At 08:19 PM 8/13/96 -0400, Matt Blaze wrote:
My comments included below Rivest's message. ------- Forwarded Message from Rivest Here is another MIT professor's (Dave Staelin's) suggestion for a national crypto policy. I thought you might be interested in seeing it; given the difficulty of the debate, any variant, even if only slightly different from previous ones, should be considered. Feel free to pass this note around, or to post it...
Here is Staelin's idea: (1) You can use any crypto you want, but you must keep a record of the crypto keys you used. (2) The government can ask for the crypto keys later, if they have a court order, just as they can ask for any of your other papers or documents. You must give the key(s) to them, just as you must turn over your private papers in such a situation. (There would have to be an appropriate penalty for losing the key...)
The attractive feature of this proposal is that it puts encrypted communications in the same category as private papers; the government is required to give notice to (at least one of) the affected individual(s) _before_ the search can be undertaken. This cures what is in my mind a defect in the current wire-tapping laws.
While I agree that there is a defect in current wire-tapping laws, it's a lot more serious than this. The defect, I think, is that wiretapping is thoroughly unconstitutional. The reason I believe it's unconstitutional is that unlike any other kind of search warrant that preceeded it, a wiretap warrant authorizes a continuing violation of privacy. It also allows police to violate that privacy secretly. Indeed, as I understand it current practice is to not inform the target of the tap even once the tap is removed. It appears far more likely that the technical fact that wiretaps can be done without informing the target has allowed the cops to conveniently re-interpret the Constitution to assume that no notification is necessary. Regular search warrants simply allow police to visit a location, ONCE, and collect evidence. The police must show up, identify themselves, and do their search, and LEAVE. Once they're gone, privacy is restored. And the target is informed of the police's interest, and so the police are motivated to not engage in "shotgun wiretaps" against people who aren't likely worthy of them. I contend that there is no logical reason to believe that the current practice of wiretapping is anticipated by any other search warrant. The _reason_ wiretaps are done in a manner so hostile to privacy and the Constitution, I believe, is that when they were "legalized" in 1968, police had already had a long history of doing them illegally, but because they were illegal they couldn't be entered into evidence in court. That legalization was ostensibly a compromise to make them admissable, but also make the police obey the law. The problem is that since the police were ALREADY violating the law, any "compromise" they were likely to agree to would have been strongly weighted against a Constitutional interpretation. (If you already have 3/4s of the loaf, why give it up?) In fact, the police gave up NOTHING: If they were able to get illegal wiretaps before 1968, there is no reason to believe that they couldn't get them after 1968. If, on the other hand, the police had genuinely obeyed the law and Constitution before 1968, more effective protections against violations of privacy would have been obtainable in exchange for legalizing wiretaps. For example, they might have been forced to agree to informing the target of every wiretap when it is removed, or maybe even informing them when the tap is placed! This will appear quite odd to the police, who will claim that wiretaps won't do any good against informed targets, but then again they probably objected to being prohibited from using thumbscrews and beating confessions out of prisoners. The fact is, not every police practice which is arguably useful is bound to be Constitutional. Another problem is with item 2 above: It amounts to an obvious violation of the 5th amendment to the Constitution, because it criminalizes the refusal to provide evidence against yourself. Even worse, it requires that you maintain, effectively, all conversations done by electronic/encrypted means. It is somewhat as if you were required to carry a tape recorder around and keep a record of every conversation you ever have, to be released to the cops whenever they get a search warrant. Rivest may be an excellent cryptographer, but a constitutional scholar he ain't.
DISCUSSION In a variant of Staelin's proposal (my twist) you could append to each encrypted message an encrypted form of the message key. The encryption could be with the public-key of a trusted third party who will not (and legally may not) reveal the message key without notifying you first (or ensuring that you have been appropriately served with the corresponding warrant). For example, the ACLU might be such a TTP. This protects the government's right to access and protects the individual from the penalties (or benefits) of losing the key. This procedure is technically simple; what is more complex is ensuring that the TTP's are appropriately registered and protected from undue government influence. The use of such a TTP would in any case be optional; the communicants need not use a TTP if they understand their obligation to keep the crypto keys around for some period of time afterwards.
What about an alternate system that takes a poll, and requires a vote of 90% or more to allow the government to get the escrowed key? If the target is REALLY a "big bad criminal" then likely they'll get approval. OTOH, if the government had just "done a Waco" and a substantial fraction of the population were seriously pissed, the government wouldn't have a prayer. (not that I'd find even this system "acceptable," but at least it would be better... The problem is, none of these proposals reflect any recognition that there may come a time where it would be far better for society to NOT give the government the evidence it wants. This "government is always right" patina is wearing mighty thin.)
