Government Cryptography Ruling Stirs Dissension

ICF is progress, but not enough, critics say



The always-volatile issue of U.S. government controls over the export of cryptographic technology is bubbling over again. The question had been simmering for months as the government considered industry pleas to relax its ban on the export of products using the strongest cryptographic keys--that is, keys containing 56 bits or more.

Then in November, the government announced approval of an International Cryptography Framework (ICF), which essentially will allow export of products with strong cryptography, as long as a "key recovery" capability is built in. That means that the strong cryptographic keys can be exported but can't be used unless the government has the ability to break in when it needs to by going through a trusted third party that has a master key. Users of the technology for domestic transmissions would not have to submit their communications to key recovery.

The U.S. business partners that supported ICF--including Hewlett-Packard, Intel, Microsoft, RSA and Trusted Information Systems--hailed the decision as an important breakthrough in making electronic commerce more pervasive. HP, for example, said it expects ICF to become the favored secured passageway for companies sending electronic files--either domestically or internationally. Intel said it would manufacture and distribute cryptographic hardware that includes HP's ICF technology. Applications vendors supporting ICF include Informix, Netscape and VeriFone.

The Government's Business?
However, the ICF decision has not silenced critics of the government's cryptography policy, many of them still saying the government should get out of cryptographic regulation altogether. "Breakable cryptography is cryptography that doesn't work," said Michael Tilson, chief information officer at SCO and president of UniForum. "The government wants you to have cryptography that doesn't work." Tilson added that the ICF decision is a step forward, but that industry's hands are still being unnecessarily tied. "The commercial appetite for cryptography that doesn't work is limited," he said. "The real hope, in my mind, is that this is like unbreaking a logjam. It's a step forward, but the demand for cryptography is overwhelming and the U.S. government has single-handedly regressed the development of the commercial Internet by three or four years by being obstinate."

"The demand for cryptography is overwhelming and the U.S. government has single-handedly regressed the development of the commercial Internet by three or four years by being obstinate."

The ability of businesses to protect their most private communications is considered vital to the continued development of Internet commerce, but government agencies fear criminals or international terrorists who might gain access to unbreakable cryptography. Opponents of government regulation--including industry groups with commercial interests and civil libertarians--argue that as the technology has already been developed, criminals will get their hands on it when they want to, despite attempts to regulate its spread.

Supporters of key recovery argue that such a system is workable and actually needed by U.S. and international businesses who need some kind of safeguard.

Key Recovery
With key recovery, the key to an encrypted message would be contained within a lock box that's sent along with the message. A trusted third party would hold a master key to the lock box. Supporters of key recovery argue that such a system is workable and actually needed by U.S. and international businesses who need some kind of safeguard in case of employee turnover, mistakes or lost keys. In those cases, the business itself might need to take advantage of key recovery by going to the trusted third party to get the master key. "You can choose any kind of key recovery center you want and choose none if you want," explains Homayoon Tajalli, executive vice president of Trusted Information Systems, Glenwood, MD, developers of RecoverKey technology. "When you have to talk to somebody overseas, then you would add a digital lock box for you to be able to talk together. But for talking internally to anybody within the U.S., you might never put in mandatory key recovery." In that way, key recovery differs from other key escrow technologies, he notes.

But that argument fell flat with the Business Software Alliance, an industry group with a history of opposition to government regulation. "What we're seeing right now is that they are manipulating the marketplace back into key escrow, which is the Justice Department's Holy Grail," said Rebecca Gould, vice president of the Business Software Alliance in Washington, DC, in a letter to Vice President Al Gore last week. "Key escrow means, most of the time, we're back to the government-approved third parties."

However, Tajalli was optimistic: "I think the government is willing to listen," he said. "I think they are going to come around and really understand that there are better ways of drafting these rules so that people can really buy into them more easily and see that they can work in their business model."

Back | Table of Contents | Next