Introduction: Spyglass and the Internet
Good morning. My name is Tim Krauskopf, and I am the co-founder
and Chief Technology Officer of Spyglass, located in Naperville,
Illinois. We are a small business employing 137 people and had
revenues of $10 million last year. We are growing rapidly, and
are in a unique position in the Internet software industry of
holding the exclusive rights to the commercial version of Mosaic,
originally developed at the National Center for Supercomputing
Applications at the University of Illinois at Urbana-Champaign.
Mosaic is software that was developed to allow people to navigate
the graphical portions of the Internet, specifically the World
Wide Web. Spyglass is also unique in that we license our Internet
technology to more than 70 companies who incorporate it in various
products. So our technology plays a central role in the growth
of the broader Internet software industry.
Our company's first product was a suite of data visualization tools used by scientists and engineers. We entered the Internet and World Wide Web market in May, 1994 when we completed our licensing arrangement with NCSA to develop and market a commercial version of NCSA Mosaic. Spyglass was selected for several reasons: First, I had been involved in developing early Internet technology, co-authoring NCSA/Telnet, software that made the Internet accessible for researchers and students. Second, Spyglass had already established a strong track record developing cross-platform software for the commercial marketplace. In August of 1994, NCSA extended its agreement to provide, on an exclusive basis, all future commercial licensing rights to Spyglass. Our core business is to license Spyglass Mosaic technology to other companies to include in their Internet and Intranet-related products. As the Web market has grown and evolved, so has Spyglass and its technologies. You may have heard about our recent acquisition of Surfwatch, the leading provider of filtering and parental control technology.
The Information Technology Association of America
I am here today representing both Spyglass and our primary trade
association, the Information Technology Association of America.
Spyglass licenses Web technology to many other ITAA member companies
such as Oracle Corporation, Computer Associates, IBM, Microsoft, Platinum Technology, and others.
The Information Technology Association of America represents a
broad cross-section of the software, Internet, information technology
services, telecommunications and systems integration segments
of the high-technology industry. ITAA direct and affiliate members
number over 9,000 across the U.S. ITAA is the umbrella organization
for 25 of the regional high technology organizations in various
states, representing them here in Washington, D.C.
Member companies include Netscape Communications, Microsoft, Oracle Corporation, Computer Associates, Novell, IBM, AT&T, MCI, and EDS, to name a few.
ITAA's software division has made a name for itself as the leading
organization representing the Internet, Intranet and Network-centric
business software industry. The largest software companies focusing
upon the Internet and Intranet markets are active in the association.
Priority issues include encryption, international, federal and
state taxation of software, services and the Internet, telecommunications
reform, copyright, immigration, and the Year 2000 software crisis.
ITAA Supports the Goals of S. 1726
ITAA supports the goals of S. 1726, the Promotion of Electronic
Commerce in the Digital Era (Pro-CODE), because it recognizes
1. The issue of encryption and information security over computer
networks and the Internet is no longer an esoteric, arcane subject.
How security over this network of networks is addressed will have
a broad, pervasive impact on the future of the Internet, business
and society. Companies have legitimate concerns about protecting
their proprietary information from competitors and foreign governments.
2. The Internet is a global medium and the availability of encryption
products around the world must be a fundamental factor in setting
U.S. export policy. While there are legitimate law enforcement
and national security considerations, U.S. policy cannot ignore
these market realities.
3. The economic cost of the Administration's current policy on
encryption will be enormous not only to U.S. software industry
jobs and revenues but will also have an impact on the ability
of U.S. businesses to harness the Internet to enter new markets.
We will discuss each one of these points in turn, and then lay out our specific recommendations for moving forward.
The Significance of Information Security and Encryption in
a Networked World: The Threat Is Real
A cover story in Business Week last year proclaimed that,
"The Web Changes Everything." While that may be a slight
exaggeration, the Internet is indeed starting to transform not
only how business is conducted but society more broadly.
Within several years, there will be more than 100 million people
connected to the Internet. Zona Research estimates that the market
for corporate "Intranets" alone - businesses harnessing
Internet technology for both in-house and inter-enterprise applications
- will grow to more than $6 billion by 1998.
