Originally created 12/09/96

Encryption programs no longer 'munition', but still restricted



The latest news on encryption is both good and bad.

The good news is that encryption programs, as of Nov. 15, are no longer considered a munition and are therefore no longer subject to Department of Defense regulations on shipping the programs outside the United States.

The bad news is that not much else has changed. A careful reading of President Clinton's executive order shows that encryption programs targeted for shipment outside the United States will now be controlled by the Department of Commerce, and that companies wishing to ship such programs might do well to include something called a "key recovery management infrastructure" in the encryption software.

"Key recovery" essentially allows encrypted e-mail or text to be decoded by police or other agencies if the need should arise.

Encryption is one of the biggest and most confusing issues facing computer users in our emerging digital age.

Treating encryption programs as a munition has caused some problems. Makers of Netscape, the World Wide Web browser of choice, had to offer two versions of their popular Web browser, one for U.S. residents and a less-robust version for users outside the country.

Many of the questions surrounding encryption, such as whether individuals have the right to keep their e-mail private, remain unanswered, even with the shift of control from Defense to Commerce.

One way to follow these issues is to log onto the Encryption Policy Resource Page, where they are discussed. A copy of Clinton's executive order is also available for downloading.

The page has links to other sites where users can get updates on new encryption policies, including the Internet Privacy Council, a nonpartisan group that is in the forefront of the fight to keep encryption available to all users of online services and the Internet.

People without Web access, but who may have access to Internet e-mail, can subscribe to an IPC e-mail list of announcements relating to encryption issues by sending an e-mail message to ipc-announce(at)privacy.org and by placing the phrase "subscribe ipc-announce" (minus the quotation marks) in the text block of the message. Unlike some mailing lists, traffic on this message list is relatively light, so subscribers who join won't have to handle a deluge of e-mail.