PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page


PRIVACY Forum Digest     Saturday, 17 April 1993     Volume 02 : Issue 13

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
        
                     ===== PRIVACY FORUM =====

          The PRIVACY Forum digest is supported in part by the 
              ACM Committee on Computers and Public Policy.


CONTENTS
        *** Special Issue on "Clipper" Encryption System ***

        White House Public Encryption Management Fact Sheet
           (Clipper Chip Announcement)
        Clipper chip encryption (Bruce O'Neel)
        CPSR Calls for Public Debate (Dave Banisar)
        Which countries outlaw encryption? (Dave Bakken)
        Initial EFF Analysis of Clinton Privacy and Security Proposal
           (EFFector Online Volume 5 No. 6)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com/",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "cv.vortex.com/".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 13

   Quote for the day:

        "Listen, do you want to know a secret?
         Do you promise not to tell?"

                -- "Do You Want to Know a Secret?"
                    John Lennon / Paul McCartney; 1963
        
----------------------------------------------------------------------

Date:    Fri, 16 Apr 93 16:42:31 EDT
From:    Clipper Chip Announcement <clipper@first.org>
Subject: White House Public Encryption Management Fact Sheet


Note:     The following was released by the White House today in
          conjunction with the announcement of the Clipper Chip
          encryption technology.

                           FACT SHEET

                  PUBLIC ENCRYPTION MANAGEMENT

The President has approved a directive on "Public Encryption
Management."  The directive provides for the following:

Advanced telecommunications and commercially available encryption
are part of a wave of new computer and communications technology. 
Encryption products scramble information to protect the privacy of
communications and data by preventing unauthorized access. 
Advanced telecommunications systems use digital technology to
rapidly and precisely handle a high volume of communications. 
These advanced telecommunications systems are integral to the
infrastructure needed to ensure economic competitiveness in the
information age.

Despite its benefits, new communications technology can also
frustrate lawful government electronic surveillance.  Sophisticated
encryption can have this effect in the United States.  When
exported abroad, it can be used to thwart foreign intelligence
activities critical to our national interests.  In the past, it has
been possible to preserve a government capability to conduct
electronic surveillance in furtherance of legitimate law
enforcement and national security interests, while at the same time
protecting the privacy and civil liberties of all citizens.  As
encryption technology improves, doing so will require new,
innovative approaches.

In the area of communications encryption, the U. S. Government has
developed a microcircuit that not only provides privacy through
encryption that is substantially more robust than the current
government standard, but also permits escrowing of the keys needed
to unlock the encryption.  The system for the escrowing of keys
will allow the government to gain access to encrypted information
only with appropriate legal authorization.

To assist law enforcement and other government agencies to collect
and decrypt, under legal authority, electronically transmitted
information, I hereby direct the following action to be taken:

INSTALLATION OF GOVERNMENT-DEVELOPED MICROCIRCUITS

The Attorney General of the United States, or her representative,
shall request manufacturers of communications hardware which
incorporates encryption to install the U.S. government-developed
key-escrow microcircuits in their products.  The fact of law
enforcement access to the escrowed keys will not be concealed from
the American public.  All appropriate steps shall be taken to
ensure that any existing or future versions of the key-escrow
microcircuit are made widely available to U.S. communications
hardware manufacturers, consistent with the need to ensure the
security of the key-escrow system.  In making this decision, I do
not intend to prevent the private sector from developing, or the
government from approving, other microcircuits or algorithms that
are equally effective in assuring both privacy and a secure key-
escrow system.

KEY-ESCROW

The Attorney General shall make all arrangements with appropriate
entities to hold the keys for the key-escrow microcircuits
installed in communications equipment.  In each case, the key
holder must agree to strict security procedures to prevent
unauthorized release of the keys.  The keys shall be released only
to government agencies that have established their authority to
acquire the content of those communications that have been
encrypted by devices containing the microcircuits.  The Attorney
General shall review for legal sufficiency the procedures by which
an agency establishes its authority to acquire the content of such
communications.

PROCUREMENT AND USE OF ENCRYPTION DEVICES

The Secretary of Commerce, in consultation with other appropriate
U.S. agencies, shall initiate a process to write standards to
facilitate the procurement and use of encryption devices fitted
with key-escrow microcircuits in federal communications systems
that process sensitive but unclassified information.  I expect this
process to proceed on a schedule that will permit promulgation of
a final standard within six months of this directive. 

The Attorney General will procure and utilize encryption devices to
the extent needed to preserve the government's ability to conduct
lawful electronic surveillance and to fulfill the need for secure
law enforcement communications.  Further, the Attorney General
shall utilize funds from the Department of Justice Asset Forfeiture
Super Surplus Fund to effect this purchase.

