29 April 2000
Source: Hardcopy US national newspaper, April 28, 2000

More on details of the new regulation welcomed; send to: eucrypt@cryptome.org


EU to Relax Rules on Data-Encryption Exports

Regulatory Gap Is Still a Hindrance To U.S. Companies

By GEOFF WINESTOCK

The European Union has agreed to relax rules for exporting data-encryption products, giving exporters in the 15-nation bloc a new advantage over U.S. competitors who only recently won the right to export data-scrambling technology.

The new EU regulation on "dual-use exports" allows almost free circulation of encryption software in the 15 EU countries and in 10 other countries, which together make up over 80% of the world market.

It was only in January that the U.S. allowed exports of basic encryption products, tacitly admitting that controls cost the U.S. computer industry dearly while doing little to stop organized crime and terrorists getting hold of the technology.

But the new EU decision will free EU firms from cumbersome licensing procedures and controversial technical checks by national security agencies that still apply widely under modified U.S. regulations. Frank Jorissen, vice chairman of the European Forum for Electronic Business, said he was waiting for details but said the EU regulation "sounds like music to my ears."

The opening of the gap between regulations on each side of the Atlantic could rekindle tension between the EU and the U.S. over their policies on encryption technology exports. American computer companies are also likely to use the new EU rule to push for further liberalization of the U.S. regulations, which they say are unrealistic. Bruce Heiman, executive director of Americans for Computer Privacy, a coalition of U.S. trade associations and companies, said the new EU regulation could be crucial when the U.S. starts a review of its rules next month.

"We will be urging further steps to ensure that U.S. companies aren't at a competitive disadvantage vis-a-vis foreign companies.," he said.

The swift EU response to the U.S. liberalization of encryption-export was was discussed at a summit of EU leaders in Lisbon last month as part of a plan to increase Europe's share in the New Economy. The EU originally developed its lead in encryption products used to ensure confidentiality of information in everything from corporate networks to credit card payments over the Internet, largely because American firms were held back until January by the U.S. export rules.

A spokesman for Portugal, which holds the rotating presidency of the European Union, confirmed the new EU regulation had been approved at a meeting of EU officials last week and said it would be passed at a meeting of European foreign ministers on May 22. Details of the regulation will be published in the next few days.

The new regulation will end the requirement that EU companies secure approval from national licensing bodies or, in some cases, from national security agencies like the Communications Electronic Security Group in Britain. Exporters to 10 other countries, including the U.S., Japan, Canada, Switzerland and several eastern European nations, will also be able to ship almost all products without any security checks. They will only have to obtain a general license by promising that the end-user is in one of the 10 countries.

But the regulation leaves almost unchanged existing controls on exports to countries outside the EU and the 10 on the list. In practice, Britain and France, Europe's most security-conscious states, are the most rigorous in applying these rules.

The extra licensing requirements that remain in the U.S. place an administrative burden and longer delays on American companies. But U.S. computer-privacy advocates say American manufacturers are also compromised by "technical reviews" of many encryption products still required by the National Security Agency as part of the licensing procedure.

The EU and many computer privacy advocates in the U.S. contend that these technical reviews give U.S. intelligence agencies the chance to tamper with the codes to make sure they can tap into them. "We question the level of security of these types of products," says one EU official. The U.S. in the past has advocated giving law enforcers and security agencies techniques for breaking codes, but denies it requires U.S. companies to give it "backdoor" access to their encryption.