White House proposal sparks new debate over public keys
- By Elana Varon, Heather Harreld
- Mar 30, 1997
The Clinton administration last week rekindled the debate over whether law enforcement officials should have special access to encrypted data when it circulated draft legislation that the White House contends is needed to promote secure electronic commerce.
The legislation is designed to spur electronic commerce by supporting and building a public-key infrastructure. A public-key infrastructure is a framework of law policy and procedures for the use of digital signatures which verify the authenticity of electronic documents.
Legislation also is needed to facilitate electronic transactions between the public and the government said a spokeswoman for the Bureau of Export Administration which is the Commerce Department organization leading the effort.
While few disagree on the broad goal there is little agreement about whether and when the computer codes or keys people use to protect their data should be provided to law enforcement officials investigating crimes. Lack of agreement has stymied previous efforts to promote the technology.
"Like any other business that is interested in managing its affairs a prudent institution would implement a rigorous policy to validate keys " said Richard Horning who follows the issue as special counsel with Tomlinson Zisco Morosoli & Maser Palo Alto Calif. Horning said the legislation would enable federal agencies and those who communicate with them to use the technology by establishing a framework to manage the keys.
However he continued the government's proposal "has received mixed support - lukewarm support at best" because businesses are not sure how much it would cost to participate in the proposed system and they feel threatened by provisions that would make it easy for government investigators to obtain encrypted data.
The controversy over the proposal centers around giving law enforcement officials access to keys needed to decode messages.
The way a public-key infrastructure commonly works is users register one of the two keys they need to encode and decode data with a "certificate authority " which verifies who owns the key to anyone who needs to decode a message. Users keep their second key secret so no one can impersonate them.
But some users want a way to recover this secret key if it is lost or stolen so they give a copy to a "trusted third party " sometimes called a key-recovery agent. Under the legislation users could only obtain validation of their public keys if they register their secret keys with a government-certified key-recovery agent. According to the draft bill law enforcement agencies could obtain these keys with a court order or some other "written authorization in a form to be specified by the attorney general."
"History suggests there may be some abuses " Horning said. "Adding legislation where the attorney general can direct people to cough up the information doesn't provide the oversight mandated by the Constitution."
Administration officials said last week that policy-makers had not completed the bill. "The draft legislation seeks to find the right compromise which still preserves public safety and national security " said one source.
But some believe that legislation is not necessary and that officials are floating the proposal to ensure law enforcement access to encrypted data.
"It's driven by the desire of the administration to try to proliferate this concept of key recovery " said Lynn McNulty director of government affairs with RSA Data Security Inc. a maker of encryption software. McNulty said however that frequent interactions between agencies and the public probably require some framework for authenticating transactions.
The government floated a policy in 1993 which mandated that users provide their secret keys to the government. This ignited a firestorm of debate and that policy was abandoned.