cypherpunks-legacy
Threads by month
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1998 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1997 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1996 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1995 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1994 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1993 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1992 -----
- December
- November
- October
- September
February 1994
- 11 participants
- 40 discussions
CyberWire Dispatch//Copyright (c) 1994
Jacking in from Another Brick in the Wall Port:
Washington, DC -- The White House is being heavily lobbied by law
enforcement agencies and national intelligence agencies to make the use of
the government designed Clipper Chip mandatory in telephones, fax machines
and cable systems, according to classified documents obtained by Dispatch.
When the Administration announced on February 4th that it was endorsing
the controversial Clipper Chip program, it asserted that any use of the
chip would be voluntary. But the White House carefully hedged its bet:
Buried deep in the background briefing papers that accompanied the
announcement was the Administration's official policy that U.S. citizens
weren't guaranteed any constitutional right to choose their own encryption
technologies.
Government officials have brushed aside concerns from civil liberties
groups and privacy advocates that sporadic adoption of Clipper would
eventually spawn a mandatory use policy. To try and forestall that,
however, the government has instituted a subtle coercion tactic: You can't
do business with Uncle Sam unless your products are "clipper equipped,"
according to National Institute for Standards and Technology Assistant
Deputy Director Raymond Kammer.
The Administration's desire for industry to sign-on as an early Clipper
"team player" was so overwhelming that it bribed AT&T into agreeing to
publicly support the idea, according to classified documents obtained by
Dispatch.
On the same day last April when Clipper was first unveiled, AT&T publicly
proclaimed it would be installing the chip in its encryption products. A
classified April 30, 1993 memo from the Assistant Secretary of Defense
says: "[T]he President has directed that the Attorney General request that
manufacturers of communications hardware use the trapdoor chip, and at
least AT&T has been reported willing to do so (having been suitably
incentivised by promises of Government purchases)."
The government says "incentivised" while prosecuting attorney's all over
the country say, "bribed." You make the call.
Take Your Privacy and Shove It
==============================
That same memo says the Clipper proposal is a "complex set of issues [that]
places the public's right to privacy in opposition to the public's desire
for safety." If "privacy prevails... criminals and spies... consequently
prosper," the memo says.
What's the answer to such freeflowing privacy? The memo says law
enforcement and national security agencies "propose that cryptography be
made available and required which contains a 'trapdoor' that would allow
law enforcement and national security officials, under proper supervision,
to decrypt enciphered communications." The operative word here is
"required."
Two Track Dialog
================
While Clinton's policy wonks wring their hands over such issues as
universal access to the National Information Infrastructure, law
enforcement and national security officials couldn't care less, frankly.
The Working Group on Privacy for the Information Infrastructure Task Force
was told in clean, cold language that the desire of law enforcement is to
"front load" the NII with "intercept technologies." Under the guise of "do
it now or we'll catch less bad guys."
It's all black or white to these guys. Other classified Dept. of Defense
documents chime on this debate: "This worthy goal (of building the NII) is
independent of arguments as to whether or not law enforcement and national
security officials will be able to read at will traffic passing along the
information superhighway."
This is not science fiction. The Clipper chip is like a cancer that has
eaten into the fabric of all levels of government, including the military.
Classified DoD documents state that a "full-scale public debate is needed
to ascertain the wishes of U.S. citizens with regard to their privacy, and
the impact on public safety of preserving privacy at the expense of
wiretapping and communications intercept capabilities of law enforcement
and national security personnel."
In other words, they don't think you know what you want. To them, it's a
kind of tradeoff, a twisted sort of privacy auction. What do you bid?
Your privacy for two drug lords, a former KGB spy and a pedophile. What's
the price? Your government wants to know. Honest.
The jury's still out, according to these classified documents: "It is not
clear what the public will decide."
But you can rest safely, the Pentagon does. Why? Again from a secret
memo: "In the meantime, DoD has trapdoor technology and the Government is
proceeding with development of the processes needed to apply that
technology in order to maintain the capability to perform licit intercept
of communications in support of law enforcement and national security."
Meeks out...
1
0
[From the NIST Computer Security Bulletin Board]
FEDERAL INFORMATION
PROCESSING STANDARDS PUBLICATION 185
1994 February 9
U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology
ESCROWED ENCRYPTION STANDARD
CATEGORY: TELECOMMUNICATIONS SECURITY
U.S. DEPARTMENT OF COMMERCE, Ronald H. Brown, Secretary
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY,
Arati Prabhakar, Director
Foreword
The Federal Information Processing Standards Publication Series of
the National Institute of Standards and Technology (NIST) is the
official series of publications relating to standards and
guidelines adopted and promulgated under the provisions of Section
111(d) of the Federal Property and Administrative Services Act of
1949 as amended by the Computer Security Act of 1987, Public Law
100-235. These mandates have given the Secretary of Commerce and
NIST important responsibilities for improving the utilization and
management of computer and related telecommunications systems in
the Federal Government. The NIST, through the Computer Systems
Laboratory, provides leadership, technical guidance, and
coordination of Government efforts in the development of standards
and guidelines in these areas.
Comments concerning Federal Information Processing Standards
Publications are welcomed and should be addressed to the Director,
Computer Systems Laboratory, National Institute of Standards and
Technology, Gaithersburg, MD 20899.
James H. Burrows, Director
Computer Systems Laboratory
Abstract
This standard specifies an encryption/decryption algorithm and a
Law Enforcement Access Field (LEAF) creation method which may be
implemented in electronic devices and used for protecting
government telecommunications when such protection is desired. The
algorithm and the LEAF creation method are classified and are
referenced, but not specified, in the standard. Electronic devices
implementing this standard may be designed into cryptographic
modules which are integrated into data security products and
systems for use in data security applications. The LEAF is used in
a key escrow system that provides for decryption of
telecommunications when access to the telecommunications is
lawfully authorized.
Key words: Cryptography, Federal Information Processing Standard,
encryption, key escrow system, security.
FIPS PUB 185
Federal Information
Processing Standards Publication 185
1994 February 9
Announcing the
Escrowed Encryption Standard (EES)
Federal Information Processing Standards Publications (FIPS PUBS)
are issued by the National Institute of Standards and Technology
(NIST) after approval by the Secretary of Commerce pursuant to
Section 111(d) of the Federal Property and Administrative Services
Act of 1949 as amended by the Computer Security Act of 1987, Public
Law 100-235.
Name of Standard: Escrowed Encryption Standard (EES).
Category of Standard: Telecommunications Security.
Explanation: This Standard specifies use of a symmetric-key
encryption (and decryption) algorithm (SKIPJACK) and a Law
Enforcement Access Field (LEAF) creation method (one part of a key
escrow system) which provides for decryption of encrypted
telecommunications when interception of the telecommunications is
lawfully authorized. Both the SKIPJACK algorithm and the LEAF
creation method are to be implemented in electronic devices (e.g.,
very large scale integration chips). The devices may be
incorporated in security equipment used to encrypt (and decrypt)
sensitive unclassified telecommunications data. Decryption of
lawfully intercepted telecommunications may be achieved through the
acquisition and use of the LEAF, the decryption algorithm and
the two escrowed key components.
One definition of "escrow" means that something (e.g., a document,
an encryption key) is "delivered to a third person to be given to
the grantee only upon the fulfillment of a condition" (Webster's
Seventh New Collegiate Dictionary). The term, "escrow", for
purposes of this standard, is restricted to this dictionary
definition.
A key escrow system, for purposes of this standard, is one that
entrusts the two components comprising a cryptographic key (e.g.,
a device unique key) to two key component holders (also called
"escrow agents"). In accordance with the above definition of
"escrow", the key component holders provide the components of a key
to a "grantee" (e.g., a law enforcement official) only upon
fulfillment of the condition that the grantee has properly
demonstrated legal authorization to conduct electronic surveillance
of telecommunications which are encrypted using the specific device
whose device unique key is being requested. The key components
obtained through this process are then used by the grantee to
reconstruct the device unique key and obtain the session key which
is then used to decrypt the telecommunications that are encrypted
with that session key.
The SKIPJACK encryption/decryption algorithm has been approved for
government applications requiring encryption of sensitive but
unclassified data telecommunications as defined herein. The
specific operations of the SKIPJACK algorithm and the LEAF creation
method are classified and hence are referenced, but not specified,
in this standard.
Data for purposes of this standard includes voice, facsimile and
computer information communicated in a telephone system. A
telephone system for purposes of this standard is limited to a
system which is circuit switched and operating at data rates of
standard commercial modems over analog voice circuits or which uses
basic-rate ISDN or a similar grade wireless service.
