http://www.wired.com/news

 W I R E D   N E W S
 - - - - - - - - - -

 Decoding the Crypto Policy Change
 by Declan McCullagh

 Why did the Clinton administration cave on crypto? What caused the 
nation's top generals and cops to back down this week after spending 
the better part of a decade warning Congress of the dangers of
privacy-protecting encryption products?

 Why would attorney general Janet Reno inexplicably change her mind 
and embrace overseas sales of encryption when as recently as July she 
warned Congress of the "rising threat from the criminal community of 
commercially available encryption?"

 It can't simply be that tech firms were pressing forward this fall 
with a House floor vote to relax export rules. National security and 
law enforcement backers in the Senate could easily filibuster the 
measure. Besides, Clinton had threatened to veto it.

 It could be the presidential ambitions of Vice President Gore, who 
just happened to be in Silicon Valley around the time of the White 
House press conference Thursday. Still, while tech CEOs can get angry 
over the antediluvian crypto regulations Gore has supported, they 
regard Y2K liability and Internet taxation as more important issues.

 Another answer might lie in a little-noticed section of the 
legislation the White House has sent to Congress. It says that during 
civil cases or criminal prosecutions, the Feds can use decrypted 
evidence in court without revealing how they descrambled it.

 "The court shall enter such orders and take such other action as may 
be necessary and appropriate to preserve the confidentiality of the 
technique used by the governmental entity," Section 2716 of the 
proposed Cyberspace Electronic Security Act says.

 There are a few explanations. The most obvious one goes as follows: 
Encryption programs, like other software, can be buggy. The US 
National Security Agency and other supersecret federal codebreakers 
have the billion-dollar budgets and hyper-smart analysts needed to 
unearth the bugs that lurk in commercial products. (As recent events 
have shown, Microsoft Windows and Hotmail have as many security holes 
as a sieve after an encounter with a 12-gauge shotgun.)

 If the Clinton crypto proposal became law, the codebreakers' 
knowledge could be used to decipher communications or introduce 
decrypted messages during a trial.

 "Most crypto products are insecure. They have bugs. They have them 
all the time. The NSA and the FBI will be working even harder to find 
them," says John Gilmore, a veteran programmer and board member of the
Electronic Frontier Foundation.

 Providing additional evidence for that view are Reno's comments on 
Thursday. When asked why she signed onto a deal that didn't seem to 
provide many obvious benefits to law enforcement, she had a ready 
response.

 "[The bill covers] the protection of methods used so that ... we will
not have to reveal them in one matter and be prevented, therefore, 
from using them in the next matter that comes along," the attorney 
general said.

 Funding for codebreaking and uncovering security holes also gets a 
boost. The White House has recommended US$80 million be allocated to 
an FBI technical center that it says will let police respond "to the 
increasing use of encryption by criminals."

 Another reason for the sea change on crypto is decidedly more 
conspiratorial. But it has backers among civil libertarians and a 
former NSA analyst who told Wired News the explanation was "likely."

 It says that since the feds will continue to have control of legal 
encryption exports, and since they can stall a license application for
years and cost a company millions in lost sales, the US government has
a sizeable amount of leverage. The Commerce Department and NSA could 
simply pressure a firm to insert flaws into its encryption products 
with a back door for someone who knows how to pick the lock.

 Under the current and proposed new regulations, the NSA conducts a 
technical analysis of the product a company wishes to export. 
According to cryptographers who have experienced the process, it 
usually takes a few months and involves face-to-face meetings with NSA
officials.

 "This may be a recipe for government-industry collusion, to build 
back doors into encryption products," says David Sobel, general 
counsel for the Electronic Privacy Information Center and a veteran 
litigator.

 Sobel points to another part of the proposed law to bolster his 
claim: It says any such information that a company whispers to the 
Feds will remain secret.

 That section "generally prohibits the government from disclosing 
trade secrets disclosed to it [by a company] to assist it in obtaining
access to information protected by encryption," according to a summary
prepared by the administration.

 Is there precedent? You bet. Just this month, a debate flared over 
whether or not Microsoft put a back door in Windows granting the NSA 
secret access to computers that run the operating system.

 While that widespread speculation has not been confirmed, other NSA 
back doors have been.

 In the 1982 book The Puzzle Palace, author James Bamford showed how 
the agency's predecessor in 1945 coerced Western Union, RCA, and ITT 
Communications to turn over telegraph traffic to the feds.

 "Cooperation may be expected for the complete intercept coverage of 
this material," an internal agency memo said. ITT and RCA gave the 
government full access, while Western Union limited the number of 
messages it handed over. The arrangement, according to Bamford, lasted
at least two decades.

 In 1995, The Baltimore Sun reported that for decades NSA had rigged 
the encryption products of Crypto AG, a Swiss firm, so US 
eavesdroppers could easily break their codes.

 The six-part story, based on interviews with former employees and 
company documents, said Crypto AG sold its security products to some 
120 countries, including prime US intelligence targets such as Iran, 
Iraq, Libya, and Yugoslavia. Crypto AG disputed the allegation.

 "It's a popular practice. It has long historical roots," says EFF's 
Gilmore. "There's a very long history of [the NSA] going quietly to 
some ex-military guy who happens to run the company and say, 'You 
could do your country a big favor if...'"

 Could the security flaw be detected? Probably not, said Gilmore, who 
during a previous job paid a programmer to spend months disassembling 
parts of Adobe's PostScript interpreter. "Reverse engineering is real 
work. The average company would rather pay an engineer to build a 
product rather than tear apart a competitor's."
