Easing of Rules on Encryption Worries Experts

TIMES STAFF WRITER

The computer industry is euphoric over this week’s decision by the Clinton administration to ease the rules on export of U.S. data-scrambling technology that protects the security of online credit card and business transactions.

But experts say the celebration may be misguided.

In recent months, hackers, thieves and computer hobbyists have succeeded in purloining credit card numbers from supposedly “secure” Internet transactions. They have unscrambled Hollywood hit movies on digital videodiscs, broken into government Web sites and cracked the codes on thousands of computer software products.

“We keep seeing product broken after product broken every week, and it’s going to get worse as computing technology gets more complex,” said Bruce Schneier, an encryption expert and founder of Counterpane Internet Security Inc. of San Jose. Encryption, he added, “is an important tool, but it is not magic security dust that makes your computer impenetrable.”

Silicon Valley fought for seven years for permission to export its encryption technology abroad. The industry argued that the spread of strong encryption would fuel electronic commerce and reassure consumers that their credit card numbers and other private communications would not be compromised.

After battling the industry over the politically charged issue, the White House on Wednesday did an about-face and announced new rules that clear the way for the high-tech industry--major contributors to Democratic campaigns--to more freely sell the hardest-to-crack scrambling technology overseas.

Under the rules, which take effect today, virtually any software program or hardware item sold on the U.S. retail market to encrypt data can be sold overseas. The new rules represent a reversal by the administration, which had previously argued that strong encryption technology would be abused by terrorists.

“We view these new rules in a very positive light; they come a long way to enacting reforms we have sought,” said David Rose, director of import-export affairs for Intel Corp.

Encryption is based on mathematical algorithms that create electronic keys and locks that can scramble and unscramble computer data. But experts say it is often compromised by the way it is implemented and by the notoriously open and lax Internet. As a result, businesses and consumers may have a false sense of security.

Earlier this month, the online retailer CD Universe disclosed that a computer hacker had swiped 300,000 credit card numbers from the company and threatened to post the numbers on the Internet unless the Wallingford, Conn.-based firm paid $100,000 in ransom. The card numbers had been encrypted during their transmission to CD Universe by buyers on the Internet but apparently were stored on the company’s computers in unencrypted form.

That incident came to light about two months after a group of Norwegian hackers did what Hollywood had thought was impossible: They cracked the encryption code used to prevent the copying of movies on DVDs. In that case, the hackers apparently tracked down inside information about the key to unlock the encryption scheme.

Even online banking transactions, which use some of the highest forms of encryption security, have been compromised.

Six years ago, a Russian hacker was arrested in London after he allegedly tapped into Citibank’s central computer in New York and stole $10 million in 40 different electronic transfers.

Long used by spies and many governments to shield their most sensitive data, encryption is coming up short in the fast-moving digital world.

Data such as credit card numbers that were encrypted in transit are often stored unscrambled on the computer of either the sender or recipient. What’s more, encryption performance generally degrades the more complex the encryption method is and the more information one tries to scramble at a time. Thus, computer programmers must make trade-offs between performance and security, said Edward A. Roback, acting chief of the computer security division of the National Institute of Standards and Technology.
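The gap the article keeps returning to, numbers scrambled on the wire and then written to disk as received, is easy to see in code. The following is an added illustration by the editor, not code from the article or from any company it names. It assumes a merchant order database (constructed sample rows, and the standard test card number rather than a real card) and contrasts the storage pattern described in the CD Universe account with one where the full number never reaches the database at all. The direct counterpart to the article's point would be encrypting the records at rest; because the Python standard library ships no authenticated cipher, the hardened store instead keeps only a masked number plus a keyed one-way reference (HMAC-SHA256), which is the swapped-in technique here, and the names `PlaintextOrderStore`, `TokenizedOrderStore` and `card_reference` are the editor's, not an API from any real system.

```python
# Added illustration (not from the article): a card number that was
# encrypted for transmission is readable once stored in the clear, and one
# storage pattern that avoids keeping the full number at all.
import hashlib
import hmac
import json
import secrets


def digits_only(pan: str) -> str:
    """Normalise a card number to its digits (spaces and dashes dropped)."""
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt or UI needs."""
    d = digits_only(pan)
    return "*" * (len(d) - 4) + d[-4:]


def card_reference(pan: str, key: bytes) -> str:
    """Keyed one-way reference (HMAC-SHA256) that lets the merchant link
    repeat orders to the same card without storing the number itself.
    Without the key, the reference cannot be turned back into a number."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


class PlaintextOrderStore:
    """The pattern the article describes: scrambled on the wire, then
    written to the order database exactly as received."""

    def __init__(self) -> None:
        self.rows: list[dict] = []

    def store(self, order_id: str, pan: str) -> None:
        self.rows.append({"order": order_id, "card": digits_only(pan)})

    def dump(self) -> str:
        return json.dumps(self.rows)


class TokenizedOrderStore:
    """Same order records, but the full number never reaches disk."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.rows: list[dict] = []

    def store(self, order_id: str, pan: str) -> None:
        self.rows.append({
            "order": order_id,
            "card_last4": mask_pan(pan),
            "card_ref": card_reference(pan, self.key),
        })

    def dump(self) -> str:
        return json.dumps(self.rows)

    def orders_for_card(self, pan: str) -> list[str]:
        """Repeat-customer lookup still works, via the keyed reference."""
        ref = card_reference(pan, self.key)
        return [r["order"] for r in self.rows if r["card_ref"] == ref]


def numbers_recoverable_from(dump_text: str, candidate_pans: list[str]) -> list[str]:
    """What someone who copies the database file can read directly:
    every full card number that appears verbatim in the dump."""
    return [p for p in candidate_pans if digits_only(p) in dump_text]


# Constructed sample data: the standard test card number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"
# The key would live in a key service or HSM, never beside the records.
STORE_KEY = secrets.token_bytes(32)


def demo() -> tuple[int, int]:
    """Return (numbers readable from the plaintext dump,
               numbers readable from the tokenized dump)."""
    plain = PlaintextOrderStore()
    tokenized = TokenizedOrderStore(STORE_KEY)
    for oid in ("A1", "A2"):
        plain.store(oid, SAMPLE_PAN)
        tokenized.store(oid, SAMPLE_PAN)
    leaked_plain = len(numbers_recoverable_from(plain.dump(), [SAMPLE_PAN]))
    leaked_tok = len(numbers_recoverable_from(tokenized.dump(), [SAMPLE_PAN]))
    return leaked_plain, leaked_tok


if __name__ == "__main__":
    print(demo())  # (1, 0)
```

Running the block shows the two stores holding the same orders, with the full number readable from one dump and absent from the other. The design point Roback's trade-off remark implies is that the cheapest protection for stored data is often not heavier encryption but not keeping the sensitive value in the first place: a masked number and a keyed reference cover receipts, refunds and repeat-customer matching, and there is nothing left in the table for a copied file to reveal.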

Silicon Valley executives say they realize that liberalized encryption export rules are not a complete security salvation.

“Clearly, encryption is not a complete solution for security. There needs to be a comprehensive approach that takes into account other types of technologies,” said Fred Mailman, director of export for Hewlett Packard Corp. And encryption technology itself must be improved, he added.

Last year, a team from the Electronic Frontier Foundation and Distributed.net set out to prove that the government’s encryption standard could be cracked. Within 22 hours, they had succeeded.

And using 292 computers at 11 different sites over a seven-month period, the Weizmann Institute of Science in Israel successfully cracked a 512-bit security key, a feat that most computer experts previously had thought would take decades.

“Like a lot of things in life, you have to make risk choices to protect information,” said NIST’s Roback.

“People, in general, need to pay a lot more attention than they are now to the protection of computer data. Right now, we are not doing a very good job.”