February 1994 - cypherpunks-legacy

Another Brick in the Wall
by farber＠central.cis.upenn.edu 23 Feb '94

23 Feb '94

CyberWire Dispatch//Copyright (c) 1994 Jacking in from Another Brick in the Wall Port: Washington, DC -- The White House is being heavily lobbied by law enforcement agencies and national intelligence agencies to make the use of the government designed Clipper Chip mandatory in telephones, fax machines and cable systems, according to classified documents obtained by Dispatch. When the Administration announced on February 4th that it was endorsing the controversial Clipper Chip program, it asserted that any use of the chip would be voluntary. But the White House carefully hedged its bet: Buried deep in the background briefing papers that accompanied the announcement was the Administration's official policy that U.S. citizens weren't guaranteed any constitutional right to choose their own encryption technologies. Government officials have brushed aside concerns from civil liberties groups and privacy advocates that sporadic adoption of Clipper would eventually spawn a mandatory use policy. To try and forestall that, however, the government has instituted a subtle coercion tactic: You can't do business with Uncle Sam unless your products are "clipper equipped," according to National Institute for Standards and Technology Assistant Deputy Director Raymond Kammer. The Administration's desire for industry to sign-on as an early Clipper "team player" was so overwhelming that it bribed AT&T into agreeing to publicly support the idea, according to classified documents obtained by Dispatch. On the same day last April when Clipper was first unveiled, AT&T publicly proclaimed it would be installing the chip in its encryption products. A classified April 30, 1993 memo from the Assistant Secretary of Defense says: "[T]he President has directed that the Attorney General request that manufacturers of communications hardware use the trapdoor chip, and at least AT&T has been reported willing to do so (having been suitably incentivised by promises of Government purchases)." The government says "incentivised" while prosecuting attorney's all over the country say, "bribed." You make the call. Take Your Privacy and Shove It ============================== That same memo says the Clipper proposal is a "complex set of issues [that] places the public's right to privacy in opposition to the public's desire for safety." If "privacy prevails... criminals and spies... consequently prosper," the memo says. What's the answer to such freeflowing privacy? The memo says law enforcement and national security agencies "propose that cryptography be made available and required which contains a 'trapdoor' that would allow law enforcement and national security officials, under proper supervision, to decrypt enciphered communications." The operative word here is "required." Two Track Dialog ================ While Clinton's policy wonks wring their hands over such issues as universal access to the National Information Infrastructure, law enforcement and national security officials couldn't care less, frankly. The Working Group on Privacy for the Information Infrastructure Task Force was told in clean, cold language that the desire of law enforcement is to "front load" the NII with "intercept technologies." Under the guise of "do it now or we'll catch less bad guys." It's all black or white to these guys. Other classified Dept. of Defense documents chime on this debate: "This worthy goal (of building the NII) is independent of arguments as to whether or not law enforcement and national security officials will be able to read at will traffic passing along the information superhighway." This is not science fiction. The Clipper chip is like a cancer that has eaten into the fabric of all levels of government, including the military. Classified DoD documents state that a "full-scale public debate is needed to ascertain the wishes of U.S. citizens with regard to their privacy, and the impact on public safety of preserving privacy at the expense of wiretapping and communications intercept capabilities of law enforcement and national security personnel." In other words, they don't think you know what you want. To them, it's a kind of tradeoff, a twisted sort of privacy auction. What do you bid? Your privacy for two drug lords, a former KGB spy and a pedophile. What's the price? Your government wants to know. Honest. The jury's still out, according to these classified documents: "It is not clear what the public will decide." But you can rest safely, the Pentagon does. Why? Again from a secret memo: "In the meantime, DoD has trapdoor technology and the Government is proceeding with development of the processes needed to apply that technology in order to maintain the capability to perform licit intercept of communications in support of law enforcement and national security." Meeks out...

