21 June 1998
Source: Hardcopy Defense Information and Electronics Report, June 5, 1998. Thanks to Richard Lardner

See related July 14 Senate debate: http://jya.com/cr071598.htm

and July 16 response by Senator Daschle: http://jya.com/cr071698.htm

Information Security

Response should guide legislative schedule


American for Computer Privacy, a new but increasingly influential coalition of high-tech companies and public interest groups, has proposed the Clinton administration approve a series of near-term encryption policy solutions that would pave the way for a long-term encryption strategy that has so far proved too difficult to develop.

The ACP proposal, outlined in a May 8 document, calls for the White House to renounce any plans to control the domestic use of encryption products, allow the export of a greater variety of crypto products, and commit to the creation of a technical center that would help federal officials break encoded communications.

Speaking Wednesday (June 3) at a meeting of the Computer Security and Privacy Advisory Board, Greg Garcia, ACP's coalition manager, said he expects a response from the administration soon. That response, he added, should help influence activity on Capitol Hill, where a number of encryption measures are pending.

"As we continue these talks, we're looking for some kind of good faith, but short-term resolution. There's no sense in running up to the Hill and calling for a full-scale legislative assault," Garcia said. "So we want to see how these discussions play out ... We have heard that we may be hearing back from the administration in the next few weeks."

In the May 8 proposal, ACP requested a firm response from the White House by May 20. Specifically, the coalition wanted the president to announce "an agreement in principle." This week, however, Garcia acknowledged that deadline was not realistic. The request for a speedy response, he said, was meant "to highlight the need for early resolution."

In hopes of breaking the logjam that has prevented the White House and the private sector from agreeing on a long-term plan for the development, domestic use, and export of encryption products, the two sides have been meeting intensively since March. ACP has represented the private sector interests, which include a hodgepodge of computer companies, public interest groups, and trade associations. Administration officials and ACP representatives have both described the sessions as productive.

Nonetheless, both sides are firmly entrenched in their positions, and resolution of all the issues involved will likely take quite some time. Law enforcement and national security officials, for example, insist on strict export controls as well as key recovery capabilities in encryption systems that would assure them access to plaintext. The administration also envisions a larger key management infrastructure of which key recovery functions would be a central part.

U.S. software publishers and others, meanwhile, question the economic viability and constitutionality of the administration's long-term encryption strategy. In particular, industry insists overseas companies are not constrained by the same key recovery rules and will be able to make significant in-roads in traditional computer markets.

To that end, ACP's May 8 proposal urges the administration to decontrol the overseas sale of 56-bit Data Encryption Standard products and 1024-bit asymmetric encryption. Currently, the group says, these products may be exported if a company has proved it is developing key recovery systems.

However, Vice president Gore, in a March 4 letter to Senate Majority Leader Tom Daschle (D-SD), seemed to back away from the key recovery requirement, noting that the "administration is not wedded to any single technology solution (Defense Information and Electronics Report, March 13, p18).

"Because the administration has stated that it is no longer wed to a particular technology solution ... the time has come to remove the [key recovery] linkage as a condition of export approval," the ACP proposal reads. 56-bit DES and 1024-bit asymmetric systems are available throughout the world "from uncontrolled sources," adds the proposal, which is reprinted along with this article.

ACP also recommends the Commerce Department grant license exceptions for the export of encryption products of any strength to organizations that have been determined to be "legitimate and responsible."

"These types of organizations and entities would, by their very nature, have sufficient incentives to be good corporate citizens and to cooperate with law enforcement agencies," the proposal reads.

Further, ACP says U.S. Policy should back heightened privacy protection for keys and other decryption information that needs to be held outside the control of a decryption use. "The Congress should enact court order standards for access to keys and/or plaintext that address the privacy needs of the communications age," ACP says.

Finally, the ACP proposal details plans for a National Center for Secure Network Communications, which the group describes as a "secure conduit for the exchange of threat information from government to industry and vulnerability information form industry to government." Ideally, the NET Center would be a forum for the exchange of technical data and support research and development efforts "that enhance network security and/or encryption and decryption."

In its version of the Security and Freedom Through Encryption Act, the House Commerce Committee proposed a similar NET Center. Administration officials have said, however, that while the Net Center is a worthwhile idea it would not replace the need for third-party key recovery systems (DI&ER, May 1, p1) -- Richard Lardner

ACP encryption policy proposal (At ACP Web site)