1998 B.C. Intell. Prop. & Tech. F. 112501
The Changing Face of Encryption: Embassy and Industry
On November 3, 1998, Hewlett-Packard and Wave Systems announced a new hardware-based encryption system, called Embassy. The Embassy system will be shipped globally and incorporated into personal computers by manufacturers. Once the hardware is in place, the system can be adjusted by software commands to match prevailing local encryption policies. The system resolves two key difficulties for encryption vendors. First, Embassy allows vendors to mass-produce a product that can be customized, rather than producing a product tailored to the most restrictive jurisdiction (allowing the least secure product). Second, Embassy provides a method to update hardware already in place, as encryption policy evolves in each local jurisdiction.
Encryption is a method of encoding information, used to prevent others from accessing valuable data. Once limited to military and diplomatic uses, encryption has become a part of everyday life. The latest cellular phones encrypt conversations to prevent others from eavesdropping. Personal computers often contain encryption technology, allowing consumers to purchase goods over the Internet with confidence. Recognizing the value of encryption technology, the United States allows encryption of any strength within its borders. However, because securely encrypted data is a potential threat to law enforcement and espionage agencies, the United States prevents the export of strong encryption technology with a complex set of regulations. Furthermore, unlike the U.S., some foreign governments have restrictions on the kinds of encryption that can be used within their borders.
The Embassy system is one of the latest innovations in the field of encryption, made possible by advances in programmable chip technology. Embassy can encrypt data using a variety of methods, including some stronger than the current United States consumer encryption export limit. However, before the system can be used it must be registered and activated annually with a designated local authority. Embassy therefore allows local authorities to control the level of encryption and enforce compliance with annual policy changes.
The ability to modify hardware to local needs will change the economics of the encryption industry. Traditionally, encryption vendors have had to build their products to the lowest common denominator, providing a level of encryption low enough to satisfy the strictest government within the global market. With Embassy, one product can still be shipped domestically and internationally, but it can then be adjusted to take advantage of more permissive local policies where they apply. U.S. consumers, who have legally had access to strong encryption but practically been denied it, may benefit.
However, by making domestic use of strong encryption feasible, Embassy could trigger a backlash of regulation. It may also encourage strong encryption that has a 'back door' mechanism, providing access to law enforcement authorities. Some countries, such as France, have very restrictive local policies that require key recovery encryption. Key recovery is a technique that stores the key to unlocking encrypted data in a repository outside of the consumer's control. The Embassy system would make the establishment of these repositories more feasible.
Ninety percent of countries have no domestic-use policies at all. Those that have policies are changing them on a regular basis. Canada, Germany, Denmark, Japan, Australia and France have indicated that they will allow these systems. The United States has expressed interest but has withheld an export license until actual implementations have been tested, according to Hewlett-Packard executive Doug McGowan.
The backers of Embassy are pushing to make the hardware of the system ubiquitous. Wave Systems will provide chip manufacturers design specifications, allowing specialized chips to be embedded in personal computers. Initially, Embassy will work with Windows and Unix-based operating systems. Rather than have personal computer manufacturers and consumers directly absorb the cost of the Embassy system, Hewlett-Packard will charge licensing fees to developers who build applications that use Embassy. NEC has announced that it will ship Embassy-equipped computers next year.
Encryption advocates argue that anything less than full encryption, with very long keys to encrypt the data, is fundamentally insecure. They point out that messages encrypted with longer keys are exponentially more secure than messages encrypted with a shorter key. For similar implementations of an encryption algorithm, a 56-bit key is 64,000 times more powerful than a 40-bit key. Indeed, the Electronic Frontier Foundation, one of the encryption watchdog groups, in partnership with Cryptography Research, Inc. and Advanced Wireless Technologies, Inc., demonstrated that 56-bit DES, the current United States consumer encryption export standard, is easily and relatively inexpensively broken.
Encryption systems that require a central repository where keys must be stored raise especially difficult problems. Since a system is only as secure as its weakest link, both transporting the keys to the outside repository and protecting the repository from unwarranted access threaten to make "key recovery" systems fundamentally insecure.
While it may seem the government is solely concerned with law enforcement's need to access data communications, the government is becoming a very large user of encryption. Many encryption advocates argue that the secure privacy afforded by full encryption will allow the government to operate more cost effectively.
Encryption advocates are also dismayed by laws that require individual consumers to provide back-door access to the plaintext of encrypted data, but allow large industries (such as banking and insurance) secure encryption without plaintext access. On September 16, 1998, the Clinton administration further segmented encryption policy by relaxing export controls on encryption technology for more large business industry groups. Foreign financial institutions have in most cases been able to buy U.S.-made encryption software of unlimited strength since 1997. Under the recent expansion of encryption rules, insurance companies, handlers of medical records, and companies that use specialized transaction software to do business over the Internet will be able to buy U.S. software after a one-time review. Encryption and privacy advocates view this kind of strategy as a 'divide and conquer' technique, where government policy makers appease large business interests' in encryption while retaining antiquated restrictions on encryption technology for everyone else. The little guy, they feel, is being disenfranchised when it is the little guy who most needs the privacy protection encryption affords.
Systems like Embassy that must be activated on an annual basis by local authorities raise a number of additional issues. The system needs to be able to detect that a year has passed, even as software freely available on the Internet can freeze or roll back the clock in a computer. To implement Embassy successfully, the government would also need to become an expert at detecting the physical location of a server in cyberspace, even if measures were taken to fool it. John Gilmore, co-founder of the Electronic Frontier Foundation, asks, "When you contact the server to turn your crypto on, how does that server know what country you're in? If these systems do spread, bootleg certificates that turn them on would become popular." While recent developments in global positioning system (GPS) chip technology may make it possible for location to be detected without error, such solutions raise significant new privacy concerns.