In the United States, companies that develop encryption products have been precluded from exporting symmetric encryption software greater than 40 bits. The restriction was eased to 56 bits for some firms in 1997.[] In June 1997, Netscape and Microsoft were granted an exception to the United States export restrictions, which allowed them to sell software protected by 128-bit encryption technology to banking institutions so long as the software was used only for financial transactions.[]

On July 17, 2000, the Clinton administration announced it would loosen controls on the export of encryption software. U.S. companies no longer need a license to export encryption products to any end users in the 15 nations of the European Union, Australia, Norway, the Czech Republic, Hungary, Poland, Japan, New Zealand, and Switzerland.[]

The issue of export restriction of encryption products stems from the fact that criminals, including spies from other countries, could employ cryptography to mask their activities. Therefore, the U.S. government believes that it should be able to access key recovery programs for law enforcement purposes and the protection of national security interests.

While these reasons seem appropriate, opponents, including RSA Data Security, Inc., contend that users of cryptographic products have a right to privacy. They believe that U.S. law enforcement agencies may abuse their authority to obtain key recovery software and subsequently ...

Get Auditing Information Systems, Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.