From: Jeff Weinstein <jsw@netscape.com>
Date: Sun, 3 Dec 1995 01:41:14 +0800
To: cypherpunks@toad.com
Subject: Info on Netscape's key escrow position
Message-ID: <199512020701.XAA01919@ammodump.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain



  I had lunch with Jim Clark today, and explained the furor that was
currently going on in cypherpunks and elsewhere.  After lunch he sent
me the e-mail that I've attached below to pass along.  I think the gist
of it is that if governments require key escrow, we will have to do it
in order to sell our products with encryption into those countries.

  We've actively lobbied against the government's proposal through
our participation and support of industry efforts by the ITAA, BSA,
SPA and others.  Next week we will be sending two representatives
to the NIST key escrow conference in DC.  In preparation for that
meeting we have been formulating an official company position on
key escrow and export restrictions.  Phil, myself, and other folks with
cypherpunk leanings are involved in writing the policy statement.
We are planning on taking a firm position against the government's
key escrow proposals.  Some time next week we will be posting our
statement publicly, and will welcome your comments on it then.

  After the NIST meeting we will also be talking to folks in congress
and the white house about our position, looking for help in getting the
current export limitations removed.  We will also be looking for
help in getting the government's position on export controlled FTP
sites clarified so that we can make the US version of the Navigator
with 128-bit crypto available for download by those people who are
legally allowed to use it.

  We don't have any plans to stop doing separate US and export
versions of our software.  As long as our customers want strong
crypto and the government lets us sell it, I think we will keep
doing it.

	--Jeff

Jim Clark wrote:
> 
> I made some pragmatic comments.
> 
> I said that if we are to use this encryption technology in business, we must
> have a better solution than to limit keylength or put keys in escrow. All
> governments of the world have a valid concern about terrorism and other
> activities of concern to the security of their nations. All of them will
> continue to restrict our ability to provide products to their markets unless
> we build in some mechanism that allows them to legally access
> information that is in the interest of their national security. (We obviously
> cannot be involved in determining what is legal by the laws of that country.)
> This is not just a US government problem. Until recently, France did not even
> allow us to sell products with 40-bit keys, much less 128-bit keys.
> 
> A lot of ordinary citizens are rightly concerned about their own privacy. I
> am one of them. I do not want the government to snoop on me, but in fact the
> government, through the FBI, can now tap my phone without my knowing it by
> simply getting sufficient evidence that I am conducting illegal activities,
> then presenting this evidence to a court to get permission. I have no say in
> the matter.
> 
> If we as a company were to take the position that in no case will we allow
> a government to get access to our encrypted messages, or refuse to allow
> key escrow with our products, the governments of the world will quickly put
> us out of business by outlawing the sale of our products in their countries.
> The fundamental issue is how do we accommodate the requirements of governments,
> while protecting our rights as citizens.
> 
> None of this represents the position of Netscape with respect to what we
> will do. But if we do not come up with a solution to this problem that is
> acceptable to each government, we will not be able to export our products,
> except with a short key length (e.g. 40 bit keys), and that will not be
> acceptable to corporate customers in other countries. They will create their
> own solution, and we will not be able to sell to a larger world market. In
> fact, we could even be ordered by our own government to establish a key
> escrow system for its use inside the US.
> 
> Ironically, anyone in the US may import unbreakable encryption technology from
> another country -- we just cannot sell it back to them. No one ever accused the
> government of being rational.
> 
> I chair an industry group called the "Global Internet Project", with members
> from almost twenty companies, including companies from Asia and Europe. This
> was the central issue we all agreed upon this morning, and we are putting
> together a policy statement whose purpose is to educate lawmakers on the
> importance of quick resolution of this matter.
> 
> Thanks for your concern. Let me know what you like and don't like.
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.