1 0

FIPS 185 - EES
by jet＠nas.nasa.gov 23 Feb '94

23 Feb '94

[From the NIST Computer Security Bulletin Board] FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION 185 1994 February 9 U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology ESCROWED ENCRYPTION STANDARD CATEGORY: TELECOMMUNICATIONS SECURITY U.S. DEPARTMENT OF COMMERCE, Ronald H. Brown, Secretary NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, Arati Prabhakar, Director Foreword The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by the Computer Security Act of 1987, Public Law 100-235. These mandates have given the Secretary of Commerce and NIST important responsibilities for improving the utilization and management of computer and related telecommunications systems in the Federal Government. The NIST, through the Computer Systems Laboratory, provides leadership, technical guidance, and coordination of Government efforts in the development of standards and guidelines in these areas. Comments concerning Federal Information Processing Standards Publications are welcomed and should be addressed to the Director, Computer Systems Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899. James H. Burrows, Director Computer Systems Laboratory Abstract This standard specifies an encryption/decryption algorithm and a Law Enforcement Access Field (LEAF) creation method which may be implemented in electronic devices and used for protecting government telecommunications when such protection is desired. The algorithm and the LEAF creation method are classified and are referenced, but not specified, in the standard. Electronic devices implementing this standard may be designed into cryptographic modules which are integrated into data security products and systems for use in data security applications. The LEAF is used in a key escrow system that provides for decryption of telecommunications when access to the telecommunications is lawfully authorized. Key words: Cryptography, Federal Information Processing Standard, encryption, key escrow system, security. FIPS PUB 185 Federal Information Processing Standards Publication 185 1994 February 9 Announcing the Escrowed Encryption Standard (EES) Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by the Computer Security Act of 1987, Public Law 100-235. Name of Standard: Escrowed Encryption Standard (EES). Category of Standard: Telecommunications Security. Explanation: This Standard specifies use of a symmetric-key encryption (and decryption) algorithm (SKIPJACK) and a Law Enforcement Access Field (LEAF) creation method (one part of a key escrow system) which provides for decryption of encrypted telecommunications when interception of the telecommunications is lawfully authorized. Both the SKIPJACK algorithm and the LEAF creation method are to be implemented in electronic devices (e.g., very large scale integration chips). The devices may be incorporated in security equipment used to encrypt (and decrypt) sensitive unclassified telecommunications data. Decryption of lawfully intercepted telecommunications may be achieved through the acquisition and use of the LEAF, the decryption algorithm and the two escrowed key components. One definition of "escrow" means that something (e.g., a document, an encryption key) is "delivered to a third person to be given to the grantee only upon the fulfillment of a condition" (Webster's Seventh New Collegiate Dictionary). The term, "escrow", for purposes of this standard, is restricted to this dictionary definition. A key escrow system, for purposes of this standard, is one that entrusts the two components comprising a cryptographic key (e.g., a device unique key) to two key component holders (also called "escrow agents"). In accordance with the above definition of "escrow", the key component holders provide the components of a key to a "grantee" (e.g., a law enforcement official) only upon fulfillment of the condition that the grantee has properly demonstrated legal authorization to conduct electronic surveillance of telecommunications which are encrypted using the specific device whose device unique key is being requested. The key components obtained through this process are then used by the grantee to reconstruct the device unique key and obtain the session key which is then used to decrypt the telecommunications that are encrypted with that session key. The SKIPJACK encryption/decryption algorithm has been approved for government applications requiring encryption of sensitive but unclassified data telecommunications as defined herein. The specific operations of the SKIPJACK algorithm and the LEAF creation method are classified and hence are referenced, but not specified, in this standard. Data for purposes of this standard includes voice, facsimile and computer information communicated in a telephone system. A telephone system for purposes of this standard is limited to a system which is circuit switched and operating at data rates of standard commercial modems over analog voice circuits or which uses basic-rate ISDN or a similar grade wireless service. Data that is considered sensitive by a responsible authority should be encrypted if it is vulnerable to unauthorized disclosure during telecommunications. A risk analysis should be performed under the direction of a responsible authority to determine potential threats and risks. The costs of providing encryption using this standard as well as alternative methods and their respective costs should be projected. A responsible authority should then make a decision, based on the risk and cost analyses, whether or not to use encryption and then whether or not to use this standard. Approving Authority: Secretary of Commerce. Maintenance Agency: Department of Commerce, National Institute of Standards and Technology. Applicability: This standard is applicable to all Federal departments and agencies and their contractors under the conditions specified below. This standard may be used in designing and implementing security products and systems, which Federal departments and agencies use or operate or which are operated for them under contract. These products may be used when replacing Type II and Type III (DES) encryption devices and products owned by the government and government contractors. This standard may be used when the following conditions apply: 1. An authorized official or manager responsible for data security or the security of a computer system decides that encryption is required and cost justified as per OMB Circular A- 130; and 2. The data is not classified according to Executive Order 12356, entitled "National Security Information," or to its successor orders, or to the Atomic Energy Act of 1954, as amended. However, Federal departments or agencies which use encryption devices for protecting data that is classified according to either of these acts may use those devices also for protecting unclassified data in lieu of this standard. In addition, this standard may be adopted and used by non-Federal Government organizations. Such use is encouraged when it provides the desired security. Applications: This standard may be used in any unclassified government and commercial communications. Use of devices conforming to this standard is voluntary for unclassified government applications and for commercial security applications. Implementations: The encryption/decryption algorithm and the LEAF creation method shall be implemented in electronic devices (e.g., electronic chip packages) which are protected against unauthorized entry, modification and reverse engineering. Implementations which are tested and validated by NIST will be considered as complying with this standard. An electronic device shall be incorporated into a cryptographic module in accordance with FIPS 140-1. NIST will test for conformance with FIPS 140-1. Conforming cryptographic modules can then be integrated into security equipment for sale and use in a security application. Information about devices that have been validated, procedures for testing equipment for conformance with NIST standards, and information about approved security equipment are available from the Computer Systems Laboratory, NIST, Gaithersburg, MD 20899. Export Control: Implementations of this standard are subject to Federal Government export controls as specified in Title 22, Code of Federal Regulations, Parts 120 through 131 (International Traffic of Arms Regulations - ITAR). Exporters of encryption devices, equipment and technical data are advised to contact the U.S. Department of State, Office of Defense Trade Controls for more information. Patents: Implementations of this standard may be covered by U.S. and foreign patents. Implementation Schedule: This standard becomes effective thirty days following publication of this FIPS PUB. Specifications: Federal Information Processing Standard (FIPS 185), Escrowed Encryption Standard (EES) (affixed). Cross Index: a. FIPS PUB 46-2, Data Encryption Standard. b. FIPS PUB 81, Modes of Operation of the DES c. FIPS PUB 140-1, Security Requirements for Cryptographic Modules. GLOSSARY: The following terms are used as defined below for purposes of this standard: Data - Unclassified voice, facsimile and computer information communicated over a telephone system. Decryption - Conversion of ciphertext to plaintext through the use of a cryptographic algorithm. Device (cryptographic) - An electronic implementation of the encryption/decryption algorithm and the LEAF creation method as specified in this standard. Digital data - Data that have been converted to a binary representation. Encryption - Conversion of plaintext to ciphertext through the use of a cryptographic algorithm. Key components - The two values from which a key can be derived (e.g., KU1 ~ KU2). Key escrow - The processes of managing (e.g., generating, storing, transferring, auditing) the two components of a cryptographic key by two key component holders. LEAF Creation Method - A part of a key escrow system that is implemented in a cryptographic device and creates a Law Enforcement Access Field. Type I cryptography - A cryptographic algorithm or device approved by the National Security Agency for protecting classified information. Type II cryptography - A cryptographic algorithm or device approved by the National Security Agency for protecting sensitive unclassified information in systems as specified in section 2315 of Title 10 United States Code, or section 3502(2) of Title 44, United States Code. Type III cryptography - A cryptographic algorithm or device approved as a Federal Information Processing Standard. Type III(E) cryptography - A Type III algorithm or device that is approved for export from the United States. Qualifications: The protection provided by a security product or system is dependent on several factors. The protection provided by the SKIPJACK algorithm against key search attacks is greater than that provided by the DES algorithm (e.g., the cryptographic key is longer). However, provisions of this standard are intended to ensure that information encrypted through use of devices implementing this standard can be decrypted by a legally authorized entity. Where to Obtain Copies of the Standard: Copies of this publication are for sale by the National Technical Information Service, U.S. Department of Commerce, Springfield, VA 22161. When ordering, refer to Federal Information Processing Standards Publication 185 (FIPS PUB 185), and identify the title. When microfiche is desired, this should be specified. Prices are published by NTIS in current catalogs and other issuances. Payment may be made by check, money order, deposit account or charged to a credit card accepted by NTIS. Federal Information Processing Standards Publication 185 1994 February 9 Specifications for the ESCROWED ENCRYPTION STANDARD 1. INTRODUCTION This publication specifies Escrowed Encryption Standard (EES) functions and parameters. 2. GENERAL This standard specifies use of the SKIPJACK cryptographic algorithm and a LEAF Creation Method to be implemented in an approved electronic device (e.g., a very large scale integration electronic chip). The device is contained in a logical cryptographic module which is then integrated in a security product for encrypting and decrypting telecommunications. Approved implementations may be procured by authorized organizations for integration into security equipment. Devices must be tested and validated by NIST for conformance to this standard. Cryptographic modules must be tested and validated by NIST for conformance to FIPS 140-1. 3. ALGORITHM SPECIFICATIONS The specifications of the encryption/decryption algorithm (SKIPJACK) and LEAF Creation Method 1 (LCM-1) are classified. The National Security Agency maintains these classified specifications and approves the manufacture of devices which implement the specifications. NIST tests for conformance of the devices implementing this standard in cryptographic modules to FIPS 140-1 and FIPS 81. 4. FUNCTIONS AND PARAMETERS 4.1 FUNCTIONS The following functions, at a minimum, shall be implemented: 1. Data Encryption: A session key (80 bits) shall be used to encrypt plaintext information in one or more of the following modes of operation as specified in FIPS 81: ECB, CBC, OFB (64), CFB (1, 8, 16, 32, 64). 2. Data Decryption: The session key (80 bits) used to encrypt the data shall be used to decrypt resulting ciphertext to obtain the data . 3. LEAF Creation: A Family Key (e.g., KF-1) shall be used to create a Law Enforcement Access Field (LEAF) in accordance with a LEAF Creation Method (e.g., LCM-1). The security equipment shall ensure that the LEAF is transmitted in such a manner that the LEAF and ciphertext may be decrypted with legal authorization. No additional encryption or modification of the LEAF is permitted. 4.2 PARAMETERS The following parameters shall be used in performing the prescribed functions: 1. Device Unique Identifier (UID): The identifier unique to a particular device and used by the Key Escrow System. 2. Device Unique Key (KU): The cryptographic key unique to a particular device and used by the Key Escrow System. 3. Cryptographic Protocol Field (CPF): The field identifying the registered cryptographic protocol used by a particular application and used by the Key Escrow System (reserved for future specification and use). 4. Escrow Authenticator (EA): A binary pattern that is inserted in the LEAF to ensure that the LEAF is transmitted and received properly and has not been modified, deleted or replaced in an unauthorized manner. 5. Initialization Vector (IV): A mode and application dependent vector of bytes used to initialize, synchronize and verify the encryption, decryption and key escrow functions. 6. Family Key (KF): The cryptographic key stored in all devices designated as a family that is used to create a LEAF. 7. Session Key (KS): The cryptographic key used by a device to encrypt and decrypt data during a session. 8. Law Enforcement Access Field (LEAF): The field containing the encrypted session key and the device identifier and the escrow authenticator. 5. IMPLEMENTATION The Cryptographic Algorithm (i.e., SKIPJACK) and a LEAF Creation Method (e.g., LCM-1) shall be implemented in an electronic device (e.g., VLSI chip) which is highly resistant to reverse engineering (destructive or non-destructive) to obtain or modify the cryptographic algorithm, the UID, the KF, the KU, the EA, the CPF, the operational KS, and any other security or Key Escrow System relevant information. The device shall be able to be programmed/personalized (i.e., made unique) after mass production in such a manner that the UID, KU (or its components), KF (or its components) and EA fixed pattern can be entered once (and only once) and maintained without external electrical power. The LEAF and the IV shall be transmitted with the ciphertext. The specifics of the protocols used to create and transmit the LEAF, IV, and encrypted data shall be registered and a CPF assigned. The CPF (and the KF-ID, LCM-ID) shall then be transmitted in accordance with the registered specifications. Various devices implementing this standard are anticipated. The implementation may vary with the application. The specific electric, physical and logical interface will vary with the implementation. Each approved, registered implementation shall have an unclassified electrical, physical and logical interface specification sufficient for an equipment manufacturer to understand the general requirements for using the device. Some of the requirements may be classified and therefore would not be specified in the unclassified interface specification. The device Unique Key shall be composed of two components (each a minimum of 80 bits long) and each component shall be independently generated and stored by an escrow agent. The session key used to encrypt transmitted information shall be the same as the session key used to decrypt received information in a two-way simultaneous communication. The Lead Creation Method (LCM), the Cryptographic Protocol Field (CPF), and the Family Key Identifier (KF-ID) shall be registered in the NIST Computer Security Object Register. This standard is not an interoperability standard. It does not provide sufficient information to design and implement a security device or equipment. Other specifications and standards will be required to assure interoperability of EES devices in various applications. Specifications of a particular EES device must be obtained from the manufacturer. The specifications for the SKIPJACK algorithm are contained in the R21 Informal Technical Report entitled "SKIPJACK" (S), R21-TECH- 044-91, May 21, 1991. The specifications for LEAF Creation Method 1 are contained in the R21 Informal Technical Report entitled "Law Enforcement Access Field for the Key Escrow Microcircuit" (S). Organizations holding an appropriate security clearance and entering into a Memorandum of Agreement with the National Security Agency regarding implementation of the standard will be provided access to the classified specifications. Inquiries may be made regarding the Technical Reports and this program to Director, National Security Agency, Fort George G. Meade, MD 20755-6000, ATTN: R21. -- Stanton McCandlish * mech(a)eff.org * Electronic Frontier Found. OnlineActivist F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G O P E N P L A T F O R M O N L I N E R I G H T S V I R T U A L C U L T U R E C R Y P T O

