I just got back from the first day of PC Expo at Javits Center here in New Yawk. (God, how I love these shows. Trinkets, trinkets and more trinkets.)

To make a long story short, I picked up a copy (and renewed my subscription) of the latest PC Week. The following article shows (at least) that the Clipper/Capstone debate has not subsided, but rather, is just becoming public knowledge thanks to coverage in trade publications and popular press.

This particular article is included amongst several others in a "Special Report" section in the June 28 issue of PC Week relating to Privacy in the Workplace, "Privacy issue comes of age in the networked world." Other articles in this issue include "Encryption, monitoring and E-mail spur the privacy debate," "Some companies spell it right out: We will be watching you," "Privacy Act would force firms to inform their employees about E-mail monitoring," "Electronic monitoring raises legal and societal questions," "Encryption technology is on the rise in the private sector," "UPS toes the line with its package-tracking technologies" and two side-bar articles entitled "Cellular phones: Some like 'em and some don't" and "From A to Z: Privacy policies run the gamut."

Cheers from Times Square, Manhattan.

8<------- Article follows ---------------

PC Week Special Report "Workplace Privacy"
"News Analysis"
PC Week
June 28, 1993
pages 207, 211

Crypto policy and business privacy

The White House wants businesses to protect data but leave doors open to law-enforcement agencies

by Winn Schwartau

Following the Clinton administration's April 16 endorsement of the Clipper chip, law-enforcement and privacy advocates are staking out positions that will likely test the bounds of the Constitution.

The Clipper chip, manufactured by Mykotronx Inc., of Torrance, Calif., and officially designated the MYK-78, contains a sophisticated encryption algorithm that protects a company's communications by scrambling the data.
Announced as a joint technical effort between the NSA (National Security Agency) and NIST (National Institute for Standards and Technology), the chip is supposed to balance the needs of law enforcement with businesses' need for data privacy.

The Clinton administration is encouraging American businesses to adopt Clipper to ensure their own privacy, yet still permit "lawful government electronic surveillance," according to a statement released by the White House.

Third-party products that contain the Clipper chip are expected to be announced by fall.

The keys to decrypting Clipper communications will be held by two independent parties, such as the Federal Reserve Board and a private company. Attorney General Janet Reno had expected to announce the holders of the keys in early May, but has delayed the announcement until midsummer, according to a spokesman at the Attorney General's office.

The Clipper endeavor stems from Bush-era intelligence-agency attempts at adding legislative riders to congressional bills that would have forced telecommunications and networking companies to build in back doors for encrypted transmissions.

The EFF (Electronic Frontier Foundation) and CPSR (Computer Professionals for Social Responsibility), citizen groups based in Washington, are generally credited with having such riders removed from the bills.

Deep concern drives the anti-Clipper privacy advocates, many of whom focus on the integrity of the encryption key-escrow agents who will ultimately hold the keys to the U.S. digital kingdom if the proposed program is successful.

Said Kevin Murray, president of Murray & Assoc., a security-consulting firm in Clinton, N.J., "I don't like Clipper at all. If you're going to offer privacy, then offer it. I've seen too many cases where secrets easily leaked out."

Few, if any, businesses appear willing to sign on with the government's plan.
Spearheaded by the EFF and the ACLU (American Civil Liberties Union), 31 companies sent a letter last month to the White House and Congress stating "... We believe that there are fundamental privacy and other constitutional rights that must be taken into account when any domestic surveillance is proposed."

Among the companies signing the letter were AT&T, Apple Computer Inc., Digital Equipment Corp., IBM, Hewlett-Packard Co., Lotus Development Corp., MCI Communications Corp., Microsoft Corp., RSA Data Security Inc. and Sun Microsystems Inc.

One area of concern among the companies is that the government intends to keep all technical information about the Clipper encryption algorithm secret. Conventional cryptological wisdom says that only after wide-spread public analysis and comment can an encryption technique be trusted.

CPSR last month filed a lawsuit against the National Security Council seeking information about the Clipper chip.

"The Clipper plan was developed behind a veil of secrecy," said Marc Rotenberg, director of CPSR's Washington office. "We need to know why the standard was developed, what alternatives were considered and what the impact will be on privacy.

"As the proposal currently stands, Clipper looks a lot like desktop surveillance," Rotenberg said.

Said Mitch Kapor, founder of Lotus and chairman of the EFF, "An [encryption] system based upon classified, secret technology will not and should not gain the confidence of the American public."

On the other hand, Clipper chip supporters such as Dorothy Denning, chairman of the Computer Science Dept. at Georgetown University in Washington and a noted expert in the field of cryptography, say the key-escrow system is more than adequate to protect legitimate American interests.

Padgett Peterson, information-security specialist at defense contractor Martin Marietta Corp., in Orlando, Fla., said, "I believe Clipper's going to work. The government has more to lose than we do."
The Justice Department has already placed large orders with AT&T for telephones fitted with Clipper encryption chips.

Said Peterson, "Soon enough, everyone will be using Clipper: doctors, lawyers and CPAs."

However, the chip's use in other governmental agencies is not assured. Neither the Federal Reserve Board nor the Department of the Treasury has indicated that they will adopt Clipper.

Many business executives believe the government's encouragement of voluntary adoption is only the first step in a plan drawn by the intelligence community years ago that will eventually mandate Clipper encryption for private businesses and outlaw all other forms of encryption.

The ACLU, EFF, CPSR and other watchdog groups aim to ensure that the government never goes that far.

American businesses that adopt Clipper encryption in their networks and communications systems will have to accept some far-reaching assumptions, according to its skeptics:

- that the Clipper algorithm is robust enough to secure their corporate information assets domestically and internationally. The international security community already believes American data to be less secure than it should be and worries about leaving doors open to the United States;

- that the government does not have its own back door to read encrypted communications;

- that the key-escrow agents, once named, can be trusted;

- that the key-escrow repository, a vault that contains the Clipper chip serial numbers and encrypting and decrypting keys, will be secure enough to withstand a dedicated attack. The Attorney General's office also plans to announce this summer what form the repository will take -- electronic or otherwise -- and how it will be secured;

- that by its very use, the company is not unintentionally giving up its right to privacy or other constitutional rights; and

- that purchasing machines that include the hardware-based Clipper chip is better than using currently available and field-tested software encryption techniques such as DES and RSA.

The response to Clipper has been negative despite pleas from the administration that "while [other forms of] encryption technology can help Americans protect business secrets and the unauthorized release of personal information, [they] also can be used by terrorists, drug dealers and other criminals."

Martin Marietta's Peterson still believes Clipper is "good enough" for business, but he is in the minority. The majority opinion holds that Clipper may be what the government wants, but it shouldn't even think about making any laws mandating its use.

------

Winn Schwartau is the executive director of INTERPACT, a Seminole, Fla., consultancy, publisher of the Security Insider Report and author of "Terminal Compromise" and "Information Warfare: How To Wage It, How To Win It."

Paul Ferguson               |  "Confidence is the feeling you get
Network Integrator          |   just before you fully understand
Centreville, Virginia USA   |   the problem."
fergp@sytex.com             |   - Murphy's 7th Law of Computing

       Quis Custodiet Ipsos Custodes?