CommunicationsWeek
April 26, 1993

Encryption Policy Spurs Concern

SHARON FISHER

WASHINGTON - Members of the networking and security community have expressed concern that a new government policy on data encryption may restrict the use of the technology.

The White House earlier this month called for the implementation of a special encryption chip that offers a "back door" for decryption by federal law enforcement agencies. The chip uses a secret algorithm called "Skipjack" that prevents users from encoding data in such a way that it cannot be read by law enforcement officials.

Under the new policy, electronic keys will be stored in two "escrow" locations for release to law enforcement organizations that have been warranted to wiretap and decrypt voice transmissions. The escrow locations have not been named.

The encryption chip was initially called the Clipper chip, but the government has received complaints from Intergraph Corp., which holds a registered trademark on a product called Clipper chip, according to John Droge, vice president of program development for Mykotronx Inc., Torrance, Calif., which developed the chip. "We call it the MYK-78," he said.

AT&T has already announced a device based on the chip that attaches to a telephone to let users encrypt telephone calls. The AT&T Telephone Security Device will cost around $1,195 and will be available at the end of the second quarter.

In addition, Mykotronx is working on a more complex chip, called the Capstone or MYK-80, that adds a key exchange algorithm, digital signature standard and other technologies to the MYK-78, Droge said. Key exchange lets two devices agree on a common encryption key; digital signature is a way to guarantee the identity of the originator of the message.

Industry members expressed concern that the federal government's policy review on encryption, privacy protection and law enforcement could result in further changes or restrictions to communications technology.

The review is taking place under a classified Presidential directive that does not publicly state its exact scope or procedure. The review, which will be managed and directed by the National Security Council, calls for an interim report by the end of June and a final report in late August or early September, said Lynn McNulty, associate director for computer security for the National Institute of Standards and Technology, Gaithersburg, Md.

Many members of the encryption community are concerned that a policy review might result in restrictions on encryption technology already in use. There are currently no restrictions in the United States on the use of encryption technology.

"Why (else) would the government go through all this time and trouble and expense to do this?" said Jim Bidzos, president of RSA Data Security Inc., a Redwood City, Calif., company that licenses encryption and key technology to vendors such as Apple Computer Inc., Lotus Development Corp. and Novell Inc.

"I'm not sure anybody has a complaint with the FBI wanting to wiretap with a legitimate court order, but when the FBI says it's so important that we need to force a new communications system on the country, I have a problem with that," Bidzos said. "I am afraid, from the FBI's viewpoint, if this is the solution, how can it work unless you eliminate the other kinds of use?"

But McNulty said such an expanded policy was not likely. "Those concerns are not well-founded," he said, though he said the issue probably will be addressed in the policy review. "I don't think in our society that people would accept that restriction on their technology and freedoms. It's absolutely the last recommendation that would be made."