[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
NYT on Crypto Policy
The New York Times, August 18, 1995, pp. D1, D6.
U.S. to Urge A New Policy On Software
Affempt at Compromise On Scrambling of Data
By John Markoff
The Clinton Administration broke a year of silence on its
data-scrambling policy yesterday by saying it would soon
propose an alternative to the Government's so-called Clipper
Chip system, which has been widely criticized by makers and
users of computer technology.
The Administration announcement is an attempt to reach a
compromise with American corporations on a software coding
system that would protect the privacy of communication over
computer networks while still permitting court-authorized
wiretaps and eavesdropping by law enforcement officials.
Critics of the Clipper Chip have opposed it because the
Government refused to allow public examination of the
underlying technology to make sure there were no secret
backdoors that might allow unauthorized spying.
Privacy-rights advocates attacked the policy because it
called for a Government agency to hold a numeric key to
each user's code. And technology executives have opposed
the Government's data-scrambling policy because it
restricts export of other types of data-security systems,
which is seen as an impediment to sales of American
computer products overseas.
Officials of the Commerce Department's National Institute
of Standards and Technology, which administers the data-
scrambling standard, said yesterday that the Government
would convene a workshop on Sept. 6 and 7 to discuss the
new proposal. The topics include a proposal to relax the
export policy and discussion of an alternative to Clipper
technology that would be more palatable to industry
Industry officials had written two weeks ago to Vice
President Al Gore, calling for resumption of talks that had
broken off last year. In the talks last year industry
leaders had met with Government officials to seek Clipper
"I think that moving ahead with industry dialogue is
positive," Robert W. Holleyman 2d, president of the
Business Software Alliance, said yesterday. The alliance is
a group of the industry's largest software companies,
including Microsoft, Lotus and Novell. "But much more needs
to be fleshed out," Mr. Holleyman said.
One big criticism of the Clipper policy was the proviso
that a Government agency would hold, in escrow, a decoding
key that law-enforcement officials could obtain after
receiving a court's authorization. The new proposal would
still include a provision for holding keys in escrow, but
Government officials said they were now willing to discuss
letting non-Government escrow agents hold the keys.
Later in September, the Government will hold a second
workshop to discuss Federal standards for software coding
systems that could then be used as an alternative to
Clipper and a related technology called Capstone. In an
attempt to establish Clipper and Capstone as de-facto
industry standards, the original policy mandated that
computer and communications systems sold to the Federal
Government must contain Clipper or Capstone hardware.
But the new approach might allow computer and
communications companies to sell products to the Government
that achieved the same privacy protection through software-
only means. That would relieve companies doing business
with the Government of the obligation to invest in Clipper
and Capstone technologies that might not find buyers in the
Another criticism of the Government s policy has been its
longstanding export rules, which have put strict limits on
the export of software containing data-encoding
capabilities. The assumption has been that the Government's
electronic spies, the National Security Agency, would be
able to break codes with keys of 40 bits or shorter. But
now the Government will consider allowing export of coding
systems with keys up to 64 bits long -- on the condition
that decoding keys be held in escrow for access by
authorized law-enforcement officials.
"This is definitely a compromise," said Ray Kammer, the
deputy director of the National Institute of Standards and
Technology. "During the past year we've had a pretty
spirited debate about the possibility of a 64-bit software
key-escrow system. Law enforcement people had to get used
to the notion it might be possible to do this."
The vulnerability of 40-bit systems was underscored two
days ago. A French student decoded a message that had been
encoded using the 40-bit security feature in the European
version of the Netscape Communications Corporation software
for navigating the Internet's World Wide Web service.
The student, Damien Doligez, at Ecole Polytechnique, a
French engineering and sciences college, used 120 computers
in a campus network to simultaneously test every key
possible in a short period. It took him eight days, but he
was able to decode a single encoded Netscape message. Mr.
Doligez announced his achievement on the Internet.
Yesterday, Netscape issued a statement saying that the
version of its software distributed in the United States
supports 128-bit keys, which the company said would require
more than one trillion times the computing power the French
student used to decode the message.
Despite the industry's tentative willingness to accept a
key-escrow coding plan, civil liberties organizations and
other computer experts said that escrow techniques made
little sense in light of the fact that private individuals
might use any kind of coding system they wished to exchange
information domestically. Encoding systems without escrow
keys are also widely available overseas.
"How does key escrow accomplish what the Government has set
out to do?" asked David Sobel, legal counsel for the
Electronic Privacy Information Center, a Washington D.C.
public interest group. "Nonescrowed encryption is out
there," he said. "And for the concerns law and enforcement
and intelligence have, the problem remains and it will
remain under this policy."