Vice President Al Gore today released a long-awaited encryption policy that offers disappointingly little to computer companies chafing under current export laws.
The subject of intense speculation since Gore's office released a blueprint for it in July, the plan allows the export of slightly more powerful encryption than what is currently legal, but only if the numerical keys are stored with a third nongovernmental party. So-called key escrow lets law enforcement officials with a court order get access to, or "recover," the keys that can unlock encrypted documents.
Under the plan, companies can apply for a six-month license to export the new, stronger encryption keys, up to 56 bits in length, rather than the minimum of 75 bits recommended by cryptographers earlier this year. In exchange, exporters of the stronger encryption promise to submit their keys to escrow within two years. Domestic use of key escrow will be voluntary, and domestic use of encryption will remain unregulated, the vice president said in a statement today.
The software industry got at least one concession, as the proposal transfers jurisdiction for export controls from the State Department to the Commerce Department as expected. Gore made no mention of giving veto power to the Justice Department or the FBI as rumored last week. However, a senior administration official confirmed today that the Justice Department will have some say in who gets export licenses.
The proposal flies in the face of the recommendations of a panel of cryptography experts, which said earlier this year that a minimum of 75 bits was necessary for "adequate protection against serious threats" and 90 bits was necessary to thwart advances in hacking techniques for the next 20 years.
The Business Software Alliance, a trade organization for the software industry, has been lobbying for a 56-bit limit tempered by a cost-of-cracking adjustment, or COCA, that raises the bit limit by two every three years to allow for increasing sophistication of code-cracking methods.
The Gore proposal, which makes no mention of the COCA, is less stringent than previous administration plans.
"They actually put 64 bits plus key escrow on the table last November," said Becca Gould, the software alliance's vice president for public policy.
The vice president's proposal, hammered out by a panel of administration and security officials, gives law enforcement agencies what they have adamantly demanded for years: a "backdoor" into all encrypted email messages and software. Representatives of the FBI and the National Security Agency say unregulated encryption will only increase the chance of international criminal communication and the threat of terrorism.
However, a Congress-commissioned report countered the security community's position. Released this spring, the National Research Council report said that the lack of strong encryption for financial and security systems could in fact encourage electronic sabotage and terrorism.
Sen. Conrad Burns (R-Montana), cosponsor of the Senate Pro-Code bill that sought to abolish key escrow, argued that today's proposal propagated the disadvantage of the U.S. software industry in the global software marketplace, where companies that want to purchase strong encryption will turn to non-U.S. companies. One example is in Japan, where Nippon Telegraph and Telephone has contracted the Japanese subsidiary of RSA Data Security to provide encrypted chip sets for NTT's electronic devices. The United States has no restrictions on encryption imports.
"The administration's insistence on key escrow as a condition of lifting these restrictions has never been negotiable," Burns said in a statement. "Meanwhile, what choice do these companies have but to yield as their global competitiveness withers on the vine?"
The Pro-Code bill, which did not make it out of committee this year, is likely to be taken up again in the next congressional session. It has already gained bipartisan support, including the endorsement of Republican presidential candidate Bob Dole and Sen. Patrick Leahy (D-Vermont).
The administration was hoping to release its own plan in time for last week's meeting of the Organization of Economic Cooperation and Development in Paris, where 27 member countries discussed international cryptography guidelines. The organization said today that it will recommend nonbinding guidelines by the end of the year but will not endorse a specific cryptography system.
To encourage foreign allies such as France, Great Britain, and Japan to participate in a key escrow system, the Clinton administration is trying to elicit support for its plan on the domestic front.