Outdated U.S. export restrictions on encryption is a major barrier
to realizing the potential of the Global Information Infrastructure
and all it has to offer, such as business communications, financial
transactions, healthcare and personal medical information, and
A New York Times editorial this week made the point effectively:
"Once largely the domain of governments and their intelligence
services, encryption technology is now commonly used by corporations,
banks, securities firms and individual computer operators. It
is time to revise Government encryption policy to fit this new
The recent, authoritative report of the National Research Council
(which includes former Attorney General Benjamin Civiletti and
Ann Caracristi, a former Deputy Director of the National Security
Agency) also pointed out the growing pervasive impact of communications
networks upon global society:
"As the availability and use of computer-based systems grow,
so, too, does their interconnection. The result is a shared infrastructure
of information, computing, and communications resources that facilitates
collaboration at a distance, geographic dispersal of operations,
and sharing of data.
Today, the rising level of familiarity
with computer-based systems is combining with an explosion of
experimentation with information and communications infrastructure
in industry, education, health care, government, and personal
settings to motivate new uses and societal expectations about
the evolving infrastructure."
In short, we are going through a paradigm shift in which the importance
of protecting the security of information on computer networks
is growing at a geometric rate.
The threat to the security of information on the Internet is real.
Companies are concerned not only about the ability of competitors
to gain access to proprietary information, but also foreign intelligence
agencies. Two former Directors of France's intelligence agency
have stated that they gather economic intelligence, including
information from certain companies that have been targeted. Attached
is a box included in the National Research Council report laying
out the "Threat Sources."Last August, a French student
was able to crack a 40-bit encryption scheme distributed by Netscape
Communications by using computers at his university in his spare
time (it took him 8 days to break the code). A group of computer
scientists released a report recently that $10,000 worth of computer
hardware can break a 40-bit key in 12 minutes. The group estimates
that a 56-bit key using a $10 million corporate computer could
be broken in 12 seconds. Such costs could be justified by a foreign
company or intelligence agency trying to steal financial information,
trade secrets or valuable technology.
In meeting the threat, our responsibility is three-fold: to understand
the shifts taking place in society, to identify the new vulnerabilities,
and to put in place the technology solutions necessary, including
strong encryption, to counteract inappropriate or illegal behavior.
The Internet is a Global Medium and Foreign Availability Must
Be a Fundamental Factor in U.S. Policy
The Internet does not stop at the U.S. border. It is a global
medium that does not recognize the boundaries between states,
countries or continents. If information or products are made
available somewhere on the Internet, it is accessible to anyone
regardless of geographic location. S. 1726 allows U.S. software
and computer companies to compete on a level playing field with
our foreign competitors in this rapid growth global marketplace.
We are particularly pleased that S. 1726 recognizes that distributing
software over the Internet will grow in volume and economic significance
and should be used as a factor in determining whether a product
is generally available around the world.
One of the most perplexing aspects of the Administration's position
is that it has decided to turn a blind eye to the issue of what
strength of encryption products are broadly available outside
of the U.S. The Administration's position is reminiscent of the
Reagan Administration's decision to ban the export of Apple II
computers to Eastern Europe in the 1980s. The Clinton Administration
used foreign availability as a key factor in its decision last
year to change the definition of supercomputer and relax its control
on the export of computer workstations. It has elected to stick
its head in the sand and ignore this key factor in its deliberations
Basing its research on a study originally conducted by Dr. Lance Hoffman of George Washington University in conjunction with the Software Publishers Association in 1993, Trusted Information Systems (TIS) has identified 1181 encryption products worldwide (the full study is available at http://www.tis.com). TIS has found 497 foreign products from 28 countries. 193 of these products use DES, which has a 56-bit key length and is not permitted for export by U.S. companies. A recent study by the Commerce Department and National Security Agency comes to similar conclusions.
Anecdotal examples underscore why U.S. companies are losing market
share rapidly. There is a foreign product called Sioux on the
market in which the company uses U.S. export restrictions as a
major selling point to customers. The company's Web page (http://www.thawte.com/products/sioux/)
proclaims that, "The U.S. ITAR regulations prohibit the export
of strong encryption technology from North America. This means
that companies such as Netscape, Microsoft and Open Market have
to ship "Export Versions" of their software which have
limited encryption capability - using 40-bit keys which can be
since Sioux was developed outside of
the ITAR framework it ships with full encryption enabled all over
the world. Why limit your security?" These are real competitive
handicaps faced by U.S. companies.