------------------------------

Date:    Fri, 16 Apr 93 16:59:16 EDT
From:    oneel@aplcenmp.apl.jhu.edu (Bruce O'Neel)
Subject: Clipper chip encryption

In Volume 02, Issue 12:
> For Immediate Release                           April 16, 1993
> 
> 
>                 STATEMENT BY THE PRESS SECRETARY
> 
> 
> The President today announced a new initiative that will bring
> the Federal Government together with industry in a voluntary
> program to improve the security and privacy of telephone
> communications while meeting the legitimate needs of law
> enforcement.

A few thoughts from a practical vein rather than  a subversive vein
from someone who isn't a cryptographer and doesn't play one on TV... 

1.  What's an "encryption" device?  Is a V.32 modem one?  Without
another modem it's pretty hard to figure out what's going on.   What
about programs such as compress?  With out the "key" of the
compress/decompress program it's a bit difficult to decode compressed
files.  

2.  What happens if I make for my own use an "encryption" device for
data and/or voice communications?  Will that become illegal?  The
Press Secretary dodged the question about individuals purchasing the
chips.   Or will transmission methods only be encryption if I use
unpublished methods and non-commercial devices?  Say I come up with a
breakthrough to compress voice and can multiplex multiple voice
channels together on a regular telephone circuit.  If I make a one-off
device to do this (one for each end of the circuit) is this
encryption?  Will I have to get a permit to use it?

3.  Does that mean that voice/data communications would have to have
"headers" telling what the "encryption" method is?  [The following is
in ascii text] ABC [The following is in ...] and so on.   Will
UUENCODE become encryption? 

4.  Will we therefore get "approved" or "standardized" transmission
formats?  You don't need a permit|permission|whatever to stay within
the law if you use ascii, LZ compressed ascii, english over telephones
and so on?

5. What if I use some sort of Huffman compression and transmit the
frequency table in a separate message?  Common algorithm but without
the "key" in the form of a frequency table it'll be a bit difficult to
figure out.

Just some thoughts.

bruce
-- 
Measure with a micrometer.  Mark with chalk.  Cut with an axe.

------------------------------

Date:    Fri, 16 Apr 1993 16:43:02 EST    
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: CPSR Calls for Public Debate

April 16, 1993
Washington, DC

               COMPUTER PROFESSIONALS CALL FOR PUBLIC 
           DEBATE ON NEW GOVERNMENT ENCRYPTION INITIATIVE

        Computer Professionals for Social Responsibility (CPSR) 
today called for the public disclosure of technical data 
underlying the government's newly-announced "Public Encryption 
Management" initiative.  The new cryptography scheme was 
announced today by the White House and the National Institute 
for Standards and Technology (NIST), which will implement the 
technical specifications of the plan.  A NIST spokesman 
acknowledged that the National Security Agency (NSA), the super-
secret military intelligence agency, had actually developed the 
encryption technology around which the new initiative is built.

        According to NIST, the technical specifications and the 
Presidential directive establishing the plan are classified.  To 
open the initiative to public review and debate, CPSR today 
filed a series of Freedom of Information Act (FOIA) requests 
with key agencies, including NSA, NIST, the National Security 
Council and the FBI for information relating to the encryption 
plan.  The CPSR requests are in keeping with the spirit of the 
Computer Security Act, which Congress passed in 1987 in order to 
open the development of non-military computer security standards 
to public scrutiny and to limit NSA's role in the creation of 
such standards.

        CPSR previously has questioned the role of NSA in 
developing the so-called "digital signature standard" (DSS), a 
communications authentication technology that NIST proposed for 
government-wide use in 1991.  After CPSR sued NIST in a FOIA 
lawsuit last year, the civilian agency disclosed for the first 
time that NSA had, in fact, developed that security standard.  
NSA is due to file papers in federal court next week justifying 
the classification of records concerning its creation of the 
DSS.

        David Sobel, CPSR Legal Counsel, called the 
administration's apparent commitment to the privacy of 
electronic communications, as reflected in today's official 
statement,  "a step in the right direction."  But he questioned 
the propriety of NSA's role in the process and the apparent 
secrecy that has thus far shielded the development process from 
public scrutiny.  "At a time when we are moving towards the 
development of a new information infrastructure, it is vital 
that standards designed to protect personal privacy be 
established openly and with full public participation.  It is 
not appropriate for NSA -- an agency with a long tradition of 
secrecy and opposition to effective civilian cryptography -- to 
play a leading role in the development process." 

