HP crypto-announcement and key recovery, from The Netly News
---------- Forwarded message ----------
Date: Mon, 18 Nov 1996 09:03:25 -0800 (PST)
From: Declan McCullagh <[email protected]>
To: [email protected]
Subject: HP crypto-announcement and key recovery, from The Netly News

The Netly News
http://netlynews.com/
November 18, 1996

Under Lock And Key Recovery
By Declan McCullagh ([email protected])

As a non-event, it was a rather well-attended one. This morning
Hewlett-Packard Co. threw a press conference in Washington, DC to
announce that it had vaulted the Federal government's export
restriction hurdles by including "key recovery" technology in its
encryption products.

At least that's what the press release said. The reality is
somewhat less exciting: HP's announcement is crypto-vaporware. "We're
not making any specific announcements of products today," admitted
Doug McGowan, HP development director.

HP's move comes after competitors such as IBM and DEC stole the
limelight last month by being the first to buy into the Clinton
administration's latest key escrow scheme which would allow U.S. law
enforcement agencies to locate copies of the private keys used to
encode files and communications. The company's announcement follows a
presidential executive order signed last Friday codifying the
administration's "key recovery" proposal unveiled in October, which
the White House hopes will splinter an industry previously united in
opposition to Federal regulations governing encryption exports.

HP responded by flying CEO Lew Platt into town today to announce
a product using plug-in hardware or software "activation tokens" that
can vary by country -- but Platt admitted that the tokens don't exist
yet. Rather, he admitted, it's only a product with "a security
framework built into it" that currently uses woefully-insecure 40-bit
DES encryption. Eventually, HP hopes to export crypto that's stronger,
but the company declined to discuss details.

Dave Banisar, a policy analyst at EPIC, says such a system would
be "worse" than current policy. "It's got this new detection system in
it that requires monitoring of your crypto use and program use to
determine what the national government says is correct," he says.

The "key recovery" technology HP is licensing is likely to come from
Trusted Information Systems Inc., a company founded by former NSAers
that still enjoys close ties to the spook community. TIS's Commercial
Key Escrow uses the 56-bit Data Encryption Standard and so was cleared
for export on January 18, 1996.

"This is the first step toward implementing key recovery. That's a
policy that's just not going to solve the privacy problem for Internet
users," says Alan Davidson, staff counsel for the Center for Democracy
and Technology. "This is the first step on that road toward building
key recovery for the world. It's a very dangerous thing."

Clinton's executive order is carefully crafted to counter the
three strategies that crypto privacy proponents have devised to kill
the export rules: the public relations, the judicial and the
legislative approaches.

Netizens, privacy advocates and high-tech firms rightfully
blasted the old export policy, which classified crypto as a
"munition," as a relic of the cold war -- a sentiment with which even
The New York Times agreed. So Clinton has reclassified it as a
non-munition, yet the change is in name only: Netscape browsers remain
subject to export controls.

Several lawsuits are challenging the constitutionality of the old
export regulations. So Clinton's executive order contains language
that EFF's John Gilmore says is designed "to evade the current
lawsuits" by taking aim at some of the legal arguments.

Administration officials spent an unhappy summer on Capitol Hill
being grilled by senators who were considering legislation to lift the
crypto export embargo. So Clinton carefully crafted his announcement
to defuse some of the reasons to pass this legislation when Congress
returns in January.

In other words, the White House has been able to answer or deflect
many issues that netizens have raised in favor of strong encryption.
But another argument may not be as easy to counter.

Patrick Ball is a senior program associate at the American
Association for the Advancement of Science who has traveled the globe
teaching human rights workers how to protect themselves from
oppressive governments. The stamps on his passport read like a who's
who of censor-happy regimes: El Salvador, Ethiopia, Haiti, Guatemala,
South Africa and Turkey. "I have done PGP training in every country
I've worked in," says Ball.

To Ball, the debate over crypto isn't about civil rights or
businesses losing export dollars, but over something much more
fundamental: human rights. He says: "Why do security police grab
people and torture them? To get their information. If you build an
information management system that concentrates information from
dozens of people, you've made that dozens of times more attractive.
You've focused the repressive regime's attention on the hard disk. And
hard disks put up no resistance to torture. You need to give the hard
disk a way to resist. That's cryptography."

And that's a winning argument.
###