December 2, 1996
The Honorable Albert Gore
The Vice President of the United States
The White House
1600 Pennsylvania Ave., N.W.
Washington, D.C. 20500
Dear Mr. Vice President:
On behalf of America's leading publishers of computer software,* I want to express our dismay at the way the Administration is implementing the October 1 encryption policy announcement. BSA said at the time that the announcement was a step in the right direction, but that numerous questions remained. We understand that the Interagency Working Group on Encryption intends to consult with interested parties throughout the process prior to implementation of regulations which is planned for January 1, 1997, and additional information may be available in the very near future. However, given that everything we have seen and heard to date reveals that the government is headed in the absolute wrong direction, we specifically wanted to bring to your direct attention five key principles which underlie BSA's positions and which should, but unfortunately do not appear to, be guiding the Administration.
It appears that significant backtracking has occurred since the October 1 announcement and, therefore, we seriously doubt that the regulations will work, meet computer user demands, or be accepted by the private sector unless the Administration radically changes its approach immediately. If not, the new policy is destined to fail just like its predecessor Clipper efforts. We strongly urge the Administration to focus on what is doable in the real world of millions of Internet users with scores of encryption alternatives from which to chose.
On November 8, BSA provided the Working Group detailed positions on the issues and specific suggestions for regulatory implementation (a copy of the letter is attached). Given the short period left before implementation, five key principles are specifically discussed below which underlie the positions taken in our earlier letter.
(1) VOLUNTARY AND MARKET DRIVEN: To be successful, any key recovery initiative must be voluntary and market-driven. Our companies cannot sell what consumers do not want. As BSA CEOs have discussed with numerous Administration officials, the U.S. software industry is operating in a very competitive, international market -- hundreds of strong encryption products are presently available around the world, many easily down loaded from the Internet. Consumers are demanding strong encryption and it is key to the success of the Internet. Unless users find value in a key recovery function, they will not buy products with this function. The result: American companies lose sales and the government will have failed in its efforts to have such products widely deployed.
(2) UNLIMITED KEY LENGTH FOR KEY RECOVERY PRODUCTS: "Key recovery" products should be exportable without key length limit if they include features making the recovery of plain text stored information accessible without the assistance of the individual who has encrypted the information.
As we have explained to the Working Group, there may well be commercial demand for products that enable the recovery of stored encrypted data, but there is little, if any, commercial demand for a key recovery function in real-time communications. Accordingly, there should be no such requirement for exportable encryption communications products (or products which do both communications and stored data as long as there are key recovery features for stored data).
Furthermore, key recovery is not key escrow. A purchaser or user of a product being able to recover his data is different than, and separate from, the decision as to whether to voluntarily empower a trusted third party to be able to recover the data.
(3) NO INDUSTRIAL POLICY: The government should not dictate "milestones" for company specific plans regarding key recovery products as a condition for interim export control relief. Companies have already announced plans to develop such key recovery products; for example, 35 companies have joined IBM in a key recovery alliance. Numerous other companies already have key recovery products on the market today. There is no need for the government to go down the road of industrial policy by insisting upon becoming a partner with each company. We urge the Administration to adopt the simplest possible process.
(4) EASY EXPORT OF 56 BIT PRODUCTS AS PROMISED: Interim export control relief must permit the export of 56-bit non-key recovery encryption products under Department of Commerce General License procedures that represent actual liberalization. The mere transfer of licensing jurisdiction to Commerce is of little significance unless accompanied with expedited product reviews and realistic licensing requirements. Yet, the recent Executive Order states that products which already have export licenses will have to undergo new reviews -- only this time with FBI scrutiny. There is also an urgent need to permit the export of 128-bit encryption for financial applications (when done with appropriate safeguards).
(5) MEETING MARKET DEMANDS NOW AND IN THE FUTURE: Any interim export control relief will be only a mirage unless it meets business needs after two years. Quite simply, there must be interoperability between key-recovery and non key-recovery products. It also must be possible for American companies to service and support the installed base of 56-bit non key-recovery products.
The American software industry needs immediate relief. It is a matter of jobs and international competitiveness. For the Administration's policy to be successful, the government must accept and work with the market, not try to supplant it. It is clear that many in Congress understand the urgency and importance of this issue and the need for strong protection for Internet users. We thought that the October 1 announcement showed that the Administration was also coming to grips with these issues. But now, only a few weeks later, we wonder.
We have submitted comments to the Government and we stand ready to continue working with you to formulate and implement a market driven, voluntary system which meets consumers' needs.
Robert W. Holleyman, II
* The Business Software Alliance promotes the continued growth of the software industry through
its international public policy, education and enforcement programs in 65 countries throughout
North America, Europe, Asia and Latin America. BSA worldwide members include the leading
publishers of software for personal computers: Adobe Systems Inc., Apple Computer, Inc.,
Autodesk, Inc., Bentley Systems, Inc., Lotus Development Corp., Microsoft Corp., Novell, Inc.,
Symantec Corporation, and the Santa Cruz Operation. BSA's Policy Council consists of these
publishers and other leading computer technology companies including Computer Associates,
Digital Equipment Corp., IBM, and Sybase.
* The Business Software Alliance promotes the continued growth of the software industry through its international public policy, education and enforcement programs in 65 countries throughout North America, Europe, Asia and Latin America. BSA worldwide members include the leading publishers of software for personal computers: Adobe Systems Inc., Apple Computer, Inc., Autodesk, Inc., Bentley Systems, Inc., Lotus Development Corp., Microsoft Corp., Novell, Inc., Symantec Corporation, and the Santa Cruz Operation. BSA's Policy Council consists of these publishers and other leading computer technology companies including Computer Associates, Digital Equipment Corp., IBM, and Sybase.
Return to EPIC Key Escrow Page