        CPSR is a national public-interest alliance of computer 
industry professionals dedicated to examining the impact of 
technology on society.   CPSR has 21 chapters in the U.S. and 
maintains offices in Palo Alto, California, Cambridge, 
Massachusetts and Washington, DC.  For additional information on 
CPSR, call (415) 322-3778 or e-mail <cpsr@csli.stanford.edu>.

------------------------------

Date:    Fri, 16 Apr 1993 14:51:36 MST
From:    "Dave Bakken" <bakken@cs.arizona.edu>
Subject: Which countries outlaw encryption?

Friday's announcement about the new Clipper Chip 
mentioned in passing that some countries have effectively
outlawed encryption.  Where can one find a list of such countries
or a paper discussing this?  Thanks!

------------------------------

Date:    Fri, 16 Apr 1993 23:00:00 PDT
From:    "EFFector Online Volume 5 No. 6"
Subject: Initial EFF Analysis of Clinton Privacy and Security Proposal

    [ This item is extracted from "EFF Effector Online" Volume 5 No. 6.
      Contact address is "editors@eff.org". -- MODERATOR ]


                       April 16, 1993

      INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY  
                           PROPOSAL

       The Clinton Administration today made a major announcement 
on cryptography policy which will effect the privacy and security of 
millions of Americans.  The first part of the plan is to begin a 
comprehensive inquiry into major communications privacy issues 
such as export controls which have effectively denied most people 
easy access to robust encryption as well as law enforcement issues 
posed by new technology.

       However, EFF is very concerned that the Administration has 
already reached a conclusion on one critical part of the inquiry, before 
any public comment or discussion has been allowed.  Apparently, the 
Administration is going to use its leverage to get all telephone 
equipment vendors to adopt a voice encryption standard developed 
by the National Security Agency. The so-called "Clipper Chip" is an 
80-bit, split key escrowed encryption scheme which will be built into 
chips manufactured by a military contractor.  Two separate escrow 
agents would store users' keys, and be required to turn them over 
law enforcement upon presentation of a valid warrant.  The 
encryption scheme used is to be classified, but they chips will be 
available to any manufacturer for incorporation into their 
communications products.

       This proposal raises a number of serious concerns .

       First, the Administration appears to be adopting a solution 
before conducting an inquiry.  The NSA-developed Clipper chip may 
not be the most secure product. Other vendors or developers may 
have better schemes. Furthermore, we should not rely on the 
government as the sole source for Clipper or any other chips.  Rather,
independent chip manufacturers should be able to produce chipsets 
based on open standards.

       Second, an algorithm can not be trusted unless it can be tested. 
Yet the Administration proposes to keep the chip algorithm 
classified.  EFF believes that any standard adopted ought to be public 
and open.  The public will only have confidence in the security of a 
standard that is open to independent, expert scrutiny.  

       Third, while the use of the split-key, dual-escrowed 
system may prove to be a reasonable balance between privacy and 
law enforcement needs, the details of this scheme must be explored 
publicly before it is adopted.  What will give people confidence in the 
safety of their keys?  Does disclosure of keys to a third party waive 
individual's fifth amendment rights in subsequent criminal 
inquiries?  

       In sum, the Administration has shown great sensitivity to the 
importance of these issues by planning a comprehensive inquiry into 
digital privacy and security.  However, the "Clipper chip" solution 
ought to be considered as part of the inquiry, not be adopted before 
the discussion even begins.

DETAILS OF THE PROPOSAL:

ESCROW

The 80-bit key will be divided between two escrow agents, each of 
whom hold 40 bits of each key.  Upon presentation of a valid 
warrant, the two escrow agents would have to turn the key parts 
over to law enforcement agents.  Most likely the Attorney General 
will be asked to identify appropriate escrow agents.  Some in the 
Administration have suggested one non-law enforcement federal 
agency, perhaps the Federal Reserve, and one non-governmental 
organization.  But, there is no agreement on the identity of the agents 
yet.

Key registration would be done by the manufacturer of the 
communications device.  A key is tied to the device, not to the person 
using it.

CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS

The Administration claims that there are no back door means by 
which the government or others could break the code without 
securing keys from the escrow agents and that the President will 
be told there are no back doors to this classified algorithm.  In order 
to prove this, Administration sources are interested in arranging for 
an all-star crypto cracker team to come in, under a security 
arrangement, and examine the algorithm for trap doors.  The results 
of the investigation would then be made public.

GOVERNMENT AS MARKET DRIVER

In order to get a market moving, and to show that the government 
believes in the security of this system, the feds will be the first big 
customers for this product.  Users will include the FBI, Secret Service, 
VP Al Gore, and maybe even the President. 

FROM MORE INFORMATION CONTACT:

Jerry Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel

------------------------------

End of PRIVACY Forum Digest 02.13
************************


PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.