See Hal Finney's November 18 post on HP's ICF and URLs.

The Netly News

November 18, 1996

Under Lock And Key Recovery

By Declan McCullagh (

As a non-event, it was a rather well-attended one. This morning Hewlett-Packard Co. threw a press conference in Washington, DC to announce that it had vaulted the Federal government's export restriction hurdles by including "key recovery" technology in its encryption products.

At least that's what the press release said. The reality is somewhat less exciting: HP's announcement is crypto-vaporware. "We're not making any specific announcements of products today," admitted Doug McGowan, HP development director.

HP's move comes after competitors such as IBM and DEC stole the limelight last month by being the first to buy into the Clinton administration's latest key escrow scheme which would allow U.S. law enforcement agencies to locate copies of the private keys used to encode files and communications. The company's announcement follows a presidential executive order signed last Friday codifying the administration's "key recovery" proposal unveiled in October, which the White House hopes will splinter an industry previously united in opposition to Federal regulations governing encryption exports.

HP responded by flying CEO Lew Platt into town today to announce a product using plug-in hardware or software "activation tokens" that can vary by country -- but Platt admitted that the tokens don't exist yet. Rather, he admitted, it's only a product with "a security framework built into it" that currently uses woefully-insecure 40-bit DES encryption. Eventually, HP hopes to export crypto that's stronger, but the company declined to discuss details.

Dave Banisar, a policy analyst at EPIC, says such a system would be "worse" than current policy. "It's got this new detection system in it that requires monitoring of your crypto use and program use to determine what the national government says is correct," he says.

The "key recovery" technology HP licensing is likely to come from Trusted Information Systems Inc., a company founded by former NSAers that still enjoys close ties to the spook community. TIS's Commercial Key Escrow uses the 56-bit Data Encryption Standard and so was cleared for export on January 18, 1996.

"This is the first step toward implementing key recovery. That's a policy that's just not going to solve the privacy problem for Internet users," says Alan Davidson, staff counsel for the Center for Democracy and Technology. "This is the first step on that road toward building key recovery for the world. It's a very dangerous thing."

Clinton's executive order is carefully crafted to counter the three strategies that crypto privacy proponents have devised to kill the export rules: the public relations, the judicial and the legislative approaches.

Netizens, privacy advocates and high-tech firms rightfully blasted the old export policy, which classified crypto as a "munition," as a relic of the cold war -- a sentiment with which even The New York Times agreed. So Clinton has reclassified it as a non-munition, yet the change is in name only: Netscape browsers remain subject to export controls.

Several lawsuits are challenging the constitutionality of the old export regulations. So Clinton's executive order contains language that EFF's John Gilmore says is designed "to evade the current lawsuits" by taking aim at some of the legal arguments.

Administration officials spent an unhappy summer on Capitol Hill being grilled by senators who were considering legislation to lift the crypto export embargo. So Clinton carefully crafted his announcement to defuse some of the reasons to pass this legislation when Congress returns in January.

In other words, the White House has been able to answer or deflect many issues that netizens have raised in favor of strong encryption.

But another argument may not be as easy to counter.

Patrick Ball is a senior program associate at the American Association for the Advancement of Science who has traveled the globe teaching human rights workers how to protect themselves from oppressive governments. The stamps on his passport read like a who's who of censor-happy regimes: El Salvador, Ethiopia, Haiti, Guatemala, South Africa and Turkey. "I have done PGP training in every country I've worked in," says Ball.

To Ball, the debate over crypto isn't about civil rights or businesses losing export dollars, but over something much more fundamental: human rights. He says: "Why do security police grab people and torture them? To get their information. If you build an information management system that concentrates information from dozens of people, you've made that dozens of times more attractive. You've focused the repressive regime's attention on the hard disk. And hard disks put up no resistance to torture. You need to give the hard disk a way to resist. That's cryptography."

And that's a winning argument.


Thanks to Declan McCullagh

The Washington Post, November 18, 1996, Business, p. 17.

Scramble Over Encryption

A handful of companies plan to announce today how they will move closer to receiving permission to export strong data scrambling, or encryption, at a meeting at the National Press Club. One essential ingredient in the equation: technology developed by Trusted Information Systems, Inc., of Glenwood, Md.

TIS so far is the only company that has received federal permission to export encryption technology overseas that exceeds the government's existing threshold. TIS developed a technological system that enables companies or "trusted third parties" to store the means for unlocking scrambled data. As long as some authorized party holds such a spare key, law enforcement officers believe that, if they have the need and court authorization, they will be able to decipher encrypted information.

Hewlett-Packard Co. is one of the companies planning to license TIS's work and integrate it into its own products.