CNET también está disponible en español.

Ir a español

Don't show this again


Official saw flaws in crypto law

William Reinsch, a Commerce Department official, called U.S. crypto policy "costly and less efficient," according to a 1996 memo.

Despite the Clinton administration's policy that U.S. exporters of encryption build products that can be cracked with a court order, a high official conceded more than a year ago that such systems were considered "costly and less efficient" by overseas users.

According to a government memo obtained and circulated today by the Electronic Privacy Information Center (EPIC), William Reinsch, the undersecretary for the Commerce Department's export administration, made the statements in November 1996--almost two months before the White House's new export rules went into effect.

The federal export policy limits the strength of encryption, which renders communications unreadable if intercepted. All products shipped overseas must have a built-in system in which copies of private keys are stored with a third party or the product manufacturer. The feature was designed to allow law enforcement officials with court orders back-door access to encrypted communication, as well as for the benefit of companies or users who lose their key.

In his memo to other government officials, Reinsch discussed whether the export policy would be used "to try to force adoption of key recovery, or whether it will use incentives to reinforce market forces that are moving toward an international key management infrastructure."

Reinsch opposes domestic controls on encryption. But he has toed the administration's line promoting key recovery in products for export outside the United States. However, when he compared encryption software to cellular phones with encryption capabilities, he admitted that foreign customers prefer products without "key escrow" or key recovery.

"Police forces are reluctant to use 'escrowed' encryption products, such as radios in patrol cars. They are more costly and less efficient than non-escrowed products," he wrote. "Our own police do not use recoverable encryption products; they buy the same non-escrowable products used by their counterparts in Europe and Japan."

He went on to warn that controlling exporters from upgrading their privacy technologies could "cause serious economic dislocation, legal challenges, and a political firestorm."

Reinsch's observation is not new to privacy groups, which have been fighting to overturn the federal export restrictions. Opponents of the law say it cripples the U.S. software industry's ability to compete with their international competitors that can distribute stronger products.

Moreover, a report released in May by a group of 11 cryptographers and computer scientists said the creation of a worldwide system to crack encrypted messages would "result in substantial sacrifices in security and greatly increased costs to the end user."

EPIC asserts that Reinsch's internal memo is saying the same thing.

"The U.S. policy for several years now has been to promote this technology in the international market on the grounds that key recovery is a feature that users want," said David Sobel, EPIC's legal counsel. "The significance of his statement is that at the moment, foreign law officials, who can buy strong U.S. crypto, are not interested in it because it contains key recovery.

"We now have an admission that even the U.S. government recognizes the inefficiency of these products," he added.

But the Commerce Department said today that because Reinsch's memo is dated and was written before the export regulations were released, his statements should not be taken as an admission that export crypto products with built-in key recovery are undesirable or expensive now.

"Overall, the memo was written before the regulation was published in 1996 and discussed questions that at the time were unanswered," a Commerce Department spokeswoman said today.

"Things have changed dramatically since then. The memo is old," she added. "Since that time, the interagency process has resolved the issues. The technology has changed so much in the last 18 months. There are solutions to problems that we didn't even know were problems."

The White House has long pushed for industry players to "voluntarily" build key recovery into their domestic products as well. But earlier this month, a Justice Department official said that--for now--the government was not seeking a mandatory system. The FBI has been lobbying for a mandatory domestic system since last year.