GAK Rat Pack
C|NET, October 2, 1996, 1:45 p.m. PT
Computer alliance supports encryption policy
By Alex Lash
An alliance of 11 software and hardware companies has
just announced its formation to develop key-recovery
solutions for electronic encryption, a crucial component
of the Clinton administration's latest plan to loosen the
export of encryption technology.
Announced yesterday, the administration's plan gives
exporters of encryption or encrypted software a two-year
window starting January 1, 1997, to build what the
administration calls "key recovery" into their products.
IBM, Apple Computer, Atalla, Digital Equipment, Groupe
Bull, Hewlett-Packard, NCR, RSA Data Security, Sun
Microsystems, Trusted Information Systems, and United
Parcel Service have banded together to develop systems
that will give the government what it wants, which is
access to suspicious encrypted messages, so that
compliant software companies will be able to get export
licenses for hard-to-crack encryption codes.
"Export controls are a fact of life," RSA President Jim
Bidzos said today. "In an imperfect world this technique
will at least allow you to take advantage of what
governments around the world will allow."
RSA's presence in the alliance is not only a coup for the
government but a big surprise, as Bidzos has been one of
the most vocal opponents of the Clinton administration's
key escrow efforts. He has even accused the government of
offering software companies special "sweetheart" deals to
gain support for its encryption regulation plans.
A key-recovery plan not only satisfies the government's
desire for court-ordered access to encrypted messages,
but also sets off alarm bells for privacy advocates and
civil libertarians. Some within the U.S. software
industry also claim they won't be able to sell encrypted
products overseas if customers know the U.S. government
has access to a skeleton key.
"While some companies might choose to cast their lot with
the government's key-escrow policy, the marketplace is
likely to reject the approved products," said David
Sobel, legal counsel for the Electronic Privacy
Information Center. "Users want strong security, not
guaranteed government access to their communications."
However, the concept of key recovery is not anathema to
companies that acknowledge that firms and folks using
encryption to secure electronic transactions and
communications will need backup copies of their keys,
just as homeowners keep an extra house key under a flower
pot.
Under the new government plan, a company that promises to
participate in key recovery will receive a six-month
license to export up to 56-bit DES encryption. When the
promise is fulfilled and the government can get access to
the decryption keys, the 56-bit limit is lifted. If by
the end of the two-year grace period the company has not
fulfilled its promise to implement a key-recovery scheme,
the 56-bit limit is dropped back down to the current
40-bit limit.
"The fact that 56-bit DES [a type of encryption] will be
available from significant sources is going to jump-start
electronic commerce," said Ken Kay, executive director of
the Computer Systems Policy Project, a public policy
group comprised of 12 computer industry CEOs.
Now that the details are out and endorsements are coming
in, executive action is expected in the next two to three
weeks, according to one senior administration official.
President Clinton will soon sign an executive order that
transfers jurisdiction over encryption export licenses
from the State Department to the Commerce Department, a
move that the computer industry has asked for in the past
because they see Commerce as a more sympathetic agency.
At the same time, Commerce will announce a new set of
streamlined rules to grant companies a "fast track" to an
export license if they comply with key recovery, the
official said.
Commerce plans to begin licensing on January 1.
But the new plan will also give the Justice Department a
voice in the licensing process, a detail that angers
privacy advocates and software companies alike.
"The transfer from State to Commerce has been called for
for a long time, but a small tweak is that the FBI now
has veto power," said Peter Harter, legal counsel to
Netscape Communications. "Domestic law enforcement
shouldn't have a seat at the table."
Harter acknowledged that Netscape has not ruled out key
recovery but said that the market must show demand for
it. The administration has said it hopes to introduce a
bill next spring that would encourage the build-up of key
recovery by establishing laws on the conduct of
third-party key holders. But it will not try to mandate
key recovery through legislation.
"I think we have a critical mass of companies willing to
work with us," said Heidi Kukis, spokesperson for the
Vice President's office. "That would make legislation to
mandate key recovery very unlikely."
Another fear is that the administration is using export
limits to control domestic use of encryption. While Gore
directly stated yesterday that domestic use of encryption
will remain unregulated, the double standard for domestic
and international products might discourage U.S.
companies from developing two different versions, leaving
U.S. and Canadian customers with the same products that
the federal government has deemed safe to ship overseas.
"We obtained and intend to hold the administration to its
assurances that export controls would not be used to
control domestic use," said Kay of the CSPP. "The CEOs
have told the administration that if they want to do
domestic controls, they should do it frontally through
the democratic process and introduce legislation."
[End]