New York Times
Friday, August 1, 1997

Canadian Product Puts New Spin on Encryption Debate

by Peter Wayner

Canadian company's recent release of a new encryption product and subsequent announcement that it had received a license from Canada to export the product has surprised many companies and U.S. officials.

The release was startling because the United States and Canada historically regulated the encryption-exporting issue in synchrony.

The company, Entrust Technologies Ltd., released a free version of its Entrust/Solo software on Tuesday, and announced that they had received a license from the Canadian government to export it to almost all of the world.

The move by Entrust seems to exploit a difference in the regulations between the United States and Canada.

This decision by Canada could signal a major rift developing between two allies over an issue that is becoming increasingly important to the computer software industry.

In fact, the move seemed to startle the Bureau of Export Affairs at the U.S. Department of Commerce. James Lewis, director of strategic trade at the bureau, would only issue a one-sentence statement through a spokeswoman: "This is under review as a potential enforcement matter." He offered no insight into which American laws were being violated. Shauna White, a spokeswoman for the company, said "We believe we are in full compliance with all the Canadian laws that apply."

In the past, the United States and Canada enforced their encryption regulations with such cooperation that most controlled products are shipped in boxes announcing, "For U.S. and Canada only." The U.S. government was certain that Canadian regulations would block anyone from shipping the product out of Canada.

Those regulations are still in place and there has been no change in the effect on products built in the United States. Programs written by Canadians, however, are another matter. Entrust was able to qualify for a license because their software contained what John Ryan, the company president and chief executive, said was "100 percent Canadian content". That is, it was developed in Canada by Canadian citizens.

Entrust Technologies Inc. was spun off on Jan. 2, 1997, from Nortel (Northern Telecom) after Nortel developed the Entrust product. Entrust Technologies Inc. is based in Dallas, but most of the development work is done in Ottawa, Ontario, where the Canadian subsidiary, Entrust Technologies Ltd. has its offices. Ryan, for instance, is a Canadian citizen.

The move by Entrust seems to exploit a difference in the regulations between the United States and Canada. Both countries are members of the Wassenar Arrangement on Arms Export Controls, a set of loosely controlled rules that took the place of Cold War-era regulations designed to reign in conventional arms and dual-use technologies.

The arrangement regulates the export of encryption software but provided an exemption for general-use software that was freely available through either the public domain or widespread public channels like stores. Ryan explained: "Many countries have chosen to 'to turn that part off.' Canada has not chosen to turn that part off."

The existence of this regulatory difference may have come as a surprise to many people in the United States because the Canadian software industry has not yet produced a top-rank international competitor. The academic computer science departments at colleges like the University of Toronto are first rate, but there are no companies with the same public presence as Microsoft or IBM.

But Entrust Technology's emergence shows how quickly the public perception can become obsolete in the swiftly moving world of technology. The company is clearly hoping that its free version of the Entrust/Solo software will build acceptance for the commercial versions, which are also freely exportable. Many other companies follow the same strategy of releasing free versions to the public in order to publicize the commercial versions, which usually come with more features.

Entrust allows people to download free copies of Entrust/Solo for personal use from their Web site, but they block requests from seven restricted countries: Libya, Iran, Iraq, Cuba, Angola, Syria and North Korea. France and Singapore are also blocked because they have restrictions on the import of technology.

Entrust is already in heavy competition against a U.S. company, Pretty Good Privacy Inc., which is circulating a free version of its encryption package, PGP 5.0. This version is available for home and non-commercial use without charge. The software, however, was developed in the United States and can't be exported without a license. The company has worked closely with the U.S. Commerce Department to smooth licenses for major U.S. companies seeking to use the software with their subsidiaries, but an individual license must still be granted in each case.

Kelly Huebner Blough, director of government relations for Pretty Good Privacy, said: "Well, of course we would like the U.S. to license exports more liberally. Most of the other countries in the world license encryption software more freely. They may have strong policies on the books, but when it comes to implementation, the U.S. is the most restrictive."

All of the major software companies like Microsoft, IBM, and Sun continue to press the U.S. government for relief of the export control laws, arguing that better and better software is emerging throughout the world.

