A week after the Clinton administration announced it was lifting most export restrictions on cryptography, the security crowd gathered here for the RSA Conference 2000 danced, celebrated and -- you'll have to pardon them, this has been a long fight -- gloated over the federal government's apparent change of heart.
"This feeling is really good, you know?" said Phil Zimmerman, the inventor of the PGP encryption algorithm who was once threatened with a federal jail sentence. "I wish my prosecutor and the customs agents who attempted to incarcerate me were here tonight."
Zimmerman, as much as anyone in the computer industry, personifies the battle over encryption export regulations. Nearly five years ago, Zimmerman, now a fellow at Network Associates Inc., defied encryption export restrictions and used his PGP encryption across international borders.
At the time, this was nothing short of treason -- at least in the eyes of federal regulators. Until 1998, encryption was considered a munition -- a weapon of war. So allowing strong encryption -- that is, encryption strong enough to thwart any head-on attack -- to cross international borders was akin to selling explosives to the enemy. To make a long story short, Zimmerman just barely escaped going to the slammer for a very long time.
Since his act of civil disobedience, Zimmerman has sold his company, Pretty Good Privacy Inc., to Network Associates. He's also achieved rock star status in the tech community. It's not uncommon, as was the case Tuesday, to find him posing with fans for a photograph.
And finally, last night at the swanky Fairmont Hotel in downtown San Jose, Zimmerman had the last laugh.
He finally got to do what he always wanted to do: send an encrypted message across international borders and do it legally. But not only did he get to do it, he got to do it with style. The encrypted Yahoo e-mail message was sent to a Ministry of Defense official in the United Kingdom. Zimmerman's cohorts in this newly legal transmission: U.S. Representatives Zoe Lofgren (D-Calif.) and Bob Goodlatte (R-Va.).
"It was a thrill to export that crypto," Lofgren told a cheering audience of security experts.
Behind the scenes
While Zimmerman gained notoriety and the ire of federal officials, it was people like Lofgren, Goodlatte, industry lobbyists and William Crowell, the president and CEO of Cylink Corp., who did much of the fighting on Capitol Hill.
Three years running, Goodlatte introduced a bill that would have relaxed export restrictions. This year, it looked like it would pass.
But regulators in the U.S. Commerce Department, which controls encryption exports, beat them to the punch. The new regulations, as explained last week, allow for the unfettered export of strong, commercial encryption to all but terrorist nations. That's a huge change from before, when nothing with more than 56-bit encryption keys -- keys that can be solved with heavy computer processing -- could be exported without a lengthy approval process.
Crowell, a former deputy director of the National Security Agency, knew both sides of the coin. As a former government security honcho, he understood fears about criminal and terrorist use of encryption. But, as he often pointed out to regulators, the idea that limiting American encryption exports -- while allowing use of strong encryption within U.S. borders and providing no regulation of encryption in other countries -- was hopelessly naÃÆ'Æ'Ã,Ã,¯ve.
With his ties to industry and Capitol Hill, and his behind-the-curtain knowledge of America's spy agencies, Crowell became the chairman of the President's Export Committee, Subcommittee on Encryption.
"My committee was quite vocal about what needed to be done," said Crowell. And what needed to be done, according to the committee, was a complete relaxation of export restrictions, except to those governments and anyone in the five countries designated terrorist nations by the U.S. State Department.
Eventually, it appears, the administration listened.
Back to the gloating
Jim Bidzos, the chairman of RSA Security Inc. and a longtime critic of encryption export regulations, said he finally believes that the computer industry will no longer have to worry about encryption regulations.
"This time, they've gone so far they can't turn back," Bidzos told reporters here earlier this week.
Some analysts estimate that could cut security development costs by as much as 50 percent, because companies will no longer be forced to create domestic and exportable versions of their software.
Ron Rivest, the co-inventor of the RSA algorithm that's used in nearly every browser and most encrypted e-commerce transactions, said he long thought it was an insult, a downright infringement on his freedom of expression, that he couldn't put his public key encryption algorithm on his Web site. He added that the Clinton administration's change of heart is welcome.
"It was ridiculous," Rivest said. "The horse has been out of the barn for a long time."
