Consider the following hypothetical: Iraqi agents smuggle Clipper phones out of the U.S. Saddam Hussein uses them to communicate with his military commander in Basra. NSA intercepts the communications. Question: How does NSA decrypt the messages? You raise a valid point. I think there are several possible answers. First, of course, since the key escrow mechanism has not yet been established, an exception could be written into the procedures. (And whether they would be established by law or executive order remains to be seen.) There might be some clause saying, ``NSA may have access to escrowed keys, provided that they certify that the targets of their surveillance are foreign powers, as defined in the FISA. If, upon decryption, it is determined that a U.S. citizen's conversations have been intercepted, the procedures of the FISA for such eventualities will apply.'' Yes, they could abuse such a clause -- but by that logic, they could be listening in to cleartext domestic phone calls today. (And of course, there have been such abuses.) A second possible answer is for export phones to come from a separate production run, using a different family key. These would be export-only, and you'd never get a license to export a ``secure'' model. For U.S. residents to make an encrypted phone call to such a site, either they, too, would need such a phone, or they need some way to interoperate with a phone with a different family key. The obstacle there is the verification procedures such phones have, to guard against bogus narc headers being inserted. I'm not certain whether or not such a solution can be found. --Steve Bellovin