From: jya@pipeline.com (John Young)
Date: Wed, 2 Oct 1996 02:07:00 +0800
To: cypherpunks@toad.com
Subject: NYT on New GAK
Message-ID: <199610011242.MAA07002@pipe2.ny3.usa.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   The New York Times, October 1, 1996, pp. D1, D2. 
 
 
   Accord Near On Computer Security Codes 
 
      'Key' System Required For Law Enforcement 
 
   By David E. Sanger 
 
 
   Washington, Sept. 30 -- After several years of debate 
   between the computer industry and American intelligence 
   agencies, President Clinton has decided to permit American 
   computer companies to export more powerful data-scrambling 
   software but only if they establish a system that will 
   enable keys to the code to be obtained by law enforcement 
   officials with a court warrant. 
 
   Administration officials, speaking on the condition of 
   anonymity, said Mr. Clinton reached his decision late last 
   week and that Vice President Al Gore would announce it on 
   Wednesday or Thursday. 
 
   Several big computer companies, led by the I.B.M., have 
   agreed to the new system, but many others, which have 
   opposed past proposals by the Administration for data- 
   scrambling policies, are likely to object. 
 
   Many American computer and software executives have long 
   argued that United States export controls on the most 
   sophisticated data-privacy technology put American industry 
   at a disadvantage versus products sold by their foreign 
   competitors. 
 
   But the Clinton White House, like previous Administrations, 
   citing national security issues and fears of foreign 
   terrorists or criminals, is loath to permit the export of 
   some of the most powerful data-scrambling software. The 
   reason has chiefly been that intelligence agencies feared 
   such equipment would be used by foreign terrorists, drug 
   cartels and other criminals to hide transactions and 
   communications. 
 
   Now, in a compromise, according to two senior officials in 
   the Administration who have been deeply involved in the new 
   policy, American companies will be permitted on Jan. 1 to 
   export software that encrypts, or scrambles, data using 
   "keys" -- lengthy numeric codes -- that are up to 56 bits 
   long. Until now, companies have been prohibited from 
   selling products abroad that have keys longer than 40 bits. 
 
   Mr. Clinton has also decided to move the authority for 
   exporting the encryption software from the State 
   Department, which has had export-licensing authority 
   because the technology has been classified as munitions, to 
   the Commerce Department, which controls the export of 
   products that have both commercial and military use. 
   Industry officials have long urged that change, betting the 
   Commerce Department would be more inclined to give a higher 
   priority to American competitive interests. 
 
   But starting in two years, American companies choosing to 
   export the more sophisticated software would have to set up 
   what the industry is calling a "key recovery" system. That 
   system would enable intelligence officials and law 
   enforcement agents, armed with court warrants, to go 
   through a lengthy multi-step process that would give them 
   the mathematical key to decoding scrambled communications. 
 
   The approach replaces the Administration's earlier proposed 
   "key escrow" system in which the Government would have been 
   the repository of the numeric keys -- leading to fears of 
   potential Government abuse, or a reluctance by legitimate 
   foreign users to buy the software. 
 
   Under the new plan, the keys may be held by third-party 
   companies. And large institutions, like banks may be 
   allowed to hold their keys in escrow -- assuming they pass 
   some kind of Government certification. 
 
   Still, the success of the system will depend on large part 
   on the Administration's efforts to persuade other countries 
   to adopt the same "key recovery" system, allowing their 
   intelligence agencies and justice systems to cooperate in 
   trailing criminals across national borders. But Mr. 
   Clinton's aides acknowledged today that this process has 
   just begun, and so far only England and France have 
   expressed much enthusiasm. 
 
   "It is going to take a while to persuade people that their 
   data is safe under this system, that it protects privacy, 
   and yet that we can use the system to trace terrorists or 
   drug dealers," one senior Administration official said. 
 
   Officials at I.B.M., which is expected to announce on 
   Wednesday the creation of an industry consortium to aid in 
   establishing the "key recovery" system, said today that no 
   single entity would hold the entire key. 
 
   Instead, it will be divided up across several companies 
   that would handle any given message, much the way the 
   launching officials in nuclear missile silos each had only 
   part of the key instructions needed to begin a nuclear 
   attack. 
 
   If the C.I.A., for example, obtained a court order to 
   decode a message, it would have to go to several groups 
   with its warrant to piece together the key. 
 
   "We believe that this solves the, biggest weak point in the 
   previous plans, where one entity held the key," said an 
   I.B.M. official familiar with the company's announcement. 
 
   But these steps are not likely to silence all the critics. 
 
   "There is still a perception that the U.S. is trying to 
   extend its intelligence capability by setting standards 
   around the world," said Marc Rotenberg, director of the 
   Electronic Privacy Information Center. 
 
   There are other potential holes in the system. Customers in 
   the United States will be free to buy encryption software 
   of any complexity -- as they can today -- with keys that 
   are much longer than 56 bits and are nearly impossible to 
   break. That means terrorist groups or drug dealers could 
   still buy such software and sneak it out of the country, or 
   even transmit it over computer networks. 
 
   "There is nothing we can do about bright students or Joe 
   Terrorist who use sophisticated encryption systems to 
   communicate with each other," one senior administration 
   official said. "But when they brush up against legitimate 
   groups, especially banks," the official said, "then they 
   are more likely to be dealing with a system" where law 
   enforcement could use the key recovery system to decode the 
   communications. 
 
   On Capitol Hill, several bills had been pending that would 
   lift all export controls on encryption software, but the 
   legislation did not move as the current session of Congress 
   wound down. In Congressional testimony last week, Jamie S. 
   Gorelick, Deputy Attorney General, said lifting all export 
   controls would "undermine our leadership role in fighting 
   international crime and damage our own national security 
   interests." 
 
   [End]