1 0

NIST Crypto Update
by jet＠nas.nasa.gov 23 Feb '94

23 Feb '94

[From the NIST Computer Security Bulletin Board] (EMBARGOED FOR RELEASE: 3:00 P.M., Friday, Feb. 4, 1994) Fact Sheet NIST Cryptography Activities Escrowed Encryption Standard On April 16, 1993, the White House announced that the President approved a directive on "Public Encryption Management." Among other items, the President directed the Secretary of Commerce, in consultation with other appropriate U.S. agencies, to initiate a process to write standards to facilitate the procurement and use of encryption devices fitted with key-escrow microcircuits in federal communications systems that process sensitive but unclassified information. In response to the President's directive, on July 30, 1993, the Department of Commerce's National Institute of Standards and Technology (NIST) announced the voluntary Escrowed Encryption Standard (EES) as a draft Federal Information Processing Standard (FIPS) for public comment. The FIPS would enable federal agencies to procure escrowed encryption technology when it meets their requirements; the standard is not to be mandatory for either federal agency or private sector use. During the public review of the draft standard, a group of independent cryptographers were provided the opportunity to examine the strength of the classified cryptographic algorithm upon which the EES is based. They found that the algorithm provides significant protection and that it will be 36 years until the cost of breaking the EES algorithm will be equal to the cost of breaking the current Data Encryption Standard. They also found that there is no significant risk that the algorithm can be broken through a shortcut method of attack. Public comments were received by NIST on a wide range of issues relevant to the EES. The written comments submitted by interested parties and other information available to the Department relevant to this standard were reviewed by NIST. Nearly all of the comments received from industry and individuals opposed the adoption of the standard. However, many of those comments reflected misunderstanding or skepticism about the Administration's statements that the EES would be a voluntary standard. The Administration has restated that the EES will be a strictly voluntary standard available for use as needed to provide more secure telecommunications. The standard was found to be technically sound and to meet federal agency requirements. NIST made technical and editorial changes and recommended the standard for approval by the Secretary of Commerce. The Secretary now has approved the EES as a FIPS voluntary standard. In a separate action, the Attorney General has now announced that NIST has been selected as one of the two trusted agents who will safeguard components of the escrowed keys.Digital Signature Standard In 1991, NIST proposed a draft digital signature standard as a federal standard for publiccomment. Comments were received by NIST on both technical and patent issues. NIST has reviewed the technical comments and made appropriate changes to the draft. In order to resolve the patent issues, on June 3, 1993, NIST proposed a cross-licensing arrangement for a "Digital Signature Algorithm" for which NIST has received a patent application. The algorithm forms the basis of the proposed digital signature standard. Extensive public comments were received on the proposed arrangement, many of them negative and indicating the need for royalty-free availability of the algorithm. The Administration has now concluded that a royalty-free digital signature technique is necessary in order to promote widespread use of this important information security technique. NIST is continuing negotiations with the aim of obtaining a digital signature standard with royalty-free use worldwide. NIST also will pursue other technical and legal options to attain that goal. Cooperation with Industry During the government's review of cryptographic policies and regulations, NIST requested assistance from the Computer System Security and Privacy Advisory Board to obtain public input on a wide range of cryptographic-related issues, including the key escrow encryption proposal, legal and Constitutional issues, social and public policy issues, privacy, vendor and business perspectives, and users' perspectives. The Board held five days of public meetings. Comments obtained by the Board were useful during the government's review of these issues. In addition, NIST met directly with many industry and public interest organizations, including those on the Digital Privacy and Security Working Group and the Electronic Frontier Foundation. As directed by the President when the key escrow encryption initiative was announced, the government continues to be open to other approaches to key escrowing. On August 24, 1993, NIST also announced the opportunity to join a Cooperative Research and Development Agreement (CRADA) to develop secure software encryption with integrated cryptographic key escrowing techniques. Three industry participants have expressed their interest to NIST in this effort; however, the government still seeks fuller participation from the commercial software industry. NIST now is announcing an opportunity for industry to join in a CRADA to develop improved and alternative hardware technologies that contain key escrow encryption capabilities. Additionally, the Administration has decided to strengthen NIST's cryptographic capabilities in order to better meet the needs of U.S. industry and federal agencies. 2/4/94 -- Stanton McCandlish * mech(a)eff.org * Electronic Frontier Found. OnlineActivist F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G O P E N P L A T F O R M O N L I N E R I G H T S V I R T U A L C U L T U R E C R Y P T O

