Pretty Good Privacy said Thursday that it has secured government approval to export strong encryption technology to foreign branch offices and subsidiaries of US companies, without any key recovery mechanism enabling the government to access data.
The splashy play for its new corporate target market is a step in the right direction, but may be little more than a clever game of catch-up, insiders say. PGP hasn't actually won approval for the full-scale export of its 128-bit encrypted email software, but has jumped into the middleman game and shepherded a group of more than 100 large, publicly traded companies through the Commerce Department licensing process.
Competitors call the en masse licensing a good stunt, but say there's nothing new about securing export permission company-by-company for encryption products stronger than the 40-bit algorithms specified under US policy. At least five companies have secured similar permission for their products in the past few months and experts say the government often grants subsidiaries of US companies exemptions to its tight crypto laws.
RSA Data Security says it has been doing its clients' licensing leg-work for years and employs a consultant who formerly worked at the export control office of the National Security Agency to ease the process.
"It's no big deal," said Larry Dietz, vice president at Zona Research, about the company's move to facilitate the licensing process. "[PGP founder] Phil Zimmermann, vegetarian and all-around nice guy, is really playing catch-up with RSA."
The companies on whose behalf PGP gained export licensing approval don't make up a client list so much as a wish list of would-be clients. "Companies that are approved for the export of Pretty Good Privacy's strong encryption should contact PGP's sales office," the press release states, making it clear that the legal battle being touted is all about marketing.
"PGP decided to get [those companies] in a position where, to quote the Publisher's Sweepstakes, they might already be a winner," said Stewart Baker, former general counsel for the NSA who now jokingly calls himself the world's best crypto lawyer. "I don't think it breaks great new ground, ... [but] it's one of the more creative approaches to getting licenses."
PGP, which made a name for itself by giving away encryption technology as freeware, said the licensing move is in line with its new corporate thrust. The refocused direction has brought layoffs and the resignation of its CEO in recent months, as well as cosmetic changes like the renaming of its encrypted email product, PGP Mail, to PGP for Personal Privacy (for the consumer market) and PGP for Business Security (for the business market).
"This is a golden opportunity to secure the corporate market," said PGP spokesman Mike Nelson, while adding that the company won't abandon its roots in freeware. "We believe that people should have access to strong encryption to protect their personal privacy, so we're continuing to create easy-to-use freeware as well as products businesses need to secure their corporate assets," he said.
The freeware is what put the company on the map, and prompted Zimmermann to face an investigation by the Justice Department, which classified strong encryption as a munition and considered its export on a par with arms trafficking. The case was dropped, but freeware still doesn't pay the bills. So, the company has been looking to gain a foothold in the corporate world - and the license to export its strong encryption can only help.
"PGP is growing up," Baker explained. "They've now developed the two-track strategy that every mature company in this area has developed - to complain loudly about the US government's policies and then to also be as creative and aggressive as possible at getting licenses in conformity with that policy," he said, before getting in a laugh: "It's not a surprise - it goes with all of the suits Phil Zimmermann now owns."