A long-awaited encryption policy proposal has been sent to President Clinton for his approval, although his advisers are not necessarily finished tinkering with the still-undisclosed set of guidelines, according to Under Secretary of Commerce for Export Administration William Reinsch.
The proposal, authored by a team of top-level Cabinet members, including the Secretaries of State, Commerce, Treasury, and Defense, the Attorney General, and the directors of the CIA and FBI as well as other administration officials, has been dubbed Clipper 3 by critics.
The proposal on the President's desk is not expected to result in legislation, an executive order, or any other imposition of encryption standards upon the computer industry, said Reinsch's press secretary. It is instead a "framework" to help define the industry's efforts to create new encryption technology.
But a coalition of computer industry executives, cryptographers, and online rights advocates that has opposed the Clipper proposal has given little indication that it is open to any kind of cooperation with the government.
One of the sticking points is the government's desire for a key escrow system, a clearinghouse of personal decryption codes, or "keys," available to law-enforcement officials, that the government insists are necessary if the United States relaxes laws governing the use of strong encryption software.
Specifics of the pending proposal are still a matter of speculation, but an article in the Daily Report for Executives quotes unnamed U.S. officials saying the plan will raise the ceiling on encryption export controls, institute a key-escrow system, and give the Commerce Department authority to grant export licenses.
If the report is correct, the two big surprises in the proposal are a new 56-bit key length limit for encryption that is not subject to key escrow and the authorization of the Justice Department--most likely the Federal Bureau of Investigation--to reject any applications for export licenses.
"The administration always seems to be a bit behind the curve on encryption, and they always seem to throw in a new bizarre wrinkle," said David Sobel, legal counsel for the Electronic Privacy Information Center. "What does the FBI have to do with export? The FBI is a domestic law-enforcement agency."
The alleged 56-bit limit would only be a slight change from the current 40-bit limit. The administration also proposed a scheme in August 1995 with an escrow for all keys and a 64-bit limit for exported encryption technology. A panel of cryptographic experts, including Sun Microsystems engineer Whitfield Diffie, concluded in January that 90-bit encryption was the minimum level necessary for data security.
Under Secretary Reinsch would not comment on the key length or jurisdiction details. He told the House Judiciary committee yesterday that the United States was working with the Organization for Economic Cooperation and Development (OECD) to create a global encryption policy.
Some analysts believe that the administration will in fact unveil the proposal at this week's OECD conference in Paris. Formulation of encryption policy guidelines will be the main agenda for the 27 OECD member states, and online privacy advocates are gathering to lobby the delegates toward policies that protect individual privacy, according to Jerome Thorel, editor of Planete Internet, a French magazine devoted to online issues.
The OECD meetings take place today and Friday.
Sixteen international organizations, including the American Civil Liberties Union, EPIC, and Computer Professionals for Social Responsibility, released a statement at a pre-conference meeting yesterday in Paris. The statement called for OECD member states to "resist policies that would encourage the development of communications networks designed for surveillance," reported Thorel.