Is the Sept. 16th announcement going to do more harm than good?

After the Sept. 16th announcement about the new crypto reforms, I wanted to know what the real crypto researchers and developers think of this new development, so I asked a few questions on the sipb zephyr class, and sent an email to my friend Ian Goldberg, who is the grad student doing crypto research at UC Berkeley (he's also the chief scientist for "Zero Knowledge" -- a Canadian company that has recently released a new line of crypto products, and he's also the person listed second in the "thanks to" list of Cryptonomicon, for reviewing all the crypto information in the book as well as writing the perl script that is quoted in the text). Here's the quote from our email discussion, and what I think of it:

> We were talking about the current proposed change in US law (the bill that was announced on Sept. 16, that seems to give much much more freedoms to companies, researchers, developers, etc.),

It gives more leeway to big companies. Little companies, individuals, researchers, etc. still have no improvement. I still can't publish my research on my web site in the US.

The new rules say that you can export some kinds of crypto, provided you get the NSA to review it first. It's unclear whether the result of the review can be "no, you can't export this". This review process is expected to take a month or two.

For companies, this means that *each version* of your product will be delayed a couple of months. Even minor bugfixes explicitly have to go through the review process.

Little companies may not even be able to afford the review (it's unclear how much the review will cost).

Individual developers who just want to write a useful program and stick it on their web site are still out of luck, as are researchers who want to publish online.

And then there are the "post-export reporting requirements" which are as of yet unspecified, but which have the potential of causing huge headaches.

We'll have to wait until the actual regs come out in December before we see how bad this is, but it's certainly not a change that would enable me to work on crypto in the US.

My analysis:
It seems to me that, rather than helping the researchers and small developers, it is actually harming them: there is a fear that, now that big companies seem to be pacified, they won't fight for more concessions. And it's big companies that have money and time to get lobbyists to keep pushing for new regulations. If the companies are satisfied, then who's to continue the fight for researchers and individuals?

Having seen "brain drain" out of one particular country, I tend to think that it's a very bad thing to happen to a nation. Ian, as he told me, is not going to apply to any US universities for post-doc studies, and, I suspect, the same goes for a lot of other researchers, precisely because they are tired of fighting the losing battle. In the technology world, where new innovations are the key to market power and money, isn't the US afraid of being at the end of the race, stripped of all of its best crypto minds? So that everyone but US citizens ends up with good encryption?

Also, from the (possibly limited) political knowledge I have, the reforms that try to "play to both sides", that is, try to change things, but not radically enough, are usually the ones that get killed because neither of the parties is happy with them. Do you think this particular announcement and bill will manage to escape that predicament of being deemed "not good enough" by both sides of the debate? Or do you think it will succeed in pacifying both? And if yes to the latter, then do you think it's doing more harm than good? Do we need to care about individuals and researchers in this case?

I'd be interested in hearing other people's opinions on this,

-- Lucy Borodavkina, October 1, 1999


The kind of quandary Lucy's talking about has been going on in the crypto debate for several years. At each stage, the Administration announces a "liberalization" of the regs, but it turns out never to be less than advertised when the details finally emerge.

In the plan of three years ago, exactly what Lucy suggested was what happened: the offer was such a "half a loaf" thing (in those days it was export relaxation in return for industry endorsement of key escrow) that the whole thing broke down after several months of frustrating discussion.

This plan -- if it indeed does what it says -- is much more attractive to industry, and my guess is that they will like it. Industry tends to be very pragmatic and is often willing to take half a loaf, on the theory that they can get the other half of the loaf later on.

And yes, it does little for the little guys. But remember what I said the name of the game is: get industry on your side, and isolate the third party (in this case, civil liberties groups and independent crypto developers).

But at the end of the day, there is that half a loaf. My feeling is that the more we see crypto getting used, the easier it will be to effect the rest of the liberalizations.

The ringer in all of this, of course, is the Bernstein case. That's a solid one of freedom of expression, and the proposed change in the regulations should have little impact on the case. Of course, Bernstein is now going to be reheard by the full Appeals Court, and the ruling could go either way.

-- Hal Abelson, October 2, 1999