Data that is considered sensitive by a responsible authority should
be encrypted if it is vulnerable to unauthorized disclosure during
telecommunications. A risk analysis should be performed under the
direction of a responsible authority to determine potential threats
and risks. The costs of providing encryption using this standard
as well as alternative methods and their respective costs should be
projected. A responsible authority should then make a decision,
based on the risk and cost analyses, whether or not to use
encryption and then whether or not to use this standard.
Approving Authority: Secretary of Commerce.
Maintenance Agency: Department of Commerce, National Institute of
Standards and Technology.
Applicability: This standard is applicable to all Federal
departments and agencies and their contractors under the conditions
specified below. This standard may be used in designing and
implementing security products and systems, which Federal
departments and agencies use or operate or which are operated for
them under contract. These products may be used when replacing
Type II and Type III (DES) encryption devices and products owned by
the government and government contractors.
This standard may be used when the following conditions apply:
1. An authorized official or manager responsible for data
security or the security of a computer system decides that
encryption is required and cost justified as per OMB Circular A-
130; and
2. The data is not classified according to Executive Order
12356, entitled "National Security Information," or to its
successor orders, or to the Atomic Energy Act of 1954, as amended.
However, Federal departments or agencies which use encryption
devices for protecting data that is classified according to either
of these acts may use those devices also for protecting
unclassified data in lieu of this standard.
In addition, this standard may be adopted and used by non-Federal
Government organizations. Such use is encouraged when it provides
the desired security.
Applications: This standard may be used in any unclassified
government and commercial communications. Use of devices
conforming to this standard is voluntary for unclassified
government applications and for commercial security applications.
Implementations: The encryption/decryption algorithm and the LEAF
creation method shall be implemented in electronic devices (e.g.,
electronic chip packages) which are protected against unauthorized
entry, modification and reverse engineering. Implementations which
are tested and validated by NIST will be considered as complying
with this standard. An electronic device shall be incorporated
into a cryptographic module in accordance with FIPS 140-1. NIST
will test for conformance with FIPS 140-1. Conforming
cryptographic modules can then be integrated into security
equipment for sale and use in a security application. Information
about devices that have been validated, procedures for testing
equipment for conformance with NIST standards, and information
about approved security equipment are available from the Computer
Systems Laboratory, NIST, Gaithersburg, MD 20899.
Export Control: Implementations of this standard are subject to
Federal Government export controls as specified in Title 22, Code
of Federal Regulations, Parts 120 through 131 (International
Traffic of Arms Regulations - ITAR). Exporters of encryption
devices, equipment and technical data are advised to contact the
U.S. Department of State, Office of Defense Trade Controls for more
information.
Patents: Implementations of this standard may be covered by U.S.
and foreign patents.
Implementation Schedule: This standard becomes effective thirty
days following publication of this FIPS PUB.
Specifications: Federal Information Processing Standard (FIPS 185),
Escrowed Encryption Standard (EES) (affixed).
Cross Index:
a. FIPS PUB 46-2, Data Encryption Standard.
b. FIPS PUB 81, Modes of Operation of the DES
c. FIPS PUB 140-1, Security Requirements for Cryptographic
Modules.
GLOSSARY:
The following terms are used as defined below for purposes of this
standard:
Data - Unclassified voice, facsimile and computer information
communicated over a telephone system.
Decryption - Conversion of ciphertext to plaintext through the use
of a cryptographic algorithm.
Device (cryptographic) - An electronic implementation of the
encryption/decryption algorithm and the LEAF creation method as
specified in this standard.
Digital data - Data that have been converted to a binary
representation.
Encryption - Conversion of plaintext to ciphertext through the use
of a cryptographic algorithm.
Key components - The two values from which a key can be derived
(e.g., KU1 ~ KU2).
Key escrow - The processes of managing (e.g., generating, storing,
transferring, auditing) the two components of a cryptographic key
by two key component holders.
LEAF Creation Method - A part of a key escrow system that is
implemented in a cryptographic device and creates a Law Enforcement
Access Field.
Type I cryptography - A cryptographic algorithm or device approved
by the National Security Agency for protecting classified
information.
Type II cryptography - A cryptographic algorithm or device approved
by the National Security Agency for protecting sensitive
unclassified information in systems as specified in section 2315 of
Title 10 United States Code, or section 3502(2) of Title 44, United
States Code.
Type III cryptography - A cryptographic algorithm or device
approved as a Federal Information Processing Standard.
Type III(E) cryptography - A Type III algorithm or device that is
approved for export from the United States.
Qualifications: The protection provided by a security product or
system is dependent on several factors. The protection provided by
the SKIPJACK algorithm against key search attacks is greater than
that provided by the DES algorithm (e.g., the cryptographic key is
longer). However, provisions of this standard are intended to
ensure that information encrypted through use of devices
implementing this standard can be decrypted by a legally authorized
entity.
Where to Obtain Copies of the Standard: Copies of this publication
are for sale by the National Technical Information Service, U.S.
Department of Commerce, Springfield, VA 22161. When ordering,
refer to Federal Information Processing Standards Publication 185
(FIPS PUB 185), and identify the title. When microfiche is
desired, this should be specified. Prices are published by NTIS in
current catalogs and other issuances. Payment may be made by
check, money order, deposit account or charged to a credit card
accepted by NTIS.
Federal Information
Processing Standards Publication 185
1994 February 9
Specifications for the
ESCROWED ENCRYPTION STANDARD
1. INTRODUCTION
This publication specifies Escrowed Encryption Standard (EES)
functions and parameters.
2. GENERAL
This standard specifies use of the SKIPJACK cryptographic algorithm
and a LEAF Creation Method to be implemented in an approved
electronic device (e.g., a very large scale integration electronic
chip). The device is contained in a logical cryptographic module
which is then integrated in a security product for encrypting and
decrypting telecommunications.
Approved implementations may be procured by authorized
organizations for integration into security equipment. Devices
must be tested and validated by NIST for conformance to this
standard. Cryptographic modules must be tested and validated by
NIST for conformance to FIPS 140-1.
3. ALGORITHM SPECIFICATIONS
The specifications of the encryption/decryption algorithm
(SKIPJACK) and LEAF Creation Method 1 (LCM-1) are classified. The
National Security Agency maintains these classified specifications
and approves the manufacture of devices which implement the
specifications. NIST tests for conformance of the devices
implementing this standard in cryptographic modules to FIPS 140-1
and FIPS 81.
4. FUNCTIONS AND PARAMETERS
4.1 FUNCTIONS
The following functions, at a minimum, shall be implemented:
1. Data Encryption: A session key (80 bits) shall be used to
encrypt plaintext information in one or more of the following modes
of operation as specified in FIPS 81: ECB, CBC, OFB (64), CFB (1,
8, 16, 32, 64).
2. Data Decryption: The session key (80 bits) used to
encrypt the data shall be used to decrypt resulting ciphertext to
obtain the data .
3. LEAF Creation: A Family Key (e.g., KF-1) shall be used to
create a Law Enforcement Access Field (LEAF) in accordance with a
LEAF Creation Method (e.g., LCM-1). The security equipment shall
ensure that the LEAF is transmitted in such a manner that the LEAF
and ciphertext may be decrypted with legal authorization. No
additional encryption or modification of the LEAF is permitted.
4.2 PARAMETERS
The following parameters shall be used in performing the
prescribed functions:
1. Device Unique Identifier (UID): The identifier unique to
a particular device and used by the Key Escrow System.
2. Device Unique Key (KU): The cryptographic key unique to
a particular device and used by the Key Escrow System.
3. Cryptographic Protocol Field (CPF): The field identifying
the registered cryptographic protocol used by a particular
application and used by the Key Escrow System (reserved for future
specification and use).
4. Escrow Authenticator (EA): A binary pattern that is
inserted in the LEAF to ensure that the LEAF is transmitted and
received properly and has not been modified, deleted or replaced in
an unauthorized manner.
5. Initialization Vector (IV): A mode and application
dependent vector of bytes used to initialize, synchronize and
verify the encryption, decryption and key escrow functions.
6. Family Key (KF): The cryptographic key stored in all
devices designated as a family that is used to create a LEAF.
7. Session Key (KS): The cryptographic key used by a device
to encrypt and decrypt data during a session.
8. Law Enforcement Access Field (LEAF): The field
containing the encrypted session key and the device identifier and
the escrow authenticator.
5. IMPLEMENTATION
The Cryptographic Algorithm (i.e., SKIPJACK) and a LEAF Creation
Method (e.g., LCM-1) shall be implemented in an electronic device
(e.g., VLSI chip) which is highly resistant to reverse engineering
(destructive or non-destructive) to obtain or modify the
cryptographic algorithm, the UID, the KF, the KU, the EA, the CPF,
the operational KS, and any other security or Key Escrow System
relevant information. The device shall be able to be
programmed/personalized (i.e., made unique) after mass production
in such a manner that the UID, KU (or its components), KF (or its
components) and EA fixed pattern can be entered once (and only
once) and maintained without external electrical power.
