1998-02-28 - Re: HP Crypto Export

Header Data

From: Declan McCullagh <declan@well.com>
To: Tim May <tcmay@got.net>
Message Hash: fadbd55e687a226617431f3e8245f8897d7f66329b8dcdfd03ba832cbc86fea0
Message ID: <v0300780fb11e4688182c@[204.254.22.36]>
Reply To: <3.0.2.32.19980228141822.006aee98@descartes.coker.edu>
UTC Datetime: 1998-02-28 23:00:34 UTC
Raw Date: Sat, 28 Feb 1998 15:00:34 -0800 (PST)

Raw message

From: Declan McCullagh <declan@well.com>
Date: Sat, 28 Feb 1998 15:00:34 -0800 (PST)
To: Tim May <tcmay@got.net>
Subject: Re: HP Crypto Export
In-Reply-To: <3.0.2.32.19980228141822.006aee98@descartes.coker.edu>
Message-ID: <v0300780fb11e4688182c@[204.254.22.36]>
MIME-Version: 1.0
Content-Type: text/plain


At 12:08 -0800 2/28/98, Tim May wrote:
>A constant danger with any of these "solutions" is that they make later
>imposition of controls so much easier. Consider the implications of
>widespread deployment of the HP-type system (which, BTW, I don't think will
>happen in the U.S., or elsewhere).
>
>A simple change in the law and all new tokens (and they must be renewed
>yearly, so says HP) will implement the new law.

It's a sign of the times when Tim and I can agree on these things, or at
least recognize the same problems. Note NONE of HP's press materials
included that 1 year detail. --Declan

====

http://cgi.pathfinder.com/netly/afternoon/0,1012,1771,00.html

One-Year Itch

Even if you studiously ignore the arcana of encryption export rules, it's
worth paying attention to a new product from Hewlett Packard.
The government has OK'ed the overseas sale of HP's "VerSecure" boards and
computer chips that have full-strength encryption built in -- but turned
off by default. To engage the data-scrambling features, you'll need an
"activation token."

Catch is, however, that they last only one year, and the tokens also can
open a "key recovery" electronic peephole for snooping government agents.
This is the only way HP can hawk these things in France, a country with no
shortage of such police.

Now, the FBI wants to ban U.S. software without such peepholes. Doesn't
crypto-crippleware make it much easier for the government to issue only
key recovery tokens when everyone's existing ones expire?
"Whatever the law is in the U.S., we will comply," says CEO Lewis Platt.
--By Declan McCullagh/Washington






