An alliance of 11 software and hardware companies has just announced its formation to develop key-recovery solutions for electronic encryption, a crucial component of the Clinton administration's latest plan to loosen the export of encryption technology.
Announced yesterday, the administration's plan gives exporters of encryption or encrypted software a two-year window starting January 1, 1997, to build what the administration calls "key recovery" into their products. IBM, Apple Computer, Atalla, Digital Equipment, Groupe Bull, Hewlett-Packard, NCR, RSA Data Security, Sun Microsystems, Trusted Information Systems, and United Parcel Service have banded together to develop systems that will give the government what it wants, which is access to suspicious encrypted messages, so that compliant software companies will be able to get export licenses for hard-to-crack encryption codes.
"Export controls are a fact of life," RSA President Jim Bidzos said today. "In an imperfect world this technique will at least allow you to take advantage of what governments around the world will allow."
RSA's presence in the alliance is not only a coup for the government but a big surprise, as Bidzos has been one of the most vocal opponents of the Clinton administration's key escrow efforts. He has even accused the government of offering software companies special "sweetheart" deals to gain support for its encryption regulation plans.
A key-recovery plan satisfies the government's desire for court-ordered access to encrypted messages, but it also sets off alarm bells for privacy advocates and civil libertarians. Some within the U.S. software industry also claim they won't be able to sell encrypted products overseas if customers know the U.S. government has access to a skeleton key.
"While some companies might choose to cast their lot with the government's key-escrow policy, the marketplace is likely to reject the approved products," said David Sobel, legal counsel for the Electronic Privacy Information Center. "Users want strong security, not guaranteed government access to their communications."
However, the concept of key recovery is not anathema to companies that acknowledge that firms and folks using encryption to secure electronic transactions and communications will need backup copies of their keys, just as homeowners keep an extra house key under a flower pot.
Under the new government plan, a company that promises to participate in key recovery will receive a six-month license to export up to 56-bit DES encryption. When the promise is fulfilled and the government can get access to the decryption keys, the 56-bit limit is lifted. If by the end of the two-year grace period the company has not fulfilled its promise to implement a key-recovery scheme, the 56-bit limit is dropped back down to the current 40-bit limit.
"The fact that 56-bit DES [a type of encryption] will be available from significant sources is going to jump-start electronic commerce," said Ken Kay, executive director of the Computer Systems Policy Project, a public policy group composed of 12 computer industry CEOs.
Even though the increased limit to 56-bit DES was hailed by some in the computer industry, it still falls short of the recommendations from a panel of cryptography experts including Whitfield Diffie, the inventor of public key cryptography. The panel's February report said that a minimum of 75 bits was necessary for "adequate protection against serious threats" and 90 bits was necessary to thwart advances in hacking techniques for the next 20 years.
Now that the details are out and endorsements are coming in, executive action is expected in the next two to three weeks, according to one senior administration official. President Clinton will soon sign an executive order that transfers jurisdiction over encryption export licenses from the State Department to the Commerce Department, a move that the computer industry has asked for in the past because it sees Commerce as a more sympathetic agency. At the same time, Commerce will announce a new set of streamlined rules to grant companies a "fast track" to an export license if they comply with key recovery, the official said.
Commerce plans to begin licensing on January 1.
But the new plan will also give the Justice Department a voice in the licensing process, a detail that angers privacy advocates and software companies alike.
"The transfer from State to Commerce has been called for for a long time, but a small tweak is that the FBI now has veto power," said Peter Harter, legal counsel to Netscape Communications. "Domestic law enforcement shouldn't have a seat at the table."
Harter acknowledged that Netscape has not ruled out key recovery but said that the market must show demand for it. The administration has said it hopes to introduce a bill next spring that would encourage the build-up of key recovery by establishing laws on the conduct of third-party key holders. But it will not try to mandate key recovery through legislation.
"I think we have a critical mass of companies willing to work with us," said Heidi Kukis, spokesperson for the Vice President's office. "That would make legislation to mandate key recovery very unlikely."
Another fear is that the administration is using export limits to control domestic use of encryption. While Gore directly stated yesterday that domestic use of encryption will remain unregulated, the double standard for domestic and international products might discourage U.S. companies from developing two different versions, leaving U.S. and Canadian customers with the same products that the federal government has deemed safe to ship overseas.
"We obtained and intend to hold the administration to its assurances that export controls would not be used to control domestic use," said Kay of the CSPP. "The CEOs have told the administration that if they want to do domestic controls, they should do it frontally through the democratic process and introduce legislation."