Controversial Encryption Plan Abandoned

As concern grows over the vulnerability of government and industry organizations, a familiar yet controversial battle once again reared its head on Capitol Hill that would grant government authoritative control over encrypted messages.

Key escrow, a system whereby digital keys are generated and copies are acknowledged with a third party that keeps them in escrow until recovered, was being bandied about in light of the September 11 attacks. The attackers are suspected of having used encryption methods during preparations.

Last week, a spokesperson for Senator Judd Gregg (R-New Hampshire) announced that the senator has abandoned his stance in pushing legislation that would give law enforcement entities a "master key" granting full backdoor access to all encryption products made in the United States.

The Computer & Communications Industry Association, which outlined its disapproval of Gregg's radical plan in a letter to the senator shortly after the news was first made public, was happy with the abrupt turnaround.

"We are happy to learn that Senator Gregg has decided against efforts to implement new controls on encryption technology," Jason Mahler, CCIA vice president and general counsel of the Washington, D.C.-based lobbying group, says in a statement. "Without strong encryption technology, all Americans would be at risk of exposure of their most sensitive information."

Before Gregg's proposed antiencryption legislation ever saw the light of day, overwhelming criticism from the public and private sector over both privacy and technical concerns sealed the fate of the bold directive.

"I have not found anybody in the private sector that does not understand the value of encryption without hidden keys and vulnerabilities without hidden access," says Ed Blake, president and chief executive officer of CCIA. "The bombing attacks basically woke up and rekindled something that should be in deep hibernation."

Blake says the temptation to abuse key escrow or create a mass repository of stored keys would pose a single point of security risk unlike ever before. Furthermore, he says fear of its abuse could have a chilling effect on people's sense of privacy and security, forcing users to shy away from the very technology created to safeguard their transmitted messages.

The key escrow debate mirrors a dropped effort on the part of the government to institute a "Clipper chip" a few years ago. The chip was a device to be included in telephones in government departments and corporate enterprises. It was designed to reserve the right for the government to review any information passing through the device.

"Clipper was a heavy-handed way of forcing a particular design into things, and the reason Clipper failed is the same reasons that this will fail," says John Pescatore, vice president and research director of network security at Stamford, Connecticut-based Gartner. "Users lose out if cryptography is weakened or ineffective or much harder to use."

Pescatore says law enforcement, national intelligence agencies, businesses, and end-users need to seek common ground on encryption by increasing the investment on new techniques to break encryption.

Encryption vendors argue that techniques such as key escrow and key recovery fundamentally weaken systems built around them.

"It's never a good idea to increase complexity of cryptographic processes unnecessarily," said Alex Van Someren, chief executive officer of Woburn, Massachusetts-based nCipher. "It's considered likely [that] unintentional side effects could occur [that could] be dangerous and potentially undermine security of any system employing those techniques."