Will the government hold the key?
Boston (12/12/96) -- Privacy rights and computer industry groups accused the Clinton Administration of backpedaling on plans to loosen encryption export rules after the Commerce Department released draft regulations that mandate key recovery, whereby officials would have access to encrypted messages.
A Commerce Department official denied there had been any digressions and said critics had either misread the draft regulations or had come upon vague areas that may need to be clarified. He said the administration's intent had not changed from Oct. 1, when it approved a policy increasing the encryption U.S. firms could export from 40 bits to 56 bits, as long as the firms agreed to use key recovery technology that would enable third parties to hold keys that "unlock" the protected messages.
"I do not believe that we have walked back in any respect from things we said in October," said William Reinsch, Undersecretary of Commerce for the Export Administration.
The Business Software Alliance (BSA) computer trade association and the Electronic Privacy Information Center (EPIC), however, said the draft regulation included some changes from an earlier incarnation that had been blessed with a lukewarm reception. At the time, they said that proposal was a step in the right direction from the existing law, which they claim hobbles U.S. industry by forcing weak encryption on exported software for the sake of national security.
"U.S. hardware vendors are backing off support, too," said Dave Banisar, an attorney for EPIC. For instance, he said, "IBM has products that won't be exportable under key recovery."
Representatives at IBM and Sun Microsystems Inc. could not be reached for comment. IBM is leading a coalition of computer companies, including Sun, Apple Computer Inc., Digital Equipment Corp., and Hewlett-Packard Co., to develop products with 56-bit encryption.
The main objection to the draft regulation is the key recovery provision. The BSA and EPIC claim the administration's key recovery concept is functionally the same as key escrow, a provision in the controversial Clipper Chip initiative that placed the keys to unlock encrypted messages into the government's hand. Key escrow would interfere with individuals' and corporations' rights to privacy and could be abused by officials, critics charge.
"Key escrow is where I have to give my password and spare keys to a government-approved agent, and companies don't want to do that," said Diane Smiroldo, a BSA spokeswoman. "The government is going to have a back door to your e-mail."
Reinsch disagreed. Key escrow requires a third party to hold the key, and key recovery would permit the owner of information to hold the key, he said. "We have made [it] clear...that people will be permitted under a variety of circumstances to hold their own key. We have tried very hard to make this a market-driven approach," he added.
Favoring key recovery agents
The BSA and EPIC also complained that the draft regulations favor key recovery agents, or key holders, who have a recent U.S. government security clearance of "secret" or higher. But Reinsch responded that "the public will want third parties that are trustworthy."
Critics also complain that companies will be forced to use key recovery technology sooner than previously stated, and to provide a business plan showing they are complying with the Administration's dictate to develop key recovery products. The previous plan would have allowed companies to export 56-bit encryption for two years before having to include key recovery technology.
Under the draft regulations, the Administration would review export licenses and only allow companies to continue exporting 56-bit encryption if they showed they are "acting in good faith" to comply with the key recovery technology development goal, according to Reinsch.
"We will not automatically terminate licenses after six months," he said. "We always said the companies will have to make a commitment and tell us what their plans are."
The BSA and EPIC also complained that the Administration is pushing the draft regulation through quickly before the industry and others have time to comment. The Commerce Department hopes to publish them before Dec. 25 and they are scheduled to take effect Jan. 1 as an "interim regulation," Reinsch said. "We will continue to revise it following comment as much as possible."
"The regulations, we think, are so bad...we think our only option is to go back to Congress," said the BSA's Smiroldo. "We don't think the regulations can be turned around before then."
The Administration will take the draft regulation to a meeting in Paris next week for the Organization for Economic Cooperation and Development (OECD), which is developing encryption guidelines that its 33 country members will be strongly encouraged to follow.
The Clinton Administration "is trying to cut a deal with [the] industry to get...[the] sign off on these" draft regulations, said Banisar of EPIC. "That's very tricky. We call that 'policy laundering.'" Key escrow is roundly opposed in Europe, Japan, and elsewhere around the world, according to Banisar.
"A key element of our policy is to get our friends and allies to do the same," Reinsch said in response to Banisar's charge.
--Elinor Mills, IDG News Service, San Francisco Bureau