I just got back from the first day of PC Expo at Javits Center here
in New Yawk. (God, how I love these shows. Trinkets, trinkets and
more trinkets.) To make a long story short, I picked up a copy (and
renewed my subscription) of the latest PC Week. The following article
shows (at least) that the Clipper/Capstone debate has not subsided,
but rather, is just becoming public knowledge thanks to coverage in
trade publications and popular press.
This particular article is included amongst several others in a
"Special Report" section in the June 28 issue of PC Week relating
to Privacy in the Workplace, "Privacy issue comes of age in the
networked world." Other articles in this issue include "Encryption,
monitoring and E-mail spur the privacy debate," "Some companies
spell it right out: We will be watching you," "Privacy Act would
force firms to inform their employees about E-mail monitoring,"
"Electronic monitoring raises legal and societal questions,"
"Encryption technology is on the rise in the private sector," "UPS
toes the line with its package-tracking technologies" and two
side-bar articles entitled "Cellular phones: Some like 'em and some
don't" and "From A to Z: Privacy policies run the gamut."
Cheers from Times Square, Manhattan.
8<------- Article follows ---------------
PC Week Special Report
"Workplace Privacy"
"News Analysis"
PC Week
June 28, 1993
pages 207, 211
Crypto policy and business privacy
The White House wants businesses to protect data but leave doors
open to law-enforcement agencies
by Winn Schwartau
Following the Clinton administration's April 16 endorsement of
the Clipper chip, law-enforcement and privacy advocates are
staking out positions that will likely test the bounds of the
Constitution.
The Clipper chip, manufactured by Mykotronx Inc., of Torrance,
Calif., and officially designated the MYK-78, contains a
sophisticated encryption algorithm that protects a company's
communications by scrambling the data.
Announced as a joint technical effort between the NSA (National
Security Agency) and NIST (National Institute for Standards and
Technology), the chip is supposed to balance the needs of law
enforcement with businesses' need for data privacy.
The Clinton administration is encouraging American businesses to
adopt Clipper to ensure their own privacy, yet still permit
"lawful government electronic surveillance," according to a
statement released by the White House. Third-party products that
contain the Clipper chip are expected to be announced by fall.
The keys to decrypting Clipper communications will be held by two
independent parties, such as the Federal Reserve Board and a
private company. Attorney General Janet Reno had expected to
announce the holders of the keys in early May, but has delayed
the announcement until midsummer, according to a spokesman at the
Attorney General's office.
The Clipper endeavor stems from Bush-era intelligence-agency
attempts at adding legislative riders to congressional bills that
would have forced telecommunications and networking companies to
build in back doors for encrypted transmissions. The EFF
(Electronic Frontier Foundation) and CPSR (Computer Professionals
for Social Responsibility), citizen groups based in Washington,
are generally credited with having such riders removed from
the bills.
Deep concern drives the anti-Clipper privacy advocates, many of
whom focus on the integrity of the encryption key-escrow agents
who will ultimately hold the keys to the U.S. digital kingdom if
the proposed program is successful. Said Kevin Murray, president
of Murray & Assoc., a security-consulting firm in Clinton, N.J.,
"I don't like Clipper at all. If you're going to offer privacy,
then offer it. I've seen too many cases where secrets easily
leaked out."
Few, if any, businesses appear willing to sign on with the
government's plan. Spearheaded by the EFF and the ACLU (American
Civil Liberties Union), 31 companies sent a letter last month to
the White House and Congress stating "... We believe that there
are fundamental privacy and other constitutional rights that must
be taken into account when any domestic surveillance is
proposed." Among the companies signing the letter were AT&T,
Apple Computer Inc., Digital Equipment Corp., IBM,
Hewlett-Packard Co., Lotus Development Corp., MCI Communications
Corp., Microsoft Corp., RSA Data Security Inc. and Sun
Microsystems Inc.
One area of concern among the companies is that the government
intends to keep all technical information about the Clipper
encryption algorithm secret. Conventional cryptological wisdom
says that only after wide-spread public analysis and comment can
an encryption technique be trusted.
CPSR last month filed a lawsuit against the National Security
Council seeking information about the Clipper chip.
"The Clipper plan was developed behind a veil of secrecy," said
Marc Rotenberg, director of CPSR's Washington office. "We need to
know why the standard was developed, what alternatives were
considered and what the impact will be on privacy.
"As the proposal currently stands, Clipper looks a lot like
desktop surveillance," Rotenberg said.
Said Mitch Kapor, founder of Lotus and chairman of the EFF, "An
[encryption] system based upon classified, secret technology will
not and should not gain the confidence of the American public."
On the other hand, Clipper chip supporters such as Dorothy
Denning, chairman of the Computer Science Dept. at Georgetown
University in Washington and a noted expert in the field of
cryptography, say the key-escrow system is more than adequate to
protect legitimate American interests.
Padgett Peterson, information-security specialist at defense
contractor Martin Marietta Corp., in Orlando, Fla., said, "I
believe Clipper's going to work. The government has more to lose
than we do." The Justice Department has already placed large
orders with AT&T for telephones fitted with Clipper encryption
chips. Said Peterson, "Soon enough, everyone will be using
Clipper: doctors, lawyers and CPAs."
However, the chip's use in other governmental agencies is not
assured. Neither the Federal Reserve Board nor the Department of
the Treasury has indicated that they will adopt Clipper.
Many business executives believe the government's encouragement
of voluntary adoption is only the first step in a plan drawn by
the intelligence community years ago that will eventually mandate
Clipper encryption for private businesses and outlaw all other
forms of encryption. The ACLU, EFF, CPSR and other watchdog
groups aim to ensure that the government never goes that far.
American businesses that adopt Clipper encryption in their
networks and communications systems will have to accept some
far-reaching assumptions, according to its skeptics:
- that the Clipper algorithm is robust enough to secure their
corporate information assets domestically and internationally.
The international security community already believes American
data to be less secure than it should be and worries about
leaving doors open to the United States;
- that the government does not have its own back door to read
encrypted communications;
- that the key-escrow agents, once named, can be trusted;
- that the key-escrow repository, a vault that contains the
Clipper chip serial numbers and encrypting and decrypting keys,
will be secure enough to withstand a dedicated attack. The
Attorney General's office also plans to announce this summer
what form the repository will take -- electronic or otherwise
-- and how it will be secured;
- that by its very use, the company is not unintentionally giving
up its right to privacy or other constitutional rights; and
- that purchasing machines that include the hardware-based
Clipper chip is better than using currently available and
field-tested software encryption techniques such as DES and
RSA.
The response to Clipper has been negative despite pleas from the
administration that "while [other forms of] encryption technology
can help Americans protect business secrets and the unauthorized
release of personal information, [they] also can be used by
terrorists, drug dealers and other criminals."
Martin Marietta's Peterson still believes Clipper is "good
enough" for business, but he is in the minority. The majority
opinion holds that Clipper may be what the government wants, but
it shouldn't even think about making any laws mandating its use.
------
Winn Schwartau is the executive director of INTERPACT, a
Seminole, Fla., consultancy, publisher of the Security Insider
Report and author of "Terminal Compromise" and "Information
Warfare: How To Wage It, How To Win It."
Paul Ferguson | "Confidence is the feeling you get
Network Integrator | just before you fully understand
Centreville, Virginia USA | the problem."
fergp(a)sytex.com | - Murphy's 7th Law of Computing
Quis Custodiet Ipsos Custodes?