Wired coverage of 'new' admin rules
Quite a different spin on it in this article...
----
Banks' Crypto Permit Not as Free as It Looks
by Kristi Coale
6:12pm 8.May.97.PDT

When the Commerce Department on Thursday gave its
blessing to the export of the strongest available encryption products
for electronic banking and finance, the Clinton administration wasn't
really giving any ground on its stance on key recovery.

That's because the likely customers for these products - banks and
financial institutions - are already subject to tough rules when it
comes to tracking transactions and accounts to individuals. And these
institutions are legally bound to share this information with the
authorities.

Given the scope of current regulation, the Commerce Department's key
recovery requirement would only be duplicative, a department
spokesperson said.

That's why banks have been allowed to export government-approved Data
Encryption Standard technology since the early 1980s. And that's why
they'll now be able to use stronger encryption to secure transactions,
including account and credit card numbers. The government standard has
a fixed-key length of 56 bits; encryption being readied for electronic
commerce such as Secure Electronic Transaction can have keys of 1,024
bits and longer. It is assumed that it would take years and enormous
computing power to crack the longer keys.

In remarks Thursday before a Washington gathering of the American
Bankers Association, Undersecretary William Reinsch outlined the plan
which gives banks the ability to export direct-home-banking products
with encryption keys of unlimited length. However, if a commercial
software company - and not the bank - develops the banking product,
the program must meet the administration's requirement for a
key-recovery plan.

Key recovery provides a "back door" that allows third parties to open
and read electronic transmissions such as email. Under the
administration's plan, these keys would be stored with
government-sanctioned escrow agents such as Trusted Information
Systems, a computer security firm, or Bankers Trust, a bank holding
company. With these keys, police, prosecutors, and spy agencies with
court orders can get access to any message or document.

But privacy advocates distrust this system. To organizations like the
Electronic Privacy Information Center, key recovery is no different
from the administration's plans for government access under the failed
Clipper initiatives.

And given the current level of regulation, exempting the financial
institutions from the key-recovery requirements represents a mere "fig
leaf of a concession" on administration policy, said Dave Banisar,
EPIC staff counsel.

Developers have their own concerns about the Commerce Department
announcement - namely, that by telling companies seeking to sell
electronic commerce software to banks that they must include key
escrow in their products, the administration is playing too prominent a
role in the process.

Companies such as Hewlett-Packard which support key escrow prefer to
implement it in products where it makes business sense for them to do
so, said Fred Mailman, the company's regulatory manager. Mailman is
worried that the door may now be open for the government to tell
companies what product families will have key recovery instead of the
companies choosing themselves.

While companies sort this out, the pressure on the industry to
capitulate to the administration's key recovery plan increases,
Mailman said.

Related Wired Links:
Netscape's Key Recovery: That's Business
by Michael Stutz
Law and Order and a Crypto Bill
by Rebecca Vesely
Andreessen: Market, Not Policy, Pushes Crypto
by Michael Stutz

Copyright (c) 1993-97 Wired Ventures, Inc. and affiliated companies.
All rights reserved.