The LEAF and the IV shall be transmitted with the ciphertext. The
specifics of the protocols used to create and transmit the LEAF,
IV, and encrypted data shall be registered and a CPF assigned. The
CPF (and the KF-ID, LCM-ID) shall then be transmitted in
accordance with the registered specifications.
Various devices implementing this standard are anticipated. The
implementation may vary with the application. The specific
electric, physical and logical interface will vary with the
implementation. Each approved, registered implementation shall
have an unclassified electrical, physical and logical interface
specification sufficient for an equipment manufacturer to
understand the general requirements for using the device. Some of
the requirements may be classified and therefore would not be
specified in the unclassified interface specification.
The device Unique Key shall be composed of two components (each a
minimum of 80 bits long) and each component shall be independently
generated and stored by an escrow agent. The session key used to
encrypt transmitted information shall be the same as the session
key used to decrypt received information in a two-way simultaneous
communication. The Lead Creation Method (LCM), the Cryptographic
Protocol Field (CPF), and the Family Key Identifier (KF-ID) shall
be registered in the NIST Computer Security Object Register.
This standard is not an interoperability standard. It does not
provide sufficient information to design and implement a security
device or equipment. Other specifications and standards will be
required to assure interoperability of EES devices in various
applications. Specifications of a particular EES device must be
obtained from the manufacturer.
The specifications for the SKIPJACK algorithm are contained in the
R21 Informal Technical Report entitled "SKIPJACK" (S), R21-TECH-
044-91, May 21, 1991. The specifications for LEAF Creation Method
1 are contained in the R21 Informal Technical Report entitled "Law
Enforcement Access Field for the Key Escrow Microcircuit" (S).
Organizations holding an appropriate security clearance and
entering into a Memorandum of Agreement with the National Security
Agency regarding implementation of the standard will be provided
access to the classified specifications. Inquiries may be made
regarding the Technical Reports and this program to Director,
National Security Agency, Fort George G. Meade, MD 20755-6000,
ATTN: R21.
--
Stanton McCandlish * mech(a)eff.org * Electronic Frontier Found. OnlineActivist
F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G
O P E N P L A T F O R M O N L I N E R I G H T S
V I R T U A L C U L T U R E C R Y P T O
1
0
[From the NIST Computer Security Bulletin Board]
(EMBARGOED FOR RELEASE: 3:00 P.M., Friday, Feb. 4, 1994)
Fact Sheet
NIST Cryptography Activities
Escrowed Encryption Standard
On April 16, 1993, the White House announced that the President
approved a directive on "Public Encryption Management." Among
other items, the President directed the Secretary of Commerce, in
consultation with other appropriate U.S. agencies, to initiate a
process to write standards to facilitate the procurement and use of
encryption devices fitted with key-escrow microcircuits in federal
communications systems that process sensitive but unclassified
information.
In response to the President's directive, on July 30, 1993, the
Department of Commerce's National Institute of Standards and
Technology (NIST) announced the voluntary Escrowed Encryption
Standard (EES) as a draft Federal Information Processing Standard
(FIPS) for public comment. The FIPS would enable federal agencies
to procure escrowed encryption technology when it meets their
requirements; the standard is not to be mandatory for either
federal agency or private sector use.
During the public review of the draft standard, a group of
independent cryptographers were provided the opportunity to examine
the strength of the classified cryptographic algorithm upon which
the EES is based. They found that the algorithm provides
significant protection and that it will be 36 years until the cost
of breaking the EES algorithm will be equal to the cost of breaking
the current Data Encryption Standard. They also found that there
is no significant risk that the algorithm can be broken through a
shortcut method of attack.
Public comments were received by NIST on a wide range of issues
relevant to the EES. The written comments submitted by interested
parties and other information available to the Department relevant
to this standard were reviewed by NIST. Nearly all of the comments
received from industry and individuals opposed the adoption of the
standard. However, many of those comments reflected
misunderstanding or skepticism about the Administration's
statements that the EES would be a voluntary standard. The
Administration has restated that the EES will be a strictly
voluntary standard available for use as needed to provide more
secure telecommunications. The standard was found to be
technically sound and to meet federal agency requirements. NIST
made technical and editorial changes and recommended the standard
for approval by the Secretary of Commerce. The Secretary now has
approved the EES as a FIPS voluntary standard.
In a separate action, the Attorney General has now announced that
NIST has been selected as one of the two trusted agents who will
safeguard components of the escrowed keys.Digital Signature Standard
In 1991, NIST proposed a draft digital signature standard as a
federal standard for publiccomment. Comments were received by NIST
on both technical and patent issues. NIST has reviewed the
technical comments and made appropriate changes to the draft.
In order to resolve the patent issues, on June 3, 1993, NIST
proposed a cross-licensing arrangement for a "Digital Signature
Algorithm" for which NIST has received a patent application. The
algorithm forms the basis of the proposed digital signature
standard. Extensive public comments were received on the
proposed arrangement, many of them negative and indicating the need
for royalty-free availability of the algorithm. The
Administration has now concluded that a royalty-free
digital signature technique is necessary in order to promote
widespread use of this important information security technique.
NIST is continuing negotiations with the aim of obtaining a
digital signature standard with royalty-free use worldwide. NIST
also will pursue other technical and legal options to attain that
goal.
Cooperation with Industry
During the government's review of cryptographic policies and
regulations, NIST requested assistance from the Computer System
Security and Privacy Advisory Board to obtain public
input on a wide range of cryptographic-related issues, including
the key escrow encryption proposal, legal and Constitutional
issues, social and public policy issues, privacy, vendor and
business perspectives, and users' perspectives. The Board held
five days of public meetings. Comments obtained by the Board were
useful during the government's review of these
issues. In addition, NIST met directly with many industry and
public interest organizations, including those on the Digital
Privacy and Security Working Group and the Electronic
Frontier Foundation.
As directed by the President when the key escrow encryption
initiative was announced, the government continues to be open to
other approaches to key escrowing. On August 24,
1993, NIST also announced the opportunity to join a Cooperative
Research and Development Agreement (CRADA) to develop secure
software encryption with integrated cryptographic key escrowing
techniques. Three industry participants have expressed their
interest to NIST in this effort; however, the government still
seeks fuller participation from the commercial software industry.
NIST now is announcing an opportunity for industry to join in a
CRADA to develop improved and alternative hardware technologies
that contain key escrow encryption capabilities.
Additionally, the Administration has decided to strengthen NIST's
cryptographic capabilities in order to better meet the needs of
U.S. industry and federal agencies.
2/4/94
--
Stanton McCandlish * mech(a)eff.org * Electronic Frontier Found. OnlineActivist
F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G
O P E N P L A T F O R M O N L I N E R I G H T S
V I R T U A L C U L T U R E C R Y P T O
1
0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-Copyright 1993,4 Wired USA Ltd. All Rights Reserved=-=-=-=-=-=
-=-=For complete copyright information, please see the end of this file=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
WIRED 2.04
Electrosphere
*************
Jackboots on the Infobahn
^^^^^^^^^^^^^^^^^^^^^^^^^
Clipper is a last ditch attempt by the United States, the last great power
from the old Industrial Era, to establish imperial control over cyberspace.
By John Perry Barlow
[Note: The following article will appear in the April 1994 issue of WIRED.
We, the editors of WIRED, are net-casting it now in its pre-published form
as a public service. Because of the vital and urgent nature of its message,
we believe readers on the Net should hear and take action now. You are free
to pass this article on electronically; in fact we urge you to replicate it
throughout the net with our blessings. If you do, please keep the copyright
statements and this note intact. For a complete listing of Clipper-related
resources available through WIRED Online, send email to <infobot(a)wired.com>
with the following message: "send clipper.index". - The Editors of WIRED]
On January 11, I managed to schmooze myself aboard Air Force 2. It was
flying out of LA, where its principal passenger had just outlined his
vision of the information superhighway to a suited mob of television, show-
biz, and cable types who fervently hoped to own it one day - if they could
ever figure out what the hell it was.
>From the standpoint of the Electronic Frontier Foundation the speech had
been wildly encouraging. The administration's program, as announced by Vice
President Al Gore, incorporated many of the concepts of open competition,
universal access, and deregulated common carriage that we'd been pushing
for the previous year.
But he had said nothing about the future of privacy, except to cite among
the bounties of the NII its ability to "help law enforcement agencies
thwart criminals and terrorists who might use advanced telecommunications
to commit crimes."
On the plane I asked Gore what this implied about administration policy on
cryptography. He became as noncommittal as a cigar-store Indian. "We'll be
making some announcements.... I can't tell you anything more." He hurried
to the front of the plane, leaving me to troubled speculation.
Despite its fundamental role in assuring privacy, transaction security, and
reliable identity within the NII, the Clinton administration has not
demonstrated an enlightenment about cryptography up to par with the rest of
its digital vision.
