people can optionaly deposit thier private keys for `backup' purposes. The Government of course can get access to any key this 3rd party has after getting proper `judicial authorization'. I am sure we will see alot of Government BS to try and convince people to deposit thier keys...
--He who gives up liberty for security ends up with neither. --Benjamin Franklin
Re:Point of clarification...isn't it patents? (Score:1)
Close, but not quite.
The patent on the RSA algorithm runs out precisely one year from today -- Sept 17, 2000.
366 days and counting...
Of Course, Microsoft is unaffected by the move... (Score:1)
Re:Decrypt this one, big brother. (Score:1)
Decrypt this one, big brother. (Score:2)
fine print of new US crypto export regs (Score:1)