This past Sunday, working from home on my PC, I went to the World-Wide
Web to see what was easily available for downloading. I had heard
there was a free application with SSL called "Apache"
and a search on Digital's AltaVista catalog for "Apache with
SSL" quickly led me to the names and locations on the web.
Here is a summary of what I found.
[SSL, or secure sockets layer, is a protocol for protecting any
amount of data during transmission between client and server programs.
SSL provides server authentication, data encryption and message
integrity. It was designed by Netscape Communications for use
in Internet applications. It is a highly desired feature for
our customers, and Spyglass provides a compatible product. Encryption
libraries allow software developers to build secure applications
using various operating systems and platforms.]
I found a WWW server, which roughly matches the feature set of
our own Spyglass Server, called Apache. At an Oxford University
site, I found a version which can be configured with SSL if you
have an SSL library. At that site, I found pointers to Australia
for obtaining SSL. I also found pointers to a commercialized
version of that product available from South Africa, called Sioux.
I consider this product a direct competitor to our own.
In particular, I downloaded the "SSLeay" library. Though
written in Australia, I downloaded from a site in Japan because
the network link was faster. Copies can be found at sites in
Korea, Germany, Taiwan, the UK, Japan, and of course, Australia.
URLs: ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/ (Original Australian
site) ftp://ftp.epistat.m.u-tokyo.ac.jp/pub/Crypto (Japanese mirror site)
This library contains source code to implement to any encryption bit length, DES, RC2, RC4, IDEA, and RSA encryption schemes. The documentation brags about being interoperable with all US implementations even though none of the code is derived from any US source. They simply had people inside the US test the results. I was able to download the 500K file, peruse and compile the source code without any problems in about 30 minutes. I don't believe I broke any laws because I only imported the code, never exported it.
The conclusion is that these algorithms and source code are fully
available to anyone who has access to the Internet. Because they
are available in source code form, even 64-bit or 128-bit capabilities
may have trouble competing.
ITAA believes that the issue of foreign availability is a key
element in changing the Administration's policy. S. 1726 permits
the export of encryption that is "generally available,"
but we believe that this section of the legislation may require
more detailed definitions. We are announcing today that we will
work with Congress to craft a detailed, specific way to assess
the global availability of encryption products. Such legislation
must ensure that the analysis is objective and has teeth. This
assessment must be timely and conducted at least three times a
year given the pace of technological and market development.
There's a joke in the Internet industry that the pace of technological
change and market growth is so rapid in our business that each
calendar year is really more like seven years, or a dog's year.
We need to assess foreign availability on a continual basis to
ensure that U.S. industry is not placed at an unfair disadvantage
in the global marketplace.
The Impact of the Administration's Encryption Policy upon U.S.
Jobs, the Software Industry and Small Businesses
The U.S. software industry leads the world. U.S. firms hold more
than 70 percent of the global market for pre-packaged software.
The software industry has created more than 500,000 jobs across
the U.S. The U.S. is also dominant in the emerging Internet software
market, with ITAA member firms like Netscape, Microsoft, Spyglass,
IBM, Oracle and others leading the world.
The Computer Systems Policy Project estimates that unless U.S.
policy on encryption is relaxed, this will cost 200,000 jobs and
$60 billion in revenues over the next four years. As the world
relies increasingly upon software used and shared across computer
networks instead of stand-alone workstations, the impact of U.S.
restrictions on encryption upon the U.S. software industry grows
larger and larger.
The impact of a restrictive U.S. export policy will have an impact
beyond just the U.S. software industry, however. It is anticipated
that U.S. small businesses will rely increasingly on the Internet
as an effective way to help them enter foreign markets. One of
the greatest potential benefits of Internet business communications
is that it lowers the barriers for small businesses to enter these
new markets. As more and more companies begin to rely upon digital
commerce, efforts to protect confidential and sensitive company
information carried on this network grow in importance.