The Clipper Chip - which threatens to be either the goofiest waste of
federal dollars since President Gerald Ford's great Swine Flu program or,
if actually deployed, a surveillance technology of profound malignancy -
seemed at first an ugly legacy of the Reagan-Bush modus operandi. "This is
going to be our Bay of Pigs," one Clinton White House official told me at
the time Clipper was introduced, referring to the disastrous plan to invade
Cuba that Kennedy inherited from Eisenhower.
(Clipper, in case you're just tuning in, is an encryption chip that the
National Security Agency and FBI hope will someday be in every phone and
computer in America. It scrambles your communications, making them
unintelligible to all but their intended recipients. All, that is, but the
government, which would hold the "key" to your chip. The key would
separated into two pieces, held in escrow, and joined with the appropriate
"legal authority.")
Of course, trusting the government with your privacy is like having a
Peeping Tom install your window blinds. And, since the folks I've met in
this White House seem like extremely smart, conscious freedom-lovers -
hell, a lot of them are Deadheads - I was sure that after they were fully
moved in, they'd face down the National Security Agency and the FBI, let
Clipper die a natural death, and lower the export embargo on reliable
encryption products.
Furthermore, the National Institutes of Standards and Technology and the
National Security Council have been studying both Clipper and export
embargoes since April. Given that the volumes of expert testimony they had
collected overwhelmingly opposed both, I expected the final report would
give the administration all the support it needed to do the right thing.
I was wrong. Instead, there would be no report. Apparently, they couldn't
draft one that supported, on the evidence, what they had decided to do
instead.
THE OTHER SHOE DROPS
On Friday, February 4, the other jackboot dropped. A series of
announcements from the administration made it clear that cryptography would
become their very own "Bosnia of telecommunications" (as one staffer put
it). It wasn't just that the old Serbs in the National Security Agency and
the FBI were still making the calls. The alarming new reality was that the
invertebrates in the White House were only too happy to abide by them.
Anything to avoid appearing soft on drugs or terrorism.
So, rather than ditching Clipper, they declared it a Federal Data
Processing Standard, backing that up with an immediate government order for
50,000 Clipper devices. They appointed the National Institutes of Standards
and Technology and the Department of Treasury as the "trusted" third
parties that would hold the Clipper key pairs. (Treasury, by the way, is
also home to such trustworthy agencies as the Secret Service and the Bureau
of Alcohol, Tobacco, and Firearms.)
They reaffirmed the export embargo on robust encryption products, admitting
for the first time that its purpose was to stifle competition to Clipper.
And they outlined a very porous set of requirements under which the cops
might get the keys to your chip. (They would not go into the procedure by
which the National Security Agency could get them, though they assured us
it was sufficient.)
They even signaled the impending return of the dread Digital Telephony, an
FBI legislative initiative requiring fundamental reengineering of the
information infrastructure; providing wiretapping ability to the FBI would
then become the paramount design priority.
INVASION OF THE BODY SNATCHERS
Actually, by the time the announcements thudded down, I wasn't surprised by
them. I had spent several days the previous week in and around the White
House.
I felt like I was in another remake of The Invasion of the Body Snatchers.
My friends in the administration had been transformed. They'd been subsumed
by the vast mindfield on the other side of the security clearance membrane,
where dwell the monstrous bureaucratic organisms that feed on fear. They'd
been infected by the institutionally paranoid National Security Agency's
Weltanschauung.
They used all the telltale phrases. Mike Nelson, the White House point man
on the NII, told me, "If only I could tell you what I know, you'd feel the
same way I do." I told him I'd been inoculated against that argument during
Vietnam. (And it does seem to me that if you're going to initiate a
process that might end freedom in America, you probably need an argument
that isn't classified.)
Besides, how does he know what he knows? Where does he get his information?
Why, the National Security Agency, of course. Which, given its strong
interest in the outcome, seems hardly an unimpeachable source.
However they reached it, Clinton and Gore have an astonishingly simple
bottom line, to which even the future of American liberty and prosperity is
secondary: They believe that it is their responsibility to eliminate, by
whatever means, the possibility that some terrorist might get a nuke and
use it on, say, the World Trade Center. They have been convinced that such
plots are more likely to ripen to hideous fruition behind a shield of
encryption.
The staffers I talked to were unmoved by the argument that anyone smart
enough to steal a nuclear device is probably smart enough to use PGP or
some other uncompromised crypto standard. And never mind that the last
people who popped a hooter in the World Trade Center were able to get it
there without using any cryptography and while under FBI surveillance.
We are dealing with religion here. Though only ten American lives have been
lost to terrorism in the last two years, the primacy of this threat has
become as much an article of faith with these guys as the Catholic
conviction that human life begins at conception or the Mormon belief that
the Lost Tribe of Israel crossed the Atlantic in submarines.
In the spirit of openness and compromise, they invited the Electronic
Frontier Foundation to submit other solutions to the "problem" of the
nuclear-enabled terrorist than key escrow devices, but they would not admit
into discussion the argument that such a threat might, in fact, be some
kind of phantasm created by the spooks to ensure their lavish budgets into
the post-Cold War era.
As to the possibility that good old-fashioned investigative techniques
might be more valuable in preventing their show-case catastrophe (as it was
after the fact in finding the alleged perpetrators of the last attack on
the World Trade Center), they just hunkered down and said that when
wiretaps were necessary, they were damned well necessary.
When I asked about the business that American companies lose because of
their inability to export good encryption products, one staffer essentially
dismissed the market, saying that total world trade in crypto goods was
still less than a billion dollars. (Well, right. Thanks more to the
diligent efforts of the National Security Agency than to dim sales
potential.)
I suggested that a more immediate and costly real-world effect of their
policies would be to reduce national security by isolating American
commerce, owing to a lack of international confidence in the security of
our data lines. I said that Bruce Sterling's fictional data-enclaves in
places like the Turks and Caicos Islands were starting to look real-world
inevitable.
They had a couple of answers to this, one unsatisfying and the other scary.
The unsatisfying answer was that the international banking community could
just go on using DES, which still seemed robust enough to them. (DES is the
old federal Data Encryption Standard, thought by most cryptologists to be
nearing the end of its credibility.)
More frightening was their willingness to counter the data-enclave future
with one in which no data channels anywhere would be secure from
examination by one government or another. Pointing to unnamed other
countries that were developing their own mandatory standards and
restrictions regarding cryptography, they said words to the effect of,
"Hey, it's not like you can't outlaw the stuff. Look at France."
Of course, they have also said repeatedly - and for now I believe them -
that they have absolutely no plans to outlaw non-Clipper crypto in the US.
But that doesn't mean that such plans wouldn't develop in the presence of
some pending "emergency." Then there is that White House briefing
document, issued at the time Clipper was first announced, which asserts
that no US citizen "as a matter of right, is entitled to an unbreakable
commercial encryption product."
Now why, if it's an ability they have no intention of contesting, do they
feel compelled to declare that it's not a right? Could it be that they are
preparing us for the laws they'll pass after some bearded fanatic has
gotten himself a surplus nuke and used something besides Clipper to
conceal his plans for it?
If they are thinking about such an eventuality, we should be doing so as
well. How will we respond? I believe there is a strong, though currently
untested, argument that outlawing unregulated crypto would violate the
First Amendment, which surely protects the manner of our speech as clearly
as it protects the content.
But of course the First Amendment is, like the rest of the Constitution,
only as good as the government's willingness to uphold it. And they are, as
I say, in the mood to protect our safety over our liberty.
This is not a mind-frame against which any argument is going to be very
effective. And it appeared that they had already heard and rejected every
argument I could possibly offer.
In fact, when I drew what I thought was an original comparison between
their stand against naturally proliferating crypto and the folly of King
Canute (who placed his throne on the beach and commanded the tide to leave
him dry), my government opposition looked pained and said he had heard
that one almost as often as jokes about roadkill on the information
superhighway.
I hate to go to war with them. War is always nastier among friends.
Furthermore, unless they've decided to let the National Security Agency
design the rest of the National Information Infrastructure as well, we need
to go on working closely with them on the whole range of issues like
access, competition, workplace privacy, common carriage, intellectual
property, and such. Besides, the proliferation of strong crypto will
probably happen eventually no matter what they do.
But then again, it might not. In which case we could shortly find ourselves
under a government that would have the automated ability to log the time,
origin and recipient of every call we made, could track our physical
whereabouts continuously, could keep better account of our financial
transactions than we do, and all without a warrant. Talk about crime
prevention!
Worse, under some vaguely defined and surely mutable "legal authority,"
they also would be able to listen to our calls and read our e-mail without
having to do any backyard rewiring. They wouldn't need any permission at
all to monitor overseas calls.
If there's going to be a fight, I'd rather it be with this government than
the one we'd likely face on that hard day.
