The New York Times, October 1, 1996, pp. D1, D2. Accord Near On Computer Security Codes 'Key' System Required For Law Enforcement By David E. Sanger Washington, Sept. 30 -- After several years of debate between the computer industry and American intelligence agencies, President Clinton has decided to permit American computer companies to export more powerful data-scrambling software but only if they establish a system that will enable keys to the code to be obtained by law enforcement officials with a court warrant. Administration officials, speaking on the condition of anonymity, said Mr. Clinton reached his decision late last week and that Vice President Al Gore would announce it on Wednesday or Thursday. Several big computer companies, led by the I.B.M., have agreed to the new system, but many others, which have opposed past proposals by the Administration for data- scrambling policies, are likely to object. Many American computer and software executives have long argued that United States export controls on the most sophisticated data-privacy technology put American industry at a disadvantage versus products sold by their foreign competitors. But the Clinton White House, like previous Administrations, citing national security issues and fears of foreign terrorists or criminals, is loath to permit the export of some of the most powerful data-scrambling software. The reason has chiefly been that intelligence agencies feared such equipment would be used by foreign terrorists, drug cartels and other criminals to hide transactions and communications. Now, in a compromise, according to two senior officials in the Administration who have been deeply involved in the new policy, American companies will be permitted on Jan. 1 to export software that encrypts, or scrambles, data using "keys" -- lengthy numeric codes -- that are up to 56 bits long. Until now, companies have been prohibited from selling products abroad that have keys longer than 40 bits. Mr. Clinton has also decided to move the authority for exporting the encryption software from the State Department, which has had export-licensing authority because the technology has been classified as munitions, to the Commerce Department, which controls the export of products that have both commercial and military use. Industry officials have long urged that change, betting the Commerce Department would be more inclined to give a higher priority to American competitive interests. But starting in two years, American companies choosing to export the more sophisticated software would have to set up what the industry is calling a "key recovery" system. That system would enable intelligence officials and law enforcement agents, armed with court warrants, to go through a lengthy multi-step process that would give them the mathematical key to decoding scrambled communications. The approach replaces the Administration's earlier proposed "key escrow" system in which the Government would have been the repository of the numeric keys -- leading to fears of potential Government abuse, or a reluctance by legitimate foreign users to buy the software. Under the new plan, the keys may be held by third-party companies. And large institutions, like banks may be allowed to hold their keys in escrow -- assuming they pass some kind of Government certification. Still, the success of the system will depend on large part on the Administration's efforts to persuade other countries to adopt the same "key recovery" system, allowing their intelligence agencies and justice systems to cooperate in trailing criminals across national borders. But Mr. Clinton's aides acknowledged today that this process has just begun, and so far only England and France have expressed much enthusiasm. "It is going to take a while to persuade people that their data is safe under this system, that it protects privacy, and yet that we can use the system to trace terrorists or drug dealers," one senior Administration official said. Officials at I.B.M., which is expected to announce on Wednesday the creation of an industry consortium to aid in establishing the "key recovery" system, said today that no single entity would hold the entire key. Instead, it will be divided up across several companies that would handle any given message, much the way the launching officials in nuclear missile silos each had only part of the key instructions needed to begin a nuclear attack. If the C.I.A., for example, obtained a court order to decode a message, it would have to go to several groups with its warrant to piece together the key. "We believe that this solves the, biggest weak point in the previous plans, where one entity held the key," said an I.B.M. official familiar with the company's announcement. But these steps are not likely to silence all the critics. "There is still a perception that the U.S. is trying to extend its intelligence capability by setting standards around the world," said Marc Rotenberg, director of the Electronic Privacy Information Center. There are other potential holes in the system. Customers in the United States will be free to buy encryption software of any complexity -- as they can today -- with keys that are much longer than 56 bits and are nearly impossible to break. That means terrorist groups or drug dealers could still buy such software and sneak it out of the country, or even transmit it over computer networks. "There is nothing we can do about bright students or Joe Terrorist who use sophisticated encryption systems to communicate with each other," one senior administration official said. "But when they brush up against legitimate groups, especially banks," the official said, "then they are more likely to be dealing with a system" where law enforcement could use the key recovery system to decode the communications. On Capitol Hill, several bills had been pending that would lift all export controls on encryption software, but the legislation did not move as the current session of Congress wound down. In Congressional testimony last week, Jamie S. Gorelick, Deputy Attorney General, said lifting all export controls would "undermine our leadership role in fighting international crime and damage our own national security interests." [End]