Clinton task force calls for key recovery

A presidential commission on cyber-terrorism released a report on encryption today, recommending the creation of a system to store the keys that decrypt coded messages that court-authorized law enforcement could access.

The President's Commission on Critical Infrastructure Protection recommendations hardly break new ground. The Clinton administration already is on record supporting a Senate bill that would make life difficult for those who didn't participate in a so-called key recovery system.

The presidential commission--which convened technical and policy experts to study how to secure computer networks, power grids, and phone systems--is only the latest governmental body to recommend the implementation of "key management infrastructures" without providing any specific suggestions.

Civil libertarians and critics in the high-tech industry have complained bitterly that key recovery systems make encrypted communications vulnerable to a host of threats. A study released in May by 11 cryptographers and computer scientists outlined a number of specific concerns, including bugs that would expose users' keys and abuse by law enforcement insiders.

At least one Internet civil liberties group criticized the commission today for failing to heed the report.

"When you create a separate copy of your key, you're running the risk that it will fall into the wrong hands," said James Dempsey, senior staff counsel with the Center for Democracy and Technology in Washington, D.C. "By urging the adoption of key recovery, this report is basically re-creating a whole new set of vulnerabilities in the name of solving existing vulnerabilities."

The recommendations come as no surprise, since at least 11 of the 18 commissioners work for the Clinton administration.