Hey, I've never been a paranoid before. It's always seemed to me that most
governments are too incompetent to keep a good plot strung together all the
way from coffee break to quitting time. But I am now very nervous about the
government of the United States of America.
Because Bill 'n' Al, whatever their other new-paradigm virtues, have
allowed the very old-paradigm trogs of the Guardian Class to define as
their highest duty the defense of America against an enemy that exists
primarily in the imagination - and is therefore capable of anything.
To assure absolute safety against such an enemy, there is no limit to the
liberties we will eventually be asked to sacrifice. And, with a Clipper
Chip in every phone, there will certainly be no technical limit on their
ability to enforce those sacrifices.
WHAT YOU CAN DO
GET CONGRESS TO LIFT THE CRYPTO EMBARGO
The administration is trying to impose Clipper on us by manipulating market
forces. By purchasing massive numbers of Clipper devices, they intend to
induce an economy of scale which will make them cheap while the export
embargo renders all competition either expensive or nonexistent.
We have to use the market to fight back. While it's unlikely that they'll
back down on Clipper deployment, the Electronic Frontier Foundation
believes that with sufficient public involvement, we can get Congress to
eliminate the export embargo.
Rep. Maria Cantwell, D-Washington, has a bill (H.R. 3627) before the
Economic Policy, Trade, and Environment Subcommittee of the House Committee
on Foreign Affairs that would do exactly that. She will need a lot of help
from the public. They may not care much about your privacy in DC, but they
still care about your vote.
Please signal your support of H.R. 3627, either by writing her directly or
e-mailing her at cantwell(a)eff.org. Messages sent to that address will be
printed out and delivered to her office. In the subject header of your
message, please include the words "support HR 3627." In the body of your
message, express your reasons for supporting the bill. You may also express
your sentiments to Rep. Lee Hamilton, D-Indiana, the House Committee on
Foreign Affairs chair, by e-mailing hamilton(a)eff.org.
Furthermore, since there is nothing quite as powerful as a letter from a
constituent, you should check the following list of subcommittee and
committee members to see if your congressional representative is among
them. If so, please copy them your letter to Rep. Cantwell.
> Economic Policy, Trade, and Environment Subcommittee:
Democrats: Sam Gejdenson (Chair), D-Connecticut; James Oberstar, D-
Minnesota; Cynthia McKinney, D-Georgia; Maria Cantwell, D-Washington; Eric
Fingerhut, D-Ohio; Albert R. Wynn, D-Maryland; Harry Johnston, D-Florida;
Eliot Engel, D-New York; Charles Schumer, D-New York.
Republicans: Toby Roth (ranking), R-Wisconsin; Donald Manzullo, R-Illinois;
Doug Bereuter, R-Nebraska; Jan Meyers, R-Kansas; Cass Ballenger, R-North
Carolina; Dana Rohrabacher, R-California.
> House Committee on Foreign Affairs:
Democrats: Lee Hamilton (Chair), D-Indiana; Tom Lantos, D-California;
Robert Torricelli, D-New Jersey; Howard Berman, D-California; Gary
Ackerman, D-New York; Eni Faleomavaega, D-Somoa; Matthew Martinez, D-
California; Robert Borski, D-Pennsylvania; Donal Payne, D-New Jersey;
Robert Andrews, D-New Jersey; Robert Menendez, D-New Jersey; Sherrod Brown,
D-Ohio; Alcee Hastings, D-Florida; Peter Deutsch, D-Florida; Don Edwards,
D-California; Frank McCloskey, D-Indiana; Thomas Sawyer, D-Ohio; Luis
Gutierrez, D-Illinois.
Republicans: Benjamin Gilman (ranking), R-New York; William Goodling, R-
Pennsylvania; Jim Leach, R-Iowa; Olympia Snowe, R-Maine; Henry Hyde, R-
Illinois; Christopher Smith, R-New Jersey; Dan Burton, R-Indiana; Elton
Gallegly, R-California; Ileana Ros-Lehtinen, R-Florida; David Levy, R-New
York; Lincoln Diaz-Balart, R-Florida; Ed Royce, R-California.
BOYCOTT CLIPPER DEVICES AND THE COMPANIES WHICH MAKE THEM.
Don't buy anything with a Clipper Chip in it. Don't buy any product from a
company that manufactures devices with Big Brother inside. It is likely
that the government will ask you to use Clipper for communications with the
IRS or when doing business with federal agencies. They cannot, as yet,
require you to do so. Just say no.
LEARN ABOUT ENCRYPTION AND EXPLAIN THE ISSUES TO YOUR UNWIRED FRIENDS
The administration is banking on the likelihood that this stuff is too
technically obscure to agitate anyone but nerds like us. Prove them wrong
by patiently explaining what's going on to all the people you know who have
never touched a computer and glaze over at the mention of words like
"cryptography."
Maybe you glaze over yourself. Don't. It's not that hard. For some hands-on
experience, download a copy of PGP - Pretty Good Privacy - a shareware
encryption engine which uses the robust RSA encryption algorithm. And learn
to use it.
GET YOUR COMPANY TO THINK ABOUT EMBEDDING REAL CRYPTOGRAPHY IN ITS PRODUCTS
If you work for a company that makes software, computer hardware, or any
kind of communications device, work from within to get them to incorporate
RSA or some other strong encryption scheme into their products. If they say
that they are afraid to violate the export embargo, ask them to consider
manufacturing such products overseas and importing them back into the
United States. There appears to be no law against that. Yet.
You might also lobby your company to join the Digital Privacy and Security
Working Group, a coalition of companies and public interest groups -
including IBM, Apple, Sun, Microsoft, and, interestingly, Clipper phone
manufacturer AT&T - that is working to get the embargo lifted.
ENLIST!
Self-serving as it sounds coming from me, you can do a lot to help by
becoming a member of one of these organizations. In addition to giving you
access to the latest information on this subject, every additional member
strengthens our credibility with Congress.
> Join the Electronic Frontier Foundation by writing membership(a)eff.org.
> Join Computer Professionals for Social Responsibility by e-mailing
cpsr.info@cpsr
.org. CPSR is also organizing a protest, to which you can lend your support
by sending e-mail to clipper.petition(a)cpsr.org with "I oppose Clipper" in
the message body. Ftp/gopher/WAIS to cpsr.org /cpsr/privacy/
crypto/clipper for more info.
In his LA speech, Gore called the development of the NII "a revolution."
And it is a revolutionary war we are engaged in here. Clipper is a last
ditch attempt by the United States, the last great power from the old
Industrial Era, to establish imperial control over cyberspace. If they
win, the most liberating development in the history of humankind could
become, instead, the surveillance system which will monitor our
grandchildren's morality. We can be better ancestors than that.
San Francisco, California
Wednesday, February 9, 1994
* * *
John Perry Barlow (barlow(a)eff.org) is co-founder and Vice-Chairman of the
Electronic Frontier Foundation, a group which defends liberty, both in
Cyberspace and the Physical World. He has three daughters.
=-=-=-=-=-=-=-=-=-=-=-=WIRED Online Copyright Notice=-=-=-=-=-=-=-=-=-=-=-=
Copyright 1993,4 Wired USA Ltd. All rights reserved.
This article may be redistributed provided that the article and this
notice remain intact. This article may not under any circumstances
be resold or redistributed for compensation of any kind without prior
written permission from Wired Ventures, Ltd.
If you have any questions about these terms, or would like information
about licensing materials from WIRED Online, please contact us via
telephone (+1 (415) 904 0660) or email (info(a)wired.com)
WIRED and WIRED Online are trademarks of Wired Ventures, Ltd.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1
0
Following are Representative Maria Cantwell's remarks to the House of
Representatives when she introduced H.R. 3627, Legislation to Amend the
Export Administration Act of 1979. Her synopsis of the bill appears at the
end. These remarks appeared in the Congressional Record on November 24,
1993, at Volume 139, Page 3110.
Please write to Rep. Cantwell today at cantwell(a)eff.org letting her know
you support her bill. In the Subject header of your message, type "I
support HR 3627." In the body of your message, express your reasons for
supporting the bill. EFF will deliver printouts of all letters to Rep.
Cantwell. With a strong showing of support from the Net community, Rep.
Cantwell can tell her colleagues on Capitol Hill that encryption is not
only an industry concern, but also a grassroots issue. *Again: remember to
put "I support HR 3627" in your Subject header.*
The text of the Cantwell bill can be found with the any of the following
URLs (Universal Resource Locaters):
ftp://ftp.eff.org/pub/Policy/Legislation/cantwell.bill
http://www.eff.org/ftp/EFF/Policy/Legislation/cantwell.bill
gopher://gopher.eff.org/00/EFF/legislation/cantwell.bill
**********************************************************************
Mr. Speaker, I am today introducing legislation to amend the Export
Administration Act of 1979 to liberalize export controls on software with
encryption capabilities.
