White House shifts encryption strategy

The Clinton administration last week released the details of a new information security and privacy strategy that loosens export controls on encryption technology and provides law enforcement agencies with powerful tools to read encrypted messages by criminal suspects.

The strategy would be carried out through a revision of the current export policy on encryption technology and a bill, the Cyberspace Electronic Security Act, introduced Sept. 16 by the administration. The act extends law enforcement searching powers to the world of secure electronic communications.

Both are part of a plan, "Preserving America's Privacy and Security in the Next Century: A Strategy for America in Cyberspace," crafted by the Defense, Justice and Commerce departments and the Office of Management and Budget.

Government and industry leaders had mixed reactions to the strategy. Alan Davidson, staff counsel for the Center for Democracy and Technology, said the proposed policy and law represent a "mixed bag from a privacy point of view.

"On the one hand, the export release, if the administration delivers it as promised, would make it much easier for people around the world to get strong encryption products. That would be a step forward for personal privacy," he said. "On the other hand, the administration also announced support for a legislative package that we believe gives law enforcement authority access to sensitive encryption keys without adequate privacy protections."

"It's really a revolution in the way the federal government is approaching these issues, almost shockingly revolutionary," said Eric London, a spokesman for House Minority Leader Richard Gephardt (D-Mo.). "From what we've heard so far, it really has teeth in it - it's not just a cosmetic change."

Others said the strategy could make it much easier for agencies to fully put in place public-key infrastructure (PKI) systems that are needed to move their business functions to the World Wide Web.

"I think the decision was a very wise one and I think it was a decision that recognized market realities," said Richard Guida, security champion on the Government Information Technology Services Board. "Anything that makes it easier to do encryption makes it easier for agencies to spread PKI."

Concerns by law enforcement, defense and intelligence agencies were a large part of why the administration resisted changing the policy in the past. Officials from those agencies said the new policy would not lessen the need to guard against threats.

"It's not a relaxation, it's really a very different approach," said Deputy Defense Secretary John Hamre at a briefing to announce the policy. "We're still going to have to do a lot of work, we in the national security establishment, to live in this kind of environment. It's going to take a good deal of research. We'll have to develop new tools and techniques."

One of those tools is the Cyberspace Electronic Security Act, which will allow federal, state and local law enforcement agents seeking evidence of a crime to access decryption keys held by a third party in some limited circumstances.

But unlike under the draft of the bill, law enforcement agents now will have to notify a suspect that the key is being used.

The bill will not require people to give their keys to third parties. Instead, it provides for $80 million over four years to create a technical support center at the FBI. The center will work with industry to provide law enforcement with ways to decrypt seized information. Another provision would protect the confidentiality of the methods used.

But some groups worry that the administration's strategy will simply lead intelligence and law enforcement agencies to find more creative ways to get around the privacy protections.