1 2 3 4 5 6 7 8 9 10

case you lock yourself out. On the other hand, if you were being prosecuted by the government and were using email to communicate with your lawyer, knowing the government couldn't get a copy of your key might be awfully important. That's why privacy campaigners feel so strongly that escrow should be voluntary, not mandatory--an argument that gains some force from the fact that encryption software spreads across the Net faster than politicians can argue.

The other big issue, the International Traffic in Arms Regulations (ITAR) that restrict exports of strong encryption, can't be argued fast enough for American software companies, all of whom would love to be able to build encryption into their business-oriented products. It's a measure of the general air of official provincialism that, when the two spokesmen the White House threw to the CFP'94 wolves were asked by reporters about this, their answer was, "Well, the domestic market is pretty big." Two years later, Nelson followed this up by saying that the companies' complaints showed that the export controls were having precisely the effect they were intended to have: "Keeping cryptography from where we don't want it to go."

Did these guys really not know that even in 1993, 40 percent of the revenues of a company the size and dominance of Lotus (at the time Microsoft's chief competitor) came from Europe? Lotus, then two years away from big losses and acquisition by IBM, was betting its future on the groupware product Notes, which uses encryption to protect the confidentiality of the company-wide databases it helps generate. Encryption has a place in business in everything from fileservers to databases and word processors as well as email, and European companies are if anything more security-minded and suspicious than American companies. Does the U.S. government really think Europeans will tamely settle for whatever encryption it decides is weak enough to export, especially when they have access to top-notch cryptographers like the Israelis (including Adi Shamir, co-formulator of the RSA algorithm) and respected algorithms like IDEA being developed in places like Switzerland?

These export controls arguably have given companies in the rest of the world the chance to compete in and even dominate a market that otherwise might have gone to American companies by default. If they haven't succeeded, it's because U.S. dominance of office software makes integrating cryptography a problem. A May 1996 government report, "Cryptography's Role in Securing the Information Society" (CRISIS),[3] ended up agreeing with the things the Net had been saying for years: "Export controls also have had the effect of reducing the domestic availability of products with strong encryption capabilities. The need for US vendors (especially software vendors) to market their products to an international audience leads many of them to weaken the encryption capabilities of products available to the domestic market, even though no statutory restrictions are imposed on that market." The reason: it's too expensive to support two versions of every product. Nonetheless, the report recommended that export controls should not be eliminated, only that they should be "progressively relaxed."[4] Interestingly enough, by late October 1996, European companies were equally unhappy about the American restrictions, and the European Electronic Messaging Association began lobbying the European Commission in Brussels to improve matters both by harmonizing European legislation and by negotiating with the United States to lift restrictions on access to the software developer kits that allow third parties to integrate encryption into the market-leading business office software such as that produced by Microsoft.

Encryption is just as controversial outside the United States, though not as publicly debated. France, the most often cited example of a repressive regime, cryptographically speaking, requires anyone using cryptography to obtain a license. Japan tightened its export regulations in September 1996 to require businesses to get prior government approval for any overseas order of encryption products worth more than 50,000 yen (about $450), way down from 10 million yen (about $91,000). However, RSA announced earlier that summer that its Japanese affiliate would shortly begin selling a triple-DES chip stronger than U.S. companies were allowed to export, a move critics felt vindicated their stance against the U.S. government's regulations. The Organization for Economic Cooperation and Development (OECD), too, spent much of 1996 talking about developing a network of trusted third parties to hold keys in escrow; however, its draft guidelines of