THE AGE 26 Jan 1999

Export ban kills Nexus' WHO deal

By SUELETTE DREYFUS

The directors of Sydney e-commerce software firm Nexus Solutions Pty Ltd prepared to pop the champagne corks when they landed a major deal to sell encryption products to the World Health Organisation (WHO). They planned to celebrate the company's biggest financial deal of the year and the fact that its strong crypto product, NTrust, would be protecting people's private medical records for a WHO worldwide database project.

Then everything fell apart. According to Nexus managing director Therese Bateman, the Department of Defence's Signals Directorate (DSD) told them verbally that it would refuse to grant an export permit for their 448-bit encryption product.

Former Nexus software development manager Peter Pavlovic said, "When we spoke to the DSD, they said there was absolutely no way we were going to be able to export 448-bit encryption." Within weeks, the deal was dead. "It shelved our plans for expansion that year," he said.

It was very frustrating dealing with DSD, because the agency only seemed to discuss things verbally, according to Pavlovic. DSD put very little in writing, he said.

The export of strong cryptography, which scrambles data to prevent interception, is banned in Australia without Government approval. Strong encryption programs prevent anyone - criminals and Governments - from eavesdropping on data and voice networks or peering into hard drives.

The following year (1997), Bateman said, the company experienced deja vu, when the DSD rejected another inquiry for a strong crypto-product export permit. This one was for a sizeable Australian company that wanted to secure data in its Philippines office.

The Government only permitted a weak, 40-bit version of NTrust to be exported but, according to Bateman, this was almost pointless since the whole purpose of buying an encryption product was to keep data secure.
The knock-back cost Nexus a larger deal; the client scrapped its plans to roll out NTrust across all its international subsidiaries. It was outrageous that an Australian company was barred from using an Australian product to protect its own data overseas, she said.

Nexus is about to go through the process again, helping a new client apply for an export permit. But Bateman is not optimistic, despite the fact that the client is an American Government organisation. Without the permit, the deal will collapse.

She said DSD was doing the bidding of the US Government, which has persistently pushed other countries to adopt its own strict export regulations, rather than looking after Australian business.

"The US Government says: Jump! And the Australian Government says: How high?" Ms Bateman said. This attitude is stopping legitimate businesses.

She said she knew of other companies that had had similar problems dealing with DSD. Australian companies had no certainty because their export businesses were in the hands of the bureaucrats whose decisions were not subject to normal Government systems of accountability such as FoI, she said.

The Department of Defence declined to comment on the matter, saying it did not discuss individual cases. According to the department, only the minister can refuse to grant a permit. There is no statutory right of administrative appeal against that decision.

Any dissatisfied company can request a review of the decision. Also, if they wished, like any Australian citizen they can write to their local MPs, a DoD spokesman said.

Although the DSD was not required to explain its assessments, it tried to build a strong relationship with Australian companies that intended to sell their products overseas, he said.

He said no export applications for strong crypto products (128-bit or higher) were denied in 1998. However, he refused to answer questions about how many strong encryption products had been approved for export in the past four years.
No applications approved for 128-bit or higher were for key-escrow systems, he said. The majority of companies which applied for export permits made products using 56-bit keys, he said.

Software developers needed to get their own export permits and could not piggy-back on the export permits of toolkit product companies (such as RSA). Export to all countries, including New Zealand, required a permit for strong crypto-products, he said.

Government approval is also needed for software with an interface specially designed for inserting cryptography, even if the program didn't contain any cryptography. There was no fee for the export applications.

Most exported encryption products from Australia were used to protect financial transactions, he said. The majority of applications were assessed within 20 days, he said. But he would not reveal how many applications took longer.