
Government restrictions on encryption pose obstacles for Internet security

May 18, 1998

by Ellen Messmer

Your global-minded organization has decided to use an IP encryption gateway or secure e-mail to protect traffic exchanged with subsidiaries and trading partners around the world.

This seems like a simple enough decision. By using the Internet, everyone will save money, and communications will be secure. However, the move will be anything but simple if you are the network manager charged with shipping the encryption products abroad and getting them installed.

That's because government agencies here and around the world often view strong encryption technology as a military weapon.

So before you ship that "virtual private network" with strong encryption abroad, you'll first need to get an encryption export license from the U.S. government. And quite possibly, you'll need to get an encryption permit to use the technology in other countries, such as France or Russia, which prohibit unregistered encryption use. Some countries, such as Saudi Arabia, simply ban encryption.

Just finding out what the cryptography ground rules are can be bewildering because many governments don't bother to spell them out. Why? Because the spy agencies and national defense organizations that set the guidelines want to have complete freedom when it comes to approving use of strong cryptography.

Even in the U.S., "what's written or published is only about 40 percent of what you need to know," said Ken Bass, a partner at Washington, D.C. law firm Venable, Baetjer, Howard & Civelletti.

In the U.S., you'll have to apply for your export license through the Department of Commerce. But behind the scenes, you'll also have to curry favor with the National Security Agency (NSA), the Federal Bureau of Investigation and the State Department.

About the only clear rule when it comes to shipping encryption technology is that you shouldn't even think of exporting anything to what the U.S. government considers to be pariah countries, such as Iraq, Cuba and Libya.

Otherwise, "from a regulatory standpoint, it's chaos," Bass said.

"But the NSA has determinative powers at [the] Commerce [Department] today," Bass said. Therefore, he makes regular trips to the NSA at Fort Meade, Maryland, to plead the case for his clients who want to ship equipment out of the country.

Under the known rules, financial institutions get special treatment to export strong 128-bit encryption technology. There is ardent debate in government circles about whether insurance companies should also get special treatment.

But even banks are restricted to encrypting only financial transactions and can't use their equipment for general-purpose communication, Bass said.

"In theory, you can get a special license for your trading partners, vendors or consultants," he added. "The most complicated [licenses] are for general-purpose public communications at 128-bit [Data Encryption Standard] levels. But [the feds are] not approving those."

Getting the necessary export licenses to use strong encryption with your trading partners isn't easy, said Roszel Thomsen, an attorney at Baltimore-based Thomsen & Burke LLP.

For a company to convince U.S. encryption-export bureaucrats to allow it to conduct secure communications with its trading partners, "you get into multiple applications and extensive justifications," Thomsen said. "You have to show a long-term relationship with the business partner and provide evidence, such as contracts."

If your trading partner happens to be based in another country, getting approval can be mission impossible. The expert lawyers in this field all say they just won't take cases that are hard to get approved.

"Of course, this makes the Commerce Department look good because they can say they approved a large percentage of export licenses," Thomsen added. But this view overlooks the licenses that companies neglected to apply for because the companies figured they had no chance of getting the licenses approved.

Encryption regulations greatly complicate electronic commerce at firms that take security seriously. One of Wall Street's largest investment firms now conducts some high-stakes global trading on the Net, but cryptography rules require that some of the firm's international trading partners only use 40-bit encryption in their browser-based digital certificates.

"We know [the encryption is] breakable, but we can't do anything about it except add another layer of security, dynamic password tokens, for authentication," said the Wall Street firm's director of global security services.

Although encryption export remains a combination of "law and lore," as Thomsen calls it, he tells his clients there are five basic ways to get a U.S. export license.

If a company decides to go the route of using NSA-approved key-recovery systems, the company can probably export whatever level of encryption technology it wants to use.

However, the Gauntlet firewall from Network Associates, Inc.'s Trusted Information Systems division, available with an option for encryption key recovery, may be the only product on the market that meets the NSA's criteria. And most customers just don't seem to want to buy key-recovery systems, which could allow governments around the world to eavesdrop on their data.

"Customers strongly want to be in control over their own systems," said Kelly Blough, Network Associates' director of government relations. "They want to determine how and when they can recover their encrypted data."

Global challenge

Figuring out U.S. encryption rules is tough, but figuring out other countries' rules can be nearly impossible.

Israel, France, Singapore and Hong Kong have restrictions on encryption import. And like the U.S., Europe is in the early stages of investigating how to set up key-recovery centers to hold digital certificates or encryption keys.

Cryptography used strictly for authenticating users' identities, such as digital signatures, is usually not subject to encryption export or domestic-use rules. But Germany and Malaysia appear to be among the few countries with rules pertaining to the provision of digital certificate services, according to Stewart Baker, an attorney here at international law firm Steptoe and Johnson LLP.

With the notable exception of France, most European countries don't make it hard for corporations to use encryption technology as they wish.

In France, where rules seem to be spelled out decently, users have to get encryption permits. Companies can also expect to have French authorities hold their encryption keys if they are not 40-bit, which is breakable, or if they are not based on key-recovery technology.

Corporations should be prepared to have their data intercepted and decrypted by French authorities, Baker said.

"Wiretapping has a long history of enthusiastic use in France," said Baker, claiming that French authorities pass on decrypted competitive secrets to local firms.

In areas of the world where few rules are written down, local government attempts to regulate encryption can get bizarre. "In Africa, I've had officials tell us if you bring in encryption equipment, they'll throw you in jail," said Baker, who next month will issue a book on encryption export called The Limits of Trust.

"The point is, you can't be sure if you're legal in a lot of areas," Baker added.


© 1998 Cable News Network, Inc.
A Time Warner Company
All Rights Reserved.

Terms under which this service is provided to you.
Read our privacy guidelines.