On March 8, Dr. Dorothy Denning was a guest speaker for LRNG 572 - Taming the Electronic Frontier, a course at George Mason University. The professor, Dr. Brad Cox, is a veteran software developer who has turned his attention to developing models for electronic commerce and "student-centered education". The latter is my own term for his concept of students, through a demand-based process, having much more control over and interaction with the university education process. Brad has expressed strong opinions on several issues regarding personal privacy and the Clipper/Digital Telephony proposals; I don't presume to speak for him, but I should note that our homework includes installing PGP 2.2 or 2.3a on our personal machines, generating key pairs, distributing our public keys, and broadcasting an essay encrypted with everyone else's public keys.

The lecture was broadcast on the George Mason University channel, 48 on Media General Cable Systems in Fairfax County, VA, and other channels around the DC Metro Area. Tapes are available in the GMU Library and, I believe, may be copied and distributed freely. If any of you would like a copy of the session, I'll look into what has to happen to get it done.

I do not have a VCR at home and am not referring to the tape as I write this summary, so there may be some inaccuracies. Further, as I was not taking careful notes, my own comments and questions are most prominent in this summary. In my note to the class, I'll ask them to contribute their own views of the proceedings. I am forwarding this note to Brad, Dr. Denning, and the class to ensure all parties have the opportunity to correct any misrepresentations or omissions.

***The Presentation***

Dr. Denning was clearly nervous -- she indicated that she had never worked with the combination of television, overhead projector and computer-cueing system in the video classroom.
Also, I surmise that Brad had warned her that she wouldn't be facing the most sympathetic audience in the world. Each student had written an essay about Clipper and emailed it to Brad, cc'ing the rest of the class. Most of the class didn't think Clipper/Digital Telephony was a hot idea, but there were several supporters.

After a brief intro describing Clipper as a "voluntary" standard, she quickly described the key initialization and two-party decryption processes. This part of the lecture was notation-laden and somewhat hard for me to follow, and I've read most of Schneier's _Applied Cryptography_! The folks around me seemed to be lost in the particulars of how the various keys were generated and interacted (especially the session key). However, I believe the basic points got through clearly enough - the class is mostly professionals and is sophisticated enough to pick up anything that's explained well.

After Denning indicated that NIST and Treasury were to be the two escrow agents, I asked about VP Gore's 9 February remarks on the potential problems of both agents being in the Executive Branch etc. She glossed over the issue by replying that the process was still being examined and that she didn't see a problem with the two agents residing in the same branch of government. The theme that "the key escrow system prevents abuse" resonated throughout her presentation.

A few minutes later, I asked Dr. Denning whether she her earlier published (on Usenet, anyway) statements to the effect that if Clipper were made mandatory she would probably withdraw her support for the standard. She did not dispute the basis of the question but did not answer it per se, either. Her final response (paraphrased) was that she could not foresee all possible outcomes and did not want to commit herself to a position without observable results.

After further questions, Denning described the Digital Telephony proposal, stressing that the idea was to maintain the current level of wiretap capabilities despite technological advances. She was very careful to delineate the goals for Clipper and Digital Telephony as follows:

o Clipper is designed to provide US citizens strong cryptography that won't threaten US national security;

o Clipper is *not* designed to catch crooks;

o Digital Telephony is designed to maintain the current level of wiretap capabilities and gives law enforcement officials no new abilities.

The first statement is hard to dispute on its face, despite the invocation of that vague concept called "national security". As many others, including Tim May, have said, the government is fighting an imaginary enemy which is, by virtue of it being imaginary, capable of anything. If cellular phones, baby monitors (!) and regular telephones used Clipper-like technology, many citizen-to-citizen privacy worries would be solved since ham radio and scanner operators would be unable to monitor these transmissions. However, the idea that the standard is voluntary, an idea she defended even when pressed that everyone in the government (except the judiciary) answers to the same guy, raises a question as to how voluntary the standard is.

The second statement goes against much of the rhetoric Clipper supporters have used to link the proposal to the War on Drugs and the general fear of crime. It's interesting to note that, even while she was disavowing Clipper's link to catching crooks, she read anecdotes from the back cover of a book entitled something like _The World's Dumbest Criminals_ and opined that, if someone is dumb enough to call hotel security and report $1000 of cocaine missing from his room, they just might be dumb enough to use Clipper. After all, they talk in the clear now! I think this argument has gotten short shrift on Cypherpunks and does deserve more attention.
If the price of ClipperPhones comes down enough so that they're affordable _and_ there's no market competitor of note, why wouldn't drug dealers use the equipment? After all, even assuming the full search warrant process is bypassed, the government needs to know what's happening before they tap the line. The solution, of course, is to market alternative crypto-boxes that can fit between the phone unit and the wall socket. Price competition against high volume manufacturers will be a serious obstacle to successfully circumventing the escrowed technologies. The difference in the rhetorical significance of crime-fighting when Clipper is presented to technical and non-technical audiences is interesting.

The final theme, that Digital Telephony adds no new law enforcement capabilities, was not something anyone in the class seemed to have the knowledge to dispute on technical grounds. When I raised the issue of phone calls being directed to central law enforcement sites instead of requiring agents to move to a remote location, Dr. Denning indicated that wiretaps are done by directing calls to a central location now. While J.P. Barlow challenged related issues in the America On Line debate, I have not seen a refutation of this particular point. Can anyone elaborate?

***Personal Notes and Editorials***

o None of us brought up the government ability to request and examine phone usage information without a warrant or pointed out that law enforcement agencies currently do this more than 100,000 times per year. [I wasn't aware of the number until Barlow cited it on AOL.]

o I would hope that the ability of government to accumulate behavioral dossiers on private citizens through the information mosaic and link analysis tools is something that would appear in _Time_ right beside the Clipper and Digital Telephony expository articles in the future.
If Digital Telephony makes this ability stronger, there is a greater danger of the fishing expeditions and data matching exercises the 1974 Privacy Act is designed to prevent.

o In my opinion Dr. Denning sincerely believes these proposals will make a positive difference; however, the sincerity of the advocate does not give credence to the position advocated.

--
Best regards,
Curtis D. Frye - Job Search Underway!!!
cfrye@ciis.mitre.org or cfrye@mason1.gmu.edu
"MITRE's in the past, now. Time to move on!"