[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NYT on Crypto Policy

   The New York Times, August 18, 1995, pp. D1, D6.

   U.S. to Urge A New Policy On Software

   Affempt at Compromise On Scrambling of Data

   By John Markoff

   The Clinton Administration broke a year of silence on its
   data-scrambling policy yesterday by saying it would soon
   propose an alternative to the Government's so-called Clipper
   Chip system, which has been widely criticized by makers and
   users of computer technology.

   The Administration announcement is an attempt to reach a
   compromise with American corporations on a software coding
   system that would protect the privacy of communication over
   computer networks while still permitting court-authorized
   wiretaps and eavesdropping by law enforcement officials.

   Critics of the Clipper Chip have opposed it because the
   Government refused to allow public examination of the
   underlying technology to make sure there were no secret
   backdoors that might allow unauthorized spying.
   Privacy-rights advocates attacked the policy because it
   called for a Government agency to hold a numeric key to
   each user's code. And technology executives have opposed
   the Government's data-scrambling policy because it
   restricts export of other types of data-security systems,
   which is seen as an impediment to sales of American
   computer products overseas.

   Officials of the Commerce Department's National Institute
   of Standards and Technology, which administers the data-
   scrambling standard, said yesterday that the Government
   would convene a workshop on Sept. 6 and 7 to discuss the
   new proposal. The topics include a proposal to relax the
   export policy and discussion of an alternative to Clipper
   technology that would be more palatable to industry

   Industry officials had written two weeks ago to Vice
   President Al Gore, calling for resumption of talks that had
   broken off last year. In the talks last year industry
   leaders had met with Government officials to seek Clipper
   Chip alternatives.

   "I think that moving ahead with industry dialogue is
   positive," Robert W. Holleyman 2d, president of the
   Business Software Alliance, said yesterday. The alliance is
   a group of the industry's largest software companies,
   including Microsoft, Lotus and Novell. "But much more needs
   to be fleshed out," Mr. Holleyman said.

   One big criticism of the Clipper policy was the proviso
   that a Government agency would hold, in escrow, a decoding
   key that law-enforcement officials could obtain after
   receiving a court's authorization. The new proposal would
   still include a provision for holding keys in escrow, but
   Government officials said they were now willing to discuss
   letting non-Government escrow agents hold the keys.

   Later in September, the Government will hold a second
   workshop to discuss Federal standards for software coding
   systems that could then be used as an alternative to
   Clipper and a related technology called Capstone. In an
   attempt to establish Clipper and Capstone as de-facto
   industry standards, the original policy mandated that
   computer and communications systems sold to the Federal
   Government must contain Clipper or Capstone hardware.

   But the new approach might allow computer and
   communications companies to sell products to the Government
   that achieved the same privacy protection through software-
   only means. That would relieve companies doing business
   with the Government of the obligation to invest in Clipper
   and Capstone technologies that might not find buyers in the
   commercial marketplace.

   Another criticism of the Government s policy has been its
   longstanding export rules, which have put strict limits on
   the export of software containing data-encoding
   capabilities. The assumption has been that the Government's
   electronic spies, the National Security Agency, would be
   able to break codes with keys of 40 bits or shorter. But
   now the Government will consider allowing export of coding
   systems with keys up to 64 bits long -- on the condition
   that decoding keys be held in escrow for access by
   authorized law-enforcement officials.

   "This is definitely a compromise," said Ray Kammer, the
   deputy director of the National Institute of Standards and
   Technology. "During the past year we've had a pretty
   spirited debate about the possibility of a 64-bit software
   key-escrow system. Law enforcement people had to get used
   to the notion it might be possible to do this."

   The vulnerability of 40-bit systems was underscored two
   days ago. A French student decoded a message that had been
   encoded using the 40-bit security feature in the European
   version of the Netscape Communications Corporation software
   for navigating the Internet's World Wide Web service.

   The student, Damien Doligez, at Ecole Polytechnique, a
   French engineering and sciences college, used 120 computers
   in a campus network to simultaneously test every key
   possible in a short period. It took him eight days, but he
   was able to decode a single encoded Netscape message. Mr.
   Doligez announced his achievement on the Internet.

   Yesterday, Netscape issued a statement saying that the
   version of its software distributed in the United States
   supports 128-bit keys, which the company said would require
   more than one trillion times the computing power the French
   student used to decode the message.

   Despite the industry's tentative willingness to accept a
   key-escrow coding plan, civil liberties organizations and
   other computer experts said that escrow techniques made
   little sense in light of the fact that private individuals
   might use any kind of coding system they wished to exchange
   information domestically. Encoding systems without escrow
   keys are also widely available overseas.

   "How does key escrow accomplish what the Government has set
   out to do?" asked David Sobel, legal counsel for the
   Electronic Privacy Information Center, a Washington D.C.
   public interest group. "Nonescrowed encryption is out
   there," he said. "And for the concerns law and enforcement
   and intelligence have, the problem remains and it will
   remain under this policy."