A vital American industry is directly threatened by unilateral U.S.
Government export controls which prevent our companies from meeting
worldwide user demand for software that includes encryption capabilities to
protect computer data against unauthorized disclosure, theft, or
alteration.
The legislation I am introducing today is needed to ensure that
American companies do not lose critical international markets to foreign
competitors that operate without significant export restrictions. Without
this legislation, American software companies, some of America's star
economic performers, have estimated they stand to lose between $6 and $9
billion in revenue each year. American hardware companies are already
losing hundreds of millions of dollars in lost computer system sales
because increasingly sales are dependent on the ability of a U.S. firm to
offer encryption as a feature of an integrated customer solution involving
hardware, software, and services.
The United States' export control system is broken. It was designed
as a tool of the cold-war, to help fight against enemies that no longer
exist. The myriad of Federal agencies responsible for controlling the flow
of exports from our country must have a new charter, recognizing today's
realities.
Next year, the House Foreign Affairs Subcommittee of Economic
Policy, Trade and the Environment, of which I am a member, will be marking
up legislation to overhaul the Export Administration Act. It is my hope
that the legislation I introduce today will be included in the final Export
Administration Act rewrite.
This legislation takes some important steps to resolve a serious
problem facing some of our most dynamic industries. It would give the
Secretary of Commerce exclusive authority over dual use information
security programs and products, eliminates the requirement for export
licenses for generally available software with encryption capabilities, and
requires the Secretary to grant such validated licenses for exports of
other software with encryption capabilities to any country to which we
already approve exports for foreign financial institutions.
The importance of this legislation cannot be overstated. America's
computer software and hardware companies, including such well-known
companies as Apple, DEC, Hewlett-Packard, IBM, Lotus, Microsoft, Novell,
and WordPerfect, have been among the country's most internationally
competitive firms earning more than one-half of their revenues from
exports.
The success of American software and hardware companies overseas is
particularly dramatic and the importance of foreign markets is growing.
Currently, American software companies hold a 75 percent worldwide market
share and many derive over 50 percent of their revenues from foreign sales.
American computer hardware manufacturers earn more than 60 percent of their
revenues from exports.
As my colleagues are well-aware, we are participants in a new
information age that is quickly transforming local and national
marketplaces and creating new international marketplaces where none
previously existed. President Clinton and Vice President Gore have both
spent considerable time explaining their vision of the National Information
Infrastructure that is essential to our continued economic growth.
Part of that infrastructure is already in place. International
business transactions that just a few years ago took days or weeks or
months to complete can now be accomplished in minutes.
Driving this marketplace transformation is the personal computer.
And, at the heart of every personal computer is computer software. Even the
most computer illiterate of us recognize that during the past decade,
computer prices have dropped dramatically while computer capabilities have
increased exponentially. That combination has made it possible to exchange
information and conduct business at a scale that was considered science
fiction only a few years ago.
Indeed, we all now rely on computer networks to conduct business
and exchange information. Whether it be the electronic mail or "e-mail"
system that we all now use in our congressional offices or the automated
teller system relied on to conduct our personal financial affairs, we rely
on computer networks of information.
In the future, individuals will use information technologies to
conduct virtually any of the routine transactions that they do today in
person, over the telephone, and through paper files. From personal
computers at home, in schools, and in public libraries, they will access
books, magazine articles, videos, and multimedia resources on any topic
they want. People will use computer networks to locate and access
information about virtually any subject imaginable, such as background on
the candidates in local political races, information on job opportunities
in distant cities, the weather in the city or country they will be visiting
on their vacation, and the highlights of specific sports events.
Consumers will use their computers and smart televisions to shop
and pay for everything from clothing and household goods to airline
tickets, insurance, and all types of on-line services. Electronic records
of the items they purchase and their credit histories will be easy to
compile and maintain.
Individuals will access home health programs from their personal
computers for instant advice on medical questions, including mental health
problems, information about the symptoms of AIDS, and a variety of personal
concerns that they would not want other family members, or their neighbors
and employers to know about. They will renew their prescriptions and obtain
copies of their lab results electronically.
The U.S. economy is becoming increasingly reliant on this
information network. While we may not often think about these networks,
they now affect every facet of our professional, business, and personal
lives. They are present when we make an airline reservation; when we use a
credit card to make a purchase; or when we visit a doctor who relies on a
computer network to store our medical information or to assist in making a
diagnosis. These networks contain information concerning every facet of our
lives.
For businesses, the reliance on information security is even
greater. While businesses rely on the same commercial use networks that
individual consumers use, in addition, businesses are now transmitting
information across national and international borders with the same ease
that the information was once transmitted between floors of the same office
building.
While all of this information exchange brings with it increased
efficiencies and lower operating costs, it has also brought with it the
need to protect the information from improper use and tampering.
Information security is quickly becoming a top priority for businesses that
rely on computer networks to conduct business. According to a recent survey
of Fortune 500 companies conducted for the Business Software Alliance, 90
percent of the participants said that information security was important to
their operations. Indeed, almost half of the Fortune 500 companies surveyed
recently stated that data encryption was important to protect their
information. One third of those companies said they look for encryption
capabilities when buying software.
The challenge for information security can be met by America's
computer companies. American companies are deeply involved in efforts to
ensure that the information transmitted on computer networks is secure.
Numerous companies have developed and are developing software products with
encryption capabilities that can ensure that transmitted information is
received only by the intended user and that it is received in an unaltered
form. Those encryption capabilities are based on mathematical formulas or
logarithms of such a size that makes it almost impossible to corrupt data
sources or intercept information being transmitted.
I wish I could stand here today and tell my colleagues that U.S.
export control laws were working and encryption technology was only
available to American software companies.
However, this is not the case. Sophisticated encryption technology
has been available as a published public standard for over a decade and
many private sources, both domestic and foreign, have developed encryption
technology that they are marketing to customers today. It is an industry
where commercial competition is fierce and success will go to the swift.
Software is being developed and manufactured with encryption
capabilities for the simple reason that software customers are demanding
it. Computer users recognize the vulnerability of our information systems
to corruption and improper use and are insisting on protection. That
protection will be purchased or obtained from American companies or from
foreign software companies. The choice is not whether the protection will
be obtained, but from which company.
Incredible as it may seem to most of my colleagues, the Executive
Branch has seen fit to regulate exports of American computer software with
encryption capabilities -- that is, the same software that is available
across the counter at your local Egghead or Computerland software store --
munitions and thereby substantially prohibit its export to foreign
customers. This policy, which has all the practical effect of shutting the
barn door after the horses have left in preventing access to software with
encryption capabilities, does have the actual detrimental effect of
seriously endangering sales of both generally available American software
and American computer systems.
This is because increasingly sales are dependent on the ability of
a U.S. firm to offer encryption as a feature of an integrated customer
solution involving hardware, software and services.
Indeed, software can be exported abroad by the simplest measures
and our intelligence gathering agencies have no hope of ever preventing it.
Unlike most munitions that are on the prohibited export list, generally
available software with encryption capabilities can be purchased without
any record by anyone from thousands of commercial retail outlets, or
ordered from hundreds of commercial mail order houses, or obtained for free
from computer bulletin boards or networks. Once obtained, it can be
exported on a single indistinguishable floppy disk in the coat pocket of
any traveler or in any business envelope mailed abroad.
Moreover, both generally available and customized software can be
exported without anyone ever actually leaving the United States. All that
is necessary are two computers with modems, one located in the United
States and one located abroad. A simple international phone call and a few
minutes is all that it takes to export any software program.
Once a software program with encryption capabilities is in a
foreign country, any computer can act as a duplicating machine, producing
as many perfect copies of the software as needed. The end result is that
the software is widely available to foreign users.
All this was demonstrated at a hearing held on October 12 by
Chairman Gejdenson's Economic Policy Trade and Environment Subcommittee of
the Foreign Affairs Committee.
Furthermore, while current Executive Branch policy regulates the
export of American manufactured software with encryption capabilities, it
is obviously powerless to prevent the development and manufacture of such
software by foreign competitors. Not surprisingly, that is exactly what is
happening. We heard testimony at the subcommittee's hearing that over 200
foreign hardware, software and combination products for text, file, and
data encryption are available from 20 foreign countries. As a result,
foreign customers, that have, in the past, spent their software dollars on
American-made software, are now being forced, by American policy, to buy
foreign software -- and in some cases, entire foreign computer systems. The
real impact of these policies is that customers and revenue are being lost
with little hope of regaining them, once lost. All precipitated by a
well-intentioned, but completely misguided and inappropriate policy.
There were efforts, in the last Congress to correct this policy. In
response, the Bush Administration did, in fact, marginally improve its
export licensing process with regard to mass market software with limited
encryption capabilities. However, those changes are simply insufficient to
eliminate the damage being done to American software companies.
