An international policy body has released its long-awaited recommendations on encryption that acknowledge the commercial and privacy benefits of strong encryption as well as countries' sovereign right to police the Internet as they see fit, a balance that leaves much of the recommendations open to interpretation.
The guidelines are due to be released today by the Organization for Economic Cooperation and Development, an advisory group of 29 industrialized nations with headquarters in Paris. The guidelines are nonbinding, but the United States, France, and Britain in particular have lobbied hard for the OECD adopt an international framework for the storage of encryption keys, codes that let users hide electronic messages and data from prying eyes by scrambling text into often unbreakable ciphers.
The OECD guidelines do not explicitly endorse such a system. Marc Rotenberg, director of the Electronic Privacy Information Center, who participated in the drafting process, says the final draft represents a rejection of the main U.S. goals.
"The endorsement of key escrow has been rejected," he said. "The U.S. basically got hammered."
Rotenberg pointed to a key passage in the text which reads, "National cryptography policies may allow lawful access to plain text, or cryptographic keys, of encrypted data." The United States delegation lobbied for the sentence to read "should allow" but the motion was rejected, an indication that most delegates felt that end-user privacy and promotion of e-commerce overshadowed the needs of law enforcement, according to Rotenberg.
In other sections, the text makes strong endorsements of user choice: "Users of cryptography should be free, subject to applicable law, to determine the type and level of data security needed, and to select and implement appropriate cryptographic methods, including a key management system that suits their needs."
Despite Rotenberg's assertions, the Clinton administration's point man on encryption endorsed the guidelines.
"This is a very important step forward and we are very gratified by it," David Aaron, U.S. ambassador to the OECD, told the Associated Press.
The guidelines also contain language that could be broadly interpreted in favor of either business and user privacy or law-enforcement access.
For example, in addressing the law enforcement's desire to access and decode encrypted messages, the guidelines read: "A cryptographic key that provides for identity or integrity only should not be made available without the consent of the individual or entity in lawful possession of that key."
This statement seems to go against U.S. law agencies' insistence on real-time access to unencrypted messages without the key holder's knowledge.
But at least one U.S. business representative feels that subtle wording in certain sections of the guidelines has tipped the scales too far toward law enforcement and away from business interests.
"The section on user choice isn't strong enough," said Jon Englund, vice president of the Information Technology Association of America. "'Subject to applicable law' is a phrase frequently inserted in the recent draft which basically means 'whatever governments want to mandate.'"
EPIC's Rotenberg argues otherwise, that the diplomatic language of the document is subtle but firmly planted on the side of user privacy: "This is the strongest privacy language that's been adopted in any recent international policy," Rotenberg said. "Even some industry people objected because it went so far in the direction of the end user."
In related news, the Clinton administration has come under attack for its latest proposal to create a domestic key storage system. The system or "key management infrastructure" is part of proposed legislation the administration is shopping around Congress with the hope of finding a sponsor.
Participation in the system would be voluntary and thus technically does not create limits on domestic use of encryption--something administration officials have repeatedly promised not to create--but critics say that not to participate would effectively block a business or individual from using the data security necessary to conduct private transactions on the Internet.
The Clinton administration recently loosened its rules on the export of U.S. encryption, raising the ceiling from 40 to 56 bits as long as exporters promise to build "key-recovery" capabilities into their products. Key recovery allows access to a copy of an encryption key in case the key is lost, forgotten, or the holder is suddenly incapacitated. It also gives law enforcement access to decrypted data, including on-the-fly communications, when officials present a court order to a third-party key recovery agent.
Under the latest government export laws, administered by the Commerce Department's Bureau of Export Administration, several companies have received licenses to export strong encryption. The latest is Trusted Information Systems, which today announced it can start shipping its RecoverKey International Cryptographic Service Provider product, which can encrypt data using encryption up to 128 bits. The 128-bit level is far above the normal ceiling because RecoverKey already incorporates key recovery.