http://www.nytimes.com/library/tech/99/11/cyber/articles/19encrypt.html
(registration required)
November 19, 1999
Germany Awards Grant for Encryption
By PETER WAYNER
A branch of the German government on Thursday announced plans to give a
grant of 318,000 marks (about $170,000) to a grass-roots effort to help
create new data-scrambling software. The move is controversial because the
United States government has been lobbying the German government to
restrict such technology for fear that criminals and terrorists will use it
to cloak their actions. The German government cited the need to protect
electronic commerce and private communications against these same criminals
and terrorists.
The grant from the German Federal Ministry of Finance and Technology will
go to the German Unix Users Group (GUUG) to help them enhance a program
known as GNU Privacy Guard.
A spokeswoman from the United States Commerce Department's Bureau of Export
Administration, which enforces the government's control of encryption
software, declined to comment on the grant until the agency received
further details. The GNU project is a loosely knit international group of
programmers who openly share the form of the software known as the source
code. This openness allows users to examine the inner workings of the
software, search for bugs, and create enhancements for the software. GNU
Privacy Guard is an open version of the popular software package Pretty
Good Privacy (PGP), which prevents eavesdropping with secret codes.
Werner Koch, a programmer in Duesseldorf and the leader of the project,
said in a telephone interview on Thursday that the project would be
producing a "shrinkwrapped" version of the software that would be easy to
use for Microsoft Windows owners. "There will be a personal version and a
business version with some additional features, which will mainly support
contracts," he said. "We'll also integrate the software with popular e-mail
programs like Microsoft Outlook."
The project will also focus on strengthening the infrastructure for
managing the "keys" - actually strings of numbers -- used in the
encryption. Each user of a program has a number of personalized keys, which
are used to create what are called digital signatures. In cyberspace, these
digital keys must be stored in a central directory in much the same way
that telephone numbers are assigned to each person. Some of the money in
the German government grant will go to build and maintain a robust version
of these key server computers.
Another project focus is to create a version that integrates with Lotus
Notes, a program for manipulating and sharing documents that is popular in
business and government. Koch pointed out that Lotus, an American division
of IBM, can only ship a version with crippled privacy protection because of
the United States's export control laws.
In 1997, the Swedish government was astounded to learn that the version of
Lotus Notes that they were using came with a "key escrow" feature that
apparently made it easy for the U.S. government to read documents. The
system was being used by members of the Swedish Parliament and the military.
Koch emphasized that the bulk of the work will be released to the world
under the loose control of a license like the GNU General Public License.
This agreement gives everyone the freedom to copy and use the software and
prevents them from selling closed or proprietary versions.
Some members of the open-source movement reject the idea that software
could be owned by a person or a company and explicitly draft licenses like
the GNU GPL to prevent this from happening. The members are also adamant in
their belief that anyone should have access to the instructions a
programmer gives to the computer in human readable form. These
instructions, or source code, are freely distributed in the hope that other
users will read it, critique, debug it, and enhance it.
This approach to circulating the source code stands at odds with historical
practices in the software industry, which has guarded the source code as a
trade secret. This attitude has been fading quickly because the open source
movement demonstrated remarkable success crafting high-quality operating
systems like the GNU/Linux.
The United States government long supported open source software before it
became known by that name. Most of the research contracts granted by
agencies like the National Science Foundation or the Defense Advanced
Research Projects Agency require the recipients to publish the final source
code.
Koch says the German government is interested in his project because it is
one that is best accomplished with open source software. "It's easy to
explain that you need open source to look for holes and mistakes." he
explained, echoing a commonly held belief that open-source software is more
secure because everyone can audit it.
In recent months, the branches of the United States government devoted to
intelligence gathering and law enforcement have taken a cautious view of
the technology. In May, Attorney General Janet Reno sent a letter to the
German government requesting that it restrict the export of so-called open
source encryption software like the GNU Privacy Guard.
William Reinsch is the undersecretary of commerce responsible for the
Bureau of Export Administration, said in an interview earlier this month
that source code is more dangerous than shrink-wrapped software because it
is so easy to modify. "We have always, across the board, controlled
production technology more than the end products," he said. "We control
machine tools and other production technology very strictly."
The distinction is notable because earlier this fall the Clinton
Administration pledged to loosen the export restrictions for software after
substantial pressure from the computer industry. These pledges, however,
were just broad promises and the industry is still waiting to learn the
crucial details, which will be included in the final regulations, due Dec.
15.
One of the biggest sticking points is the treatment of source code. Some of
Silicon Valley's biggest companies, like Sun and Apple, distribute the
source code to major sections of their operating system. They have begun
this practice recently due to demands from customers and competitive
pressure from companies like Red Hat, which sells a version of GNU/Linux.
Another sticking point is how the regulations will handle source code. The
United States government and many private companies are already importing
encryption software from Canada and Australia.
Koch predicts that the new grant will help cement Germany's leadership in
electronic commerce.
"United States is the land of software, but not in the field of
cryptography any more." Koch said. "Other countries like Germany are much
better now. We are still lucky. In Germany, we are really free to do
anything now." On June 2, the German government issued a broad decision,
known "Kryptoeckwertebeschluss," which committed the government to
encouraging the development of cryptography. It was largely seen as a
rebuff of the United States.
Some programmers in the United States feel that it is only a matter of time
before the United States embraces strong, unbreakable encryption
technology. Phil Zimmerman, a developer of another encryption package known
as PGP, said, "We're in the endgame now."