From: jya@pipeline.com (John Young)
Date: Thu, 3 Oct 1996 10:33:11 +0800
To: cypherpunks@toad.com
Subject: GAK Rat Pack
Message-ID: <199610022231.WAA11402@pipe3.ny2.usa.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   C|NET, October 2, 1996, 1:45 p.m. PT 
 
  
   Computer alliance supports encryption policy  
 
 
   By Alex Lash 
 
   An alliance of 11 software and hardware companies has 
   just announced its formation to develop key-recovery 
   solutions for electronic encryption, a crucial component 
   of the Clinton administration's latest plan to loosen the 
   export of encryption technology. 
 
   Announced yesterday, the administration's plan gives 
   exporters of encryption or encrypted software a two-year 
   window starting January 1, 1997, to build what the 
   administration calls "key recovery" into their products. 
   IBM, Apple Computer, Atalla, Digital Equipment, Groupe 
   Bull, Hewlett-Packard, NCR, RSA Data Security, Sun 
   Microsystems, Trusted Information Systems, and United 
   Parcel Service have banded together to develop systems 
   that will give the government what it wants, which is 
   access to suspicious encrypted messages, so that 
   compliant software companies will be able to get export 
   licenses for hard-to-crack encryption codes.  
 
   "Export controls are a fact of life," RSA President Jim 
   Bidzos said today. "In an imperfect world this technique 
   will at least allow you to take advantage of what 
   governments around the world will allow."  
 
   RSA's presence in the alliance is not only a coup for the 
   government but a big surprise, as Bidzos has been one of 
   the most vocal opponents of the Clinton administration's 
   key escrow efforts. He has even accused the government of 
   offering software companies special "sweetheart" deals to 
   gain support for its encryption regulation plans. 
 
   A key-recovery plan not only satisfies the government's 
   desire for court-ordered access to encrypted messages, 
   but also sets off alarm bells for privacy advocates and 
   civil libertarians. Some within the U.S. software 
   industry also claim they won't be able to sell encrypted 
   products overseas if customers know the U.S. government 
   has access to a skeleton key.  
 
   "While some companies might choose to cast their lot with 
   the government's key-escrow policy, the marketplace is 
   likely to reject the approved products," said David 
   Sobel, legal counsel for the Electronic Privacy 
   Information Center. "Users want strong security, not 
   guaranteed government access to their communications." 
 
   However, the concept of key recovery is not anathema to 
   companies that acknowledge that firms and folks using 
   encryption to secure electronic transactions and 
   communications will need backup copies of their keys, 
   just as homeowners keep an extra house key under a flower 
   pot. 
 
   Under the new government plan, a company that promises to 
   participate in key recovery will receive a six-month 
   license to export up to 56-bit DES encryption. When the 
   promise is fulfilled and the government can get access to 
   the decryption keys, the 56-bit limit is lifted. If by 
   the end of the two-year grace period the company has not 
   fulfilled its promise to implement a key-recovery scheme, 
   the 56-bit limit is dropped back down to the current 
   40-bit limit. 
 
   "The fact that 56-bit DES [a type of encryption] will be 
   available from significant sources is going to jump-start 
   electronic commerce," said Ken Kay, executive director of 
   the Computer Systems Policy Project, a public policy 
   group comprised of 12 computer industry CEOs.  
 
   Now that the details are out and endorsements are coming 
   in, executive action is expected in the next two to three 
   weeks, according to one senior administration official. 
   President Clinton will soon sign an executive order that 
   transfers jurisdiction over encryption export licenses 
   from the State Department to the Commerce Department, a 
   move that the computer industry has asked for in the past 
   because they see Commerce as a more sympathetic agency. 
   At the same time, Commerce will announce a new set of 
   streamlined rules to grant companies a "fast track" to an 
   export license if they comply with key recovery, the 
   official said. 
 
   Commerce plans to begin licensing on January 1. 
 
   But the new plan will also give the Justice Department a 
   voice in the licensing process, a detail that angers 
   privacy advocates and software companies alike.  
 
   "The transfer from State to Commerce has been called for 
   for a long time, but a small tweak is that the FBI now 
   has veto power," said Peter Harter, legal counsel to 
   Netscape Communications. "Domestic law enforcement 
   shouldn't have a seat at the table."  
 
   Harter acknowledged that Netscape has not ruled out key 
   recovery but said that the market must show demand for 
   it. The administration has said it hopes to introduce a 
   bill next spring that would encourage the build-up of key 
   recovery by establishing laws on the conduct of 
   third-party key holders. But it will not try to mandate 
   key recovery through legislation.  
 
   "I think we have a critical mass of companies willing to 
   work with us," said Heidi Kukis, spokesperson for the 
   Vice President's office. "That would make legislation to 
   mandate key recovery very unlikely."  
 
   Another fear is that the administration is using export 
   limits to control domestic use of encryption. While Gore 
   directly stated yesterday that domestic use of encryption 
   will remain unregulated, the double standard for domestic 
   and international products might discourage U.S. 
   companies from developing two different versions, leaving 
   U.S. and Canadian customers with the same products that 
   the federal government has deemed safe to ship overseas.  
 
   "We obtained and intend to hold the administration to its 
   assurances that export controls would not be used to 
   control domestic use," said Kay of the CSPP. "The CEOs 
   have told the administration that if they want to do 
   domestic controls, they should do it frontally through 
   the democratic process and introduce legislation."  
 
   [End]