One of the most challenging aspects of this new, global Internet-based economy is maximizing your potential across geographical boundaries while working within the constraints of each country's laws and regulations. The complexities of encryption policies around the world illustrate this point best. The research projects we've done in the area of international encryption policy have given us the sense that we have horse-and-buggy government policies in an age of rocket-fueled economies. However, we are seeing trends that give us some hope.
Encryption Policies are relaxing
While this certainly is not occurring at a pace encryption advocates would prefer, we are seeing more "safe" countries with each report and have seen a few key events take place in 1999 that seem to point to less controls for crypto:
Advertisement: |
France: which has historically had one of the most draconian sets of encryption restrictions, significantly liberalized its policies this past March. The supply and use of crypto systems with up to 128-bit keys now require simple declaration as opposed to prior authorization.
Germany: In June, the German government issued "Cornerstones of German Encryption Policy," a document that clearly shows a shift in policy towards promoting strong crypto as a way to protect personal liberties. We believe this will be a growing trend and that law enforcement will begin to see that strong encryption prevents more crimes than it conceals.
The U.S.: Bernstein vs. Department of Justice ruling in May is being considered by many the beginning of the end of government encryption controls. Professor Bernstein won the case, stating that his First Amendment rights to free speech were violated when he could not post his strong crypto algorithms on his Web site as an instructional aid in support of his cryptography course. Pending legislation in Congress, like the SAFE Act, promises some relaxation of export policies, though it is hard to tell how relaxed it will be when it's finally enacted into law.
To be sure, the path towards free use of crypto is not direct - it is more like two steps forward, one step back. However, the pressure exerted by grassroots organizations and the industry appears to be turning the tide.
Most crypto friendly region in the world? Latin America While the U.S. and Europe tend to have dual-use restrictions (easy to import, hard to export), Latin America seems to be lacking laws restricting import, export or domestic usage of cryptography. Argentina is the sole nation in South America to have signed the Wassenaar Arrangement for crypto control. When you consider that developing nations appear to be proportionately higher adopters of Open Source and Linux technology, this region could have a very bright future.
The former Soviet bloc is a mixed bag
Russia and some of the breakaway Soviet states, such as Kazakhstan and Uzbekistan, have some of the most prohibitive laws. On the other hand, Lithuania and Latvia have no restrictions. Hungary and Slovenia have laws encouraging encryption as a means of encouraging personal privacy.
The Wassenaar Arrangement is an anomaly
Thirty-three nations, including the U.S., signed the Wassenaar Arrangement on Dec. 3, 1998, to set boundaries for international exports of encryption. The primary function of Wassenaar has been to control the export of munitions into terrorist nations; however, encryption technology is also covered by the agreement, due in large part to the efforts of the U.S. Some of the 33 countries that signed Wassenaar, including most European nations, are presently the major sources for the international distribution of cryptographic software.
Previously, generally available encryption software was exempt from export restrictions under the Wassenaar Arrangement. But the December changes impose greater restrictions on overseas developers whose products incorporate strong encryption. The agreement is purposefully vague about "public domain" and "mass market" exemptions, mentioning mail-order distribution as possibly being exempt but making no mention of Internet distribution. However, it is up to each member nation to enforce Wassenaar, and it appears that by the recent actions of Wassenaar signatory nations that things are moving in exactly the opposite direction. At this point in time, it is important to check frequently with the Wassenaar nations and track changes.
When in doubt
If export regulations are an issue for you, it is easier to bring a clean machine through customs and download the crypto software you need. PGP [Pretty Good Privacy], for example, is widely available outside of the U.S. at locations such as Replay. It is possible to generate key pairs, use the software, and then remove it before traveling. The software can then be downloaded and reinstalled. If crypto regulations are not changed soon, we will see this mode of operation automated, and technology will again make policy obsolete. We are starting to see install stubs and scripts in the Open Source software world. Rather than putting some export-controlled strong encryption code on a distribution medium, it can be replaced by an install script. When the software is installed, the script can perform an Internet download from a "legal" site and install the strong encryption code. Technology like this threatens to make export restrictions obsolete.
RELATED LINKS
Wassenaar Arrangement Web site
SecurityPortal Quick Reference Policy matrix
New French Encryption Policy Decrees
Congress targets exported encryption tech
Network World, 07/23/99
U.S. committees approve encryption, other bills
Network World, 06/24/99
The absurdity of putting limits on technology
Network World, 05/10/99
Busy days on the cryptography front
Network World, 02/01/99
Archive of Network World on Security newsletters
Network World Security Alert will keep you up to date on the latest security holes and patches, with daily updates from key vendors, security organizations and Network World reporters. See the latest dispatches from the security here.