In Staelin's proposal government gains access to the communications, but does not gain "real-time access" as desired by the FBI. This loss may be tolerable, given the benefit obtained (forcing access to be made in accordance with the Constitutional requirements for notification before search).
It sounds like you're saying that the government must inform the target of the wiretap BEFORE doing it. ("notification before search") Right? That would at least be better than the status quo.
The use of wiretapping encrypted communications as a preventive measure might be severely limited, but its use as a means of gathering evidence to force a conviction would be preserved.
For international communications, each communicant might be required to use a TTP that is bound to honor the laws of his country (which TTP to be used should be the choice of the communicant).
It may be seem a bit strange to force individuals to keep around information (keys) that they no longer really need. However, this is more-or-less the case for financial records right now.
However, people aren't obligated to keep financial records around, or keep them in a form the cops can read.
CONCLUSION
The fundamental idea is to give the government a right to access encrypted communication in return for a guarantee that access may not be obtained until there is BOTH proper legal authorization AND proper prior notice to (at least one of) the communicants.
Two giant steps backward! I genuinely don't see that I, as an ordinary citizen, am EVER likely to be a victim of a crime which could be prevented or solved by the system as Rivest describes it. OTOH, I believe that it is almost certain that my rights will continue to be abused by a government which will be able to use this system to protect itself from being removed, either by vote or by gunfire. I conclude that proposals like this will rarely be used to protect ordinary citizens, and are almost entirely intended to buttress the government.
Is this workable??
NO!
------- End of Forwarded Message
[Matt's comments follow] [much deleted] While Ron's twist decreases some of the burden on the user it eliminates the main benefit of the Staelin proposal - that one cannot obtain cleartext without the knowledge of at least one party. The TTP could be compelled (as the phone company is now for regular wiretaps) to keep the request secret, under court order.
Which, of course, is yet another problem with the current wiretap system. Given the 1st amendment, I see NOTHING which should allow the government to prohibit a third party (the phoneco) from telling me of the police's interest. I realize that this is "assumed without question" by the various suck-ups who populate government and probably most lawyers, but it seems to me that one of the disadvantages of the government going outself itself to obtain evidence SHOULD BE that in doing so, it reveals its interests to those third parties. As far as I'm aware, if the police serve an ordinary search warrant at a particular address, they can't prohibit the targets of that warrant from telling anyone else of this. It seems to me that the main reason police have gotten used to the idea of doing search warrants secretly is that the local phonecos have been monopolies so long, and they're so used to cooperating with government and the cops (as evidenced by the fact that police regularly got illegal wiretaps before 1968), that this has soaked in as being expected. Indeed, the pre-'68 illegal wiretaps prove beyond a shadow of a doubt that government and the telephone company never have had any sort of arm's-length relationship, and strongly suggest that the Constitutionality of wiretapping (vis a vis the constitutionality of phoneco's claimed responsibility to keep the whole thing secret) has never been legitimately tested. Remember, since the phoneco has had no competition, they've never been at risk from being shunned by customers who object to this secret cooperation. A more "realistic" position, I think, would be to conclude that if there was true competition, customers would be able to negotiate varying levels of non-cooperation in order to win customers. I suspect that post-Ruby Ridge/post-Waco, there would be a substantial fraction of the public who would conclude that it cannot trust its own government. I can think of at least one suck-up lawyer who will pooh-pooh this, claiming that wiretaps are now legal, but when looked at from a pre-1968 standpoint, wiretaps were illegal, so it seems logical that customers should have been entitled to insist that telephone companies obey the law. It's hard to avoid the conclusion that the reason this kind of illegal behavior was done by the cops as well as the phonecos is the fact that no phoneco ever had to fear loss of any kind of profit as a consequence of illegal cooperation. Indeed, I doubt that any telephone company EVER _publicly_ refused an illegal wiretap request by police. (By this, I mean the phoneco informed the public of an illegal request on its own initiative.) The total or near-total absence of such practices would make it clear that nothing that occurred before 1968 could possibly be considered the norm for constitutionality, casting further doubt on the 1968 "compromise." It doesn't seem likely (from a constitutional standpoint, anyway) that the "normal" level of cooperation that police can get from a monopolized, regulated industry should, retroactively, become considered to be the "constitutional" amount of cooperation that the cops can legally expect to get from everyone else. Jim Bell jimbell@pacifier.com