With spring in the air, the struggle over the use of encryption enters what could be its most crucial month yet.
Both chambers of Congress are considering legislation that aims to overturn federal limits on the export of strong encryption and security software.
The House bill, known as the SAFE Act, has already unanimously passed its first hurdle in a Judiciary subcommittee. It is generally applauded by proponents of freely available encryption, although provisions that penalize the use of encryption in a criminal act have raised the concerns of civil libertarians.
In the Senate, similar legislation called the Pro-Code bill was scheduled for a Commerce Committee vote May 1 but has been pushed back a month. The bill's sponsors, led by Sen. Conrad Burns (R-Montana), decided to delay the vote because they feel the success of SAFE has given them a stronger negotiating position with the Clinton administration, which opposes both bills, and with fence-sitters in the Senate.
"I think the administration sees the handwriting on the wall," said Burns's press secretary, Matt Raymond. "If channels of negotiation can be opened, we can maybe get a bill that can, if necessary, withstand a veto."
Pro-Code does not contain the same criminalization provisions as SAFE but has language establishing an "information security board" of federal law enforcement advisers. Board members would keep their national security agencies informed about the latest encryption and information security technologies being exported.
Raymond did not rule out more changes to the bill but felt confident that an early June goal would be met. At that point, the bill would go to the full Senate chamber for debate and a potential vote. Senate majority leader Trent Lott (R-Mississippi) is a cosponsor of Pro-Code.
Meanwhile, several software vendors have complied with the current federal export policy, which the bills are meant to overturn, in order to ship their products overseas. Even some of the government's most vocal critics, including Netscape Communications and its CEO Jim Barksdale, have applied for and received a license to ship software with 56-bit encryption to foreign customers.
To receive such a license, a company must show that its product gives law enforcement agents armed with a court order real-time access to the content of encrypted messages. The Clinton administration, led by agencies such as the FBI, argues that such access, enabled by a process called key recovery, is essential to prevent criminals from using the Internet to send unbreakable messages.
If a product doesn't support key recovery, a vendor can still obtain a license by promising to build such support by the end of 1999. Licenses are subject to a review every six months.
Despite vociferous opposition to the export policy, Netscape acknowledged last week that it needed a license to satisfy foreign buyers of its Communicator client and SuiteSpot server software.
"For some folks, it's very difficult to accept that you are not getting the full security in the product," said Taher Elgamal, chief scientist at Netscape.
High-tech companies, such as the members of the Key Recovery Alliance, stress that key recovery itself is a technology that many businesses need in case an employee leaves the company, dies, or loses a private key. It is the mandatory implementation and guaranteed government access, however, that raise hackles.
Opponents of the administration's policy also point to the availability of strong cryptography from sources outside the United States. To cut off such sources, the administration's cryptography envoy David Aaron is lobbying foreign governments to adopt similar restrictions and join the United States in creating a global "key management infrastructure" where all crypto keys would be stored and available for law enforcement purposes.
The efforts have met with mixed success so far. Initiatives in Britain and France are well under way to limit the use of encryption. But in Germany last week, Economics Minister Guenter Rexrodt spoke out against a proposed law that would mandate access to private keys, according to a Reuters report. Rexrodt was responding to a law proposed by German Interior Minister Manfred Kanther.
"The criminals are hiding in the anonymity of the networks, wiping their electronic tracks," Kanther was quoted as saying. "The technical and organizational competence of agencies charged with fighting computer crime must be strengthened."
White House envoy Aaron, who also serves as U.S. ambassador to the Paris-based Organization for Economic Cooperation and Development, is reportedly being tapped as the new chief of the Commerce Department's International Trade Administration. The story first surfaced last month in a Washington Post article that quoted anonymous sources. One Commerce Department official who asked not to be identified confirmed that the change is in the works but cautioned that it doesn't necessarily reflect dissatisfaction with Aaron's performance as crypto envoy.
"He won't be OECD ambassador anymore, but he might keep his special envoy title," the official said. "People are happy with his performance."
OECD representatives in Paris and Washington were unaware of any change in Aaron's status.
Observers are also keeping an eye on a Clinton administration proposal to create a domestic infrastructure for key storage. The proposed bill would encourage participation in the storage scheme by awarding digital certificates to participants.
Digital certificates verify the integrity of data sent over networks. Without such certification, it would be difficult to engage in electronic commerce, according to security experts.
Domestic sale and use of encryption are currently unregulated.