The Internet Files

The network is the story: News on the latest Internet standards and struggles

SunWorld
April 1998

U.K. government encryption plan favors key recovery

London (April 28, 1998) -- The U.K. Department of Trade and Industry (DTI) has outlined its recommendations for encryption policies, including the introduction of a voluntary licensing program aimed at getting certification authorities, trusted third parties and encryption software companies to comply with a key-recovery program.

The long-awaited proposals take the form of a bill aimed at promoting electronic commerce in the U.K., introduced by Barbara Roche, minister for small firms, trade and industry and undersecretary of state at the DTI. That means the encryption policies could become law, rather than just guidelines, according to a statement issued by the department yesterday.

Like the much-debated government policies in the U.S., the U.K. proposal would allow law enforcement officials to obtain "keys" to encrypted communications should the government believe the content to be in violation of the law. The British government has long favored such a plan, which would house keys -- mathematical values that unlock an encrypted text -- with a trusted third party.

The new plan takes into account criticisms and concerns of U.K. businesses regarding a consultation paper on the licensing of trusted third parties, proposed by the government last year.

The new U.K. scheme would encourage, but not require, that certificate authorities or trusted third parties register with a licensing body, according to the DTI. It would set minimum technical and competence requirements on companies seeking licenses, one term of which is cooperation with the government in the area of key recovery in investigations. Licensed providers of encryption services would be required by law to make keys available to the government or other interested parties -- such as companies that want to read encrypted messages sent by employees -- under certain circumstances.

In large part, the DTI supports a key recovery system involving trusted third parties because it fears that criminals and terrorists could use encryption to harmful ends. While civil liberties groups have disputed the validity of this claim, the U.K. government stands by its reasoning that law enforcement officials should be able to get access to encrypted information when investigating suspicious activities. The new proposal would require that law enforcement officials obtain a warrant in order to request the keys, whether from the third party or the user of the encryption product.

The biggest problem with the proposal is that it leaves many fundamental questions unanswered, said several observers.

"It's a bit of a dodgy document," said Yaman Akdeniz, founder of the U.K. group Cyber Rights and Cyber Liberties. "The statement doesn't make anything better or anything worse."

Because it is unclear what advantages licensed authorities would hold over unlicensed ones, such a two-tier system is bound to create confusion and stem the development of electronic commerce, according to Akdeniz. The government plans to encourage licensing by recognizing only digital signatures from licensed bodies as legal documents, according to the DTI.

It is also unclear what would happen if users of unlicensed encryption services are asked by law enforcement officials to give up their keys, Akdeniz said. Criminals and terrorists are unlikely to use encryption products from companies that have signed deals with the government to provide keys, in which case the government will still have to recover the key by forceful measures, he said. For that reason, it doesn't seem to matter whether a company is using a licensed encryption system, he said.

The government proposal was drafted to comply with the Organization for Economic Cooperation and Development (OECD) guidelines on cryptography policy, which were released in March 1997. Although it states the need for encryption export controls, it does not go into detail about the U.K.'s plans in that area, nor does it place any restrictions on the use of strong encryption within the U.K.

Akdeniz suggested that the DTI may be introducing a voluntary key recovery system, instead of the mandatory scheme it has pushed in the past, because the U.K. is following the lead of European Union policies, which do not favor key recovery systems. The DTI said it would follow the OECD guidelines and would also work with the EU on the development of digital signatures.

Commercial interests in the U.K. had mixed reactions to the proposal. The Confederation of British Industry supports key recovery in some instances, but maintains that it should not be applied to all encrypted communications between corporations. For example, two companies that have been doing business with one another for many years may already have a trusted relationship in place, so it would be unfair to ask them to invest in a new system that places keys with a third party, said a Confederation spokeswoman.

The Confederation's main goal is to eliminate undue burdens on companies and to protect their privacy, she said. The group has not yet read the new proposal carefully enough to state a formal opinion, she added.

One encryption software vendor in the U.K., JCP Computer Services, echoed concerns that the document paints a foggy picture of what it means for a company to obtain a license. Even if a company doesn't cooperate with the key recovery plan, the government could still get the keys, calling into question the advantage of standing up to the government and refusing to get a license, according to Robin Wilton, chief consultant at JCP in London.

