Split on encryption exploited

Sources say the computer industry is trying to take advantage of apparent splits in the government to make its encryption plan better for business.

CNET News staff
4 min read
Less than a month before the Clinton administration is to ease encryption export regulations, sources say the computer industry is trying to take advantage of apparent splits in the government to make the plan more friendly to business.

"We don't think the administration is of one mind on this thing, which is why there's still time left to take what they've drafted and turn it into something acceptable," said an industry source involved in negotiations.

The difference of opinion within the administration has existed for some time but is becoming public because of a recently announced White House panel on e-commerce chaired by senior presidential adviser and former health care czar Ira Magaziner.

The Commerce Department believes that the government should go even further in loosening encryption export regulations to make it easier for American businesses to compete in international markets. The National Security Agency and the Justice Department, however, believe that they have already compromised enough.

"Nobody is happy with this policy," said an administration official who asked not to be named.

Introduced officially October 1, the White House plan calls for a liberalization of export laws on encryption technology in return for the creation of a "key escrow" or "key recovery" system that would require companies to store the information needed to decode encrypted data.

The administration hopes this would allow companies to use stronger encryption codes but would keep the keys in one place so that the government can read any electronic data considered part of suspected criminal activity or a threat to national security. The plan is expected to go into effect January 1.

The industry welcomed the loosening of export regulations, which it has long considered a barrier to the growth of American encryption companies and the vendors that provide secure e-commerce systems.

An alliance of companies including IBM and Hewlett-Packard immediately announced that they would support the government's plan. While some privacy advocates objected to the key recovery plan altogether, companies such as IBM said that their customers wanted them to create some kind of key recovery system and that they would cooperate to make it happen.

But this week, the Business Software Alliance, an industry trade group, changed its mind and issued a statement that the government's implementation is going in the wrong direction.

The BSA, along with privacy advocates, are growing increasingly worried that the National Security Agency and the Justice Department are prompting the government to impose a much stricter interpretation of the policy than the industry was expecting.

For example, the government may want to monitor and intercept email as it is transmitted across public networks. The industry thought the government would ask only for access to stored data, such as messages saved to hard disks or databases.

"The DOJ is driving this," said Becca Gould, vice president of public policy for the BSA. "Commerce has been good about recognizing the needs of business."

The BSA hopes to throw industry support behind the Commerce Department and thereby carry the day for the free-market advocates within the government before the January 1 deadline. Some Commerce Department supporters say the administration wants to track each company's progress in implementing key recovery, with updates on project budgets, personnel, and technology.

"It should be sufficient if the CEOs endorse a policy and say we're working on key recovery," said an industry source. "Coming in and reviewing company-by-company plans smacks of a loyalty oath."

The BSA also says that it understood that under the new policy companies could store their own encryption keys, instead of having to store them with an outside trust company. But the government worries about the difficulty of investigating companies that store their own keys.

"If a company is subject to investigation, we don't want the security guy operating the key recovery center to call the front office to say, 'Hey, the FBI is here,'" said a senior administration official. "There has to be a Chinese wall around the key recovery operation."

While the Justice Department and the FBI want to maintain as much surveillance ability as possible, Commerce Department officials are telling industry representatives that the government hasn't gone far enough to deregulate encryption laws.

Speaking on an e-commerce conference panel in San Francisco this Wednesday, Commerce undersecretary for technology Mary Good reiterated that position, stating that the latest encryption policy will not make encryption software commercially viable.

Even though the Commerce Department is now technically in charge of granting encryption export licenses--a change that the industry had specifically requested of the Clinton administration--some wonder if Commerce really is holding the reins.

"Commerce historically has not pulled a lot of weight," said Jim Rapp, a technology consultant based in Washington who has worked for several federal agencies. "They don't get a lot of respect, so the jury's still out whether they'll still call the shots."

The BSA and its allies still maintain that the market will ultimately decide how widespread key recovery becomes a reality.

"Regardless of what they do, it will not deter the key recovery alliance from our efforts," said Aaron Cross, director of public policy for IBM. "The reason we're doing the key recovery alliance is because our customers are telling us they want key recovery."