US abandons key escrow encryption plan

US Senator Judd Gregg has abandoned his efforts to impose legislative controls over key escrow technology.

Key escrow, a system whereby digital keys are generated and copies are lodged with a third party that keeps them in escrow until recovered, was being bandied about in light of the 11 September bombings. The attackers are suspected of having used encryption methods during their preparation.

Gregg has dropped his push for legislation that would give law enforcement agencies a "master key", granting full backdoor access to all encryption products made in the US.

The Computer & Communications Industry Association (CCIA), which voiced its disapproval of Gregg's radical plan, was happy with the abrupt turnaround.

"We are happy to learn that Senator Gregg has decided against efforts to implement new controls on encryption technology," said Jason Mahler, CCIA vice-president and general counsel of the Washington-based lobby group.

"Without strong encryption technology, all Americans would be at risk of exposure of their most sensitive information," he added.

Before Gregg's proposed anti-encryption legislation ever saw the light of day, overwhelming criticism from the public and private sector over both privacy and technical concerns sealed the fate of the bold directive.

"I have not found anybody in the private sector that does not understand the value of encryption without hidden keys and vulnerabilities without hidden access," said Ed Blake, president and chief executive of CCIA.

Blake said the temptation to abuse key escrow or create a mass repository of stored keys would pose a security risk unlike any before. Furthermore, he added that fear of its abuse could have a chilling effect on people's sense of privacy and security, forcing users to shy away from the very technology created to safeguard their transmitted messages.

The key escrow debate mirrors a failed effort on the part of the US government to institute a "Clipper chip" a few years ago. The chip was designed to reserve the right for the government to review any information passing through a communications device.

"Clipper was a heavy-handed way of forcing a particular design into things, and the reason Clipper failed is due to the same reasons that this [key escrow] will fail," said John Pescatore, vice-president and research director of network security at research group Gartner. "Users lose out if cryptography is weakened or ineffective or much harder to use."

Pescatore said law enforcement entities, national intelligence agencies, businesses and end users need to seek common ground on encryption by increasing the investment in new techniques to break encryption.

Encryption vendors argue that techniques such as key escrow and key recovery fundamentally weaken systems built around them.

"It's never a good idea to increase complexity of cryptographic processes unnecessarily," said Alex Van Someren, chief executive of security specialist Woburn.

"It's considered likely any unintentional side-effects could occur, which can be dangerous and potentially undermines security of any system employing those techniques."