The Administration's policy allows the export of encrypted software above a 40-bit key length limit if a company permits a government-certified third party to hold the "keys" that unlock the encrypted information. [As demonstrated above, a 40-bit key length is too weak to ensure the protection of information over the Internet.]
The cost of such a key escrow scheme would be paid for by individual
companies. So, companies would be faced with either choosing
1) a level of security for their information that is not 100%
secure or accepting a 2) significant administrative burden and
additional costs. In addition, such a key escrow requirement
could become a "de facto" global standard which would
create, in effect, an international Internet "tax."
This "tax" would be part of the cost of doing business
on this global network of networks.
So the Administration's policy would raise the costs and the barriers
for small businesses to enter new markets. S. 1726 recognizes
this fact by rejecting mandatory key escrow schemes. ITAA is
conducting a survey of small businesses to gather more information
on the importance of the Internet to them and the impact of the
Administration's encryption policies (see http://www.itaa.org).
We will also be analyzing in greater detail the costs associated
with the Administration's key escrow scheme.
Our Specific Recommendations and Principles Moving Forward
We support the goals of S. 1726, the Pro-Code legislation. Below
is our position on the Administration's policies and our recommendations,
followed by a set of principles on information security that we
endorse. It should be noted that Spyglass as a company has a
position that goes beyond the ITAA stance, which I will expand
upon as well.
ITAA endorses the following industry principles on encryption
developed by the United States Council for International Business:
While Spyglass supports fully the ITAA recommendations and all
of the supporting reasoning presented here, I would like to go
one step beyond the ITAA position because of Spyglass' unique
position in the market.
Spyglass only has 72 customers. Nearly half of them receive source
code to our WWW technologies as part of our service to them.
Companies like NEC, Nippon Telephone and Telegraph, Dacom, and
Siemens-Nixdorf do not receive our full product. We eliminate
all of the encryption libraries and any references to them. Spyglass
can compete against the free Apache WWW technology or the Sioux
product by providing additional features over and above what can
be obtained for free on the network. We cannot compete when certain
features cannot be legally shipped. More WWW technologies appear
weekly and more and more of them include encryption features.
A source code customer of ours, JSB, a British company, told me
last week that they required an SSL (Secure Sockets Layer) library
with encryption for use in their product. He is willing but cannot
purchase it from us. I am convinced that he will find one available
from outside the US. I am more worried about how many other companies
there are who have not contacted us.
Spyglass would add the following recommendations:
A) For RC2, RC4, DES, and RSA encryption schemes, release all
capabilities at all key bit lengths. The source code to these
algorithms (or equivalent) is available all over the world on
the Internet today. My reading of S. 1726 is that it would accomplish
B) For all cases, eliminate the restrictions on software "hooks" which call the encryption libraries. Spyglass would then be able to ship source code to SSL and other Internet security schemes along with binary libraries which use restricted key lengths (or key escrow). Ironically, by not letting us make it easy for our customers to use short key lengths, we are forcing them to find foreign alternatives which do not have key length restrictions (or key escrow). While S. 1726 would accomplish this end, the Administration could eliminate the restrictions tomorrow by changing the language in the International Traffic in Arms Regulations or ITAR (see 22 CFR Section 121.1).
In conclusion, let me say that we recognize the concerns of both
the law enforcement and national security communities. But the
Administration's current policies do not and will not be successful
by ignoring the explosive growth and nature of the global Internet
and the pace of technological change. And the Administration's
policies would also prove devastating to the U.S. software industry.
A New York Times editorial makes the point that "The
best way for the Government to protect its ability to eavesdrop
on domestic and foreign criminals is to stay technically ahead
The export restrictions do nothing to keep encryption
software out of the hands of criminals and hostile governments,
but needlessly drive American exports out of foreign markets."
The National Research Council also advocates that the U.S. Government
fund robust research programs to keep our law enforcement and
intelligence agencies ahead technologically. ITAA endorses this
recommendation, as well as the provision in S. 1726 directing
the Secretary of Commerce to "prohibit the export or re-export
of computer software and computer hardware
" if it will
be diverted or modified for foreign military or terrorist use.
Thank you, and I look forward to your questions.