My legislation is strongly supported by the Business Software
Alliance. The Business Software Alliance represents the leading American
software businesses, including Aldus, Apple Computer, Autodesk, Borland
International, Computer Associates, GO Corp., Lotus Development, Microsoft,
Novell, and WordPerfect. In addition, Adobe Systems, Central Point, Santa
Cruz Operation, and Symantec are members of BSA's European operation.
Together, BSA members represent 70 percent of PC software sales.
The legislation is also supported by the Industry Coalition on
Technology Transfer, an umbrella group representing 10 industry groups
including the Aerospace Industries Association, American Electronic
Association, Electronics Industry Association, and Computer and Business
Equipment Manufacturing Association.
All these companies are at the forefront of the software
revolution. Their software, developed for commercial markets, is available
throughout the world and is at the core of the information revolution. They
represent the finest of America's future in the international marketplace,
and the industry has repeatedly been recognized as crucial to America's
technological leadership in the 21st century.
My legislation is straightforward. It would allow American
companies to sell the commercial software they develop in the United States
to their overseas customers including our European allies -- something that
is very difficult if not impossible under present policies.
I urge my colleagues to support this legislation and ask unanimous
consent that the text of the bill and a section-by-section explanation be
printed at this point.
************************************************************************
Section-By-Section Analysis of Report Control Liberalization for
Information Security Programs and Products
Section 1
Section 1 amends the Export Administration Act by adding a new
subsection that specifically addresses exports of computer hardware,
software and technology for information security including encryption. The
new subsection has three basic provisions.
First, it gives the Secretary of Commerce exclusive authority over
the export of such programs and products except those which are
specifically designed for military use, including command, control and
intelligence applications or for deciphering encrypted information.
Second, the government is generally prohibited from requiring a
validated export license for the export of generally available software
(e.g., mass market commercial or public domain software) or computer
hardware simply because it incorporates such software.
Importantly, however, the Secretary will be able to continue
controls on countries of terrorists concern (like Libya, Syria, and Iran)
or other embargoed countries (like Cuba and North Korea) pursuant to the
Trading With The Enemy Act or the International Emergency Economic Powers
Act (except for instances where IEEPA is employed to extend EAA-based
controls when the EAA is not in force).
Third, the Secretary is required to grant validated licenses for
exports of software to commercial users in any country to which exports of
such software has been approved for use by foreign financial institutions.
Importantly, the Secretary is not required to grant such export approvals
if there is substantial evidence that the software will be diverted or
modified for military or terrorists' end-use or re-exported without
requisite U.S. authorization.
Section 2
Section 2 provides definitions necessary for the proper
implementation of the substantive provisions. For example, generally
available software is offered for sale or licensed to the public without
restriction and available through standard commercial channels of
distribution, is sold as is without further customization, and is designed
so as to be installed by the purchaser without additional assistance from
the publisher. Computer hardware and computing devices are also defined.
1
0
* DISTRIBUTE WIDELY *
Monday, February 7th, 1994
From: Jerry Berman, Executive Director of EFF
jberman(a)eff.org
Dear Friends on the Electronic Frontier,
I'm writing a personal letter to you because the time has now come for
action. On Friday, February 4, 1994, the Administration announced that it
plans to proceed on every front to make the Clipper Chip encryption scheme
a national standard, and to discourage the development and sale of
alternative powerful encryption technologies. If the government succeeds
in this effort, the resulting blow to individual freedom and privacy could
be immeasurable.
As you know, over the last three years, we at EFF have worked to ensure
freedom and privacy on the Net. Now I'm writing to let you know about
something *you* can do to support freedom and privacy. *Please take a
moment to send e-mail to U.S. Rep. Maria Cantwell (cantwell(a)eff.org) to
show your support of H.R. 3627, her bill to liberalize export controls on
encryption software.* I believe this bill is critical to empowering
ordinary citizens to use strong encryption, as well as to ensuring that
the U.S. software industry remains competitive in world markets.
Here are some facts about the bill:
Rep. Cantwell introduced H.R. 3627 in the House of Representatives on
November 22, 1993. H.R. 3627 would amend the Export Control Act to move
authority over the export of nonmilitary software with encryption
capabilities from the Secretary of State (where the intelligence community
traditionally has stalled such exports) to the Secretary of Commerce. The
bill would also invalidate the current license requirements for
nonmilitary software containing encryption capablities, unless there is
substantial evidence that the software will be diverted, modified or
re-exported to a military or terroristic end-use.
If this bill is passed, it will greatly increase the availability of
secure software for ordinary citizens. Currently, software developers do
not include strong encryption capabilities in their products, because the
State Department refuses to license for export any encryption technology
that the NSA can't decipher. Developing two products, one with less secure
exportable encryption, would lead to costly duplication of effort, so even
software developed for sale in this country doesn't offer maximum
security. There is also a legitimate concern that software companies will
simply set up branches outside of this country to avoid the export
restrictions, costing American jobs.
The lack of widespread commercial encryption products means that it will
be very easy for the federal government to set its own standard--the
Clipper Chip standard. As you may know, the government's Clipper Chip
initiative is designed to set an encryption standard where the government
holds the keys to our private conversations. Together with the Digital
Telephony bill, which is aimed at making our telephone and computer
networks "wiretap-friendly," the Clipper Chip marks a dramatic new effort
on the part of the government to prevent us from being able to engage in
truly private conversations.
We've been fighting Clipper Chip and Digital Telephony in the policy arena
and will continue to do so. But there's another way to fight those
initiatives, and that's to make sure that powerful alternative encryption
technologies are in the hands of any citizen who wants to use them. The
government hopes that, by pushing the Clipper Chip in every way short of
explicitly banning alternative technologies, it can limit your choices for
secure communications.
Here's what you can do:
I urge you to write to Rep. Cantwell today at cantwell(a)eff.org. In the
Subject header of your message, type "I support HR 3627." In the body of
your message, express your reasons for supporting the bill. EFF will
deliver printouts of all letters to Rep. Cantwell. With a strong showing
of support from the Net community, Rep. Cantwell can tell her colleagues
on Capitol Hill that encryption is not only an industry concern, but also
a grassroots issue. *Again: remember to put "I support HR 3627" in your
Subject header.*
This is the first step in a larger campaign to counter the efforts of
those who would restrict our ability to speak freely and with privacy.
Please stay tuned--we'll continue to inform you of things you can do to
promote the removal of restrictions on encryption.
In the meantime, you can make your voice heard--it's as easy as e-mail.
Write to cantwell(a)eff.org today.
Sincerely,
Jerry Berman
Executive Director, EFF
jberman(a)eff.org
P.S. If you want additional information about the Cantwell bill, send
e-mail to cantwell-info(a)eff.org. To join EFF, write membership(a)eff.org.
The text of the Cantwell bill can be found with the any of the following
URLs (Universal Resource Locaters):
ftp://ftp.eff.org/pub/Policy/Legislation/cantwell.bill
http://www.eff.org/ftp/EFF/Policy/Legislation/cantwell.bill
gopher://gopher.eff.org/00/EFF/legislation/cantwell.bill
1
0
The Washington Post, the New York Times, and the Wall Street Journal have
all published stories over the last three days concerning the
Administration's announcement on Friday, Feb. 5, 1994, that it will
continue to deploy the controversial "Clipper Chip" encryption technology
and will not significantly change its export controls.
>From the Post on Saturday:
"That means the administration will continue long-standing restrictions on
exports of powerful encryption devices that the NSA cannot crack, and
continue to encourage use of NSA-developed encryption gear, called the
"Clipper chip," by all U.S. firms. The Clipper Chip makes it relatively
easy for the government to eavesdrop on encrypted communications....
"Further, government officials said, the administration is expected in a
few weeks to endorse an FBI proposal that U.S. telecommunications firms be
required to guarantee law enforcement agencies' ability to tape phone and
computer lines regardless of where the technology goes.
"At the core of these high-tech disputes lies a fundamental conflict
between Americans' cherished privacy rights and the government's
investigative needs."
>From the Times on Saturday:
"But the Administration's action immediately drew a chorus of criticism
from both business and privacy-rights groups. Computer and software
companies, including Apple Computer, I.B.M. and Microsoft, have adamantly
opposed the Clipper Chip because they believe customers will not trust an
encryption program that was built by the government and whose inner
workings remain a secret.
"Perhaps more importantly, they fear that it will harm their ability to
export products; they predict that foreign customers will resist buying
computers and telecommunications equipment built with decoding technology
devised by the National Security Agency.
"Privacy-rights groups argue that the technology could lead to
unauthorized eavesdropping, because the keys for unscrambling the code
will remain in official hands.