Other companies will also be feeling the pressure. Ray Ozzie, the president of Iris, the developer of Lotus Notes, which is now owned by IBM, said: "This is further proof that easy-to-use, high-grade encryption products are available worldwide, and that U.S. companies continue to be at a disadvantage in the world marketplace. U.S. policy needs to change in order to take these realities into account."

One of the most vexing parts of the regulatory equation involves unraveling whether the U.S. government can exert any pressure on Entrust Technologies Ltd. through its U.S.-based corporate parent, Entrust Technologies Inc. The current version of the regulations restrict U.S. companies from providing "technical assistance" to their foreign companies -- a rule that would seemingly not apply to a product developed completely by Canadians. Earlier drafts were more vague and seemed to target any relationship or aid, but the final version focused on technical assistance.

Companies with close relationships with the U.S. government are still circumspect. Steve Walker, president of the Glenwood, Md.-based Trusted Information Systems, works closely with the Commerce Department to seek approval for all of its work done in Europe. They ask for a license for all of the software being developed by their subsidiary in Britain. "We've tried to be very careful about this, perhaps more careful about it than we need to be", Walker said and then pointed out, "We're getting approval."

Sun Microsystems is pursuing a strategy with a different corporate structure. The company bought a minority stake in a Russian network software company in 1993 and recently asked them to develop encryption software for the world market. The deal is undergoing scrutiny from the U.S. Department of Commerce, but no announcement has been made about the resolution. Sun announced that they hope to ship the software on August 15.

Still, the range of a government is hard to measure. Greg Katsas, a lawyer in the Washington office of Jones, Day, Reavis, and Pogue, said: "Generally, the rules of jurisdiction of the place of incorporation apply, but there are cases where U.S. law reaches outside the boundaries. For instance, anti-trust law can cover acts done outside the U.S. intended to have an impact inside the U.S."

All of the major software companies like Microsoft, IBM and Sun continue to press the U.S. government for relief of the export control laws, arguing that better and better software is emerging throughout the world. In the House of Representatives, legislation sponsored by Representative Bob Goodlatte, a Republican from Virginia, to liberalize export laws has found wide support, while similar legislation in the Senate has died.

One of the major initiatives offered by the Clinton administration would ease export licenses for software that made it possible for law enforcement officials to obtain the software's keys with a court order. They propose lifting the restrictions for exporting the software using 56-bit keys with DES.

A number of businesses have joined together what they call the Key Recovery Alliance to help negotiate with the government about the final implementation of this plan. Most major software vendors, including Entrust and Sun, are part of the alliance. While the companies are committed to producing software that helps recover encryption keys in emergencies, there is a great deal of debate about how this will be carried out.

Entrust's product for office groups does offer key recovery, but it is a far cry from what the U.S. government would like to see implemented. Copies of the keys are only stored on the hard disk of the employee responsible for overseeing the network. There is no capability right now for interfacing with trusted third parties who would serve as recovery agents for the police.

Still, Entrust also seems to be working to meet U.S. regulations. Their enterprise-wide system for larger companies has been granted a license for U.S. export even though it uses 56-bit keys. This license was recently granted as part of the United States' push for key recovery. It signifies that the U.S. Commerce Department felt that Entrust was moving toward compliance with the policy of smoothing access for the police. In two years, Entrust may integrate their key recovery system with licensed recovery agents or it could face losing its U.S. license.

In the long run, this strategy continues to receive heavy resistance. While many businesses welcome key-recovery solutions for internal use, they seem to resist making it too easy for the police to access their documents. Corporations, after all, can be found guilty as well.

The same rules apply to countries, which are finding themselves in an increasingly brutal worldwide competition for dominance. Countries with the most liberal export laws may be rewarded with a strong fraction of the market share and this is the crucial time when the decisions about product acceptance are being decided. Many MIS managers may choose Entrust's products simply because they don't need to fill out forms with the U.S. government in order to supply it to all of their foreign subsidiaries.

Andrew Csinger is the President of Xcert, a Vancouver-based Canadian software company that manufactures encryption technology used for certification authorities. He expects that any difference between U.S. and Canadian encryption laws will be short-lived. "I think that market pressures are going to force the U.S. administration to respond more quickly", he said. "In reality, cryptography is widely available throughout the world."

Copyright © 1997 by The New York Times. All Rights Reserved. Reprinted with permission.