Same news was also reported in today's WSJ (on-line edition at least).
--------
January 18, 1999
Tech Center
Hewlett-Packard Announces Export-Permissions Expansion
By JASON FRY
THE WALL STREET JOURNAL INTERACTIVE EDITION
Hewlett-Packard Co. announced Monday that it has received U.S. government approval to export a key component of its VerSecure encryption technology to customers in nine more countries.
The announcement marks an expansion of existing approvals from the government. H-P officials hope it will boost demand for VerSecure by easing a difficult distribution problem for companies exporting encryption products, and possibly pave the way for other applications using the technology.
The U.S. Commerce Department has approved export licenses for Belgium, Iceland, Italy, Luxembourg, Netherlands, New Zealand, Norway, Portugal and Spain, the Palo Alto, Calif., computer maker said. H-P received permission last year to export VerSecure servers to Australia, Canada, Denmark, France, Germany, Japan and the United Kingdom.
Doug McGowan, H-P's director of VerSecure, said the company hoped to get permissions for most remaining nations later this year.
The U.S. government's policy on encryption technology, which scrambles data so that, for example, e-mail messages or credit-card numbers can't be intercepted and read as they make their way across the Internet, has become a battlefield pitting the high-tech industry against the government.
The Clinton administration has loosened some export restrictions on encryption, but maintains controls due to worries that data-scrambling technology will be used by terrorists and criminals to defeat law-enforcement attempts to gather intelligence. The government has pushed encryption firms to include "key recovery," a back-door decoding method under which trusted organizations would keep copies of encryption keys for potential recovery by authorized agencies.
U.S. high-tech firms argue that strong encryption technology is readily available and that the U.S. restrictions are still too tight. Officials from these companies contend that they are losing billions in potential sales to foreign competitors that can offer products without key-recovery features.
While some of its competitors have fought the government, H-P tried another tack with VerSecure.
The VerSecure technology, first proposed in 1996, is a combination of hardware and software.
H-P (or a licensed manufacturer) embeds VerSecure into hardware -- a card or an integrated chip, for instance -- and ships it "broken." Users then activate the encryption by going online to servers controlled by a "security domain authority," where they download a key -- a "policy activation token" in VerSecure parlance.
Those security domain authorities define what encryption strengths and methods are available to users, and choose whether or not to implement a key-recovery scheme: VerSecure in itself isn't a key-recovery technology, but H-P says any commercial key-recovery method will work with it. And the authorities can set a time frame -- typically one year -- after which the policy activation token will no longer work and must be renewed.
Mr. McGowan said H-P pitched the idea for the technology to the government ahead of time and asked the government to work with it. Last year, Commerce Undersecretary William A. Reinsch said the department was pleased to support H-P's effort because the department saw it as encouraging the use of key recovery.
H-P said that any manufacturer of VerSecure-compliant hardware should win widespread export permissions after a routine review by the Commerce Department. Meanwhile, H-P is working to win permissions from the government to export the other half of the equation -- the servers -- to security domain authorities in more and more nations. Those authorities -- whether companies or government agencies -- must then abide by their own nations' encryption laws.
H-P touts the result as a flexible answer to the encryption problem that can address companies' and countries' different policies and allow those companies and countries to change those policies without replacing their system.
Opponents of the government's encryption policy, meanwhile, see the H-P product as largely a sidelight to that debate, as VerSecure is aimed more at corporate users than at the mass market. None of the export reforms or exceptions granted so far, opponents of the restrictions argue, address the needs of individual users.
Mr. McGowan said H-P has lobbied for further liberalization of the government's encryption rules, but at the same time acknowledges that the government has real security concerns. "Our position is that the government has a legitimate problem," he said, adding that "I'm glad I'm not them."
Besides, Mr. McGowan said, even if the U.S. lifted its encryption restrictions, high-tech companies would still have to deal with other nations' laws. "You can't unilaterally fix the problem anyway," he said. "You've got to fix the world's laws, and I don't know how you lobby for that."
Meanwhile, analysts say VerSecure could solve a problem for encryption-software makers that hasn't been adequately addressed: product distribution.
Ted Julian, an analyst for Cambridge, Mass., market-research firm Forrester Research, noted that receiving permission from the U.S. government to export encryption technology doesn't solve all of a company's problems. Because different countries have different rules, Mr. Julian said, companies face the unhappy prospect of having to design products for countries' users in any number of ways and then keep inventories of those products on-hand. Moreover, firms and even individual users within nations may have different standards and wants.
"How do I as a global vendor deal with those differences in as streamlined a way as possible?" Mr. Julian asked. "H-P's answer is to enable encryption locally." A company designing its products to work with VerSecure can address the needed variations in its software, a far easier course of action.
Mr. McGowan says VerSecure will only succeed if it's widely deployed, adding that H-P products alone won't ensure that success. Therefore, he said, H-P is actively looking for licensees and trying to get hardware manufacturers to use the technology. Putting VerSecure on a motherboard inside a PC costs less than $5, Mr. McGowan said, adding that that price is expected to drop.
In October, H-P struck a licensing deal with Wave Systems to build VerSecure into a pair of chips and PC maker NEC Corp. has said it will offer the chips in its PCs this year.
H-P, meanwhile, sees VerSecure as the foundation for other software and services beyond encryption -- after all, the technology can be built into non-PC devices such as set-top boxes and cell phones.
For example, Mr. McGowan says, the system could easily be adapted to address software makers' fears of piracy. A CD-ROM containing a business-software suite could be encoded so that it could only be used with the PCs that incorporated VerSecure in their hardware.