Proponents see VerSecure as an innovative workaround to restrictive US policies, but critics say the software still does little for the foreign company seeking unrestricted access to strong encryption technology. Though companies can use VerSecure's encryption with and without key recovery - a "back-door" to encryption codes - it can be implemented at any time. The software is monitored full-time to see that it complies with local encryption laws in each country regarding key recovery. HP's system performs encryption in VerSecure-based hardware - PCs, servers, cell phones, and so on - only after a "token exchange" with a "Security Domain Authority" (SDA) clears the scrambling. SDAs are basically networked encryption checkpoints run by specified third-party organizations in each country; SDA's use "tokens" to electronically clear a device's use of encryption. In sending a communication from Denmark to the United States, for example, a Danish server would need to retrieve a token from an SDA server, which in turn would approve the use of encryption for the message. The tokens also feature expiration dates, allowing countries to change policies over time. Thus, a country that doesn't require key recovery initially may add the requirement later. "Many companies have been absolutely amazed by what we have achieved from a technology and government relationships point of view," said HP general manager Joe Beyers. But those hoops, so complicated to jump through, are also signs of what critics sees as the technology's major limitations. "I wouldn't even call this a solution - I would call it a special exemption to the regulation," said Willard of the Business Software Alliance. The approval doesn't end with VerSecure's government licensing. As Commerce Department spokeswoman Sue Hofer notes, each product using VerSecure technology must be checked for compliance by an inter-agency US government review. Jim Bidzos, CEO of encryption software vendor RSA Data Security, admires the relative flexibility Hewlett-Packard has finagled with its VerSecure architecture, but says it only goes so far. "In order to be able to freely compete with foreign companies offering strong cryptography, we still have work to do." Whether companies will be interested in products using VerSecure's encryption scheme also remains to be seen. Jude O'Reilley, analyst with the Gartner Group, said VerSecure may appeal to smaller companies that want to altogether avoid the Commerce Department and foreign regulators. "Companies that might not have the resources internally to work out local regulation - this gives them a reasonable front end." Still, O'Reilley said that VerSecure is only an architecture at this point. Hardware vendors have to license it, he said, and foreign companies have to buy those products. At the other end, the infrastructure for the Security Domain Authorities must be installed. "In some cases it will actually be a certificate authority that takes that role," O'Reilley said. "So their uptake is obviously critical here as well." And that, privacy advocates say, is far from the voluntary, market-driven system cryptography demands.