
Scaling the encryption-policy wall
Companies make end run around U.S. restrictions on cryptography

By Barton Crockett
MSNBC

        For a computer company, the security breach couldn’t be more serious and the need for a fix more immediate.
        Proprietary information about Apple Computer products has been publicly leaking through the Internet.
        Tim Mather, the company’s manager of information systems security, declines to describe the breach in detail. But he is effusive about the fix.

        Apple is buying industrial-grade encryption software from a Belgian company called Highware Inc. for more than 5,000 employees, several hundred of whom will be overseas. They will use the SafeMail software to encode all e-mail sent through the Internet to business partners.
        Not especially surprising. Except when you consider this: It represents an end run around the Clinton administration’s efforts to limit the spread of powerful encryption beyond U.S. borders.
        “Frankly, our first choice would have been to buy from a U.S. supplier,” Mather says.
        “But given the export restrictions, you say, ‘Forget it, I’ll buy overseas.’ ”

        And Apple is not alone. A handful of cryptography experts and computer companies are using foreign contacts and the open protocols of the World Wide Web to make strong encryption more available overseas than ever before.
        “It’s a huge gaping hole in the efforts to control strong cryptography, and it’s going to get bigger,” says Douglas Barnes, vice president of Oakland, Calif.-based C2Net Software, a privately held company at the forefront of those circumventing the U.S. policy.
        The U.S. export rules are this: American citizens and companies are prohibited from exporting any encryption technology stronger than 40 bits (considered easily crackable by crypto experts) without getting a license from the government. Such licenses typically allow internal use of stronger encryption by a big American company or to handle electronic funds transfers.
        (For now, the restrictions apply only to exports, not imports or domestic use, although some in the computer industry predict that domestic restrictions are on the way.)
        The Clinton administration is pushing modifications to the export rules. It has disclosed the limit will be expanded to 56 bits if companies adopt “key recovery” procedures that allow the government to decrypt the messages for law enforcement or national security reasons. But even with the changes, crypto exports will be tightly controlled.
        The Clinton administration, like those before it, justifies the export restrictions on these grounds: The United States is the global leader in software, and if U.S. vendors were allowed to freely export strong encryption, criminals and terrorists would almost always use it to conceal their files and e-mails from snooping.
        Many high-tech execs argue vehemently that the policy is misguided, since many foreign companies make top-notch encryption, and that the restrictions hurt U.S. companies by keeping them out of a potentially lucrative market. They even say that foreign companies could someday use a crypto edge to challenge American software companies domestically.
        But U.S. officials say the overseas suppliers generally aren’t strong in consumer software. Furthermore, they say the crypto solutions available overseas, even the widely circulated PGP freeware, are too difficult for most average computer users to handle. This means that the U.S. spies and FBI agents typically can read the files they need to.
        But the Web may be bringing the ease-of-use barrier crashing down, and American companies may play a crucial role in making that happen.
        For instance, a British company called U.K. Web Ltd. last month made available for downloading from its Web site software called SafePassage that offers virtually unbreakable encryption for any standard Web browser, including those from Microsoft and Netscape. Users can download and configure it once, and then it works seamlessly, much like a browser plug-in, says C2Net’s Barnes. His company is a marketing partner with U.K. Web.
        In classic Internet marketing style, U.K. Web is letting people download SafePassage free for personal use but is charging commercial users a $5-per-person licensing fee.

        U.K. Web and C2Net also are jointly marketing globally a version of their popular Stronghold Web server with industrial-grade encryption. Barnes says all of this is within U.S. law.
        “We haven’t heard a peep” from the government, he says.
        But he adds that the companies are developing an international network of crypto developers just in case the government tries to crack down. Indeed, this kind of international decentralization gives their effort a sense of inevitability.
        Their products rely on crypto technology called “SSLeay” that is freely available from an Australian Web site. With minimal programming, the SSLeay tools can supply industrial-grade encryption for any standard Web server and browser.
        “There’s basically this vast, international shell game,” Barnes says.
        Others selling strong encryption via the Web include Systems Comunicazioni srl. This Italian company is offering tools for concealing files in Windows computers.
        Will people buy the stuff? Apparently so, if Apple is any litmus test. Mather says that while Apple technically could have bought from a U.S. supplier, it would have taken too long to get a license from the government to move the product overseas. Meanwhile, it could buy from a Belgian company immediately and deploy the encryption software both domestically and internationally.
        Privately, a top official of one of the world’s largest and most influential software companies added that the open nature of the Web — in which security is handled by a “Secure Sockets Layer” standard developed and openly published by Netscape Communications Corp., and in which open standards make it easier than ever before to mix and match applications — may make broad distribution of strong encryption inevitable.
        “The combination of Web products that have fairly open interfaces, and that rely on newly developed security protocols based on published specifications, has created a whole new business model for these companies,” he says.
        A senior U.S. official, who asked not to be named, acknowledged that Web distribution of encryption could take off.
        But does that mean that U.S. export restrictions are worthless? Not exactly, he argued. Instead, the United States is pushing for the governments of all the major industrialized countries to quickly adopt export policies that mirror those in the United States. He said the United States expects the Organization for Economic Cooperation and Development to publish a policy paper in the spring supporting such a policy, and that it has broad backing by key governments.
        “We’re definitely concerned about it, but at this point, we don’t believe we should throw in the towel,” the official said.
       
        MSNBC Washington correspondent Brock Meeks contributed to this report.
       
 
© 1996 MSNBC MSN