The proposal could put companies such as JCP in a bind. Developers of encryption software would be required to build products to the specifications of key recovery in order to work with licensed certificate authorities and third parties. Failure to build this capability into products could make such a company less competitive if key recovery becomes the standard, but supporting key recovery could cause some customers who disagree with the policy to turn away, Wilton added.

The role of software vendors in the licensing plan is unclear, as is the application of the scheme to specific industries, such as high-security finance and medicine, he said.

"The government has raised issues but not gone into detail," Wilton said. "I hope their thinking behind this document is more clear than the document itself."

--By Kristi Essick, IDG News Service

Internet should be free of regulation, U.S. Commerce Dept. says

Boston (April 15, 1998) -- Governments should encourage growth of the Internet by offering funds for research and development and helping to create a "predictable legal environment," but for it to flourish, cyberspace must remain largely unregulated, according to a study out today from the U.S. Department of Commerce.

"The Emerging Digital Economy" relays mostly U.S. statistics on IT spending and Internet use that will not come as a surprise to anyone who follows the industry. The report also outlines Internet use by businesses and consumers, the advantages of using cyberspace for everything from buying company supplies to planning a trip and the obstacles to growth. Government, it seems, could be a primary stumbling block.

"Government must allow electronic commerce to grow up in an environment driven by markets, not burdened with extensive regulation, taxation or censorship," the report said. "While government actions will not stop the growth of electronic commerce, if they are too intrusive, progress can be substantially impeded."

The report further recommended that competition be encouraged in telecommunications and broadcast industries "so that high-bandwidth services are brought to homes and offices around the world and so that the new converged marketplace of broadcast, telephony and the Internet operate based on laws of competition and consumer choice rather than those of government regulation."

Internet commerce should not be hampered by "discriminatory taxation" and it should be allowed to work as a "seamless global marketplace with no artificial barriers erected by governments," the report said.

The hands-off approach to the Internet is the policy of U.S. President Bill Clinton's administration, and so would be expected to enjoy support from the Commerce Department, which is one of the offices of the president's cabinet. And while it seems that the policy will continue for the foreseeable future, challenges other than attempts by local, state and federal lawmakers to regulate the Internet will be, perhaps, more pressing.

"Perhaps the greatest challenge the U.S. faces, however, is to put in place the human resource policies necessary for the digital economy," the report said. "If the trends described in this study continue, millions of jobs will likely be created, while millions of others will be lost."

The digital revolution will likely create more jobs than are lost and the work that is created is likely to call for higher skills and provide better pay than jobs that are eliminated.

"However, it is clear that we will face great challenges in preparing the current workforce and future workers to fill the new jobs that will be created," the report said. "If we do not have a sufficient number of well-educated and trained people to fill these jobs, then the good news can turn to bad."

The report does not provide specific recommendations for preparing the workforce for the digital economy, but concludes "if these public policy issues can be resolved, and electronic commerce is allowed to flourish, the digital economy could accelerate world economic growth well into the next century."

The report was hailed by the Information Technology Association of America (ITAA). The group said in a statement today that the report will underscore how much the U.S. has come to rely on information technology for economic growth, productivity gains and low inflation.

--Nancy Weil, IDG News Service

Gore to unveil high-speed Internet2 today

Boston (April 14, 1998) -- U.S. Vice President Al Gore today formally announced an IP (Internet Protocol) network, dubbed Abilene, that will provide the native backbone for the Internet2 project intended to give a faster route through cyberspace to research universities.

Abilene is being developed by the University Corporation for Advanced Internet Development (UCAID) as part of the Internet2 project. UCAID is a consortium of some 110 U.S. research universities, nonprofit research centers, government agencies and industry members developing new points of presence (POPs) that will link university campuses to the Abilene backbone operating at 2.4G bits per second.

The Internet2 is expected to be in operation by 2000 and is being designed to help researchers share and obtain information more rapidly than is possible on the Internet. Database analysis, for example, can take hours or even days via the congested Internet, but will require just minutes on Internet2.

