The Reporter, 6 May 1997
Hacking the Encryption Export Ban
U.S. cryptography companies are finding ways to crack government
and compete in the global market
By DAN GOODIN
Sameer Parekh is more than willing to talk about his company's new foreign subsidiary, but ask the software entrepreneur about the whereabouts of the outpost and he quickly turns mum.
"We don't reveal the location," says Parekh.
As president of Oakland-based C2Net Software Inc., Parekh runs one of a handful of companies peddling heavily controlled encryption software -- the technology that scrambles e-mail, computer files and phone conversations to prevent eavesdropping.
"We don't want the U.S. government to pressure [our host] country into implementing export controls such as those in the U.S.," Parekh says, explaining his secrecy.
Traditionally associated with spies and the military, cryptography has been slow to lose its cloak-and-dagger image in the United States, even as its use has become commonplace in civilian applications around the world -- for example, in electronic commerce.
While the government has long argued that strict export controls are necessary to keep encryption technology out of the hands of hostile governments and terrorists, C2Net and others complain that the restrictions are locking U.S. companies out of a lucrative consumer market for communications security software.
Now, after years of chafing under the restrictions -- and skeptical of government promises to loosen them -- companies like C2Net are finding ways to "hack" the regulations.
The key to cracking the export ban: A loophole that doesn't prevent U.S. companies from developing and distributing cryptographic code as long as the activities take place outside the United States by non-U.S. citizens or nationals.
As a result, cryptography developers can create overseas subsidiaries that write code from scratch. A company could also let anyone copy its software, but license only its overseas subsidiaries to slap its trademark on the packaging.
Three attorneys specializing in cryptography law interviewed for this story say the strategy, while posing risks, appears sound.
"This is not a case of people flouting the law," says Stewart Baker, a former general counsel for the National Security Agency, a government espionage group that until recently oversaw cryptography regulations. The companies "have come up with real gaps in the coverage of the export control laws and have some reason to think that what they're doing can be done."
DECIPHERING THE LAW
At least one U.S. cryptography company has already taken the path of C2Net, and others may be considering it.
In June, Redwood City-based RSA Data Security Inc. -- which holds patents to one of the most popular types of cryptography in the world -- established RSA Japan, a subsidiary it owns jointly with several Japanese companies, including NEC Corp., Sony Electronics Inc. and NTT Electronics Inc.
Meanwhile, Pretty Good Privacy Inc. of San Mateo is close to licensing trademarks for European and other international versions of its popular encryption software, according to Interactive Week Online. PGP officials declined to confirm or deny the report.
Although it is uncertain how many U.S. cryptography companies are setting up overseas subsidiaries and joint ventures, Baker calls the strategy the "flavor of the month" among companies searching for ways to peddle strong cryptographic products in the global market.
"I'm sure there are a lot of people who are going to watch this quite closely," the partner at Washington, D.C.'s Steptoe & Johnson adds. "If it works, I'm confident there are going to be a lot of imitators within the next year."
Nevertheless, attorneys whose clients aren't employing the strategy warn that companies that do must be extremely careful.
"A danger would be inadvertent transfer of technology from a United States individual or entity [to a foreigner], which would amount to an unauthorized export under the restrictions," says Andrea Migdal, a San Diego partner at Gray Cary Ware & Freidenrich.
A U.S. parent company or partner "would not be able to make comments or suggestions related to the development" of software, she says.
A person convicted of violating the law, formally known as the Export Administration Regulations, could be fined $250,000 and sentenced to 10 years in prison.
Kenneth Bass III, a partner at the McLean, Va., office of Washington, D.C.'s Venable, Baetjer, Howard & Civiletti, agrees, adding that a U.S. company setting up a foreign subsidiary seems especially risky.
Bass said it is difficult for the government to stop a company from transferring technology to its overseas subsidiaries. But, he says, "I'm not sure that the government would not attempt to apply the export laws to the sales of the subsidiary."
Baker and Migdal agree that companies would be in compliance with the restrictions as long as no technology or expertise were to travel from the U.S. company to its partners or subsidiary.
But they caution that building a fire wall between two company divisions may not be easy, especially for an established company with a large line of established software products. Because the code developed by the foreign subsidiary must be compatible with all of a company's existing software, "there's going to be a real temptation on the part of the foreign programmers to ask for help," Baker says.
In the case of C2Net, Parekh had to throw out a couple months' worth of code after deciding to form his multinational corporation so that the foreign subsidiary could start from scratch.
The start-up has now purged itself of all cryptographic code originating in the United States, and sealing the headquarters off from its new foreign subsidiary won't be hard, says Parekh.
"A lot of companies have a lot to lose" in making an end run around the government restrictions, he adds. "If a company such as Sun [Microsystems] did what we're doing, they might lose important [government] contracts. We don't have anything to lose because all we do is crypto."
Companies like C2Net seeking to exploit loopholes in the current law could face difficulties down the road if the government moves to tighten or close inadvertent gaps in the export regulations.
"I don't think [the drafters] anticipated all of the methods that are being rolled out these days," says Baker. "They were moving very fast when they wrote these regulations."
Despite signs that lawmakers are struggling to take account of business interests as well as law enforcement and national security interests in proposing new regulations, many high-tech companies remain wary of the government's position.
Reacting to industry complaints, the Clinton administration has on several occasions relaxed encryption export restrictions, most recently in January when it transferred oversight of cryptography regulations from the NSA to the more business-friendly Commerce Department. In addition, the government has incrementally allowed export of ever-stronger encryption programs.
Several bills now before Congress would further relax the government's control over encryption technology. The so-called pro-code bill sponsored by Sen. Conrad Burns, R-Mont., appears to have the best chance of passing. A number of senators, including California Democrat Barbara Boxer, are co-sponsoring the bill, which has yet to be scheduled for a floor vote.
Nevertheless, the government has seesawed on key issues. In a striking reversal, the Clinton administration is once again seeking to roll back unfettered encryption use at home as well as abroad by pushing a controversial system that would give law enforcement the means, in principle, to decode encrypted communications on demand.
In late March, the government proposed legislation that would compel anyone using encryption within U.S. borders to submit code-cracking keys with trusted third parties. The parties would be required to turn over the keys to law enforcement upon written notice, with or without a court order.
Meanwhile, the government has sought to create strict international guidelines regulating the development and distribution of strong cryptography. In early April, the 19-member Organization for Economic Cooperation and Development rejected a plan backed by President Clinton that would have created an international "key-recovery" system similar to the administration's proposed domestic cryptography regulation bill.
Given the uncertainty over the future of U.S. cryptography law, companies like C2Net for now appear more than willing to skirt the edges of the law, rather than wait for business-friendly reform.
"People's impression of the government becoming more lenient is just successful public relations," Parekh says. "The government is not making it any easier [to export strong cryptography]. We have to do strange things in order to deal with the strange legal climate in which we're operating."
© 1996 The Recorder
Copyright ©1995-1998 Cryptosoft GmbH
All Rights Reserved