U.S. Crypto Laws Relaxed, but Not Enough to Enable Commerce




Event Summary

On January 12th, the Department of Commerce's Bureau of Export Administration announced revisions to its encryption export control policy. The revisions allow U.S. companies to increase the key length in exported enterprise encryption products from 40 bits to 56 and 64 bits. The new regulations allow "retail" encryption products of any key length to be exported, except to the designated terrorist nations: Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.

Though this is a step in the right direction, it does not go far enough to enable U.S. crypto companies to compete in the global Internet marketplace. As well, it does not give U.S. companies, research firms, and institutions of higher learning much incentive to develop stronger encryption algorithms.

Market and Societal Impact

Without capital incentive to innovate, U.S. companies will inevitably see lost opportunities in the worldwide crypto market. Today U.S. encryption companies hang their heads as European counterparts relish the fact that American encryption products are forced to be weak by law.

The original encryption export restrictions came about because U.S. law enforcement agencies believed that commercially available encryption products would be exploited by criminals and terrorists, thus endangering public safety and U.S. national security. The FBI has been a leading advocate of export controls on encryption products, claiming that enabling criminals and terrorists to encrypt data makes it too difficult for law enforcement agencies to obtain and decipher the encrypted content. Once a criminal or terrorist is on American soil, the argument becomes moot since it is legal to purchase strong encryption products locally.

Though the U.S. export restrictions on encryption products have been well meaning, they inevitably do not prevent criminals and terrorists from encrypting fraudulent or exploitive information. There are enough encryption companies in Canada and European countries that are not subject to encryption restrictions that obtaining strong encryption products in foreign markets has become a cakewalk.

In the end, U.S. encryption companies pay the price by seeing millions of revenue dollars go to foreign entrepreneurs. As well, huge tax dollars are lost to foreign nations. These lost tax dollars could be spent equipping domestic law enforcement agencies with proper cybercrime fighting technology tools, and offering salaries high enough to attract some of the security mavens found in private and publicly held domestic corporations.

Since "retail" encryption products will be exportable to all but the T-7 terrorist nations, this means that the strongest U.S. encryption products sold will be available on foreign retail shelves for criminals and terrorists to purchase, but not available on the foreign market for legitimate foreign multi-nationals to purchase.

While the U.S. government is rightly concerned with public safety and national security, export controls on encryption products are not actually making the world a safer place. These restrictions need to be abandoned and replaced with more effective ways of protecting our national infrastructure and public safety. It would be nice if aberrant behavior could be controlled by software products and their distribution. History, however, has shown that restricting the sale of enterprise encryption products has not been an effective way to deter criminal behavior.

The current fear and associated governmental restrictions are akin to the privacy alarms that went off when cameras first debuted as image capturing devices in the 1890s. Just as cameras have added value to world cultures and security initiatives based on imaging, so too can encryption technologies. We need to enable foreign enterprises to take advantage of our encryption technologies so that they can assist both domestic and foreign law enforcement agencies in keeping ahead of criminal underpinnings.

Instead of restricting and tracking software, what we need to do is restrict and track individuals who exploit technology advancements. If approached from a different perspective, U.S. federal agencies could harness the talent and advancements they are hindering, by using appropriate tax dollars to enlist the assistance of expert cryptographers towards a common goal of safety, security, and economic prosperity. It is only after domestic law enforcement agencies learn to work with expert cryptographers, instead of against them, that we will be better able to thwart technology-exploitive behavior.

Recommendations

The Bureau of Export Administration needs to relax the enforcement of encryption export laws enough to allow U.S. corporations to compete in worldwide encryption markets.

Federal and local law enforcement agencies need to partner with cryptographic innovators and their institutions in order to better understand the technology.

Tracking and restricting high-risk individuals (whether foreign or domestic) who exploit technology advancements will contribute more to safety, security, and economic prosperity than tracking and restricting software.

Federal agencies and local law enforcement agencies need to increase their security budgets in order to attract expert security professionals from the private sector.

Multimillion-dollar security corporations need to lobby legislators to market-enable U.S. encryption sales.

 