By Elizabeth Corcoran
The industry group hopes to win a license to export the technology as part of "routers," computer hardware and software that transmit data over electronic networks. If approved, the proposal will mark an important shift in the more than five-year struggle over encryption technology that has pitted the government against high-tech companies and privacy advocates.
The coalition of about 10 companies is led by networking giant Cisco Systems Inc.
There are no restrictions on use of encryption technology in the United States. But both law enforcement and national security agents have long worried that if sophisticated encryption technology becomes widely used, it will hinder their efforts to track down terrorists and criminals. As a result, the government has tightly controlled the export of such technology, reasoning that U.S. companies are unlikely to build different types of encryption products for use at home and abroad.
Computer companies and privacy advocates, however, argue that unfettered access to the strongest forms of encryption is essential to ensuring privacy and promoting commerce in the information age. The conflicting concerns for privacy and security have made for a bitter ideological battle.
Recently, officials on both sides have been struggling with whether they should devise a global solution or put together a mosaic of regulations that lets some companies sell sophisticated products to certain users under certain conditions. If the government and the private companies agree on the doorbell proposal, that would solidify the more piecemeal approach. The doorbell proposal also would be an important piece in the mosaic because it would make sophisticated encryption technology much more available than it is today.
"The administration and the industry have all hit on the notion that they should take this a bite at a time," said Stewart Baker, former general counsel for the National Security Agency and now an attorney in private practice in Washington.
"We're pushing the issue, bringing it to a head," said John Chambers, Cisco's chief executive. If industry is broadly restricted from selling its best encryption products abroad, "I think you slow down the growth in business's ability to use the Internet [and to] have influence over how it evolves," he said.
Other companies in the coalition include Sun Microsystems Inc., Novell Inc., Hewlett-Packard Co. and Network Associates, which makes security software. Although other major names in the industry, including Intel Corp., Microsoft Corp. and Netscape Communications Corp., are not currently filing for a "private doorbell" license, those companies said they support the approach.
Here's how it would work: Many organizations, whether they are private companies or Internet service providers, serve as gateways for managing the electronic messages sent by their employees or subscribers. Just before messages are released to the Internet, such organizations could encrypt or scramble them to protect the content from unwanted eavesdroppers.
Every snippet of electronic mail carries with it the Internet address of the sender and receiver. And "routers," the equipment that oversees the traffic, can be programmed to fish out specific addresses from the stream of data flowing through them. So either just before outgoing mail is scrambled or after incoming mail is deciphered, a router could pull out messages that law enforcement officers would specify in a warrant.
"We think this is a simple market solution to a complicated problem," said Kelly Huebner Blough, director of government relations at Network Associates in Santa Clara, Calif.
Americans for Computer Privacy, a lobbying organization focused on encryption, is strongly backing the "private doorbell" plan, said its counsel, Jeffrey Smith. "It's true that this does not give the government everything it wants," he said. But it shows how industry and government can work together to solve the encryption problem, piece by piece, he added.
"We think it's a fair compromise," said Dan Scheinman, vice president of legal affairs for Cisco. "Law enforcement gets legitimate access to data and people have a reasonable expectation of privacy when they use [data] networks, just like they have with the phone system."
Cisco executives contend their solution mirrors how law enforcement works in telephone tapping. But to get what they're after this time, authorities need the cooperation of whoever manages the router.
"This doesn't solve the problem of what happens if the manager of the network is corrupt," Scheinman said. But he noted that if a phone system manager is corrupt, authorities would have the same problem. Similarly, the proposal does not stop an individual from encrypting a message on a home personal computer.
Overseas, U.S. law enforcement would have to have the cooperation of local authorities as well as the relevant network managers to get access to information. Again, this is what they currently have to do when they want to monitor telephone calls.
Sources said U.S. domestic law enforcement agencies, which are accustomed to working with court warrants for wiretaps, are willing to accept this proposal. However, strong opposition continues to come from the National Security Agency, which today can eavesdrop on communications overseas without asking permission from anyone.
Under current regulations, companies wanting to export powerful encryption products must create a plan to build a "spare key" into their systems. Such keys are stored by a "trusted" party -- either an independent organization or perhaps the company itself -- that would surrender the keys to law enforcement officials equipped with the proper warrant.
Privacy advocates also have argued the current system is vulnerable because any collection of spare keys makes data potentially more accessible to eavesdroppers. But David Sobel, counsel with the Electronic Privacy Information Center, stopped short of endorsing the new doorbell proposal. Any effort that lets people better protect their information improves privacy, he said. But, he cautioned, relying on a third party such as a company or Internet service provider to ensure security raises privacy concerns.