Lotus Breaks Cryptography Coalition
The government's determination to stem the worldwide spread of encryption technology has forced several companies to compromise
The infotech industry's solid opposition to the government's control of data-scrambling technology shows signs of cracking, said industry and government officials.
The most obvious break was Cambridge, Mass.-based Lotus Development Corp.'s recent pact to share its data-scrambling secrets with the government in exchange for easier export of its new Lotus Notes Release 4 software product.
"This is something they [Lotus] came up with. Maybe it will stimulate other companies" to offer deals that meet the government's demands for limits on data-scrambling exports, said Clinton Brooks, an official at the National Security Agency, Fort Meade, Md., which unscrambles foreign messages.
"That would certainly be the trend indicated" by Lotus' deal, said Doug Miller, an encryption expert with the Software Publishers Association in Washington.
The next step depends on Lotus' customers, who might reject the new Lotus Notes software because of the U.S. government's involvement, said Stewart Baker, a former NSA official and now an international trade lawyer with Steptoe & Johnson in Washington. If the customers buy the Lotus product, other companies might cut similar deals with the government, he said.
The new pact follows three years of disputes over the government's encryption policy, which focused mostly on the controversial Clipper chip. Government officials said they need to limit the spread of data-scrambling technology to help them track criminals, terrorists and foreign military activities. But a coalition of industry groups and Internet boosters said the government's efforts hurt U.S. software sales and limit citizens' privacy.
Although the market for encryption technology is small, any failure by U.S. companies to keep pace with foreign encryption vendors will undermine the United States' massive software industry, industry officials said. In 1996, the U.S. market for hardware and software encryption products is expected to reach $946 million, or roughly half of the $1.8 billion worldwide demand. Software encryption products comprise roughly 2 percent of the total software market.
Under the pact, Lotus can export its improved Notes Release 4 groupware software, which can encrypt data using improved 64-bit electronic keys -- up 24 bits from the 40-bit keys allowed under current rules.
The 24 extra bits ensure that data prepared with the Lotus software -- such as a financial report or a contract bid -- can be much better shielded from any electronic eavesdropper, such as a foreign government or a commercial spy. For example, decrypting a message hidden by the 64-bit key would require perhaps 17 million times more computing power than needed to crack open a 40-bit key, said Peter Tippett, president of the National Computer Security Association, Carlisle, Pa.
To break a 64-bit key, "you're talking about thousands of years versus a couple of days" needed to break 40-bit keys, said Stephen Walker, president of Trusted Information Systems Inc., the Glenwood, Md., computer security company.
In return for approval to export the improved 64-bit software, Lotus agreed to reveal to the U.S. government 24 bits of the 64-bit key included in each Lotus Notes Release 4 package that is exported. This "differential work factor cryptography" helps the U.S. government unscramble selected messages encrypted by Lotus' product, while giving customers greater protection against all other electronic eavesdroppers.
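The differential work factor described above can be shown in miniature. The following Python sketch is an added illustration, not Lotus code: it scales the 64-bit key and 24 disclosed bits down to 16 and 6 so the search finishes instantly, uses a toy SHA-256 keystream in place of the real cipher, and assumes the disclosed bits are the top bits of the key.

```python
import hashlib

KEY_BITS = 16     # scaled-down stand-in for the article's 64-bit key
ESCROW_BITS = 6   # scaled-down stand-in for the 24 disclosed bits

def work_factor(key_bits: int, disclosed_bits: int = 0) -> int:
    """Worst-case number of keys a searcher must try."""
    return 2 ** (key_bits - disclosed_bits)

def keystream(key: int, n: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter (illustrative, not Lotus's cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor_crypt(key: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def disclosed_bits_of(key: int) -> int:
    """Assumption: the disclosed part is the top ESCROW_BITS of the key."""
    return key >> (KEY_BITS - ESCROW_BITS)

def search(ciphertext: bytes, known_prefix: bytes, disclosed=None):
    """Exhaustive key search against a known plaintext prefix -> (key, trials)."""
    low_bits = KEY_BITS - ESCROW_BITS
    if disclosed is None:
        candidates = range(1 << KEY_BITS)                 # outsider: whole key space
    else:
        base = disclosed << low_bits
        candidates = range(base, base + (1 << low_bits))  # only the undisclosed bits
    head = ciphertext[:len(known_prefix)]
    for trials, k in enumerate(candidates, 1):
        if xor_crypt(k, head) == known_prefix:
            return k, trials
    return None, len(candidates)

def demo():
    key = 0xBEEF                                   # constructed sample key
    message = b"CONTRACT BID: constructed sample"  # constructed plaintext
    ct = xor_crypt(key, message)
    outsider = search(ct, message[:8])
    holder = search(ct, message[:8], disclosed_bits_of(key))
    return outsider, holder

if __name__ == "__main__":
    (k1, t1), (k2, t2) = demo()
    print(f"outsider: key={k1:#06x} after {t1} trials")
    print(f"holder of disclosed bits: key={k2:#06x} after {t2} trials")
    print("64-bit vs 40-bit worst-case ratio:", work_factor(64) // work_factor(64, 24))
```

At the article's real sizes the same arithmetic leaves the holder of the 24 disclosed bits with a 40-bit search, while everyone else faces the full 64 bits.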
The government's deal with Lotus was accompanied by a decision to give Walker's company approval to export 56-bit encryption software bundled with its Gauntlet Internet Firewall, a product designed to keep electronic intruders out of private communications networks. The system, which is intended to allow customers such as multinational companies to communicate safely via the Internet, received approval because of a feature that allows law-enforcement authorities to crack open messages after a judge decides there is evidence of a crime underway.
Also, Microsoft Corp., Redmond, Wash., decided to equip its software with a special slot for various companies' encryption products. The slot, dubbed the Crypto API, won't work unless the foreign or U.S. companies show Microsoft officials that they have permission from their national governments.
This procedure allows Microsoft to sell software programs that can be modified to fit national encryption laws in countries such as Denmark, Russia, China, Israel or France.
Encryption supporters and industry officials acknowledged the government's victories, but downplayed their long-term effect.
"It is a short-term, pragmatic, less-than-ideal solution," said Peter Cohen, a spokesman for Lotus, a subsidiary of IBM Corp. The company will continue to press for relaxed export controls, which are needed to preserve the United States' dominance in the world markets for software and data-encryption technology, he said.
"The industry is still united [against the export rules]. The political pressure is still on," said Diane Smiroldo, a spokeswoman for the Washington-based Business Software Alliance, a lobbying group.
And even if other companies follow Lotus' example and cut deals with the government, they will still lobby for easier export rules, said Miller.
Also, the NSA's efforts to control the international encryption market may be resisted by foreign governments, said Walker. With the Lotus pact, "the U.S. government has unleashed upon [foreign governments] almost unbreakable 64-bit crypto," he said.
Also, foreign governments such as South Korea are trying to defeat NSA eavesdropping by encouraging the local development of software protected by unbreakable home-grown encryption, said Jim Bidzos, president of RSA Data Security Inc., Redwood City, Calif.
U.S. industry officials are trying to recruit congressional support for a measure that would scale back export controls. "It is becoming clearer to Congress that the economic interests [of easy data-scrambling exports] outweigh the intelligence interests" of NSA eavesdropping, Bidzos said.
For evidence, Bidzos pointed to a report prepared by the NSA and the Department of Commerce on the worldwide availability of encryption technology. The report, "A Study of the International Market for Computer Software With Encryption," was released Jan. 11. The report concludes that foreign encryption software can "have a negative effect on U.S. competitiveness."
However, industry officials have won few congressional supporters beyond Sen. Patrick Leahy, D-Vt.
Also, the White House shows little sign of rolling back its export controls. Recent terrorist attacks in the United States, combined with increased concern in the Justice Department over criminals' use of data-scrambling technology, have hardened the White House's determination to control the spread of encryption technology, said Baker.
Government officials also can find evidence in the encryption report to justify the export control regime, he said.