NIST taps private sector for testing

The National Institute of Standards and Technology is preparing to release a request for information to expand private-sector participation in a pilot program testing methods to decode encrypted data.

The Emergency Access Demonstration Project is testing so-called key-recovery systems that make up the core technology embedded in the Clinton administration's controversial public-key recovery system announced in July. As proposed, the system would allow organizations to voluntarily hand over their keys for accessing secured data to a trusted third party, whom law enforcement agencies could then contact, if given the legal authority such as a search warrant, to access the data.

NIST is preparing the solicitations to learn more about how the private sector is using the technology and to encourage additional members of industry to participate in the project. Industry participants already in the project include GTE Corp., Netscape Communications Corp., Microsoft Corp., Lotus Development Corp., Motorola Inc., Tandem Computers Inc., Nortel Federal Systems Inc. and RSA, among others.

"The government cannot dictate this market," said Bruce McConnell, director of the Office of Management and Budget's Information Technology Branch. "The only way key recovery is going to come about is if there is a private-sector demand for it. We believe there is a market for this."

The $8 million demonstration project also is looking at several key-recovery systems. "We don't want to restrict it to just one method," said Patricia Edfors, champion for security and privacy for the Government Information Technology Services Working Group. "It appears to us so far there are three or four ways to do it."

Edfors emphasized that the working group will not be recovering digital signature keys, creating a key-management infrastructure, limiting the technology used or mandating which cryptography is used.

Besides NIST, agencies participating in the project include the departments of Energy, Transportation and Treasury, the Lawrence Livermore National Laboratory, the Customs Service, the National Technical Information Service, the Social Security Administration and the Small Business Administration.

The projects include a diverse mix of federal government business applications. For example, SSA will make available annual wage reporting forms via the Internet to 140 small businesses in Maryland and Connecticut. It also will provide users with a way to access Social Security benefit information.

SSA is the only agency providing public access to real data via the Internet, said John Erwin, program manager for electronic service delivery at SSA. Still, the administration is grappling with how to secure on-line responses about benefit information.

"This agency is not in the business of opening up a data center for the world to look at records," he said. "Security is paramount. We need to know that the public is satisfied that we're protecting the movement of their very private information."
