WASHINGTON-The Department of Commerce is expected to ask other federal agencies for advice on applications filed last week by leading computer firms to export a new form of strong encryption.
Encryption products are computer codes that scramble data so it can only be read by the authorized user. The new product aligns encryption to the process law enforcement uses for wiretaps. The entire approval process for the applications must be completed within three months.
Rather than using so-called “key recovery” for governments to gain access to scrambled material sent over computer networks-both private and the Internet-law enforcement would present a search warrant for all material sent to or from a particular computer address. All information sent over computer networks is given a specific address before it is sent to another specific address. If key recovery is like a house key, this new approach is like a private doorbell. The new “private doorbell” approach would require network systems managers to program routers to decode information sent to or from the specified addresses.
Up to this point, the encryption debate has raged over key recovery. Computer experts believe law enforcement only can gain immediate access with a key-recovery mechanism where a government-sponsored entity keeps the key to the encrypted data and that entity gives the key to law enforcement when asked. The world’s leading cryptographers have said that building a key recovery infrastructure would be prohibitively expensive and would create a less secure network.
Cisco Systems Inc., a large networking company, is leading the computer industry’s effort. Microsoft Corp. and Intel Corp. have not filed for licenses but reportedly support the private-doorbell plan.
The private-doorbell proposal was hailed by industry and government as evidence continuing negotiations among the Clinton administration, computer industry officials and privacy advocates may bear fruit. Privacy advocates still seemed concerned over the proposal because network managers would have control of what information gets decrypted, which could lead to invasions of privacy.
The debate over controls on encryption products has been waging since 1996 when the Clinton administration moved encryption export control policy from Department of State jurisdiction to the Commerce Department.
The move from the State Department to Commerce resulted in an export control policy that said American computer companies could not export encryption products with bit strengths greater than 56 bits with restrictions and 40 bits without restrictions. These bit strengths are considered weak by the computer industry, which has developed products with bit strengths of at least 128 bits. Throughout the debate, the FBI has advocated controls on the domestic sale of encryption products as a way to gain access to encrypted data. There are no domestic controls on encryption today.
The ranking Democrat on the Senate Judiciary Committee, Sen. Patrick Leahy (D-Vt.), recently sponsored a bill that has been endorsed by the computer industry and privacy advocates but is opposed by the FBI.