Industry: Looser rules on

encryption not enough

By AVIVA L. BRANDT

Associated Press Writer

SEATTLE (AP) _ The Clinton administration's recent relaxation of restrictions on the export of data-scrambling technology, also known as encryption, was a good first step but didn't go far enough, some software companies say.

"The salesmen tell us these controls are ruining the business," said Cheryl Behlmer, senior export-order administrator for Spyrus, a San Jose, Calif.-based software company that creates encryption technology.

Behlmer was in Seattle on Friday attending a seminar on U.S. export regulations on encryption software.

Many U.S. companies opened foreign subsidiaries to develop encryption software that would not be restricted by American export rules, she said.

It currently takes Spyrus six to eight weeks to obtain a license to export encryption software to a foreign company. Other U.S. software companies face the same delays, giving foreign companies an edge, she said.

"We're losing our market share" because customers don't want to wait so long, Behlmer said.

In fact, the export laws are expected to cause American encryption companies between $1.78 billion and $8.9 billion over the next five years, according to a study published in April by the Economic Strategy Institute, a Washington, D.C.-based pro-technology think tank.

The government now imposes limits on exports of the most powerful scrambling technology _ anything above the so-called 56-bit Data Encryption Standard or its equivalent, which has an unlocking key with 72 quadrillion possible combinations _ because it fears that authorities won't be able to decode the messages of criminals or terrorists.

Before this month, the Clinton administration limited the export of 40-bit encryption technology, which has more than 1 trillion combinations.

The export limits do not directly affect Americans, who are legally free to use encryption technology of any strength. But U.S. companies are reluctant to develop one version of their technology for domestic use and a weaker overseas version, so they typically sell only the most powerful type that's legal for export, even to Americans.

Iain Baird, deputy assistant secretary of the federal Bureau of Export Administration, acknowledged that U.S. companies are losing money to foreign competitors who don't have to worry about these restrictions.

"I don't think there's any question that U.S. export controls are implemented more seriously than other countries," said Baird, who spoke at the seminar.

The federal government tries to persuade other countries to be as vigilant about making sure encryption software doesn't get into the hands of criminals and terrorists, Baird said. But he acknowledged that many aren't as strict, despite their agreements with the U.S. government.

Shari Steele, staff counsel for the Electronic Frontier Foundation, a San Francisco-

based civil liberties group, said her group supports further relaxation of the regulations.

"The export laws are hurting people and communications. We see some real serious problems with it," Steele said. "It's really, really hampering our ability to compete in a world market."

Alan Davidson, an encryption policy expert for the Washington, D.C.-based Center for Democracy and Technology, agreed that even the current rules are too limiting.

"Fifty-six bits is old news," Davidson said. "The marketplace is looking in its rearview mirror at 56 bits. It's really not substantial relief."

The export policy should not be driven by fears of terrorists or hackers, he said.

"The law enforcement tail is wagging the dog here, and all of the other interests _ privacy, commerce, the health of the Internet _ are all being pushed aside because of this narrow, law enforcement view of the world," Davidson said.