It's up to Congress or the courts to ease export of U.S. encryption technology, since new Clinton administration regulations have fallen short, according to groups representing the computer industry and privacy rights activists.
"We're not very happy about it, and we are looking for a Congressional solution at this point," says Kim Willard, public affairs specialist for the Business Software Alliance (BSA). "Our major concerns are ... this is still basically mandating key escrow and is not providing a voluntary, market-driven practice."
The interim-final U.S. government encryption regulations, which took effect on December 30, have not changed much since a draft released earlier in the month, Willard says. The regulations enable vendors to export encryption products with 56-bit keys, stronger than the previous 40-bit key maximum.
But in order to do so, vendors have two years to develop key recovery products - products for which a government-approved third party would hold a key able to decrypt data and communications - according a U.S. Commerce Department official.
The BSA holds that those and other restrictions make it hard for companies to export 56-bit encryption products, pushing them into adopting key escrow systems that are not likely to be popular with customers.
The U.S. government, however, views the regulations as striking a balance between industry and law enforcement needs, an official says.
"There's no controls on domestic use, there's no import controls," says William Reinsch, undersecretary of commerce for the Bureau of Export Controls. "I don't see what's mandatory about this. We were trying to give the market a little push in the key recovery direction, and I think it's going in that direction anyway."
The BSA will look to Congressional action in the new year to try to ease export regulations, Willard said. While several bills failed to make it through the legislature this year, Rep. Bob Goodlatte (R-Va.) has said that he will reintroduce legislation in the next Congress.
Meanwhile, the Electronic Frontier Foundation (EFF) plans to continue its court attack on the regulations, building on a Dec 6 California judge's ruling that the earlier U.S. encryption regulations were unconstitutional.
In that lawsuit, backed by the EFF, University of Illinois professor Daniel Bernstein claimed that the law was an unconstitutional restraint on free speech because it required citizens to get a license from the government to publish encryption information and software. While the new regulations are now handled by the Commerce Department, instead of the State Department, they are still unconstitutional for the same reason, says John Gilmore, co-founder of the EFF.
Bernstein's attorneys have asked the U.S. government to hold off enforcing the new regulations until the judge in the case gets a chance to review them. If they do not hear back or get a satisfactory answer by Jan 2, they plan to ask the judge for a temporary restraining order. They hope to have the matter settled before Jan 13, when Bernstein's class on encryption starts, so he can publish course materials on the Internet, Gilmore said.
The government is studying Bernstein's request, Reinsch says. A similar case in Washington D.C. earlier this year was decided in the government's favor, however, and that case has been appealed, he said.
"Litigation will continue and this will get sorted out," Reinsch says. "I wouldn't be surprised if it ends up in the Supreme Court at some point, and then we'll have to see."
Sari Kalin is a Boston-based correspondent with the IDG News Service, an InfoWorld affiliate.