Even as FBI director Louis Freeh and software industry stakeholders reach stalemate in official encryption talks (see separate story), Tennessee security company Computer Sentry Systems Inc has exploited a loophole in the Commerce Department’s export ban. Lucky CSS is now licensed to sell its CyberAngel EXR technology with up to 448-bit encryption to virtually anyone anywhere in the world, except embargoed nations. For privacy advocates, however, it’s something of a Pyrrhic victory. CSS won its export license under the key management infrastructure (KMI) exception. Although there’s no single, universal key to CyberAngel EXR which might be kept in a government file somewhere, every user’s account is controlled by a specific key which can be made known to their employer or to a law enforcement agent. That’s just the kind of watered-down privacy protection Louis Freeh wants to see catch on in the rest of the world – and in the USA too, if he has his way. CSS says its software does not have a back door, which is true – it has many back doors, one for each user. In its defense, the company points out that the existence of a key means data can be recovered even if the user forgets his or her password. Again, that’s true, but it’s not exactly what most people have in mind when they encrypt their data. Still, the weakest of CyberAngel EXR’s three algorithms – 56-bit Data Encryption Standard (DES), 128-bit EMD-2 and 448-bit Blowfish – is stronger by far than the 40-bit official limit on exports of US encryption software, still classified as a munition under legislation dating back to WW2. CSS’s software might be just the thing for those unscrupulous governments and organizations who want to protect their data from others’ prying eyes, while reserving the right to a prying eye of their own.