Gore has publicly supported the Internet2 project and UCAID, whose meeting begins tomorrow in Washington, D.C., where the group is based.

Abilene will use Qwest Communications International Inc.'s fiber-optic network and technologies from Cisco Systems Inc. and Northern Telecom Ltd.

--Nancy Weil, IDG News Service

Domain name fund ruled illegal

New York (April 9, 1998) -- A U.S. district court judge has ruled that a fund consisting of domain-name registration fees collected by Network Solutions Inc. (NSI) on behalf of the National Science Foundation (NSF) constitutes an illegal tax.

However, what finally happens to the fund -- which now holds at least $45.5 million -- depends in part on whether Congress wants to revisit the issue and officially approve the fund as a tax, according to a decision reached yesterday by Judge Thomas Hogan in U.S. District Court for the District of Columbia.

The good news for NSI is that, as part of the same case, the judge affirmed NSI's role to provide domain name registration services and collect fees for its own operations, dismissing nine of 10 counts in a class-action lawsuit filed against NSI and the NSF, which is a government body that has been charged with overseeing the Internet.

The lawsuit was brought by domain name registrants as part of a filing seeking class action status last October. It named the NSF and NSI as defendants, alleging that the NSF lacked authority to permit NSI to charge for Internet registration fees, and to set aside 30 percent of all fees for the preservation and enhancement of the 'Net's infrastructure.

The suit further charged that the NSF had created an illegal monopoly in Internet registration services and that NSI has illegally precluded competition.

Everyone who registered for .com, .net, .org, and .edu domain names with NSI up to April 1 was charged $100, $70 of which went to NSI for its own operations and $30 for the NSF fund, which was to go to further enhancing the Internet. NSF, charged with overseeing the development of the Internet in the U.S., subcontracted the work of domain name registration to NSI.

NSI's contract with NSF ended on April 1, and it is still operating as registrar of domain names until a new system is worked out. NSI plans to continue to register domain names under a new, competitive system, according to spokeswoman Cheryl Regan. It stopped charging the $30 for the NSF fund as of April 1.

But what will happen to the $30-per-registration part of the fees it has collected up to April 1 is now in question. If Congress takes action, those funds could still be plowed back into developing the Internet, according to the judge's decision. The problem is that Congress never explicitly said that the $30 portion of the fee set aside for Internet development was a tax the NSF could use to further develop the Internet.

"It is settled law that if Congress ratifies a tax, it is proper under the constitution, even though the Congressional approval might postdate the initial imposition of the tax," the judge said in his decision. "If it wishes to effect such a ratification and permit NSF to use the Intellectual Infrastructure Fund, Congress must pass legislation that more explicitly conveys its intentions."

There are other outstanding issues, the judge said. If Congress does not explicitly ratify the fund as a tax, the plaintiffs may be entitled to a refund, but it is not yet clear how much money has been collected for the fund.

Up to the end of 1997, $45.5 million had been collected, but a final count of how much money was collected in the first quarter this year has not been made. Also, the judge has reserved judgment on whether the plaintiffs constitute a class. If they are granted class status, they may be entitled to more money for refunds than if they are not, the judge said.

NSI's Regan today said that the money in the fund has not been spent, and whether or not it is refunded to the plaintiffs will have no material impact on the company.

Meanwhile, NSI has not been cleared of all anticompetition charges filed against it. A separate lawsuit involving monopoly charges, brought by pgMedia Inc., is ongoing. PgMedia filed a suit in March last year in the Southern District of New York charging NSI, along with other Internet-related organizations, with violating antitrust laws by exclusively controlling the assignment of domain names.

--Marc Ferranti, IDG News Service


Study puts US$35 billion price tag on U.S. encryption policy

San Francisco (April 3, 1998) -- Not only is the U.S. government's encryption export policy cutting into the domestic applications software business, but the policy is stifling other IT sectors and could result in a loss of between US$35 billion and $95.9 billion over the next five years, according to a new study by an independent think-tank.

