NYT on New GAK
The New York Times, October 1, 1996, pp. D1, D2.
Accord Near On Computer Security Codes
'Key' System Required For Law Enforcement
By David E. Sanger
Washington, Sept. 30 -- After several years of debate
between the computer industry and American intelligence
agencies, President Clinton has decided to permit American
computer companies to export more powerful data-scrambling
software but only if they establish a system that will
enable keys to the code to be obtained by law enforcement
officials with a court warrant.
Administration officials, speaking on the condition of
anonymity, said Mr. Clinton reached his decision late last
week and that Vice President Al Gore would announce it on
Wednesday or Thursday.
Several big computer companies, led by I.B.M., have
agreed to the new system, but many others, which have
opposed past proposals by the Administration for data-
scrambling policies, are likely to object.
Many American computer and software executives have long
argued that United States export controls on the most
sophisticated data-privacy technology put American industry
at a disadvantage versus products sold by their foreign
competitors.
But the Clinton White House, like previous Administrations,
citing national security issues and fears of foreign
terrorists or criminals, is loath to permit the export of
some of the most powerful data-scrambling software. The
reason has chiefly been that intelligence agencies feared
such equipment would be used by foreign terrorists, drug
cartels and other criminals to hide transactions and
communications.
Now, in a compromise, according to two senior officials in
the Administration who have been deeply involved in the new
policy, American companies will be permitted on Jan. 1 to
export software that encrypts, or scrambles, data using
"keys" -- lengthy numeric codes -- that are up to 56 bits
long. Until now, companies have been prohibited from
selling products abroad that have keys longer than 40 bits.
Mr. Clinton has also decided to move the authority for
exporting the encryption software from the State
Department, which has had export-licensing authority
because the technology has been classified as munitions, to
the Commerce Department, which controls the export of
products that have both commercial and military use.
Industry officials have long urged that change, betting the
Commerce Department would be more inclined to give a higher
priority to American competitive interests.
But starting in two years, American companies choosing to
export the more sophisticated software would have to set up
what the industry is calling a "key recovery" system. That
system would enable intelligence officials and law
enforcement agents, armed with court warrants, to go
through a lengthy multi-step process that would give them
the mathematical key to decoding scrambled communications.
The approach replaces the Administration's earlier proposed
"key escrow" system in which the Government would have been
the repository of the numeric keys -- leading to fears of
potential Government abuse, or a reluctance by legitimate
foreign users to buy the software.
Under the new plan, the keys may be held by third-party
companies. And large institutions, like banks, may be
allowed to hold their keys in escrow -- assuming they pass
some kind of Government certification.
Still, the success of the system will depend in large part
on the Administration's efforts to persuade other countries
to adopt the same "key recovery" system, allowing their
intelligence agencies and justice systems to cooperate in
trailing criminals across national borders. But Mr.
Clinton's aides acknowledged today that this process has
just begun, and so far only England and France have
expressed much enthusiasm.
"It is going to take a while to persuade people that their
data is safe under this system, that it protects privacy,
and yet that we can use the system to trace terrorists or
drug dealers," one senior Administration official said.
Officials at I.B.M., which is expected to announce on
Wednesday the creation of an industry consortium to aid in
establishing the "key recovery" system, said today that no
single entity would hold the entire key.
Instead, it will be divided up across several companies
that would handle any given message, much the way the
launching officials in nuclear missile silos each had only
part of the key instructions needed to begin a nuclear
attack.
If the C.I.A., for example, obtained a court order to
decode a message, it would have to go to several groups
with its warrant to piece together the key.
"We believe that this solves the biggest weak point in the
previous plans, where one entity held the key," said an
I.B.M. official familiar with the company's announcement.
But these steps are not likely to silence all the critics.
"There is still a perception that the U.S. is trying to
extend its intelligence capability by setting standards
around the world," said Marc Rotenberg, director of the
Electronic Privacy Information Center.
There are other potential holes in the system. Customers in
the United States will be free to buy encryption software
of any complexity -- as they can today -- with keys that
are much longer than 56 bits and are nearly impossible to
break. That means terrorist groups or drug dealers could
still buy such software and sneak it out of the country, or
even transmit it over computer networks.
"There is nothing we can do about bright students or Joe
Terrorist who use sophisticated encryption systems to
communicate with each other," one senior administration
official said. "But when they brush up against legitimate
groups, especially banks," the official said, "then they
are more likely to be dealing with a system" where law
enforcement could use the key recovery system to decode the
communications.
On Capitol Hill, several bills had been pending that would
lift all export controls on encryption software, but the
legislation did not move as the current session of Congress
wound down. In Congressional testimony last week, Jamie S.
Gorelick, Deputy Attorney General, said lifting all export
controls would "undermine our leadership role in fighting
international crime and damage our own national security
interests."
[End]