November 24, 1997

White House May Tighten Data Exports

By JOHN MARKOFF

AN FRANCISCO — The Clinton Administration is debating whether to further tighten controls on the export of electronic data scrambling systems by narrowing a special exemption that has let financial institutions export the strongest encryption technology.

Today in CyberTimes ARTICLES AND COLUMNS White House May Tighten Data Exports By John Markoff Pictures Speak Much Louder Than Words in Courtroom Animations By Kris Goodfellow Local TV Stations Look to a Digital Future By Joel Brinkley Rolling Stone to Create Online Music Site By Amy Harmon Security System for Internet Purchases Raises Doubts By Saul Hansell Nations Struggle With How to Control Hate on the Web By Elizabeth G. Olson Confusion Over Modems Is Hurting Sales By Lawrence M. Fisher Au Pair Trial Brings Internet Into the Courtroom By Edward Rothstein Old Ivy Meets New Media By Pamela Mendels Congress Stays in Touch on the Web By Eric Schmitt TODAY'S SECTION FRONT SEVEN-DAY INDEX CYBERTIMES FORUMS CYBERTIMES NAVIGATOR

If the policy is changed, it could narrow the range of financial institutions that are allowed to use the most powerful encryption gear overseas to protect electronic transactions.

The debate comes at a time when changes in financial markets, Federal regulations and the rapid emergence of Internet commerce are blurring the lines around financial institutions and permitting companies ranging from investment firms to software companies to begin offering financial services that were once the exclusive province of banks.

As a result, companies in industries ranging from securities to software — including the Microsoft Corporation, the software giant based in Redmond, Wash. — are lobbying the Clinton Administration to keep it from tightening the exemption. To do so, they argue, would curtail the growth of electronic commerce, which promises to become a global business.

The new debate is part of a larger fight pitting American high technology businesses and privacy advocates against law enforcement officials.

Law enforcement officials, including FBI Director Louis Freeh, say their powers are increasingly threatened by criminals and terrorists who have the ability to use ever more sophisticated data-scrambling technology. They are worried that the export exemption for financial companies could provide a large loophole for many business activities and communications that they could not track.

"This has turned into a divisive issue within the Administration," said Stewart Baker, a Washington lawyer who is a former official of the National Security Administration.

Financial companies, including banks and securities firms, have been permitted to export equipment that is based on what is called the United States data encryption standard, while other American companies are restricted to less powerful data scrambling standards, which are widely believed to be vulnerable to attackers with powerful computers.

Law enforcement officials want to remove the exemption from securities firms and other commercial financial institutions, limiting it to banks. In the past, the exemption had been only for a relatively limited type of banking applications, even if conducted by nonbank financial companies.

But the Commerce Department in May modified export guidelines to permit companies developing certain other kinds of financial applications to include strong encryption without any provision for eavesdropping — through a monitoring technology that has been called "key recovery," because it gives Federal law enforcement agencies "keys" permitting electronic surveillance of the contents.

Related Article Security System for Internet Purchases Raises Doubts (November 24, 1997)

Besides international fund transfers between banks, applications now permitted under the exemption might include privacy-protected home-banking software for banks to offer customers worldwide. The new, more relaxed policy also applied to a technology known as the secure electronic transaction standard, which has been developed by Mastercard and Visa to permit consumers to send credit card information to merchants electronically.

At the same time, the growing fears of a new generation of companies that are developing electronic commerce have put pressure on the Government to broaden — rather than narrow — the guidelines covering financial institutions.

"This whole Internet commerce explosion is starting to make it harder to grease the squeaky wheels," said Jim Bidzos, president of RSA Data Security, a developer of commercial encryption software.

Government officials acknowledged the disagreement and said that a group of officials from several agencies planned to meet next week to address the differences.

The Encryption Debate: Is It About Privacy or Security? Go to Forum Related Articles

Several computer industry executives called the debate intriguing because it had redefined the lines in the encryption battle. In this case, banks — concerned in part about competition — have sided with law enforcement and national security executives, opposing software companies, securities firms and Internet commerce start-ups.

"As you might expect, banks don't want to expand the definition," said William A. Reinsch, Under Secretary for Export Administration in the Commerce Department. "There has been a great deal of input from outside that has been commercially motivated."

One of the companies with a stake in the outcome is Microsoft, which is increasingly moving into a variety of commerce-related areas, ranging from airline ticket sales to partnerships with banks to facilitate electronic transactions.

"Our industry has requested that the Government expand the notion of trusted sectors beyond banks," said George Spix, a Microsoft official involved with encryption issues. He expects corporations to get relief case by case, adding "This will be very difficult for a mass market company like Microsoft," Mr. Spix said.

The dispute will ultimately be resolved by the Administration group, which is focused on encryption issues that were not resolved by the issuance of new regulations in May.

On Dec. 30, 1996, the Administration transferred the licensing of commercial encryption products from the State Department to the Commerce Department. At the same time, the Government began to encourage companies to develop systems that have built-in key recovery mechanisms, which permit third parties to decode scrambled electronic communications.

To encourage companies to develop such recoverable systems, the Administration also introduced a two-year liberalization period during which companies that had submitted plans demonstrating that they were developing such systems would be permitted to export products under the 56-bit data encryption standard, the most sophisticated encoding technology.

This fall, the Administration said that so far 37 companies had submitted plans to build recoverable key systems that would permit eavesdropping.

---

Related Sites
Following are links to the external Web sites mentioned in this article. These sites are not part of The New York Times on the Web, and The Times has no control over their content or availability. When you have finished visiting any of these sites, you will be able to return to this page by clicking on your Web browser's "Back" button or icon until this page reappears.

• Microsoft Corp.

• U.S. Department of Commerce

• RSA Data Security

Home | Sections | Contents | Search | Forums | Help Copyright 1997 The New York Times Company