July 1, 1998 1:35 PM PDT
Who will win the crypto war?
If only that were enough to end the ongoing battle over encryption, data-scrambling technology that protects the privacy of digital communication.
The complicated struggle between national security officials and proponents of crypto export relief is almost as hard to crack as the strongest encryption products on the market.
The White House and a growing number of lawmakers say they are looking for a middle ground, but their search could be in vain. Experts on the issue say the only real way to end the tug-of-war is for Congress or President Clinton to pick a side--and soon.
Simply put, U.S. companies want to export strong encryption products without being forced to make a "spare key" for law enforcement officials--a current mandate they say is bad for sales. On industry's side, for the most part, are privacy advocates, who say these "key recovery" schemes could allow the government to snoop on computer users without due process.
The FBI counters these assertions, saying encryption helps tech-savvy criminals and international terrorists cover their tracks. Despite reports that key-recovery systems are hard to build and not necessarily secure, the FBI also has pitched a similar mandate for domestic encryption.
The FBI has yet to win domestic controls on crypto, but currently companies can't export strong encryption without promising to build a key-recovery system.
Despite House Speaker Newt Gingrich's pledge yesterday to ease crypto export limits this year and similar statements from Senate leader Trent Lott, it will be difficult for Congress to pass any solution that doesn't give national security agencies some concessions.
If such concessions were to include key-recovery, the "free encryption" camp would beat its collective chest, potentially costing lawmakers clout with the increasingly powerful high-tech industry.
This is why veteran negotiators in the crypto struggle say Congress plays a serious role in ending the encryption debate, but that in the end President Clinton just has to pick a winner.
"The administration can solve this problem with the stroke of a pen," said Alan Davidson, staff counsel for the Center for Democracy and Technology. "It is completely in the power of the president to make encryption available and to help protect people's privacy."
To be sure, Congress can raise public awareness through hearings and legislation and by keeping a fire lit under the administration to resolve this embattled issue.
In the best-case scenario, privacy advocates say, Congress could solve the problem itself by passing legislation to lift the export controls on encryption and to prohibit government mandates for key-recovery or key-escrow systems.
And to its credit, the 105th Congress had made notable progress on this front by pushing the Security and Freedom Through Encryption (SAFE) Act through major committees and by introducing a popular compromise bill, the E-Privacy Act. Still, the chairman of the House Rules Committee, Rep. Jerry Solomon (R- New York), has been holding up SAFE because he favors key-recovery mandates.
Some say the administration--which has been internally torn over encryption--is in a better power position to take a stance.
"I think we're going to finish the year without a bill," said a Washington political consultant who has been working on this issue for about five years.
"Congress' role is more for political pressure," he added. "But somebody in the White House is going to have make a political calculation as to who is going to win. You can't split the difference. Either you have back doors for law enforcement or you don't."
What remains to be seen, however, is who will be crowned the crypto Homecoming Queen--software makers and privacy advocates or FBI director Louis Freeh. Although Congress is promising to take action, there is no telling at this point how the final legislation will look.
"There is not much time to get it through both houses," said Kelly Blough, director of government affairs for Network Associates, the world's largest supplier of independent computer security products.
"But if Gingrich is willing to weigh in and put some pressure on the Rules Committee, then that is the only obstacle to overcome to get the SAFE Act on to the House floor for a vote," she added. "Still, they'll probably push it out of the Rules Committee with some amendments industry doesn't like. Then there will be a battle for compromise and industry could end up wanting to kill a bill rather than see it pass."
Despite the difficulties, some privacy advocates say Congress has a responsibility to protect U.S. residents' right to use encryption and to prohibit domestic and international key-recovery mandates.
"The primary role of Congress is to get the administration out of the middle of the road," said Marc Rotenberg, director of the Electronic Privacy Information Center.
"On the other hand, I would not absolve Congress of its own responsibility to pass legislation," he added. "The truth is, Congress has a role to reform the export control regime; they could do that and they should."
For now, the Americans for Computer Privacy (ACP) is putting its money on Congress to end the debate. The ACP kicked off this year, and soon after was invited to closed-door meetings to discuss the policy with White House officials.
Like similar discussions over the past three years, the meetings have yet to lead to the export policy being overturned by the administration.
"The fact they are willing to talk is a good sign," said Ed Gillespie, executive director of the ACP. "But we are at a point where we need to see good policy results. Right now it seems that the best opportunity for good policy lies in the House and the Senate."