Firms propose new crypto plan
Leading software firms propose a new encryption plan meant to ease U.S. government fears that current technology will compromise security.
Thirteen companies, many arch rivals such as Microsoft and Netscape Communications or Cisco Systems and Bay Networks, are backing a new approach to allow the sale of encryption products overseas if they support a "private doorbell." That would let network operators to give law enforcement access to messages to or from a specific individual with a court order or legal warrant.
Eight of the companies, including Cisco, last week applied to the Commerce Department for permission to sell products overseas if they include the technology, which already exists in Cisco's ClearZone management tools for its routers. Cisco said two additional firms are planning to file by the end of this week.
The federal government requires U.S. firms to get approval before exporting strong encryption products, fearing that those technologies might fall into the hands of terrorists or criminals. It currently requires those high-tech firms to promise they will explore use of key recovery as a condition for overseas sale.
The "doorbell" approach addresses only network encryption, meaning data sent over the Internet or another network. It does nothing for desktop encryption, as when an individual user encrypts an email message before sending or encrypts data on a computer hard drive.
"While this effort represents a partial solution to the encryption debate, the industry is committed to work together toward a complete solution," said a press release jointly issued by the 13 companies.
With the "doorbell," data remains encrypted as it crosses a network. The approach lets a network administrator give access to law enforcement or espionage agencies (the "private doorbell") if they have the proper legal authority, similar to obtaining a wiretap. But the order would only give future messages, not information that had been sent in the past, and only traffic for specific users.
The Commerce Department issued a careful statement welcoming the initiative. Americans for Computer Privacy, a coalition of users and technology vendors, praised the proposal, but Washington-based privacy advocates panned it.
"We welcome the development as part of the ongoing dialogue the [Clinton] administration is having with industry to find encryption products that reach a balance between national security and law enforcement concerns on the one hand and the needs of electronic commerce and personal privacy on the other," a Commerce spokesperson said. "There are serious issues that must be considered in interagency export review, and we will carefully review Cisco's license application."
Peter Gordon, a spokesman for the Justice Department, said his agency, the FBI, Commerce, the State Department, the Defense Department, and other agencies have 30 days to respond to the applications.
"We will be looking at it for its impact on national security and law enforcement," he said.
"Anything that is market-driven is a better solution than anything that is government-mandated," said Greg Garcia, coalition manager for the ACP advocacy group. "This shows how industry can approach the problem with solutions or developments that support law enforcement's access needs without endangering the privacy of citizens or corporations."
"I'm not really clear how it moves the privacy aspect of this debate much further than where we've been for a long time," said David Sobel, general counsel of the Electronic Privacy Information Center.
"The problem is that it is not end-to-end encryption. From a privacy perspective, that is what the debate is about," Sobel added, suggesting the proposal merely helps vendors sell more products overseas.
"We believe that some of the coverage has overstated how much of an impact this will have," said Alan Davidson of the Center for Democracy and Technology. "We're glad the companies are getting more licenses to export more products--that's good for privacy. But this does not solve the privacy problem for the rest of us."
The proposal has been in discussion since October 1997, and industry representatives indicated in a teleconference today that they are trying to respond to government complaints that vendors have not put forward positive proposals.
"The administration has challenged this industry on numerous occasions to come up with innovative solutions," said Dan Scheinman, Cisco's vice president of legal affairs. "Everybody can't get everything they want, but this represents our best thinking in terms of the networking problem."
Doug McGowan of Hewlett Packard noted that the private doorbell approach has advantages over the "key recovery" or "key escrow" schemes because it requires companies to create less infrastructure.
The companies in the coalition are Bay Networks, Cisco, Microsoft, Netscape, Ascend, 3Com, Hewlett Packard, Intel, Network Associates, Novell, RedCreek Communications, Secure Computing, and Sun Microsystems.