Ozzie Apes Jim Clark, Fix Is In to Cave and Cry

Wall Street Journal, Jan 18, 1996

IBM Compromises on Encryption Keys, U.S. Allows Export of More-Secure Notes

By Thomas E. Weber

New York -- International Business Machines Corp., caving in to intense government pressure, agreed to include a special key that helps investigators tap into data messages in return for permission to export a more-secure version of its Lotus Notes software.

The U.S. has prevented software makers from exporting sophisticated encryption technology for fear that terrorists and other criminals would gain access to a snoop-proof communications system. Industry observers said IBM's move marked the first time a supplier agreed to give the government special access to its software's security code. Encryption keys have stirred the concern of privacy experts in the past.

While IBM's Lotus Development Corp. software unit defended the move as a stopgap compromise until a broader agreement on data security can be reached, Notes creator Ray Ozzie clearly found the controversial plan somewhat distasteful. "We were desperate enough to try to negotiate a short-term, pragmatic solution," Mr. Ozzie said. "But we do not believe this is the right long-term solution."

One privacy advocate would agree. "The irreducible fact is that foreign customers are reluctant to rely on security products that have been compromised in some way" by federal intelligence agencies, said Mike Godwin, staff counsel for the Electronic Frontier Foundation.

Several years ago the government proposed the "Clipper" computer chip that was programmed to let investigators tap into phone calls and data messages transmitted digitally. While that plan died after privacy advocates accused the government of trying to spy on users, the idea of leaving a back door open for government agents has remained alive.

Under the Lotus plan, government investigators would still need to employ sophisticated code breaking to read messages sent via Notes software, which lets users at different computers collaborate. Security software encrypts information by using a unique key of software code. The length of a key is measured in computer bits, and longer keys are better -- they're more complex and more difficult for would-be spies, not to mention government agents, to unravel.

Until now, to obtain an export license for Notes, Lotus has been restricted to an encryption system of 40 bits in its international version. Domestic users have been permitted to use a higher-level, more-secure 64-bit system. The new overseas version of Notes, tagged Release 4, will give foreign users 64-bit security. But to get permission to export the software, Lotus agreed to give the government access to 24 of those bits by using a special 24-bit key supplied by the National Security Agency.

The plan effectively gives the government a headstart in trying to break the encryption scheme. With 24 bits of the key already in hand, the government need only crack the remaining 40 bits -- a task considered trivial for the code-masters at the NSA. As far as the U.S. government is concerned, this version of Notes is no more difficult to crack than the previous one. The advantage to customers, Mr. Ozzie said, is that anyone other than the U.S. government -- say, a malevolent criminal or computer hacker -- would face the more daunting task of breaking the 64-bit key.

Mr. Ozzie said the move was a response to complaints from foreign purchasers of Notes. "Our customers have been telling us that, unless we did something about the security, we could no longer call it a secure system," Mr. Ozzie said.

It remains to be seen whether Lotus's move will allow it to sell more software. "The idea is a good stopgap measure," said Stephen Franco, an analyst at Yankee Group in Boston. "But the most important thing is pushing the U.S. government to relax some of its restrictions" on exports.

--
nobody@REPLAY.COM