Netscape's Key Recovery: That's Business

The browser firm opted to hand over the backdoor keys to your email to the government. Not to worry - it's only email. Right?

When Netscape Communications announced this week that it gained US Commerce Department approval for exporting stronger encryption locks in international products, the news was hardly earth-shattering.

The company, whose public-policy legal counsel expressed frustration with US encryption policy in the news release, is only one of many US tech companies - including IBM and DEC - that have been adding or planning to add key-recovery provisions in some of their software to attain export privileges.

And these plans for government access to keys have been grist for several discussion threads on cypherpunk and security-related mailing lists over the past months.

To be sure, Netscape's move is a pure business decision.

"Technically everybody's convinced that this does the job everybody needs, and I think we'll be able to sell the product," said Taher Elgamal, chief scientist at Netscape.

"I just want to be able to design a product that can fit whatever policy a country has - I can't build 300 different versions because there's that many countries in the world."

But Netscape's action also signals a changing tide of attitudes toward encryption among companies whose core business is built around the Internet and intranets. Namely, the companies are putting business - and Wall Street - concerns before those of individual users.

"There is a difference between voluntary method recovery and government-mandated access to keys," said Pretty Good Privacy Inc.'s Mike Hunt, whose company offers no government-specified key recovery wares. "And we do not support government-mandated access to keys - period."

Key recovery - a method of obtaining the secret key used to lock encrypted data - can be a means for providing fail-safe access to a corporation's own encrypted information in times of disaster. It is also a surrender of privacy, allowing government or third-party access to what was intended to be private information. And the Commerce Department is pushing it as a mandatory procedure for software companies that implement encryption and plan to export it.

And privacy advocates see the ruse.

"There's no user demand for key recovery, there's no market demand for key recovery," said Marc Rotenberg, director of the Electronic Privacy Information Center.

Even an employee at key- and software-recovery specialists DSI Escrow admits, "At this point in time, there is not a lot of demand for key recovery, period."

For its part, Netscape says it is not taking a "one-world" approach to its products in implementing key recovery. Elgamal said email - where encrypted data is decrypted when the recipient tries to read it - will have a key recovery scheme. But the company is providing it "in a way that's completely flexible." Companies can decide whether to implement it or not. "It's an added feature in the product," Elgamal said.

But for the function of connecting to a Web site, where data is encrypted in transit, there will be no key recovery. Since the Secure Sockets Layer (SSL) protocol always includes at the beginning of each transaction a digital certificate with the server's identification, network managers have proof of where the server is, and Netscape doesn't have to add any key recovery provisions to its code, said Elgamal.

The approval states that Netscape can use 56-bit encryption for the next two years, until email key recovery is implemented. Then, an unlimited key length could be used for email-type applications. Negotiations are currently under way to use domestic-level 128-bit keys in international SSL products.

Despite reassurances like Elgamal's, civil liberties groups are not impressed. "I don't think there's any question about why they're doing this - I don't think Elgamal woke up one morning and thought to himself, 'Gee, key recovery's a great idea, why don't we do it?' Obviously, the government is bringing a lot of pressure to bear on companies, and Netscape is feeling that pressure," said Rotenberg.

After all, this is the government that once pushed mandatory use of its wiretap-friendly Clipper chip, and is now doing the exact same thing - only calling it "key recovery," said Rotenberg. "We like to say it's Clipper with a fresh coat of paint. The basic functional description hasn't changed: you encrypt, the government decrypts. And we think it was bad when it started, and it's still bad today."