1 0

Gopher File
by brenner＠netcom.com 16 Feb '94

16 Feb '94

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-Copyright 1993,4 Wired USA Ltd. All Rights Reserved=-=-=-=-=-= -=-=For complete copyright information, please see the end of this file=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= WIRED 2.04 Electrosphere ************* Jackboots on the Infobahn ^^^^^^^^^^^^^^^^^^^^^^^^^ Clipper is a last ditch attempt by the United States, the last great power from the old Industrial Era, to establish imperial control over cyberspace. By John Perry Barlow [Note: The following article will appear in the April 1994 issue of WIRED. We, the editors of WIRED, are net-casting it now in its pre-published form as a public service. Because of the vital and urgent nature of its message, we believe readers on the Net should hear and take action now. You are free to pass this article on electronically; in fact we urge you to replicate it throughout the net with our blessings. If you do, please keep the copyright statements and this note intact. For a complete listing of Clipper-related resources available through WIRED Online, send email to <infobot(a)wired.com> with the following message: "send clipper.index". - The Editors of WIRED] On January 11, I managed to schmooze myself aboard Air Force 2. It was flying out of LA, where its principal passenger had just outlined his vision of the information superhighway to a suited mob of television, show- biz, and cable types who fervently hoped to own it one day - if they could ever figure out what the hell it was. >From the standpoint of the Electronic Frontier Foundation the speech had been wildly encouraging. The administration's program, as announced by Vice President Al Gore, incorporated many of the concepts of open competition, universal access, and deregulated common carriage that we'd been pushing for the previous year. But he had said nothing about the future of privacy, except to cite among the bounties of the NII its ability to "help law enforcement agencies thwart criminals and terrorists who might use advanced telecommunications to commit crimes." On the plane I asked Gore what this implied about administration policy on cryptography. He became as noncommittal as a cigar-store Indian. "We'll be making some announcements.... I can't tell you anything more." He hurried to the front of the plane, leaving me to troubled speculation. Despite its fundamental role in assuring privacy, transaction security, and reliable identity within the NII, the Clinton administration has not demonstrated an enlightenment about cryptography up to par with the rest of its digital vision. The Clipper Chip - which threatens to be either the goofiest waste of federal dollars since President Gerald Ford's great Swine Flu program or, if actually deployed, a surveillance technology of profound malignancy - seemed at first an ugly legacy of the Reagan-Bush modus operandi. "This is going to be our Bay of Pigs," one Clinton White House official told me at the time Clipper was introduced, referring to the disastrous plan to invade Cuba that Kennedy inherited from Eisenhower. (Clipper, in case you're just tuning in, is an encryption chip that the National Security Agency and FBI hope will someday be in every phone and computer in America. It scrambles your communications, making them unintelligible to all but their intended recipients. All, that is, but the government, which would hold the "key" to your chip. The key would separated into two pieces, held in escrow, and joined with the appropriate "legal authority.") Of course, trusting the government with your privacy is like having a Peeping Tom install your window blinds. And, since the folks I've met in this White House seem like extremely smart, conscious freedom-lovers - hell, a lot of them are Deadheads - I was sure that after they were fully moved in, they'd face down the National Security Agency and the FBI, let Clipper die a natural death, and lower the export embargo on reliable encryption products. Furthermore, the National Institutes of Standards and Technology and the National Security Council have been studying both Clipper and export embargoes since April. Given that the volumes of expert testimony they had collected overwhelmingly opposed both, I expected the final report would give the administration all the support it needed to do the right thing. I was wrong. Instead, there would be no report. Apparently, they couldn't draft one that supported, on the evidence, what they had decided to do instead. THE OTHER SHOE DROPS On Friday, February 4, the other jackboot dropped. A series of announcements from the administration made it clear that cryptography would become their very own "Bosnia of telecommunications" (as one staffer put it). It wasn't just that the old Serbs in the National Security Agency and the FBI were still making the calls. The alarming new reality was that the invertebrates in the White House were only too happy to abide by them. Anything to avoid appearing soft on drugs or terrorism. So, rather than ditching Clipper, they declared it a Federal Data Processing Standard, backing that up with an immediate government order for 50,000 Clipper devices. They appointed the National Institutes of Standards and Technology and the Department of Treasury as the "trusted" third parties that would hold the Clipper key pairs. (Treasury, by the way, is also home to such trustworthy agencies as the Secret Service and the Bureau of Alcohol, Tobacco, and Firearms.) They reaffirmed the export embargo on robust encryption products, admitting for the first time that its purpose was to stifle competition to Clipper. And they outlined a very porous set of requirements under which the cops might get the keys to your chip. (They would not go into the procedure by which the National Security Agency could get them, though they assured us it was sufficient.) They even signaled the impending return of the dread Digital Telephony, an FBI legislative initiative requiring fundamental reengineering of the information infrastructure; providing wiretapping ability to the FBI would then become the paramount design priority. INVASION OF THE BODY SNATCHERS Actually, by the time the announcements thudded down, I wasn't surprised by them. I had spent several days the previous week in and around the White House. I felt like I was in another remake of The Invasion of the Body Snatchers. My friends in the administration had been transformed. They'd been subsumed by the vast mindfield on the other side of the security clearance membrane, where dwell the monstrous bureaucratic organisms that feed on fear. They'd been infected by the institutionally paranoid National Security Agency's Weltanschauung. They used all the telltale phrases. Mike Nelson, the White House point man on the NII, told me, "If only I could tell you what I know, you'd feel the same way I do." I told him I'd been inoculated against that argument during Vietnam. (And it does seem to me that if you're going to initiate a process that might end freedom in America, you probably need an argument that isn't classified.) Besides, how does he know what he knows? Where does he get his information? Why, the National Security Agency, of course. Which, given its strong interest in the outcome, seems hardly an unimpeachable source. However they reached it, Clinton and Gore have an astonishingly simple bottom line, to which even the future of American liberty and prosperity is secondary: They believe that it is their responsibility to eliminate, by whatever means, the possibility that some terrorist might get a nuke and use it on, say, the World Trade Center. They have been convinced that such plots are more likely to ripen to hideous fruition behind a shield of encryption. The staffers I talked to were unmoved by the argument that anyone smart enough to steal a nuclear device is probably smart enough to use PGP or some other uncompromised crypto standard. And never mind that the last people who popped a hooter in the World Trade Center were able to get it there without using any cryptography and while under FBI surveillance. We are dealing with religion here. Though only ten American lives have been lost to terrorism in the last two years, the primacy of this threat has become as much an article of faith with these guys as the Catholic conviction that human life begins at conception or the Mormon belief that the Lost Tribe of Israel crossed the Atlantic in submarines. In the spirit of openness and compromise, they invited the Electronic Frontier Foundation to submit other solutions to the "problem" of the nuclear-enabled terrorist than key escrow devices, but they would not admit into discussion the argument that such a threat might, in fact, be some kind of phantasm created by the spooks to ensure their lavish budgets into the post-Cold War era. As to the possibility that good old-fashioned investigative techniques might be more valuable in preventing their show-case catastrophe (as it was after the fact in finding the alleged perpetrators of the last attack on the World Trade Center), they just hunkered down and said that when wiretaps were necessary, they were damned well necessary. When I asked about the business that American companies lose because of their inability to export good encryption products, one staffer essentially dismissed the market, saying that total world trade in crypto goods was still less than a billion dollars. (Well, right. Thanks more to the diligent efforts of the National Security Agency than to dim sales potential.) I suggested that a more immediate and costly real-world effect of their policies would be to reduce national security by isolating American commerce, owing to a lack of international confidence in the security of our data lines. I said that Bruce Sterling's fictional data-enclaves in places like the Turks and Caicos Islands were starting to look real-world inevitable. They had a couple of answers to this, one unsatisfying and the other scary. The unsatisfying answer was that the international banking community could just go on using DES, which still seemed robust enough to them. (DES is the old federal Data Encryption Standard, thought by most cryptologists to be nearing the end of its credibility.) More frightening was their willingness to counter the data-enclave future with one in which no data channels anywhere would be secure from examination by one government or another. Pointing to unnamed other countries that were developing their own mandatory standards and restrictions regarding cryptography, they said words to the effect of, "Hey, it's not like you can't outlaw the stuff. Look at France." Of course, they have also said repeatedly - and for now I