From: newsbytes@clarinet.com (NB-WAS) Subject: Business Group Gets Specific On Encryption 10/11/94 Keywords: Bureau-WAS, NEWS Date: 11 Oct 94 22:13:39 GMT WASHINGTON, D.C., U.S.A., 1994 OCT 11 (NB) -- An internationally- acceptable approach to encryption and information security is necessary, says the US Council for International Business. In a statement released this week, the council, the US representative to the International Chamber of Commerce and other international business groups, called on the Clinton administration to enter into bilateral and multilateral discussions with other nations over encryption. The US Council said it continues to oppose the export requirements on encryption products that are in place in the United States. But it said it acknowledges government needs for national security and law enforcement. The council says that "government, with proper authority" needs the ability to obtain keys to decode encrypted information. The group developed a list of seven "requirements" for an international policy on encryption. Free choice: "Users need different encryption methods to fulfill a variety of needs," says the statement. This freedom includes the freedom to choose the strength of encryption and to those the encryption algorithm and key management system. Open to the public: Encryption algorithms "must be available for public scrutiny," says the US Council, referring indirectly to the Clipper chip encryption, which is based on a classified algorithm developed by the National Security Agency. International acceptance: The encryption methods must be widely accepted by business and government around the world and be free of export and import controls and other restrictions. Flexibility of implementation: Encryption should be implementable in either hardware or software. User key management: "The user must retain the ability to change and otherwise manage keys so that the user can have confidence in the degree of security provided." Key escrow: If a key escrow system is used, the government must not be the sole holder of the key except at the user's discretion; the key escrow agent must be responsible to make keys available to "lawfully authorized entities when provided with proper, written legal authorizations; and the process of obtaining keys for wiretaps must be auditable. Liability: The key escrow agent should be liable for any improper disclosure of the key through fault or negligence. "An overriding issues that should be addressed," says the report, "is the ability to exercise and enforce this set of requirements internationally. Rights of recourse and redress for violations of domestic laws require international cooperation." The council has asked for a meeting with the Clinton administration to discuss its statement. (Kennedy Maize/19941011/Press Contact: Nanette Di Tosto, 212-354-4855)