Crypto companies in hot seat

As the computer industry argues over whether the latest federal rules on cryptography exports are good for e-commerce and bad for privacy, one segment of the encryption and security market suddenly finds itself the center of attention.

CNET News staff
4 min read
As the computer industry argues over whether the latest federal rules on cryptography exports are good for e-commerce and bad for privacy, one segment of the encryption and security market suddenly finds itself the center of attention.

New federal rules due to become law via a presidential order later this month require software vendors to implement key recovery, a technology that allows storage and access to encryption codes, in exchange for export licenses for their encryption technology. Now that the government has mandated key recovery as a condition of shipping strong crypto software overseas, a host of companies, including IBM and Hewlett-Packard are lining up to develop and provide key recovery services as part of the electronic security solutions.

Just like house keys, encryption keys can get lost. Or the key's owner could change jobs, die, or be suspected of illegal activities within the company. For all these possibilities, corporate brass and the government would like to have copies of encryption keys on hand, preferably stored securely within the organization itself.

The new government rules will require key recovery technology to be included in all exported cryptography and encrypted software. This mandate could turn the formerly limited market for key recovery into a boom market.

That part is fine with the U.S. software industry, which wants to develop interest in key recovery as part of the larger effort to promote security for digital commerce. It's difficult to quantify how much exactly is at stake, as security products are increasingly integrated into other software. But as global electronic communication increases and users want everything from email and financial transactions to operating systems encrypted, the potential business impact could be huge.

But software vendors also prefer to implement key recovery and other kinds of security on their own terms. Some argue that the ability of the U.S. government to access the keys will make their products unpalatable to foreign and multinational businesses, which will instead look to companies in Japan, South Africa, and Europe for security solutions unencumbered by U.S. restrictions.

"If I'm a British citizen, am I going to buy a 128-bit browser from Netscape Communications with a peephole for Uncle Sam, or the 128-bit browser from British Telecom?" asked Kurt Stammberger, director of technology marketing for RSA Data Security, whose cryptography algorithms are widely used around the world. "Key recovery basically has no market outside of the United States."

The Clinton administration, however, is working to convince foreign countries, especially France and Great Britain, to adopt similar key recovery systems and access rules. Other companies, meanwhile, are quickly positioning themselves to take advantage of the new federal rules.

"This is great for us and our customers," said Alex Cavalli, chief technical officer of TradeWave, which already builds key recovery systems into its Internet security software. "This sets up the opportunity for people to go into the key recovery game."

Cavalli said his customers haven't expressed concerns about government snooping. "Government access hasn't been an issue, but then again it also hasn't been lurking on the horizon until now."

Not to miss a market opportunity, IBM is heading up a coalition of companies that announced their willingness to collaborate with government guidelines to provide standards for key recovery mechanisms. The coalition between the companies themselves is a shaky one: Big Blue and at least two other members, Hewlett-Packard and Sun Microsystems, each want to develop their own security and encryption frameworks and then promote it as an industry standard.

"We're working hard to have ours approved by the government," said HP spokeswoman Kim Daniel. "It would be a big win for HP."

RSA, a vocal critic of the government's encryption policies in the past, is also a member of the coalition, but the company didn't want to be perceived as giving in too easily to the government's demands.

"We weren't pleased with the rosy glow of the IBM press release," said Stammberger. "It's interesting how several companies have suddenly gotten enthusiastic about key recovery."

Privacy advocates and analysts are skeptical that customers will accept too much cooperation with the new policy. "Ninety-nine percent of users don't care how their keys are stored," said Clay Ryder, senior industry analyst at Zona Research. "But it's the [corporate] brain trust that takes issue."

The clock is ticking. By January 1, 1999, software companies will have to demonstrate working key recovery schemes to the Commerce Department if they want to export encryption stronger than 40 bits in length. The government may rethink its demands if the market reacts too negatively, but if it doesn't, then companies who reject key recovery may have significantly fewer security solutions to choose from.

"If the government access is too ominous for [those companies], they'll have to make that decision," said TradeWave spokeswoman Patricia Friar.