"Encryption" is the ability to encode information to be sent over computer networks so that it can only be read by the intended receiver. Certain "strong" encryption - encryption that is truly effective in ensuring the privacy of electronic communications - cannot legally be exported or even published on the Internet because of concerns that it may be used to shield criminal and terrorist activities.

   As more communications occur electronically, however, privacy advocates and the information technology industry have long held that effective encryption is necessary both to ensure that sensitive communications stay private and to facilitate the growth of electronic commerce. The need for stronger encryption grows as computing power expands - on July 17, 1998, the Electronic Frontier Foundation announced that it broke a 56-bit encryption algorithm in just 56 hours, using a computer built with commercially available technology.

   In 1998, the Clinton Administration dramatically eased some encryption export restrictions. It declined, however, to eliminate restrictions across the board on the strongest varieties of encryption software. Additionally, a federal court refused to hold that restrictions on the ability to publish encryption software violated the First Amendment. Several bills to liberalize controls on encryption failed to pass Congress.

Executive Branch Actions

   The Clinton Administration historically has opposed any liberalization of encryption regulations, fearing it would hamper law enforcement. On April 15, 1998, however, Secretary of Commerce William Daley signaled a change of course by branding U.S. encryption policy a "failure," noting that the policy hindered domestic development of encryption products. Daley also said that the U.S. policy hurts exports because most foreign countries, unlike the United States, do not require licenses to export encryption products. Thus, foreign countries are producing encryption products that are competitive with those made in the United States. Daley1s comments reportedly led to increased activity within the Administration to develop a policy with eased export controls on encryption products.

   On Sept. 16, 1998, Vice President Al Gore announced a new federal policy on encryption controls. The new policy will allow the export of 56-bit encryption after an initial one-time review, without requiring key recovery plans or commitments (making permanent a policy that would have expired in December) and will simplify the regulations related to the export of key recovery products. It also will extend an existing policy that enables financial institutions to export encryption of unlimited strength to 45 countries so long as the software is used by insurance companies, health and medical-sector companies (other than biochemical and pharmaceutical producers), and on-line merchants (other than manufacturers or distributors of munitions items). The new policy will allow export of recovery-capable products to 42 countries and will permit the export of unlimited-length encryption to subsidiaries of U.S. companies anywhere in the world other than seven specific nations that have been associated with terrorist activities.

   Although software industry executives generally praised the policy revision, they expressed hope that the government would further relax its encryption policy following a review of existing regulations scheduled for next year. Both the Electronic Frontier Foundation and the Center for Democracy and Technology criticized the reliance upon 56-bit encryption as insufficiently strong.

   On Aug. 25, 1998, the Department of Commerce extended the charter of the Technical Advisory Committee To Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure until Dec. 31, 1998. The charter of the committee, which is charged with developing a federal key recovery standard, had originally expired on July 31. Several technical issues, however, remain to be resolved. If the committee fails to resolve them by the end of the year, they will be left to the Commerce Department to decide.

   In October 1998, the Commerce Department allowed a 10-firm coalition called the Alliance for Network Security to export key escrow versions of strong encryption technology. The key escrow system, called "private doorbell," provides the potential for access to data prior to encryption.

   In December 1998, the United States accepted a 33-nation agreement to impose controls on encryption software using more than 56-bit keys. The so-termed Wassenaar Arrangement permits the U.S. government to argue that it is not alone in opposing the export of strong encryption, as well as preventing U.S. controls from being circumvented.

   Finally, on the last day of 1998, the Commerce Department issued interim regulations that streamline encryption export controls. These regulations permit sale of encryption software to subsidiaries of U.S. companies and allow sale of such software to insurance and health organizations in 46 countries.

Congressional Actions

   Sens. John Ashcroft (R-Mo.) and Patrick Leahy (D-Vt.) introduced on May 12, 1998, an encryption bill - the E-PRIVACY Act - that sought to balance the privacy concerns present in current legislative proposals with law enforcement concerns raised by the Administration. In particular, the bill would have established privacy protections for computer data and communications while creating an encryption research center to assist law enforcement. Privacy groups and law enforcement organizations expressed concern over various aspects of the bill, and a Commerce Department official expressed opposition to the bill. Several other senators, however, indicated that they supported the bill, although the measure did not pass before Congress adjourned for the term in October 1998.

   On June 30, 1998, Speaker of the House Newt Gingrich (R-Ga.) and Rep. Bob Goodlatte (R-Va.) announced the formation of an encryption task force, whose members will include both politicians and cryptography researchers. Rep. Goodlatte, who chairs the speaker1s newly formed High Technology Working Group, said that the task force will aim to reach a workable compromise between law enforcement interests on the one hand and privacy interests on the other.

Judicial Branch Actions    On July 2, 1998, the U.S. District Court for the Northern District of Ohio dismissed a law professor1s challenge to export controls on encryption. The court ruled that the export limits did not violate the professor1s constitutional right to free speech even though the regulations prevented Prof. Peter Junger from publishing his encryption software and algorithms on his Web site. Junger v. Daley, No. 96-CV-1723 (N.D. Ohio July 2, 1998). The court reasoned that the code making up the software was solely utilitarian in nature and did not convey ideas or expression. On July 8, Junger said he planned to appeal the decision.    The Junger result contradicts Bernstein v. Department of State, 974 F. Supp. 1288 (N.D. Cal. 1997), in which Judge Marilyn Hall Patel held that new Commerce Department regulations restricting the export of encryption software violate the First Amendment. The government obtained a stay pending appeal, and the U.S. Court of Appeals for the Ninth Circuit agreed to expedite the appeal process for the case. As of late 1998, however, no decision had been issued.