Those figures represent the low and high estimates of U.S. losses due to: lost encryption sales that are picked up by non-U.S. vendors; slower growth in encryption-dependent industries like banking; foregone cost savings and efficiency gains that could be earned from greater Internet, extranet, and intranet usage; and indirect costs, the Economic Strategy Institute (ESI) of Washington, D.C., concluded in its report released this week.

The U.S. encryption export policy "negatively affects a market that gives us this big economic boom," Erik Olbeter, co-author of the study and director of the advanced telecommunications and information technology program at the ESI, said today. "It is related to the industries that we expect to continue the boom, including electronic commerce and Internet-related markets."

Specifically, the report, "Finding the Key: Reconciling National and Economic Security Interests in Cryptography Policy," estimates that over the next five years:

Olbeter said the ESI, which is not funded by any software vendors or encryption-related firms, arrived at the cost estimates by analyzing figures and projections from a variety of different sources, including Wall Street brokerage firms, and industry and other publications. The group did not use one methodology, but conducted different types of analysis and research for each of the different market segments, he said.

The deviation between the low and high estimates allows for unknown variables in each of the areas, Olbeter said, adding that the study has been criticized for being conservative in its cost estimates.

Officials at the U.S. Department of Commerce and Department of Justice did not return phone calls seeking comment on the report.

Current administration policies allow exemptions for exporting strong encryption only for financial institutions and for software built with key-recovery mechanisms that allow law enforcement to obtain data to decode encrypted information with a court order.

The current policy is jeopardizing both the country's economic and national security, the report said. It has had little or no impact on enabling law enforcement to protect against or prosecute cyber-terrorists, partly because encryption products are readily available from non-U.S. sources, according to the report.

As of September 1997, there were 1,601 encryption products available from 941 vendors in 30 countries, the report said. Of those, 653 products were made outside the U.S. by 472 firms. The study also looked at a range of policy options -- including maintaining domestic and export controls as the FBI desires, eliminating export controls only, eliminating both domestic and export controls as the software industry is asking, and eliminating export controls if global controls are in place as the White House wants -- but found all of them lacking and/or unfeasible.

The study concluded that, at a minimum, export controls should be dropped because they aren't protecting national security and are instead compromising U.S. economic security. In addition, a domestic key-recovery system undermines national security if other countries do not require similar systems internally, the report said.

"This issue has been lingering in Washington for five years now and no action has been taken on it," Olbeter said when asked why the ESI chose to research the economics of the U.S. encryption export policy. The policy is providing opportunities for non-U.S. companies to get into areas they aren't competing in now, which hurts not only U.S. encryption and application software vendors, but vendors in many other areas, as well, he said.

"There's a real potential for serious damage" to the country's economic health, Olbeter warned.

--Elinor Mills, IDG News Service

Internet Content Coalition, Trust-e develop privacy "Trustmark"

Boston (April 1, 1998) -- The Internet Content Coalition (ICC) trade group is promoting a Trust-e program that puts a "trustmark" symbol on World Wide Web sites that are deemed to have sound privacy practices.

The ICC and Trust-e announced the promotion on Monday in a statement. Privacy concerns frequently top the list of issues consumers cite in surveys about the Internet and e-commerce.

Trust-e is a non-profit global privacy initiative designed to build consumer trust in making online transactions. The trustmark symbol is given to sites that follow principles of disclosure and informed consent. Trust-e staff periodically review sites to make certain those principles are being upheld.

The ICC and Trust-e are promoting the trustmark symbol as the industry standard for consumer privacy, the statement said.

More than 41 percent of consumers refuse to give registration information online because they fear their personal information will be misused, according to a letter from Martin Nisenholtz, president of The New York Times Electronic Media Co. and a member of the ICC board. The letter, which accompanied the statement, said that if privacy issues are addressed, up to US$6 billion more in e-commerce revenue can be generated in the next two years.

The trustmark symbol means that "consumers can have peace of mind that the site is living up to the highest standards of good conduct regarding privacy and information disclosure," he said in the letter.

--Nancy Weil, IDG News Service

[(c) Copyright  Web Publishing Inc., and IDG Communication company]

URL: http://www.sunworld.com/swol-04-1998/swol-04-if.html