Personal tools


CFP'93 - Rosenthal

CFP'93 - Export Controls on Mass Market Software with Encryption Capabilities

by Ilene Rosenthal

General Counsel, Software Publishers Association

U.S. export control policy has long classified software with encryption capabilities as "munitions" requiring an export license under the Arms Export Control Act and administered by the State Department's Office of Defense Trade Controls. This policy has continued in spite of a February 1991 COCOM decision that all mass market software, including software with encryption capabilities, be controlled as are other commercial, dual use items.

In July, 1992, the Software Publishers Association reached agreement with the Bush Administration that two encryption algorithms devised by RSA Data Security, Inc. be subject to an expedited review process within the State Department's Office of Defense Trade Controls. Although this was an important first step toward the much-needed decontrol of exports of mass market software with encryption capability, the National Security Agency and the National Security Council must continue the process of decontrol.

Under the agreement, the administration will now grant export approval within 7 days of request for software using one of two algorithms developed by RSA Data Security, Inc. (RSA). The algorithms, known as RC2 and RC4, have already been licensed by many of the major software publishers in the U.S. The algorithms are significantly stronger than those previously allowed for export, but are limited to a 40-bit key length, and are thus significantly weaker than the DES-strength programs that can be marketed in the U.S., and that are available overseas.

RSA offered to provide de minimus licensing fees for smaller companies so that there can be no discrimination. Other proprietary algorithms may continue to be used but will not be reviewed on a streamlined case-by-case basis, with 15-day turnaround times.

Worldwide Demand for Encryption is Growing Rapidly

Approximately 120 million individuals worldwide use personal computers in their offices and homes. Moreover, these personal computers increasingly are interconnected. Information that once resided in mainframe computers with tight controls and security is now available on distributed personal computer networks. This includes corporate information such as customer data, financial statements and research results as well as individual information such as employee records, medical history and tax returns.

Corporate and home PC users do not want their files and communications read, changed or stolen by unauthorized persons. Moreover, they know that encryption techniques can protect their information. As a result, software publishers are experiencing dramatically increased demand from their domestic and foreign customers for mass market software with encryption capabilities. Large domestic and multinational companies in the telecommunications, financial and health care industries are particularly vocal.

These users want more than simple passwords or access control to the computer network. They are demanding data, file and text encryption capabilities in order to prevent the unauthorized alteration and appropriation of information. Indeed, SPA estimates that within five years the substantial majority of all mass market software programs will include such encryption capabilities.

Outdated Export Controls Threaten Cripple U.S. Industry

In February 1991 COCOM decided that all mass market software - including software with encryption capabilities - should be controlled as are other commercial, dual-use items. Notwithstanding this decision, the United States has continued to impose unilateral U.S. munitions export controls under the Arms Export Control Act and administered by the State Department's Office of Defense Trade Controls, which submits the software to NSA for review.

These controls significantly harm the legitimate export prospects and impede the competitiveness of America's software publishers. Apart from the time and expense of the licensing process, software publishers face a Hobson's Choice: either they market a single program worldwide with reduced encryption capabilities to meet U.S. Government restrictions; or they have to incur the time and expense of marketing two separate programs, as well as the reduced appeal of an export version which clearly has reduced security.

This outdated export control policy:

  • Keeps strong encryption out of the hands of legitimate users concerned about their business and personal privacy thereby making them vulnerable to spying and tampering;

  • Forces American companies to compete against pirated copies of their own programs; and

  • Gives a huge advantage to foreign software companies willing and able to sell encryption products abroad.

Outdated Export Controls No Longer Protect National Security

Cryptography has traditionally been the bailiwick of the intelligence community. In the aftermath of the cold war, economic competitiveness is part of a progressive concept of national security. The current export control system is a double-edged sword cutting against a broader concept of national security: the technology is not controlled, but the competitiveness of U.S. industry is undercut.

Encryption technology today is widely understood, readily available and commercially utilized. The U.S. government's efforts to prevent or delay the widespread use of encryption do not make our country safer or more secure. Anyone within the United States who wants to encrypt data can do so. As soon as a program becomes available in the United States, it becomes available abroad through illegal means. It is not difficult to conceal a floppy disk. Moreover, computer programs can be transmitted via modem to a computer abroad. Once abroad, foreign "pirated" copies proliferate.

The real question is whether software with encryption capabilities will be published by American or foreign companies. It is essential to remember that there are numerous foreign software encryption programs available today. To the extent foreign companies perceive a market need not being met by American companies, they will continue to expand their efforts in this regard. In short, encryption technology today is widespread and uncontrollable.

The Need For Further Export Control Relaxation

The RSA encryption algorithms need to be strengthened (by lengthening the permitted key sized for RC2 and RC4) and mass market software programs using the DES algorithm also should receive expedited licensing approval, because:

  • Increasingly sensitive information is being put on distributed personal computer networks

  • Advances in computing power make random attacks cheaper and faster

  • American companies face a competitive disadvantage worldwide

  • Encryption technology today is widespread and uncontrollable.

The U.S. Government should not wait until such foreign integrated programs gain significant market share and should not force American companies to play "catch up." To do so would be to directly harm the worldwide position of one of America's star exporting industries.

Return to CPSR conferences page.

Return to the CPSR home page.

Send mail to webmaster.

Archived CPSR Information
Created before October 2004

Sign up for CPSR announcements emails


International Chapters -

> Canada
> Japan
> Peru
> Spain

USA Chapters -

> Chicago, IL
> Pittsburgh, PA
> San Francisco Bay Area
> Seattle, WA
Why did you join CPSR?

We need voices like CPSR in the national and international debates about technology.