"'This is bad for privacy, bad for security and bad for exports,' said
Jerry Berman, executive director of the Electronic Frontier Foundation, a
Washington nonprofit group that lobbies on privacy issues related to
electronic networks. 'The Administration is preparing to implement systems
that the public will not trust, that foreign countries will not buy, and
that terrorists will overcome.'"
>From the Wall Street Journal on Monday:
"The issue has become a controversial one between law enforcement
officials and the computer industry and civil libertarians. In unfolding
details of the administration's decision, Mike Nelson, an official at the
Office of Science and Technology Policy, said the issue was so difficult
it represented 'the Bosnia of telecommunications policy.'
"Jerry Berman, executive director of the Electronic Frontier Foundation, a
Washington-based computer users' civil-rights group, said the
administration's handling of the Clipper Chip policy could make it 'as
successful' as the Bosnia policy, which has come under widespread
criticism."
William Safire has also written about this in today's NYTimes.
>From owner-cypherpunks Mon Feb 7 15:40:40 1994
1
0
------- Forwarded Message
To: gnu(a)toad.com
From: whitfield.diffie(a)Eng.Sun.COM
1
0
THE WHITE HOUSE CONTACT: 202 156-7035
OFFlCE OF THE PRESS SECRETARY
EMBARGOED UNTIL 3 PM (EST) FRIDAY, February 4, 1994
STATEMENT OF THE PRESS SECRETARY
Last April, the Administration announced a comprehensive
interagency review of encryption technology, to be overseen by the
National Security Council. Today, the Administration is taking a
number of steps to implement the recommendations resulting from
that review.
Advanced encryption technology offers individuals and businesses
an inexpensive and easy way to encode data and telephone
conversations. Unfortunately, the same encryption technology that
can help Americans protect business secrets and personal privacy
can also be used by terrorists, drug dealers, and other criminals.
In the past, Federal policies on encryption have reflected primarily
the needs of law enforcement and national security. The Clinton
Administration has sought to balance these needs with the needs of
businesses and individuals for security and privacy. That is why,
today the National Institute of Standards ant Technology (NIST) is
committing to ensure a royalty-free, public-domain Digital Signature
Standard. Over many years, NIST has been developing digital
signature technology that would provide a way to verify the author
and sender of an electronic message. Such technology will be critical
for a wide range of business applications for the National
Information Infrastructure. A digital signature standard will enable
individuals to transact business electronically rather than having to
exchange signed paper contracts. The Administration has determined
that such technology should not be subject to private royalty
payments, and it will be taking steps to ensure that royalties are not
required for use of a digital signature. Had digital signatures been in
widespread use, the recent security problems with the Intemet
would have been avoided.
Last April, the Administration released the Key Escrow chip (also
known as the "Clipper Chip") that would provide Americans with
secure telecommunications without compromising the ability of law
enforcement agencies to carry out legally authorized wiretaps. Today,
the Department of Commerce and the Department of Justice are
taking steps to enable the use of such technology both in the U.S. and
overseas. At the same time, the Administration is announcing its
intent to work with industry to develop other key escrow products
that might better meet the needs of individuals and industry,
particularly the American computer and telecommunications
industry. Specific steps being announced today include:
- Approval by the Commerce Secretary of the Escrowed Encryption
Standard (EES) as a voluntary Federal Informahon Processing
Standard, which will enable govemment gencies to purchase the
Key Escrow chip for use with telephones nd modems. The
department's National Institute of Standards and Technology
(NIST) will publish the standard.
- Publication by the Department of Justice of procedurs for the
release of escrowed keys and the announcement of NIST and the
Automated Services Division of the Treasury Department as the
escrow agents that will store the keys needed for decryption of
communications using the Key Escrow chip. Nothing in these
procedures will diminish tne existing legal and procedural
requirements that protect Americans from unauthorized wiretaps.
- New procedures to allow export of products containing the Key
Escrow chip to most countries.
In addition, the Department of State will streamline export licensing
procedures for encryption products that can be exported under
current export regulations in order to help American companies sell
their products overseas. In the past, it could take weeks for a
company to obtain an export license for encryption products, and
each shipment might require a separate license. The new procedures
announced today will substantially reduce administrative delays and
paperwork for encryption exports.
To implement the Administration's encryption policy, an interagency
Working Group on Encryption and Telecommunications has been
established. It will be chaired by the White House Office of Science
and Technology Policy and the National Security Council and will
include representatives of the Departments of Commerce, Justice,
State, and Treasury as well as the FBI, the National Security Agency,
the Office of Management and Budget, and the National Economic
Council. This group will work with industry and public-interest
groups to develop new encryption technologies and to review and
refine Administration policies regarding encryption, as needed.
The Administration is expanding its efforts to work with industry to
improve on the Key Escrow chip, to develop key-escrow software,
and to examine alternatives to the Key Escrow chip. NIST will lead
these efforts and will request additional staff and resources for this
purpose.
We understand that many in industry would like to see all
encryption products exportable. However, if encryption technology is
made freely available worldwide, it would no doubt be usod
extensively by terrorists, drug dealers, and other criminals to harm
Americans both in the U.S. and abroad. For this reason, the
Administration will continue to restrict export of the most
sophisticated encryption devices, both to preserve our own foreign
intelligence gathering capability and because of the concerns of our
allies who fear that strong encryption technology would inhibit their
law enforcement capabilities.
At the same time, the Administration understands the benefits that
encryption and related technologies can provide to users of
computers and telecommunications networks. Indeed, many of the
applications of the evolving National Information Infrastructure will
require some form of encryption. That is why the Administration
plans to work more closely with the private sector to develop new
forms of encryption that can protect privacy and corporate secrets
without undermining the ability of law-enforcement agencies to
conduct legally authorized wiretaps. That is also why the
Administration is committed to make available free of charge a
Digital Signature Standard.
The Administration believes that the steps being announced today
will help provide Americans with the telecommunications security
they need without compromising the capability of law enforcement
agencies and national intelligence agencies. Today, any American can
purchase and use any type of encryption product. The
Administration does not intend to change that policy. Nor do we have
any intention of restrictiog domestic encryption or mandating the use
of a particular technology.
1
0
Department of Justice
EMBARGOED FOR 3 P.M. RELEASE AG
FRIDAY, FEBRUARY 4, 1994 (202) 616-2771
ATTORNEY GENERAL MAKES KEY ESCROW ENCRYPTION ANNOUNCEMENTS
Attorney General Janet Reno today announced selection of the two
U.S. Government entities that will hold the escrowed key
components for encryption using the key escrow encryption method.
At the same time, the Attorney General made public procedures
under which encryption key components will be released to
government agencies for decrypting communications subject to
lawful wiretaps.
Key Escrow Encryption (formerly referred to as Clipper Chip )
strikes an excellent balance between protection of communications
privacy and protection of society. It permits the use in
commercial telecommunications products of chips that provide
extremely strong encryption, but can be decrypted, when necessary,
by government agencies conducting legally authorized wiretaps.
Decryption is accomplished by use of keys--80-bit binary numbers--
that are unique to each individual encryption chip. Each unique
key is in turn split into two components, which must be recombined
in order to decrypt communications. Knowing one component does not
make decryption any more feasible than not knowing either one.
The two escrow agents are the National Institute of Standards and
Technology (NIST), a part of the Department of Commerce, and the
Automated Systems Division of the Department of the Treasury. The
two escrow agents were chosen because of their abilities to
safeguard sensitive information, while at the same time being able
to respond in a timely fashion when wiretaps encounter encrypted
communications. In addition, NIST is responsible for establishing
standards for protection of sensitive, unclassified information in
Federal computer systems.
The escrow agents will act under strict procedures, which are
being made public today, that will ensure the security of the key
components and govern their release for use in conjunction with
lawful wiretaps. They will be responsible for holding the key
components: for each chip, one agent will hold one of the key
components, and the second agent will hold the other. Neither will
release a key component, except to a government agency with a
requirement to obtain it in connection with a lawfully authorized
wiretap. The system does not change the rules under which
government agencies are authorized to conduct wiretaps.
When an authorized government agency encounters suspected key-
escrow encryption, a written request will have to be submitted to
the two escrow agents. The request will, among other things, have
to identify the responsible agency and the individuals involved;
certify that the agency is involved in a lawfully authorized
wiretap; specify the wiretap's source of authorization and its
duration; and specify the serial number of the key-escrow
encryption chip being used. In every case, an attorney involved in
the investigation will have to provide the escrow agents assurance
that a validly authorized wiretap is being conducted.
Upon receipt of a proper request, the escrow agents will transmit
their respective key components to the appropriate agency. The
components will be combined within a decrypt device, which only
then will be able to decrypt communications protected by key-
escrow encryption. When the wiretap authorization ends, the device
s ability to decrypt communications using that particular chip
will also be ended.
The Department of Justice will, at the various stages of the
process, take steps to monitor compliance with the procedures.
1
0