WASHINGTON - The Clinton administration’s new encryption policy could force wireless firms over time to use scrambling products that are potentially more expensive and less secure, shortcomings that don’t sit well with key lawmakers and privacy advocates.
The president, acting on recommendations from an inter-agency task force led by Vice President Gore, soon will sign an executive order that puts the policy into effect and will seek legislation next year governing the key recovery component of its encryption plan.
But that will not end the debate.
“The administration has prevented Congress from weighing in on this issue just as support was building for a legislative solution,” said Conrad Burns (R-Mont.), a member of the Senate Commerce Committee whose encryption bill does not tie the elimination of export restrictions to adoption of a key recovery system as does the White House plan.
Sen. Patrick Leahy (D-Vt.), a co-sponsor of the Burns bill, also was upset with the White House announcement last week.
“This issue simply cannot be resolved by executive fiat,” said Leahy. The White House policy also does not address major privacy and security questions, Leahy added.
While encryption, like copyright, is not a frontline issue for the wireless telecommunications industry, both have major implications for carriers and manufacturers in the new, competitive era of convergence.
Burns said he plans to reintroduce his bill when Congress reconvenes early next year.
Some observers see the link between liberalized export controls and key escrow as an administration ploy to turn a voluntary system into a government-mandated one. And they see the White House conceding far less than it claims.
Indeed, the White House has refused to back down on its demand that key recovery be part of the new encryption regime, which it argues is necessary to aid law enforcement and intelligence officials in combating drug trafficking and terrorism.
“If you allow easy access to encryption without the possibility of law enforcement overseas having access to those communications, you will make the problem of interdicting drugs more difficult. And that is a serious problem,” said John Deutch, director of the Central Intelligence Agency.
When asked how big a problem, Deutch said, “there’s no question we see the possibility today. It’s not a theoretical
Michael Batis, deputy assistant U.S. attorney general for national security at the Justice Department, said wiretaps are crucial to cracking big cases and that the agency is “trying to … address the problem before it is actually widespread.”
Thus, easing export controls would likely force software and hardware suppliers to not only convert to key recovery encryption for overseas sales, but also to change out their entire product lines here in the United States.
American firms will want secure wireless and wireline communications that are interoperable with offices abroad. It won’t work for them to have key recovery encryption overseas and not have it here.
As a result, a de facto key recovery standard could evolve for wireless, wireline, cable and fiber telecom networks. That is precisely what the administration wants.
Some countries are already moving in that direction.
But questions remain. Will computer hardware and software companies support key recovery? There is initial evidence that they will. But even then, what will it cost for a more complex, untested key recovery encryption system? And what procedure would be used for law enforcement to obtain a key outside the United States? Will the policy stifle development of stronger encryption models?
Today, there are no restrictions on the sale of encryption products in the United States. Yet U.S. firms cannot export encryption products with algorithms stronger than 40 bits.
The White House plan would permit the export of 56-bit key length encryption products under a six-month general license, following a one-time review, in exchange for industry commitments to convert to a system in which ‘keys’ to unlock the encryption code would be held by two trusted parties. The government would renew the license for up to two years if software and hardware makers meet certain recovery benchmarks.
If presented with a court-ordered wiretap, the key holders would have to cooperate with law enforcement agents.
The Commerce Department will take over responsibility from the State Department for issuing encryption export licenses beginning Jan. 1.
“I think there are a lot of problems,” said Marc Rotenberg, director of the Electronic Privacy Information Center. He added that the policy still resembles the so-called Clipper Chip encryption plan that the Clinton administration inherited from the Bush administration and continued to support early on.