The Journal of Commerce, October 10, 1996. Editorial/ Encryption Technology Policy Oct. 10 -- SECRET CODES: Let's say you're selling your house and, after months of searching, you've found a potential buyer. But there's a problem: The local sheriff wants a spare set of keys in case the house is used for unlawful purposes. Your buyer, a solid citizen, doesn't want his privacy invaded. He decides to look in another neighborhood, with a less intrusive sheriff. This improbable scenario describes, more or less, Washington's policy toward U.S. exports of encryption technology -- devices that scramble computerized data. Under a revised policy, the Clinton administration says that, following a partial two-year grace period, it will require exporters of sophisticated encryption devices to keep a spare set of "keys" -- the formulas that turn encrypted data back into plain text -- in a place accessible to the government. That may seem like a sensible precaution, but it is likely to hurt exporters while doing little for law enforcement. The government's effort to control encryption goes to the heart of the information networks that are becoming a bigger part of people's lives almost by the day. Individuals and companies leave behind them an ever-broadening wake of electronic records -- on everything from video rentals and catalog sales to car registrations and health records. As hackers get better at breaking into these files, it becomes more urgent to use encryption to protect them. The government, however, has other ideas. It says encryption sold overseas poses a threat because law enforcement officials may not be able to decode the secret communications of terrorists and drug dealers. To ease its access to such files, the government essentially is building a trap door into billions of records stored in computers overseas. Of course, there are caveats and loopholes. The policy applies only to foreign sales; U.S. law forbids government prying into domestic computer files. Also, the policy grants exporters a two-year period in which they can sell encryption up to a moderate level of sophistication -- 56 bits in key length -- without restriction. After that, a key-access requirement would take effect. The government-access rule will force U.S. exporters to do some fancy sales footwork. Foreign buyers, after all, may not be thrilled to know Uncle Sam can gain access to their private files. They may worry that if Washington has keys, their own governments may demand the same, and that the strangers holding the keys may not guard them carefully, no matter what the rules say. Terrorists, meanwhile, will have plenty of ways to circumvent the U.S. rules. They have a choice of 179 foreign-made encryption devices of at least 56-bit strength that are not burdened by key-access requirements. Terrorists also could make their own scrambling devices -- there are books available on how to write encryption codes -- or buy them in the United States, which has no domestic sales restrictions, and carry them out of the country. Why, then, is Washington bothering with export controls? In part, it's an attempt at back-door control of the domestic market. If companies are forced to limit the sophistication of encryption destined for export markets they may do the same for domestic products, to cut production costs. That would make life easier for law enforcement officials, who worry increasingly about impenetrable barriers to suspected criminals' computerized information.Those agencies indeed have a problem. Technology has given the world's bad actors a better cover of secrecy than ever before. But trying to control exports and limit domestic technology is not the solution. As a practical matter, the encryption horse has long since departed the law enforcement barn. Absent an agreement among all nations on a key access system -- an impossible goal and not a very desirable one, given different countries' views on protecting privacy -- unilateral restrictions will be futile. They will serve mainly to scare customers away from U.S. manufacturers. Rather than try to restrict the encryption industry, the administration should promote it, and find other ways to improve criminal surveillance. ----- On the Internet: Visit The Journal of Commerce on the World Wide Web. Point your browser to: http://www.joc.com/ -----