believe them - that they have absolutely no plans to outlaw non-Clipper crypto in the US. But that doesn't mean that such plans wouldn't develop in the presence of some pending "emergency." Then there is that White House briefing document, issued at the time Clipper was first announced, which asserts that no US citizen "as a matter of right, is entitled to an unbreakable commercial encryption product." Now why, if it's an ability they have no intention of contesting, do they feel compelled to declare that it's not a right? Could it be that they are preparing us for the laws they'll pass after some bearded fanatic has gotten himself a surplus nuke and used something besides Clipper to conceal his plans for it? If they are thinking about such an eventuality, we should be doing so as well. How will we respond? I believe there is a strong, though currently untested, argument that outlawing unregulated crypto would violate the First Amendment, which surely protects the manner of our speech as clearly as it protects the content. But of course the First Amendment is, like the rest of the Constitution, only as good as the government's willingness to uphold it. And they are, as I say, in the mood to protect our safety over our liberty. This is not a mind-frame against which any argument is going to be very effective. And it appeared that they had already heard and rejected every argument I could possibly offer. In fact, when I drew what I thought was an original comparison between their stand against naturally proliferating crypto and the folly of King Canute (who placed his throne on the beach and commanded the tide to leave him dry), my government opposition looked pained and said he had heard that one almost as often as jokes about roadkill on the information superhighway. I hate to go to war with them. War is always nastier among friends. Furthermore, unless they've decided to let the National Security Agency design the rest of the National Information Infrastructure as well, we need to go on working closely with them on the whole range of issues like access, competition, workplace privacy, common carriage, intellectual property, and such. Besides, the proliferation of strong crypto will probably happen eventually no matter what they do. But then again, it might not. In which case we could shortly find ourselves under a government that would have the automated ability to log the time, origin and recipient of every call we made, could track our physical whereabouts continuously, could keep better account of our financial transactions than we do, and all without a warrant. Talk about crime prevention! Worse, under some vaguely defined and surely mutable "legal authority," they also would be able to listen to our calls and read our e-mail without having to do any backyard rewiring. They wouldn't need any permission at all to monitor overseas calls. If there's going to be a fight, I'd rather it be with this government than the one we'd likely face on that hard day. Hey, I've never been a paranoid before. It's always seemed to me that most governments are too incompetent to keep a good plot strung together all the way from coffee break to quitting time. But I am now very nervous about the government of the United States of America. Because Bill 'n' Al, whatever their other new-paradigm virtues, have allowed the very old-paradigm trogs of the Guardian Class to define as their highest duty the defense of America against an enemy that exists primarily in the imagination - and is therefore capable of anything. To assure absolute safety against such an enemy, there is no limit to the liberties we will eventually be asked to sacrifice. And, with a Clipper Chip in every phone, there will certainly be no technical limit on their ability to enforce those sacrifices. WHAT YOU CAN DO GET CONGRESS TO LIFT THE CRYPTO EMBARGO The administration is trying to impose Clipper on us by manipulating market forces. By purchasing massive numbers of Clipper devices, they intend to induce an economy of scale which will make them cheap while the export embargo renders all competition either expensive or nonexistent. We have to use the market to fight back. While it's unlikely that they'll back down on Clipper deployment, the Electronic Frontier Foundation believes that with sufficient public involvement, we can get Congress to eliminate the export embargo. Rep. Maria Cantwell, D-Washington, has a bill (H.R. 3627) before the Economic Policy, Trade, and Environment Subcommittee of the House Committee on Foreign Affairs that would do exactly that. She will need a lot of help from the public. They may not care much about your privacy in DC, but they still care about your vote. Please signal your support of H.R. 3627, either by writing her directly or e-mailing her at cantwell(a)eff.org. Messages sent to that address will be printed out and delivered to her office. In the subject header of your message, please include the words "support HR 3627." In the body of your message, express your reasons for supporting the bill. You may also express your sentiments to Rep. Lee Hamilton, D-Indiana, the House Committee on Foreign Affairs chair, by e-mailing hamilton(a)eff.org. Furthermore, since there is nothing quite as powerful as a letter from a constituent, you should check the following list of subcommittee and committee members to see if your congressional representative is among them. If so, please copy them your letter to Rep. Cantwell. > Economic Policy, Trade, and Environment Subcommittee: Democrats: Sam Gejdenson (Chair), D-Connecticut; James Oberstar, D- Minnesota; Cynthia McKinney, D-Georgia; Maria Cantwell, D-Washington; Eric Fingerhut, D-Ohio; Albert R. Wynn, D-Maryland; Harry Johnston, D-Florida; Eliot Engel, D-New York; Charles Schumer, D-New York. Republicans: Toby Roth (ranking), R-Wisconsin; Donald Manzullo, R-Illinois; Doug Bereuter, R-Nebraska; Jan Meyers, R-Kansas; Cass Ballenger, R-North Carolina; Dana Rohrabacher, R-California. > House Committee on Foreign Affairs: Democrats: Lee Hamilton (Chair), D-Indiana; Tom Lantos, D-California; Robert Torricelli, D-New Jersey; Howard Berman, D-California; Gary Ackerman, D-New York; Eni Faleomavaega, D-Somoa; Matthew Martinez, D- California; Robert Borski, D-Pennsylvania; Donal Payne, D-New Jersey; Robert Andrews, D-New Jersey; Robert Menendez, D-New Jersey; Sherrod Brown, D-Ohio; Alcee Hastings, D-Florida; Peter Deutsch, D-Florida; Don Edwards, D-California; Frank McCloskey, D-Indiana; Thomas Sawyer, D-Ohio; Luis Gutierrez, D-Illinois. Republicans: Benjamin Gilman (ranking), R-New York; William Goodling, R- Pennsylvania; Jim Leach, R-Iowa; Olympia Snowe, R-Maine; Henry Hyde, R- Illinois; Christopher Smith, R-New Jersey; Dan Burton, R-Indiana; Elton Gallegly, R-California; Ileana Ros-Lehtinen, R-Florida; David Levy, R-New York; Lincoln Diaz-Balart, R-Florida; Ed Royce, R-California. BOYCOTT CLIPPER DEVICES AND THE COMPANIES WHICH MAKE THEM. Don't buy anything with a Clipper Chip in it. Don't buy any product from a company that manufactures devices with Big Brother inside. It is likely that the government will ask you to use Clipper for communications with the IRS or when doing business with federal agencies. They cannot, as yet, require you to do so. Just say no. LEARN ABOUT ENCRYPTION AND EXPLAIN THE ISSUES TO YOUR UNWIRED FRIENDS The administration is banking on the likelihood that this stuff is too technically obscure to agitate anyone but nerds like us. Prove them wrong by patiently explaining what's going on to all the people you know who have never touched a computer and glaze over at the mention of words like "cryptography." Maybe you glaze over yourself. Don't. It's not that hard. For some hands-on experience, download a copy of PGP - Pretty Good Privacy - a shareware encryption engine which uses the robust RSA encryption algorithm. And learn to use it. GET YOUR COMPANY TO THINK ABOUT EMBEDDING REAL CRYPTOGRAPHY IN ITS PRODUCTS If you work for a company that makes software, computer hardware, or any kind of communications device, work from within to get them to incorporate RSA or some other strong encryption scheme into their products. If they say that they are afraid to violate the export embargo, ask them to consider manufacturing such products overseas and importing them back into the United States. There appears to be no law against that. Yet. You might also lobby your company to join the Digital Privacy and Security Working Group, a coalition of companies and public interest groups - including IBM, Apple, Sun, Microsoft, and, interestingly, Clipper phone manufacturer AT&T - that is working to get the embargo lifted. ENLIST! Self-serving as it sounds coming from me, you can do a lot to help by becoming a member of one of these organizations. In addition to giving you access to the latest information on this subject, every additional member strengthens our credibility with Congress. > Join the Electronic Frontier Foundation by writing membership(a)eff.org. > Join Computer Professionals for Social Responsibility by e-mailing cpsr.info@cpsr .org. CPSR is also organizing a protest, to which you can lend your support by sending e-mail to clipper.petition(a)cpsr.org with "I oppose Clipper" in the message body. Ftp/gopher/WAIS to cpsr.org /cpsr/privacy/ crypto/clipper for more info. In his LA speech, Gore called the development of the NII "a revolution." And it is a revolutionary war we are engaged in here. Clipper is a last ditch attempt by the United States, the last great power from the old Industrial Era, to establish imperial control over cyberspace. If they win, the most liberating development in the history of humankind could become, instead, the surveillance system which will monitor our grandchildren's morality. We can be better ancestors than that. San Francisco, California Wednesday, February 9, 1994 * * * John Perry Barlow (barlow(a)eff.org) is co-founder and Vice-Chairman of the Electronic Frontier Foundation, a group which defends liberty, both in Cyberspace and the Physical World. He has three daughters. =-=-=-=-=-=-=-=-=-=-=-=WIRED Online Copyright Notice=-=-=-=-=-=-=-=-=-=-=-= Copyright 1993,4 Wired USA Ltd. All rights reserved. This article may be redistributed provided that the article and this notice remain intact. This article may not under any circumstances be resold or redistributed for compensation of any kind without prior written permission from Wired Ventures, Ltd. If you have any questions about these terms, or would like information about licensing materials from WIRED Online, please contact us via telephone (+1 (415) 904 0660) or email (info(a)wired.com) WIRED and WIRED Online are trademarks of Wired Ventures, Ltd. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1 0

