Originally created 12/31/98

U.S. relaxes data-scrambling restrictions



WASHINGTON -- The Clinton administration enacted more lenient rules Wednesday over the export of powerful data-scrambling technology, used to guarantee privacy of e-mail and credit-card sales over the Internet.

But critics complained that the relaxed restrictions still go too far, leaving sensitive data vulnerable to dedicated hackers with sufficient financial resources.

"Today's action is a good first step, but it is only that," said Ed Gillespie, executive director for Americans for Computer Privacy, an industry trade group.

The new rules from the Commerce Department allow U.S. companies to sell high-tech tools overseas that use the so-called 56-bit Data Encryption Standard or its equivalent, which has an unlocking key with 72 quadrillion possible combinations.

"U.S. encryption firms will be better able to compete effectively with encryption manufacturers around the world," said William Reinsch, the agency's undersecretary for export administration.

The rules also eliminate restrictions on selling data-scrambling products to U.S. subsidiaries overseas, and even more-powerful products can be sold in 46 countries to some industries, such as insurance and health care.

The government imposes limits on exports of the most powerful scrambling technology -- now anything above 56-bit -- because it fears that authorities, even with a judge's permission, won't be able to read the messages of criminals or terrorists.

The administration previously limited the export of 40-bit encryption technology, which has more than 1 trillion combinations.

Experts have suggested that scrambling sensitive e-mail or online credit-card transactions using less than 90 bits is vulnerable, while most experts consider 128-bit encryption practically unbreakable.

Vice President Al Gore announced the relaxed restrictions in September, calling the balance between privacy and not helping criminals "probably one of the single-most difficult and complex issues that you can possibly imagine."

The export limits do not directly affect Americans, who are legally free to use encryption technology of any strength. But U.S. companies are reluctant to develop one version of their technology for domestic use and a weaker overseas version, so they typically sell only the most powerful type that's legal for export.

Last week, two industry groups -- the Internet Architecture Board and the Internet Engineering Steering Group -- estimated that after an initial purchase of equipment, hackers could break a 64-bit encrypted message in less than a day for roughly $2,500 per message.