Crypto license raises concerns
The government gives an export license to V-One after the encryption firm agrees to cooperate with criminal investigations.
The government is afraid that criminals will use encrypted communications to slip incriminating evidence right under the noses of federal agents. To prevent this, all companies that want to export encryption technology are required to store the decoder keys in a place where the government can get them with a court order.
The government would prefer that companies give their keys to neutral third parties, but it has said that it would also allow firms to operate on an honor system; that is, they can store their own keys if they promise to cooperate with law enforcement agencies during criminal investigations.
What is critical here is that V-One's 56-bit export license requires its customers also to cooperate with government probes. To buy the product--the SmartGate security system--a customer must agree to give the government access to the encryption keys and, most importantly, promise not to tell any of its users who come under investigation.
The benefit is that the customers get to store their own keys instead of having to give them to a third party. Encryption users want to store the keys for privacy and security reasons.
"Our customers are typically large, and their security infrastructure would tend to be isolated from the end user," V-One executive adviser Lee Stanton said. "But they will have to agree to this requirement, that the end-user customer not disclose that an investigation is taking place."
This part of the agreement raised concerns with at least one online rights group.
"Any additional freedom in the sale and use of encryption is a step in the right direction," said Alan Davidson, staff counsel for the Center for Democracy and Technology. "But if the person whose key is being disclosed is never given notice, the privacy problems are still there."
The government is using its approval of V-One's license as evidence that it is willing to compromise to accommodate encryption users.
"Maybe this is making news because no one believed we would be so flexible," said Sue Hofer of the Commerce Department's Bureau of Export Administration, which is responsible for administering the federal encryption export rules.
It is questionable, however, whether the federal government could enforce this requirement outside American borders. For example, if V-One sells SmartGate to the French post office, it is unclear whether the U.S. government can gain access to user keys or penalize a company that refuses to cooperate.
To close such loopholes, the Clinton administration is lobbying foreign countries to participate in a global key management infrastructure but has met resistance overseas to its proposals.
Separately, V-One's claim to be the first to receive approval to let customers store their own keys raised the hackles of competitors.
"Cylink congratulates V-One for their approval, but I claim that they're not the first," Cylink chief scientist Chuck Williams said. "Our product was set up for customers to set up their own key recovery. V-One has done nothing new."
Cylink received approval in February to export its CyKey key recovery product. Since the administration of encryption export was transferred from the State Department to the Commerce Department in January, several companies have received licenses under the condition that they have in place or promise to build key recovery capabilities in their products.
Commerce Department officials would not comment on V-One's claim to be the first to deliver self-storage.