JoC Nox GAK

[John Young <jya@pipeline.com>]

The Journal of Commerce, October 10, 1996.


Editorial/ Encryption Technology Policy 


Oct. 10 -- SECRET CODES: Let's say you're selling your house and, 
after months of searching, you've found a potential buyer. But 
there's a problem: The local sheriff wants a spare set of keys in
case the house is used for unlawful purposes. Your buyer, a solid
citizen, doesn't want his privacy invaded. He decides to look in 
another neighborhood, with a less intrusive sheriff.


This improbable scenario describes, more or less, Washington's 
policy toward U.S. exports of encryption technology -- devices 
that scramble computerized data. Under a revised policy, the 
Clinton administration says that, following a partial two-year 
grace period, it will require exporters of sophisticated 
encryption devices to keep a spare set of "keys" -- the 
formulas that turn encrypted data back into plain text -- in a 
place accessible to the government. That may seem like a sensible
precaution, but it is likely to hurt exporters while doing little 
for law enforcement. The government's effort to control encryption 
goes to the heart of the information networks that are becoming a 
bigger part of people's lives almost by the day. Individuals and 
companies leave behind them an ever-broadening wake of electronic 
records -- on everything from video rentals and catalog sales to
car registrations and health records. As hackers get better at 
breaking into these files, it becomes more urgent to use 
encryption to protect them.


The government, however, has other ideas. It says encryption sold 
overseas poses a threat because law enforcement officials may not 
be able to decode the secret communications of terrorists and
drug dealers. To ease its access to such files, the government 
essentially is building a trap door into billions of records 
stored in computers overseas.


Of course, there are caveats and loopholes. The policy applies 
only to foreign sales; U.S. law forbids government prying into 
domestic computer files. Also, the policy grants exporters a 
two-year period in which they can sell encryption up to a 
moderate level of sophistication -- 56 bits in key length --
without restriction. After that, a key-access requirement would 
take effect.


The government-access rule will force U.S. exporters to do some 
fancy sales footwork. Foreign buyers, after all, may not be 
thrilled to know Uncle Sam can gain access to their private 
files. They may worry that if Washington has keys, their own 
governments may demand the same, and that the strangers holding 
the keys may not guard them carefully, no matter what the rules 
say.


Terrorists, meanwhile, will have plenty of ways to circumvent 
the U.S. rules. They have a choice of 179 foreign-made encryption 
devices of at least 56-bit strength that are not burdened by 
key-access requirements. Terrorists also could make their own 
scrambling devices -- there are books available on how to write 
encryption codes -- or buy them in the United States, which has 
no domestic sales restrictions, and carry them out of the 
country. Why, then, is Washington bothering with export 
controls? In part, it's an attempt at back-door control of the 
domestic market. If companies are forced to limit the 
sophistication of encryption destined for export markets they 
may do the same for domestic products, to cut production costs. 
That would make life easier for law enforcement officials, 
who worry increasingly about impenetrable barriers to suspected 
criminals' computerized information.Those agencies indeed have 
a problem. Technology has given the world's bad actors a better 
cover of secrecy than ever before. But trying to control exports 
and limit domestic technology is not the solution. As a 
practical matter, the encryption horse has long since departed 
the law enforcement barn.


Absent an agreement among all nations on a key access system -- 
an impossible goal and not a very desirable one, given different 
countries' views on protecting privacy -- unilateral restrictions 
will be futile. They will serve mainly to scare customers away 
from U.S. manufacturers. Rather than try to restrict the 
encryption industry, the administration should promote it, and 
find other ways to improve criminal surveillance.

-----

On the Internet:

Visit The Journal of Commerce on the World Wide Web. Point your 
browser to: http://www.joc.com/

-----