Sun puts pressure on U.S. encryption policy

Sun finds loophole in U.S. encryption policy by licensing Russian software

By Robert McMillan

San Francisco (May 20, 1997) -- Sun Microsystems Inc. is stepping up the pressure on the U.S. government to change its encryption policy, industry observers say, by becoming the first major U.S. company to offer software capable of 128-bit encryption for sale outside of the United States.

Sun announced yesterday that it will license software capable of up to 128-bit cipher, and 2048-bit three-key triple DES (Data Encryption Standard) encryption under an exclusive licensing arrangement with Russia's Electronic Computer and Information Systems (whose Russian acronym just happens to be ELVIS+).

Under U.S. law, Commerce Department approval is required for U.S. companies to export anything stronger than 40-bit encryption. But Sun is importing and "not exporting technology," according to Humphrey Polanen, general manager of Sun's Network Security Products Group, and "current regulations do not address imports. In fact," he adds, "there are no plans to regulate them [imports]."

By licensing the Elvis+ software, Sun customers will now be able to buy the same 128-bit encryption software in, for example, Germany as they do in the U.S.

Polanen maintains that Sun's actions "are purely driven by market demand," but industry observers say that Sun's move sends a strong message to Congress to change its encryption policy. "I think it just shows yet again that our current policy just doesn't make any sense. In a global market, we can't continue to rely on these Cold War era export regulations," says Jonah Seiger, a spokesperson for the Center for Democracy and Technology in Washington, D.C.

Though the Elvis+'s software is based on Sun's own Simple Key Management for the Internet (SKIP) encryption protocol, Sun did not provide any technical assistance to Elvis+ in its product implementation, says Polanen. "Elvis+ has done some development for Sun, but not in the encryption area." He continues, "the fact that we've published the spec [SKIP specification] is not considered to be joint development."

In 1993, Sun acquired a 10 percent interest in Elvis+, which had been doing work on mobile IP technology and a wireless PCMCIA card.

Interestingly, an Elvis+ company history on a Web site maintained by Russia Communications Research -- the company that represents Elvis+ in the U.S. -- says that joint development with Sun is, in fact a key objective for Elvis+. According to the Web site, the company's "mission is to develop new computer and information technologies in the field of computer networks and telecommunications under joint development programs with Sun Microsystems, Inc." Steven Hunziker, chief operating officer for Russia Communications Research, says the history is "just marketing talk. If Sun gave us [Elvis+] any help whatsoever," he explains, "then we'd be out of business immediately."

A source close to Russia Communications Research says Sun did not enter into this deal in order to throw down its gauntlet to the federal government. According to the source, "the only question for Sun was whether they were going to make any money off of what Elvis+ did."

If Sun's move did upset government regulators they weren't saying so publicly. A spokesperson for the Commerce Department had no comment on the matter.

Alexander Galitsky, CEO of Elvis+, says that all the publicity about the U.S. encryption law takes away from the fact that they managed to produce SKIP clients for Windows 3.x and NT -- something Sun has thus far been unable to do. Galitsky concedes that exporting encryption software is "a risky area." Russia, which does restrict the export of encryption products on hardware, could decide to shut down the Sun/Elvis+ deal at any time.

The fact that Sun was able to license the Elvis+ software may also send a darker message to Washington, which has long defended its ban on encryption technology on grounds of foreign availability. Since companies outside the U.S. are not selling the technology, American companies are not losing any technological advantage in being denied access to the market, or so the argument goes. The Center for Democracy and Technology's Seiger says that deals like this one show that reasoning to be false. "We're ceding the market to foreign companies that are able to export stronger encryption technology" because of U.S. policy, he says. Galitsky says, "for us it [shows] that Russians can do products and not just technology."

While Sun will be making strong encryption client software available internationally, Sun has no plans to OEM similar server-side software, according to Polanen. So customers outside of the U.S. will have to get their 128-bit server products from another non-U.S. vendor like Israel's CheckPoint, he says.

On August 15, 1997 Sun begin will to sell the Elvis+ software, under the brand name SunScreen SKIP E+. Pricing for 3.x and Windows 95 licenses will start at $99 per user. A Windows NT version will be available for $149. Polanen says Sun has not yet decided whether or not to license Elvis+'s SKIP client for Solaris.