Industry Split Forces a Global Encryption Skirmish
The software industry may get pushed out of an international deal on encryption controls
The infotech sector's united front against government controls on encryption is weakening as a long-awaited compromise draws nearer, say industry officials.
The split was reflected in a government-industry meeting held in Washington earlier this month to draft an international encryption policy. The Paris-based Organization for Economic Cooperation and Development hosted the meeting. Its members include 25 of the world's richest and most advanced nations, such as the United States and Japan.
The shrink-wrapped software industry -- represented by the Washington-based Business Software Alliance -- was overpowered in the meetings, where executives from hardware companies and systems integrators pushed for a compromise solution. Among the speakers were executives from IBM Corp. and Electronic Data Systems Corp., as well as Bankers Trust, a New York-based bank, and Royal Dutch/Shell, an international oil company.
The software industry was overpowered in the meeting because it is demanding too much from the OECD governments, said one industry official. The software industry, led by BSA, has pressed the U.S. government to control the export of encryption technology.
The banks and the major companies "are in a position to get something sooner [and] require less difficult decisions by the governments," said Kawika Daguio, the encryption expert for the Washington-based American Bankers Association. For example, the companies are willing to accept voluntary use of government-backed key-escrow technology and also to embed encryption software within computer chips, he said.
These companies also are more willing to compromise because an encryption agreement will jump-start the world market for their products, said an industry official.
"That might be overstating the situation... [but] it is true to some extent," said Rebecca Gould, the BSA's encryption expert. However, all industry wants is immediate relief from government encryption rules, she said.
It is too soon to tell whether the software industry will be adequately represented at the OECD negotiations, said one executive from a software company. At the next OECD meeting to be held in June in Paris, "you'll see where the chips are falling," he said.
The OECD Guidelines on Cryptography Policy should be finished by February 1997.
U.S. government officials say they need industry to use key-escrow encryption technology because it will allow courts and law-enforcement authorities to decipher data encrypted by criminals and terrorists. Also, government officials prefer encryption-within-a-chip technology because it cannot be copied or transmitted over the Internet, as has happened with encryption software, such as the widely available PGP encryption software.
Governments in Europe, including the United Kingdom, are developing a policy based on key-escrow technology, while the Japanese government has just begun to develop a policy.
Software industry executives said the U.S. government-backed key-escrow technology will undermine their exports and weaken the U.S. software industry. "They can talk about [key escrow] all they want, but there is no market for it. [Customers] want strong, non-key escrow software," said Doug Miller, an encryption expert for the Washington-based Software Publishers Association.
Miller said the software industry wants to freely export encryption software with a key length of at least 56 bits. Generally, an encrypted message becomes twice as difficult to crack for every extra bit added to the key length. Current export rules require companies to get special permission to export software with a bit-length longer than 40 bits. There are no limits on the bit-length of encryption used within the United States.
Last August, the White House offered to allow easy export of 64-bit encryption equipped with government-backed key-escrow technology. Two companies -- Lotus Development Corp., Cambridge, Mass., and Trusted Information Systems Inc., Glenwood, Md. -- have won easier export rules for new products after incorporating key-escrow technology.
Industry officials said the U.S. government soon will offer a modified encryption proposal relaxing the detailed rules for the organizations that hold spare encryption keys in storage. The organizations -- dubbed trusted third parties -- would be required to give spare decryption keys to law enforcement officials once a court approves a wiretap.
EDS and the other companies that spoke at the OECD meeting are willing to accept government controls on encryption because they are more familiar with government regulations than the new software industry, said an industry executive.
By asking for so much, the software executives hurt the chances for an international industry-government compromise that could allow easy export of 64-bit key-escrow encryption products, he said.
To press their case, BSA, other industry groups and companies such as IBM have united with libertarians and privacy proponents, such as the Washington-based Electronic Privacy Information Center. The privacy proponents strongly oppose government-backed key-escrow technology and support wide distribution of encryption software.
After industry lobbying, several Republican and Democratic members of Congress have introduced three bills that would greatly reduce government limits on encryption exports. One bill introduced by Sen. Conrad Burns, R-Mont., is co-sponsored by Sen. Larry Pressler, R-S.D., the chairman of the Senate Committee on Commerce, Science and Transportation, and by Sen. Robert Dole, the Republican party leader and likely Republican presidential candidate.
Dole's participation "has a tremendous significance -- [giving the bill] a good chance of" passage, said Gould. His participation in the controversy is driven by his campaign priorities, which include winning greater support from California's infotech industry.
But encryption won't change voters' opinions in the 1996 election. In 1994, Washington state Rep. Maria Cantwell lost her re-election bid despite having worked closely with Redmond, Wash.-based Microsoft Corp. to decrease government controls on encryption.