Crypto code of honor put to test

The battle over digital encryption is one of competing fears and ghosts, a struggle that pits fundamental rights of privacy against national security. As the current version of the Pro-Code encryption bill suffers a slow death, both sides of this difficult issue lay plans for next year.

CNET News staff

The specter of J. Edgar Hoover and government abuse of private information hovers against televised disasters like the ominous crash of TWA Flight 800, images that law enforcement authorities warn will be repeated with tragic frequency if the Internet becomes a criminal playground where the good guys are locked out.

[Photo: Hearings were cybercast by Senate staff members]

The theater for this historic conflict is a piece of legislation unknown to much of the general public called the Promotion of Commerce On-Line in the Digital Era Act of 1996. The bill is a rallying point for online rights advocates and Silicon Valley executives who see encryption not only as the way to ensure individual privacy in a virtual world full of digital holes, but also as the key to realizing the Internet commerce boom that has so far advanced with baby steps.

Supporters of the legislation, known commonly as the Pro-Code bill, say their campaign is gaining momentum and express confidence that the measure will eventually become law. But even if they broaden their foundation, they face the obstacles of a presidential veto and a perceived threat of terrorism associated with secret codes.

Pro-Code seeks to abolish not only Cold War-era export restrictions on encryption but also a "key escrow" system in which everyone's private encryption codes, or "keys," would be stored with third-party agencies sanctioned by the government. What Pro-Code opposes, and what the FBI, the National Security Agency, and the Clinton administration want, is back-door access built into the key escrow system that would basically give the government a skeleton key to everyone's email or computer files.

The latest government proposal, outlined on July 12 by Vice President Al Gore's office, is the descendant of the Clipper chip, a piece of silicon the administration originally proposed in its first year that would have given law officials access to all sorts of digital systems.

[Photo: Sen. Conrad Burns speaks before the hearings]

Those on all sides say Pro-Code has no chance of passing before Congress adjourns for the election season. Even the legislation's strongest supporters acknowledge that the measure faces an uphill battle on Capitol Hill next year, especially after such recent incidents as the TWA explosion and the Olympics pipe-bombing. No public links have been made between these incidents and encryption technology, but that is a subtlety that is sure to get lost in an election year, if not trampled to death.

"With the election coming up, the last thing politicians want to see is the Empire State Building getting leveled," said one Washington-based government affairs manager at a major computer company.

The administration is hoping to temper the ardor behind the bill by helping Silicon Valley and other technology companies become more agile in navigating Washington's infamous bureaucracy.

Another word for it is seduction. One Silicon Valley CEO contends that the Clinton administration is trying to buy the support of its more vocal opponents in the industry by granting export licenses on a case-by-case basis or awarding lucrative government contracts.

"Their M.O. [modus operandi] is to cut special deals with people," said Jim Bidzos of RSA Data Security, whose cryptography algorithms have become an industry standard in software products. "Rather than make broad industry concessions, they prefer to grease the squeaky wheel."

Spokeswoman Heidi Kukis of Gore's office denies that any deals are being cut.

If the Defense Department purchase of almost 200,000 Netscape Communications browsers was an attempt to grease the wheels of an influential software company, it hasn't seemed to work. A month after the deal was announced in July, Netscape CEO Jim Barksdale lobbied on behalf of Pro-Code before the Senate Commerce Committee, and company officials say they are ready to pick up the fight when the 105th Congress convenes in January. Before then, however, the administration could implement its own legislation based on the July 12 proposal, or even issue an executive order.

Opponents say the new key escrow proposal represents an evolution from hardware to software but not much of a compromise. Moreover, many details remain vague: For example, it doesn't limit access to officials at the federal level, leaving the possibility of local, state, and international authorities having as much of a right to a citizen's crypto keys as the FBI or the NSA would have.

Ultimately, such concerns might not matter. Recent tragedies, combined with constant media fascination with any suspicious online behavior, give the government's appeal to antiterrorist measures a public resonance that, justified or not, is hard to ignore.

[Photo: President Bill Clinton]

"You can go too far in terms of individual rights," said Dorothy Denning, a computer science professor at Georgetown University. "Where do you strike the balance? That's the question."

Denning sees terrorism increasing regardless of whether Pro-Code passes, but she doesn't want to see law enforcement with its hands tied: "Some of that [increase] is being enabled by the Internet and communications technology in general, and Pro-Code will make it harder to gather intelligence not just after a crime but for preventative purposes."

Even Matt Raymond, press secretary for Pro-Code sponsor Senator Conrad Burns, admits the bill has no chance of passing this year. The attention then shifts to next year's congressional session and the administration's key-management proposal, which could be unveiled at this month's meeting in Paris of the Organization of Economic Cooperation and Development. There, the U.S. government hopes to ask its European allies for help in implementing a key-escrow system.

The support of even a few key industry players would solidify the administration's hand going into the Paris meetings, Raymond said.

In addition, the government has 30 years of Cold War policy on which to base its arguments. Encryption is still classified as a munition and its export is thus strictly regulated.

"A crypto-related [crime] event would certainly create a larger problem for our side," said Shabbir Safdar, co-founder of the Voters Telecommunications Watch and keeper of the Encryption Policy Resource Page. Safdar and others like him see Pro-Code's progress so far as a stepping stone to next year's congressional session.

"Congress and the White House might come to blows," Safdar said. "The White House, however, has the attorney general and a lot of smart legal minds at their disposal, and they're not going to lose a (crypto) case as easily as they lost the Communications Decency Act."

As intransigent as the two sides may seem, a solution will have to be reached if online technology is to fulfill the communications and economic needs of the next century.

"It'll finally be recognized that big business and educational institutions will want emergency [key] access for their own self-interest, internal to their own organizations," said Lynn McNulty, former associate director for computer security at the Commerce Department's National Institute of Standards and Technology and now a private security consultant in the Washington area. "That's where the general solution lies, but it still doesn't address individuals, smaller groups, and those morally opposed to the government having access to their private files."

In the end, McNulty says, the fate of the latest technology will rely upon one of our country's oldest documents: "There's still a First Amendment issue to be thrashed out, to see, ultimately, if the ability to use encryption is protected speech."

Senate hearing photos courtesy of www.crypto.com