text of info file on Cantwell bill
by ssteele＠eff.org 08 Feb '94

08 Feb '94

Following are Representative Maria Cantwell's remarks to the House of Representatives when she introduced H.R. 3627, Legislation to Amend the Export Administration Act of 1979. Her synopsis of the bill appears at the end. These remarks appeared in the Congressional Record on November 24, 1993, at Volume 139, Page 3110. Please write to Rep. Cantwell today at cantwell(a)eff.org letting her know you support her bill. In the Subject header of your message, type "I support HR 3627." In the body of your message, express your reasons for supporting the bill. EFF will deliver printouts of all letters to Rep. Cantwell. With a strong showing of support from the Net community, Rep. Cantwell can tell her colleagues on Capitol Hill that encryption is not only an industry concern, but also a grassroots issue. *Again: remember to put "I support HR 3627" in your Subject header.* The text of the Cantwell bill can be found with the any of the following URLs (Universal Resource Locaters): ftp://ftp.eff.org/pub/Policy/Legislation/cantwell.bill http://www.eff.org/ftp/EFF/Policy/Legislation/cantwell.bill gopher://gopher.eff.org/00/EFF/legislation/cantwell.bill ********************************************************************** Mr. Speaker, I am today introducing legislation to amend the Export Administration Act of 1979 to liberalize export controls on software with encryption capabilities. A vital American industry is directly threatened by unilateral U.S. Government export controls which prevent our companies from meeting worldwide user demand for software that includes encryption capabilities to protect computer data against unauthorized disclosure, theft, or alteration. The legislation I am introducing today is needed to ensure that American companies do not lose critical international markets to foreign competitors that operate without significant export restrictions. Without this legislation, American software companies, some of America's star economic performers, have estimated they stand to lose between $6 and $9 billion in revenue each year. American hardware companies are already losing hundreds of millions of dollars in lost computer system sales because increasingly sales are dependent on the ability of a U.S. firm to offer encryption as a feature of an integrated customer solution involving hardware, software, and services. The United States' export control system is broken. It was designed as a tool of the cold-war, to help fight against enemies that no longer exist. The myriad of Federal agencies responsible for controlling the flow of exports from our country must have a new charter, recognizing today's realities. Next year, the House Foreign Affairs Subcommittee of Economic Policy, Trade and the Environment, of which I am a member, will be marking up legislation to overhaul the Export Administration Act. It is my hope that the legislation I introduce today will be included in the final Export Administration Act rewrite. This legislation takes some important steps to resolve a serious problem facing some of our most dynamic industries. It would give the Secretary of Commerce exclusive authority over dual use information security programs and products, eliminates the requirement for export licenses for generally available software with encryption capabilities, and requires the Secretary to grant such validated licenses for exports of other software with encryption capabilities to any country to which we already approve exports for foreign financial institutions. The importance of this legislation cannot be overstated. America's computer software and hardware companies, including such well-known companies as Apple, DEC, Hewlett-Packard, IBM, Lotus, Microsoft, Novell, and WordPerfect, have been among the country's most internationally competitive firms earning more than one-half of their revenues from exports. The success of American software and hardware companies overseas is particularly dramatic and the importance of foreign markets is growing. Currently, American software companies hold a 75 percent worldwide market share and many derive over 50 percent of their revenues from foreign sales. American computer hardware manufacturers earn more than 60 percent of their revenues from exports. As my colleagues are well-aware, we are participants in a new information age that is quickly transforming local and national marketplaces and creating new international marketplaces where none previously existed. President Clinton and Vice President Gore have both spent considerable time explaining their vision of the National Information Infrastructure that is essential to our continued economic growth. Part of that infrastructure is already in place. International business transactions that just a few years ago took days or weeks or months to complete can now be accomplished in minutes. Driving this marketplace transformation is the personal computer. And, at the heart of every personal computer is computer software. Even the most computer illiterate of us recognize that during the past decade, computer prices have dropped dramatically while computer capabilities have increased exponentially. That combination has made it possible to exchange information and conduct business at a scale that was considered science fiction only a few years ago. Indeed, we all now rely on computer networks to conduct business and exchange information. Whether it be the electronic mail or "e-mail" system that we all now use in our congressional offices or the automated teller system relied on to conduct our personal financial affairs, we rely on computer networks of information. In the future, individuals will use information technologies to conduct virtually any of the routine transactions that they do today in person, over the telephone, and through paper files. From personal computers at home, in schools, and in public libraries, they will access books, magazine articles, videos, and multimedia resources on any topic they want. People will use computer networks to locate and access information about virtually any subject imaginable, such as background on the candidates in local political races, information on job opportunities in distant cities, the weather in the city or country they will be visiting on their vacation, and the highlights of specific sports events. Consumers will use their computers and smart televisions to shop and pay for everything from clothing and household goods to airline tickets, insurance, and all types of on-line services. Electronic records of the items they purchase and their credit histories will be easy to compile and maintain. Individuals will access home health programs from their personal computers for instant advice on medical questions, including mental health problems, information about the symptoms of AIDS, and a variety of personal concerns that they would not want other family members, or their neighbors and employers to know about. They will renew their prescriptions and obtain copies of their lab results electronically. The U.S. economy is becoming increasingly reliant on this information network. While we may not often think about these networks, they now affect every facet of our professional, business, and personal lives. They are present when we make an airline reservation; when we use a credit card to make a purchase; or when we visit a doctor who relies on a computer network to store our medical information or to assist in making a diagnosis. These networks contain information concerning every facet of our lives. For businesses, the reliance on information security is even greater. While businesses rely on the same commercial use networks that individual consumers use, in addition, businesses are now transmitting information across national and international borders with the same ease that the information was once transmitted between floors of the same office building. While all of this information exchange brings with it increased efficiencies and lower operating costs, it has also brought with it the need to protect the information from improper use and tampering. Information security is quickly becoming a top priority for businesses that rely on computer networks to conduct business. According to a recent survey of Fortune 500 companies conducted for the Business Software Alliance, 90 percent of the participants said that information security was important to their operations. Indeed, almost half of the Fortune 500 companies surveyed recently stated that data encryption was important to protect their information. One third of those companies said they look for encryption capabilities when buying software. The challenge for information security can be met by America's computer companies. American companies are deeply involved in efforts to ensure that the information transmitted on computer networks is secure. Numerous companies have developed and are developing software products with encryption capabilities that can ensure that transmitted information is received only by the intended user and that it is received in an unaltered form. Those encryption capabilities are based on mathematical formulas or logarithms of such a size that makes it almost impossible to corrupt data sources or intercept information being transmitted. I wish I could stand here today and tell my colleagues that U.S. export control laws were working and encryption technology was only available to American software companies. However, this is not the case. Sophisticated encryption technology has been available as a published public standard for over a decade and many private sources, both domestic and foreign, have developed encryption technology that they are marketing to customers today. It is an industry where commercial competition is fierce and success will go to the swift. Software is being developed and manufactured with encryption capabilities for the simple reason that software customers are demanding it. Computer users recognize the vulnerability of our information systems to corruption and improper use and are insisting on protection. That protection will be purchased or obtained from American companies or from foreign software companies. The choice is not whether the protection will be obtained, but from which company. Incredible as it may seem to most of my colleagues, the Executive Branch has seen fit to regulate exports of American computer software with encryption capabilities -- that is, the same software that is available across the counter at your local Egghead or Computerland software store -- munitions and thereby substantially prohibit its export to foreign customers. This policy, which has all the practical effect of shutting the barn door after the horses have left in preventing access to software with encryption capabilities, does have the actual detrimental effect of seriously endangering sales of both generally available American software and American computer systems. This is because increasingly sales are dependent on the ability of a U.S. firm to offer encryption as a feature of an integrated customer solution involving hardware, software and services. Indeed, software can be exported abroad by the simplest measures and our intelligence gathering agencies have no hope of ever preventing it. Unlike most munitions that are on the prohibited export list, generally available software with encryption capabilities can be purchased without any record by anyone from thousands of commercial retail outlets, or ordered from hundreds of commercial mail order houses, or obtained for free from computer bulletin boards or networks. Once obtained, it can be exported on a single indistinguishable floppy disk in the coat pocket of any traveler or in any business envelope mailed abroad. Moreover, both generally available and customized software can be exported without anyone ever actually leaving the United States. All that is necessary are two computers with modems, one located in the United States and one located abroad. A simple international phone call and a few minutes is all that it takes to export any software program. Once a software program with encryption capabilities is in a foreign country, any computer can act as a duplicating machine, producing as many perfect copies of the software as needed. The end result is that the software is widely available to foreign users. All this was demonstrated at a hearing held on October 12 by Chairman Gejdenson's Economic Policy Trade and Environment Subcommittee of the Foreign Affairs Committee. Furthermore, while current Executive Branch policy regulates the export of American manufactured software with encryption capabilities, it is obviously powerless to prevent the development and manufacture of such software by foreign competitors. Not surprisingly, that is exactly what is happening. We heard testimony at the subcommittee's hearing that over 200 foreign hardware, software and combination products for text, file, and data encryption are available from 20 foreign countries. As a result, foreign customers, that have, in the past, spent their software dollars on American-made software, are now being forced, by American policy, to buy foreign software -- and in some cases, entire foreign computer systems. The real impact of these policies is that customers and revenue are being lost with little hope of regaining them, once lost. All precipitated by a well-intentioned, but completely misguided and inappropriate policy. There were efforts, in the last Congress to correct this policy. In response, the Bush Administration did, in fact, marginally improve its export licensing process with regard to mass market software with limited encryption capabilities. However, those changes are simply insufficient to eliminate the damage being done to American software companies. My legislation is strongly supported by the Business Software Alliance. The Business Software Alliance represents the leading American software businesses, including Aldus, Apple Computer, Autodesk, Borland International, Computer Associates, GO Corp., Lotus Development, Microsoft, Novell, and WordPerfect. In addition, Adobe Systems, Central Point, Santa Cruz Operation, and Symantec are members of BSA's European operation. Together, BSA members represent 70 percent of PC software sales. The legislation is also supported by the Industry Coalition on Technology Transfer, an umbrella group representing 10 industry groups including the Aerospace Industries Association, American Electronic Association, Electronics Industry Association, and Computer and Business Equipment Manufacturing Association. All these companies are at the forefront of the software revolution. Their software, developed for commercial markets, is available throughout the world and is at the core of the information revolution. They represent the finest of America's future in the international marketplace, and the industry has repeatedly been recognized as crucial to America's technological leadership in the 21st century. My legislation is straightforward. It would allow American companies to sell the commercial software they develop in the United States to their overseas customers including our European allies -- something that is very difficult if not impossible under present policies. I urge my colleagues to support this legislation and ask unanimous consent that the text of the bill and a section-by-section explanation be printed at this point. ************************************************************************ Section-By-Section Analysis of Report Control Liberalization for Information Security Programs and Products Section 1 Section 1 amends the Export Administration Act by adding a new subsection that specifically addresses exports of computer hardware, software and technology for information security including encryption. The new subsection has three basic provisions. First, it gives the Secretary of Commerce exclusive authority over the export of such programs and products except those which are specifically designed for military use, including command, control and intelligence applications or for deciphering encrypted information. Second, the government is generally prohibited from requiring a validated export license for the export of generally available software (e.g., mass market commercial or public domain software) or computer hardware simply because it incorporates such software. Importantly, however, the Secretary will be able to continue controls on countries of terrorists concern (like Libya, Syria, and Iran) or other embargoed countries (like Cuba and North Korea) pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (except for instances where IEEPA is employed to extend EAA-based controls when the EAA is not in force). Third, the Secretary is required to grant validated licenses for exports of software to commercial users in any country to which exports of such software has been approved for use by foreign financial institutions. Importantly, the Secretary is not required to grant such export approvals if there is substantial evidence that the software will be diverted or modified for military or terrorists' end-use or re-exported without requisite U.S. authorization. Section 2 Section 2 provides definitions necessary for the proper implementation of the substantive provisions. For example, generally available software is offered for sale or licensed to the public without restriction and available through standard commercial channels of distribution, is sold as is without further customization, and is designed so as to be installed by the purchaser without additional assistance from the publisher. Computer hardware and computing devices are also defined.

