From: Declan McCullagh <declan@well.com>
Date: Mon, 18 Nov 1996 09:05:26 -0800 (PST)
To: cypherpunks@toad.com
Subject: HP crypto-announcement and key recovery, from The Netly News
Message-ID: <Pine.GSO.3.95.961118090444.15248D-100000@well.com>
MIME-Version: 1.0
Content-Type: text/plain




---------- Forwarded message ----------
Date: Mon, 18 Nov 1996 09:03:25 -0800 (PST)
From: Declan McCullagh <declan@well.com>
To: fight-censorship@vorlon.mit.edu
Subject: HP crypto-announcement and key recovery, from The Netly News

The Netly News
http://netlynews.com/
November 18, 1996

Under Lock And Key Recovery
By Declan McCullagh (declan@well.com)
                                       
        As a non-event, it was a rather well-attended one. This morning
   Hewlett-Packard Co. threw a press conference in Washington, DC to
   announce that it had vaulted the Federal government's export
   restriction hurdles by including "key recovery" technology in its
   encryption products.
   
        At least that's what the press release said. The reality is
   somewhat less exciting: HP's announcement is crypto-vaporware. "We're
   not making any specific announcements of products today," admitted
   Doug McGowan, HP development director.
   
        HP's move comes after competitors such as IBM and DEC stole the
   limelight last month by being the first to buy into the Clinton
   administration's latest key escrow scheme which would allow U.S. law
   enforcement agencies to locate copies of the private keys used to
   encode files and communications. The company's announcement follows a
   presidential executive order signed last Friday codifying the
   administration's "key recovery" proposal unveiled in October, which
   the White House hopes will splinter an industry previously united in
   opposition to Federal regulations governing encryption exports.
   
        HP responded by flying CEO Lew Platt into town today to announce
   a product using plug-in hardware or software "activation tokens" that
   can vary by country -- but Platt admitted that the tokens don't exist
   yet. Rather, he admitted, it's only a product with "a security
   framework built into it" that currently uses woefully-insecure 40-bit
   DES encryption. Eventually, HP hopes to export crypto that's stronger,
   but the company declined to discuss details.
   
        Dave Banisar, a policy analyst at EPIC, says such a system would
   be "worse" than current policy. "It's got this new detection system in
   it that requires monitoring of your crypto use and program use to
   determine what the national government says is correct," he says.
   
        The "key recovery" technology HP licensing is likely to come from
   Trusted Information Systems Inc., a company founded by former NSAers
   that still enjoys close ties to the spook community. TIS's Commercial
   Key Escrow uses the 56-bit Data Encryption Standard and so was cleared
   for export on January 18, 1996.
   
       "This is the first step toward implementing key recovery. That's a
   policy that's just not going to solve the privacy problem for Internet
   users," says Alan Davidson, staff counsel for the Center for Democracy
   and Technology. "This is the first step on that road toward building
   key recovery for the world. It's a very dangerous thing."
   
        Clinton's executive order is carefully crafted to counter the
   three strategies that crypto privacy proponents have devised to kill
   the export rules: the public relations, the judicial and the
   legislative approaches.
   
        Netizens, privacy advocates and high-tech firms rightfully
   blasted the old export policy, which classified crypto as a
   "munition," as a relic of the cold war -- a sentiment with which even
   The New York Times agreed. So Clinton has reclassified it as a
   non-munition, yet the change is in name only: Netscape browsers remain
   subject to export controls.
   
        Several lawsuits are challenging the constitutionality of the old
   export regulations. So Clinton's executive order contains language
   that EFF's John Gilmore says is designed "to evade the current
   lawsuits" by taking aim at some of the legal arguments.
   
        Administration officials spent an unhappy summer on Capitol Hill
   being grilled by senators who were considering legislation to lift the
   crypto export embargo. So Clinton carefully crafted his announcement
   to defuse some of the reasons to pass this legislation when Congress
   returns in January.

       In other words, the White House has been able to answer or deflect
   many issues that netizens have raised in favor of strong encryption.
   But another argument may not be as easy to counter.
   
        Patrick Ball is a senior program associate at the American
   Association for the Advancement of Science who has traveled the globe
   teaching human rights workers how to protect themselves from
   oppressive governments. The stamps on his passport read like a who's
   who of censor-happy regimes: El Salvador, Ethiopia, Haiti, Guatemala,
   South Africa and Turkey. "I have done PGP training in every country
   I've worked in," says Ball.
   
        To Ball, the debate over crypto isn't about civil rights or
   businesses losing export dollars, but over something much more
   fundamental: human rights. He says: "Why do security police grab
   people and torture them? To get their information. If you build an
   information management system that concentrates information from
   dozens of people, you've made that dozens of times more attractive.
   You've focused the repressive regime's attention on the hard disk. And
   hard disks put up no resistance to torture. You need to give the hard
   disk a way to resist. That's cryptography."
   
        And that's a winning argument.

###