


October 09, 1997

Encryption Stalemate Threatens E-Commerce, National Security
By David Braun,

ORLANDO, Fla. -- The impasse over the use and control of encryption in online communications and databases in the United States is eroding the country's competitive edge, delaying the onset of electronic commerce and threatening national security, according to a panel of privacy and security experts.

This broad consensus came at a session on encryption and the need to safeguard digital information held in Orlando, Fla., Wednesday at Gartner Group's conference on the future of IT.

Among the panelists were former Federal Trade Commissioner Christine Varney; former CIA director John Deutch; constitutional lawyer and free-speech advocate Floyd Abrams; and Ira Winkler, director of technology of the National Computer Security Association.

"I'm concerned about information privacy and security, which could harm all of us," said Deutch. "We have networks out there that are easily penetrated and disrupted." Among the exposed systems he listed: the civil aviation network owned by the Federal Aviation Administration and the public dial-up telecommunications networks.

Deutch said the great majority of illegal penetration of networks came from companies' own disaffected employees. However, there was a very small, but growing, incidence of foreign governments and terrorists compromising U.S. data network security. "Screaming at each other about security and the government's role is not going to get us there," he said.

There has to be a balance, Deutch said, between strong encryption to protect the security of data and the need of law enforcement to access encryption keys to solve crimes and prevent acts of terror.

Winkler said most companies did not realize how much they could do to protect their data. Many were quite lax and, consequently, left loopholes for hackers and criminals to penetrate their security. He was in favor of industry self-regulation of privacy, but he wanted Congress to enact regulations to set standards for the collection and processing of information collected for purposes of E-commerce.

Varney said companies doing business online have to draw up privacy policies and publish them, clearly telling customers what personal information is being collected, what it is being used for, and whether it is going to be passed on to a third party. Any company that did not adhere to its published privacy policy would be guilty of fraud and punishable under existing laws, she said.

Abrams opposed the notion posed by some panelists that the Constitution should be amended to protect privacy specifically. The Supreme Court, he said, had looked hard to find privacy protection in the Bill of Rights because it was not explicitly listed. However, from the overall tone, "the music of the Constitution," he said, the court had found privacy protection in the Constitution. It was not necessary, and it might even be dangerous, to constantly run to the Constitution every time a problem arose, he said.

The panelists agreed that unless the issue of data security is resolved satisfactorily, E-commerce will not get off the ground. Everyone agreed that strong encryption is the only way to be assured of security. However, government demands to have built-in access to encrypted messages undermine people's confidence in the product.

Panelists also concurred that the debate over the regulation of encryption has to be resolved as soon as possible. If it isn't, U.S. encryption makers will be driven offshore to get away from government controls. Online security will not be enhanced, and companies operating in foreign countries would be vulnerable to espionage.

Varney said whereas Europe protected data privacy with laws -- specific measures aimed at abuse by companies -- in the United States, almost every privacy law was aimed at preventing abuse by the government. The two systems could be heading for a collision, she said.

The panel agreed that the complex problems of privacy, security, and access by authorities to encryption started in individual companies, but ultimately could be resolved only by international agreement.