1 0

EFF Wants You (to add your voice to the crypto fight)
by Mike Godwin 07 Feb '94

07 Feb '94

* DISTRIBUTE WIDELY * Monday, February 7th, 1994 From: Jerry Berman, Executive Director of EFF jberman(a)eff.org Dear Friends on the Electronic Frontier, I'm writing a personal letter to you because the time has now come for action. On Friday, February 4, 1994, the Administration announced that it plans to proceed on every front to make the Clipper Chip encryption scheme a national standard, and to discourage the development and sale of alternative powerful encryption technologies. If the government succeeds in this effort, the resulting blow to individual freedom and privacy could be immeasurable. As you know, over the last three years, we at EFF have worked to ensure freedom and privacy on the Net. Now I'm writing to let you know about something *you* can do to support freedom and privacy. *Please take a moment to send e-mail to U.S. Rep. Maria Cantwell (cantwell(a)eff.org) to show your support of H.R. 3627, her bill to liberalize export controls on encryption software.* I believe this bill is critical to empowering ordinary citizens to use strong encryption, as well as to ensuring that the U.S. software industry remains competitive in world markets. Here are some facts about the bill: Rep. Cantwell introduced H.R. 3627 in the House of Representatives on November 22, 1993. H.R. 3627 would amend the Export Control Act to move authority over the export of nonmilitary software with encryption capabilities from the Secretary of State (where the intelligence community traditionally has stalled such exports) to the Secretary of Commerce. The bill would also invalidate the current license requirements for nonmilitary software containing encryption capablities, unless there is substantial evidence that the software will be diverted, modified or re-exported to a military or terroristic end-use. If this bill is passed, it will greatly increase the availability of secure software for ordinary citizens. Currently, software developers do not include strong encryption capabilities in their products, because the State Department refuses to license for export any encryption technology that the NSA can't decipher. Developing two products, one with less secure exportable encryption, would lead to costly duplication of effort, so even software developed for sale in this country doesn't offer maximum security. There is also a legitimate concern that software companies will simply set up branches outside of this country to avoid the export restrictions, costing American jobs. The lack of widespread commercial encryption products means that it will be very easy for the federal government to set its own standard--the Clipper Chip standard. As you may know, the government's Clipper Chip initiative is designed to set an encryption standard where the government holds the keys to our private conversations. Together with the Digital Telephony bill, which is aimed at making our telephone and computer networks "wiretap-friendly," the Clipper Chip marks a dramatic new effort on the part of the government to prevent us from being able to engage in truly private conversations. We've been fighting Clipper Chip and Digital Telephony in the policy arena and will continue to do so. But there's another way to fight those initiatives, and that's to make sure that powerful alternative encryption technologies are in the hands of any citizen who wants to use them. The government hopes that, by pushing the Clipper Chip in every way short of explicitly banning alternative technologies, it can limit your choices for secure communications. Here's what you can do: I urge you to write to Rep. Cantwell today at cantwell(a)eff.org. In the Subject header of your message, type "I support HR 3627." In the body of your message, express your reasons for supporting the bill. EFF will deliver printouts of all letters to Rep. Cantwell. With a strong showing of support from the Net community, Rep. Cantwell can tell her colleagues on Capitol Hill that encryption is not only an industry concern, but also a grassroots issue. *Again: remember to put "I support HR 3627" in your Subject header.* This is the first step in a larger campaign to counter the efforts of those who would restrict our ability to speak freely and with privacy. Please stay tuned--we'll continue to inform you of things you can do to promote the removal of restrictions on encryption. In the meantime, you can make your voice heard--it's as easy as e-mail. Write to cantwell(a)eff.org today. Sincerely, Jerry Berman Executive Director, EFF jberman(a)eff.org P.S. If you want additional information about the Cantwell bill, send e-mail to cantwell-info(a)eff.org. To join EFF, write membership(a)eff.org. The text of the Cantwell bill can be found with the any of the following URLs (Universal Resource Locaters): ftp://ftp.eff.org/pub/Policy/Legislation/cantwell.bill http://www.eff.org/ftp/EFF/Policy/Legislation/cantwell.bill gopher://gopher.eff.org/00/EFF/legislation/cantwell.bill

1 0

Newspaper coverage of Administration encryption announcements
by Mike Godwin 07 Feb '94

07 Feb '94

The Washington Post, the New York Times, and the Wall Street Journal have all published stories over the last three days concerning the Administration's announcement on Friday, Feb. 5, 1994, that it will continue to deploy the controversial "Clipper Chip" encryption technology and will not significantly change its export controls. >From the Post on Saturday: "That means the administration will continue long-standing restrictions on exports of powerful encryption devices that the NSA cannot crack, and continue to encourage use of NSA-developed encryption gear, called the "Clipper chip," by all U.S. firms. The Clipper Chip makes it relatively easy for the government to eavesdrop on encrypted communications.... "Further, government officials said, the administration is expected in a few weeks to endorse an FBI proposal that U.S. telecommunications firms be required to guarantee law enforcement agencies' ability to tape phone and computer lines regardless of where the technology goes. "At the core of these high-tech disputes lies a fundamental conflict between Americans' cherished privacy rights and the government's investigative needs." >From the Times on Saturday: "But the Administration's action immediately drew a chorus of criticism from both business and privacy-rights groups. Computer and software companies, including Apple Computer, I.B.M. and Microsoft, have adamantly opposed the Clipper Chip because they believe customers will not trust an encryption program that was built by the government and whose inner workings remain a secret. "Perhaps more importantly, they fear that it will harm their ability to export products; they predict that foreign customers will resist buying computers and telecommunications equipment built with decoding technology devised by the National Security Agency. "Privacy-rights groups argue that the technology could lead to unauthorized eavesdropping, because the keys for unscrambling the code will remain in official hands. "'This is bad for privacy, bad for security and bad for exports,' said Jerry Berman, executive director of the Electronic Frontier Foundation, a Washington nonprofit group that lobbies on privacy issues related to electronic networks. 'The Administration is preparing to implement systems that the public will not trust, that foreign countries will not buy, and that terrorists will overcome.'" >From the Wall Street Journal on Monday: "The issue has become a controversial one between law enforcement officials and the computer industry and civil libertarians. In unfolding details of the administration's decision, Mike Nelson, an official at the Office of Science and Technology Policy, said the issue was so difficult it represented 'the Bosnia of telecommunications policy.' "Jerry Berman, executive director of the Electronic Frontier Foundation, a Washington-based computer users' civil-rights group, said the administration's handling of the Clipper Chip policy could make it 'as successful' as the Bosnia policy, which has come under widespread criticism." William Safire has also written about this in today's NYTimes. >From owner-cypherpunks Mon Feb 7 15:40:40 1994

