26Jun1998 USA: US effort on encryption "backdoors" ends in failure

26Jun1998 USA: US effort on encryption "backdoors" ends in failure.

By Aaron Pressman

WASHINGTON, June 25 (Reuters) - A U.S. government panel has failed in a two-year effort to design a federal computer security system that includes "back doors," a feature that would enable snooping by law enforcement agencies, people familiar with the effort said this week.

The failure casts further doubt on the Clinton administration policy - required for government agencies and strongly encouraged for the private sector - of including such back doors in computer encryption technology used to protect computer data and communications, according to outside experts.

But administration officials said the panel, which is set to expire in July, simply needed more time.

"I wouldn't pronounce the issue dead by any means," Undersecretary of Commerce William Reinsch told Reuters. "It clearly has turned out to be a difficult task.... This one was a hard one."

The 22-member panel appointed by the secretary of commerce in 1996 concluded at a meeting last week that it could not overcome the technical hurdles involved in creating a large-scale infrastructure that would meet the needs of law enforcers, panel members said.

The group was tapped to write a formal government plan known as a "Federal Information Processing Standard," or FIPS, detailing how government agencies should build systems including back doors.

In a letter to Commerce Secretary William Daley obtained by Reuters, the panel said it "encountered some significant technical problems that, without resolution, prevent the development of a useful FIPS."

"Because the focus of this work is security, we feel that it is critically important that we produce a document that is complete, coherent, and comprehensive in addressing the many facets of this complex security technology," the group added. "The attached document does not satisfy these criteria."

The group is formally known as the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure, but with the unwieldy acronym of TACDFIPSFKMI, members of the panel jokingly referred to themselves as "Bob."

The failure after two years to write a FIPS vindicates the view of critics of the administration's encryption policy, said Alan Davidson, staff counsel at the Centre for Democracy and Technology, a nonprofit advocacy group.

"The administration keeps spending taxpayer money to pursue a ... strategy that's wrong-headed and won't protect security," Davidson said. "Its own advisory committee can't answer basic questions about how to make it work for the government, yet they continue to push for its adoption by everyone, worldwide."

The administration and law enforcement agencies have been at odds with high-tech companies, Internet users and civil liberties groups for years over encryption regulation.

Encryption products - which use mathematical formulas to scramble information and render it unreadable without a password or software "key" - have become critical tools for protecting all kinds of digital data, including cellular phone calls and credit card numbers sent over the Internet.

But law enforcement agencies, fearing such products will be used by criminals or others to hide wrongdoing, have pushed for the inclusion of back doors in all encryption.

High-tech industry groups, Internet users and privacy advocates have opposed those requirements, joined by leading lawmakers, including the Senate majority leader and the House minority and majority leaders.

They worry that back doors will weaken the security of all encrypted data, allow for improper government snooping and add tremendous cost and complexity to security systems.

Foreign governments and companies have also expressed concern about the prospect that the policy will enable U.S. government agencies to read their e-mail.

Bruce Schneier, a leading cryptography researcher and critic of the government policy, said the FIPS panel failed because of the impossibility of meeting the needs of both law enforcers and industry.

"You can't solve this problem," said Schneier, president of the computer consulting firm Counterpane Systems. "If it was obvious, they could have agreed. The interests of government and business aren't the same, and when you try to balance the two, you end up with nothing."

But Edward Roback, an official with the U.S. National Institution of Standards and Technology who worked closely with the panel, said the technical problems the group encountered were surmountable with more time.

"These technical experts wanted more time," Roback said, pointing out that the panel's charter expires in July. "I wouldn't characterise it that they ran into roadblocks but more that they have a road ahead of them." ((Aaron Pressman, Washington newsroom, 202-898-8312)).

-30-