By Elizabeth Corcoran
President Clinton has decided to sign an executive order that changes the rules restricting the overseas sale of the technology, the officials said. Although the full details of the plan had yet to be revealed, privacy advocates and some industry executives contended that it would be difficult to put into practice.
Under current rules, companies can sell only relatively easy-to-crack scrambling technology. Under the plan, they would get permission to export somewhat more sophisticated versions of the software and hardware, which prevents eavesdroppers from looking at information.
The issue has caused enormous friction between the government and computer industry and privacy groups, which contend that keeping any restrictions in place will harm the protection of personal information everywhere and slow the development of on-line commerce, which relies on keeping credit card numbers and other sensitive information secure.
The administration counters that it has come a long way in meeting such objections. However, last night some companies and privacy advocates were still worried that the constraints will leave U.S. companies at a disadvantage abroad and will not ensure that individuals will be able to protect their communications.
The government's plan preserves what has been its unnegotiable cornerstone since the debate began in the early days of the Clinton administration: that law enforcement officials must have the means for peeking at encrypted information when they are properly equipped with court authorization.
Earlier versions of the plan tightly limited what kinds of technology could be sold abroad. They also called for makers of encryption technology to deposit "keys" with approved third parties so that law enforcement authorities could decode material. The new plan doesn't specify who would have the keys.
Last night, several companies, led by International Business Machines Corp., said they have a technical plan that they believe could comply with the new rules on keys.
Although the government has not explicitly tried to mandate what kind of encryption technology can be used within U.S. borders, it has indirectly influenced what technology companies sell here by limiting what they can sell overseas. (Companies are reluctant to make both a "domestic" and an "export" version of the same product because it boosts their costs.)
Current rules prohibit companies from exporting encryption technology with keys for unlocking it that are above a certain level of sophistication, namely above a level known as 40 bits.
The government's new proposal would work like this: Companies would be able to sell any type of encryption technology up to the more sophisticated level of 56 bits, provided they submit a plan to the Commerce Department outlining how they would ensure that law enforcement officers would be able to "recover," or unscramble, encrypted information.
Those plans would not have to go into action for two years' time, though companies would have to update the government on their progress as frequently as every six months. Once the mechanics for "key recovery" are in place, the government would lift the 56-bit ceiling.
Devising such a key recovery policy is no small feat, but that's where IBM and its partners believe they can help. In the past, both companies and privacy advocates have criticized plans that would store the key for unlocking encrypted information with one or even with a small number of key holders. (A key holder could either maliciously or inadvertently give away the keys, making scrambled information vulnerable.)
Sources at IBM say scientists there have devised a scheme that uses several steps to encrypt information and the keys for unlocking it. Law enforcement officials authorized to unscramble information would not get a key for unlocking a message but instead the instructions for how to break open a specific encrypted message.
Industry officials say they ultimately want to be able to use the most sophisticated encryption technology available. "It's really critical to doing business around the world," said an IBM source. "But governments exist. It's a balancing act . . . to satisfy the needs of the governments and make sure that markets and individuals trust the integrity of what's being sent over the networks."
Marc Rotenberg, who heads the Electronic Privacy Information Center, an advocacy group, said he and other encryption experts worried that such frameworks for key recovery are enormously difficult to make work in practice.