1 0

[whitfield.diffie@Eng.Sun.COM: Preliminary remarks]
by gnu 07 Feb '94

07 Feb '94

------- Forwarded Message To: gnu(a)toad.com From: whitfield.diffie(a)Eng.Sun.COM

1 0

wh_press_secy.statement
by Dan Brown 04 Feb '94

04 Feb '94

THE WHITE HOUSE CONTACT: 202 156-7035 OFFlCE OF THE PRESS SECRETARY EMBARGOED UNTIL 3 PM (EST) FRIDAY, February 4, 1994 STATEMENT OF THE PRESS SECRETARY Last April, the Administration announced a comprehensive interagency review of encryption technology, to be overseen by the National Security Council. Today, the Administration is taking a number of steps to implement the recommendations resulting from that review. Advanced encryption technology offers individuals and businesses an inexpensive and easy way to encode data and telephone conversations. Unfortunately, the same encryption technology that can help Americans protect business secrets and personal privacy can also be used by terrorists, drug dealers, and other criminals. In the past, Federal policies on encryption have reflected primarily the needs of law enforcement and national security. The Clinton Administration has sought to balance these needs with the needs of businesses and individuals for security and privacy. That is why, today the National Institute of Standards ant Technology (NIST) is committing to ensure a royalty-free, public-domain Digital Signature Standard. Over many years, NIST has been developing digital signature technology that would provide a way to verify the author and sender of an electronic message. Such technology will be critical for a wide range of business applications for the National Information Infrastructure. A digital signature standard will enable individuals to transact business electronically rather than having to exchange signed paper contracts. The Administration has determined that such technology should not be subject to private royalty payments, and it will be taking steps to ensure that royalties are not required for use of a digital signature. Had digital signatures been in widespread use, the recent security problems with the Intemet would have been avoided. Last April, the Administration released the Key Escrow chip (also known as the "Clipper Chip") that would provide Americans with secure telecommunications without compromising the ability of law enforcement agencies to carry out legally authorized wiretaps. Today, the Department of Commerce and the Department of Justice are taking steps to enable the use of such technology both in the U.S. and overseas. At the same time, the Administration is announcing its intent to work with industry to develop other key escrow products that might better meet the needs of individuals and industry, particularly the American computer and telecommunications industry. Specific steps being announced today include: - Approval by the Commerce Secretary of the Escrowed Encryption Standard (EES) as a voluntary Federal Informahon Processing Standard, which will enable govemment gencies to purchase the Key Escrow chip for use with telephones nd modems. The department's National Institute of Standards and Technology (NIST) will publish the standard. - Publication by the Department of Justice of procedurs for the release of escrowed keys and the announcement of NIST and the Automated Services Division of the Treasury Department as the escrow agents that will store the keys needed for decryption of communications using the Key Escrow chip. Nothing in these procedures will diminish tne existing legal and procedural requirements that protect Americans from unauthorized wiretaps. - New procedures to allow export of products containing the Key Escrow chip to most countries. In addition, the Department of State will streamline export licensing procedures for encryption products that can be exported under current export regulations in order to help American companies sell their products overseas. In the past, it could take weeks for a company to obtain an export license for encryption products, and each shipment might require a separate license. The new procedures announced today will substantially reduce administrative delays and paperwork for encryption exports. To implement the Administration's encryption policy, an interagency Working Group on Encryption and Telecommunications has been established. It will be chaired by the White House Office of Science and Technology Policy and the National Security Council and will include representatives of the Departments of Commerce, Justice, State, and Treasury as well as the FBI, the National Security Agency, the Office of Management and Budget, and the National Economic Council. This group will work with industry and public-interest groups to develop new encryption technologies and to review and refine Administration policies regarding encryption, as needed. The Administration is expanding its efforts to work with industry to improve on the Key Escrow chip, to develop key-escrow software, and to examine alternatives to the Key Escrow chip. NIST will lead these efforts and will request additional staff and resources for this purpose. We understand that many in industry would like to see all encryption products exportable. However, if encryption technology is made freely available worldwide, it would no doubt be usod extensively by terrorists, drug dealers, and other criminals to harm Americans both in the U.S. and abroad. For this reason, the Administration will continue to restrict export of the most sophisticated encryption devices, both to preserve our own foreign intelligence gathering capability and because of the concerns of our allies who fear that strong encryption technology would inhibit their law enforcement capabilities. At the same time, the Administration understands the benefits that encryption and related technologies can provide to users of computers and telecommunications networks. Indeed, many of the applications of the evolving National Information Infrastructure will require some form of encryption. That is why the Administration plans to work more closely with the private sector to develop new forms of encryption that can protect privacy and corporate secrets without undermining the ability of law-enforcement agencies to conduct legally authorized wiretaps. That is also why the Administration is committed to make available free of charge a Digital Signature Standard. The Administration believes that the steps being announced today will help provide Americans with the telecommunications security they need without compromising the capability of law enforcement agencies and national intelligence agencies. Today, any American can purchase and use any type of encryption product. The Administration does not intend to change that policy. Nor do we have any intention of restrictiog domestic encryption or mandating the use of a particular technology.

1 0

reno_key_escrow.statement
by Dan Brown 04 Feb '94

04 Feb '94

Department of Justice EMBARGOED FOR 3 P.M. RELEASE AG FRIDAY, FEBRUARY 4, 1994 (202) 616-2771 ATTORNEY GENERAL MAKES KEY ESCROW ENCRYPTION ANNOUNCEMENTS Attorney General Janet Reno today announced selection of the two U.S. Government entities that will hold the escrowed key components for encryption using the key escrow encryption method. At the same time, the Attorney General made public procedures under which encryption key components will be released to government agencies for decrypting communications subject to lawful wiretaps. Key Escrow Encryption (formerly referred to as Clipper Chip ) strikes an excellent balance between protection of communications privacy and protection of society. It permits the use in commercial telecommunications products of chips that provide extremely strong encryption, but can be decrypted, when necessary, by government agencies conducting legally authorized wiretaps. Decryption is accomplished by use of keys--80-bit binary numbers-- that are unique to each individual encryption chip. Each unique key is in turn split into two components, which must be recombined in order to decrypt communications. Knowing one component does not make decryption any more feasible than not knowing either one. The two escrow agents are the National Institute of Standards and Technology (NIST), a part of the Department of Commerce, and the Automated Systems Division of the Department of the Treasury. The two escrow agents were chosen because of their abilities to safeguard sensitive information, while at the same time being able to respond in a timely fashion when wiretaps encounter encrypted communications. In addition, NIST is responsible for establishing standards for protection of sensitive, unclassified information in Federal computer systems. The escrow agents will act under strict procedures, which are being made public today, that will ensure the security of the key components and govern their release for use in conjunction with lawful wiretaps. They will be responsible for holding the key components: for each chip, one agent will hold one of the key components, and the second agent will hold the other. Neither will release a key component, except to a government agency with a requirement to obtain it in connection with a lawfully authorized wiretap. The system does not change the rules under which government agencies are authorized to conduct wiretaps. When an authorized government agency encounters suspected key- escrow encryption, a written request will have to be submitted to the two escrow agents. The request will, among other things, have to identify the responsible agency and the individuals involved; certify that the agency is involved in a lawfully authorized wiretap; specify the wiretap's source of authorization and its duration; and specify the serial number of the key-escrow encryption chip being used. In every case, an attorney involved in the investigation will have to provide the escrow agents assurance that a validly authorized wiretap is being conducted. Upon receipt of a proper request, the escrow agents will transmit their respective key components to the appropriate agency. The components will be combined within a decrypt device, which only then will be able to decrypt communications protected by key- escrow encryption. When the wiretap authorization ends, the device s ability to decrypt communications using that particular chip will also be ended. The Department of Justice will, at the various stages of the process, take steps to monitor compliance with the procedures.

1 0