
Ozzie Apes Jim Clark, Fix Is In to Cave and Cry




Wall Street Journal, Jan 18, 1996

IBM Compromises on Encryption Keys, U.S. Allows Export of
More-Secure Notes

By Thomas E. Weber

New York -- International Business Machines Corp., caving in
to intense government pressure, agreed to include a special
key that helps investigators tap into data messages in return
for permission to export a more-secure version of its Lotus
Notes software.

The U.S. has prevented software makers from exporting
sophisticated encryption technology for fear that terrorists
and other criminals would gain access to a snoop-proof
communications system. Industry observers said IBM's move
marked the first time a supplier agreed to give the government
special access to its software's security code.

Encryption keys have stirred the concern of privacy experts in
the past. While IBM's Lotus Development Corp. software unit
defended the move as a stopgap compromise until a broader
agreement on data security can be reached, Notes creator Ray
Ozzie clearly found the controversial plan somewhat
distasteful.

"We were desperate enough to try to negotiate a short-term,
pragmatic solution," Mr. Ozzie said. "But we do not believe
this is the right long-term solution."

One privacy advocate would agree. "The irreducible fact is
that foreign customers are reluctant to rely on security
products that have been compromised in some way" by federal
intelligence agencies, said Mike Godwin, staff counsel for the
Electronic Frontier Foundation.

Several years ago the government proposed the "Clipper"
computer chip that was programmed to let investigators tap
into phone calls and data messages transmitted digitally.
While that plan died after privacy advocates accused the
government of trying to spy on users, the idea of leaving a
back door open for government agents has remained alive.

Under the Lotus plan, government investigators would still
need to employ sophisticated code breaking to read messages
sent via Notes software, which lets users at different
computers collaborate. Security software encrypts information
by using a unique key of software code. The length of a key is
measured in computer bits, and longer keys are better --
they're more complex and more difficult for would-be spies,
not to mention government agents, to unravel.

Until now, to obtain an export license for Notes, Lotus has
been restricted to an encryption system of 40 bits in its
international version. Domestic users have been permitted to
use a higher-level, more-secure 64-bit system.

The new overseas version of Notes, tagged Release 4, will give
foreign users 64-bit security. But to get permission to export
the software, Lotus agreed to give the government access to 24
of those bits by using a special 24-bit key supplied by the
National Security Agency.

The plan effectively gives the government a head start in
trying to break the encryption scheme. With 24 bits of the key
already in hand, the government need only crack the remaining
40 bits -- a task considered trivial for the code-masters at
the NSA. As far as the U.S. government is concerned, this
version of Notes is no more difficult to crack than the
previous one.

The advantage to customers, Mr. Ozzie said, is that anyone
other than the U.S. government -- say, a malevolent criminal
or computer hacker -- would face the more daunting task of
breaking the 64-bit key.

Mr. Ozzie said the move was a response to complaints from
foreign purchasers of Notes. "Our customers have been telling
us that, unless we did something about the security, we could
no longer call it a secure system," Mr. Ozzie said.

It remains to be seen whether Lotus's move will allow it to
sell more software. "The idea is a good stopgap measure," said
Stephen Franco, an analyst at Yankee Group in Boston. "But the
most important thing is pushing the U.S. government to relax
some of its restrictions" on exports.
