CPSR Secrecy Statement
Computer Professionals for Social Responsibility (CPSR) has
called for a complete overhaul in the federal government's
information classification system, including the removal of
cryptography from the categories of information automatically
deemed to be secret. In a letter to a special Presidential task
force examining the classification system, CPSR said that the
current system -- embodied in an Executive Order issued by
President Reagan in 1982 -- "has limited informed public debate on
technological issues and has restricted scientific innovation and
technological development."
The CPSR statement, which was submitted in response to a
task force request for public comments, strongly criticizes a
provision in the Reagan secrecy directive that presumptively
classifies any information that "concerns cryptology." CPSR notes
that "while cryptography -- the science of making and breaking
secret security codes -- was once the sole province of the
military and the intelligence agencies, the technology today plays
an essential role in assuring the security and privacy of a wide
range of communications affecting finance, education, research and
personal correspondence." With the end of the Cold War and the
growth of widely available computer network services, the outdated
view of cryptography reflected in the Reagan order must change,
according to the statement.
CPSR's call for revision of the classification system is
based upon the organization's experience in attempting to obtain
government information relating to cryptography and computer
security issues. CPSR is currently litigating Freedom of
Information Act lawsuits against the National Security Agency
(NSA) seeking the disclosure of technical data concerning the
digital signature standard (DSS) and the administration's recent
"Clipper Chip" proposal. NSA has relied on the Reagan Executive
Order as authority for withholding the information from the
public.
In its submission to the classification task force, CPSR
also called for the following changes to the current secrecy
directive:
* A return to the "balancing test," whereby the public
interest in the disclosure of information is weighed
against the claimed harm that might result from such
disclosure;
* A prohibition against the reclassification of
information that has been previously released;
* The requirement that the economic cost of classifying
scientific and technical be considered before such
information may be classified;
* The automatic declassification of information after
20 years, unless the head of the original classifying
agency, in the exercise of his or her non-delegable
authority, determines in writing that the material
requires continued classification for a specified
period of time; and
* The establishment of an independent oversight
commission to monitor the operation of the security
classification system.
The task force is scheduled to submit a draft revision of
the Executive Order to President Clinton on November 30.
The full text of the CPSR statement can be obtained via
ftp, wais and gopher from cpsr.org, under the filename
cpsr\crypto\secrecy_statement.txt.
CPSR is a national organization of professionals in the
computing field. Membership is open to the public. For more
information on CPSR, contact .
July 14, 1993
Information Security Oversight Office
750 17th Street, N.W.
Suite 530
Washington, DC 20006
Attention: PRD Task Force
Re: Proposed Changes to the Security Classification System
This submission is made in response to the Notice published
in the Federal Register on May 20, 1993 (58 FR 29480). According
to the Notice, the Task Force is soliciting submissions "by
interested parties on proposals to change the system under which
information is classified, safeguarded, and declassified in the
interest of national security." Computer Professionals for Social
Responsibility (CPSR), a national organization of professionals in
the computing field, has a long-standing interest in the problems
surrounding the current information classification system -- a
system that has limited informed public debate on technological
issues and has restricted scientific innovation and technological
development. Based on our experience conducting litigation under
the Freedom of Information Act and our efforts to assess certain
government policies concerning cryptography and computer security,
we have the following recommendations regarding changes to the
security classification system.
General Recommendations
CPSR believes that the current Executive Order 12356 is far
too broad in its definition of classifiable information and that
post Cold War realities require the substantial revision of this
outdated directive. We share the views of many public interest,
journalistic, academic, historical, and scientific organizations
that have recommended a complete revision of the classification
scheme. We believe such a revision is both necessary and
appropriate. In particular, we support the following changes to
the classification system:
* A return to the "balancing test," whereby the public
interest in the disclosure of information is weighed
against the claimed harm that might result from such
disclosure;
* A prohibition against the reclassification of
information that has been previously released;
* The requirement that the economic cost of classifying
scientific and technical be completed before such
information may be classified;
* The automatic declassification of information after
20 years, unless the head of the original classifying
agency, in the exercise of his or her non-delegable
authority, determines in writing that the material
requires continued classification for a specified
period of time; and
* The establishment of an independent oversight
commission to monitor the operation of the security
classification system.
"Cryptology" as a Classification Category
In addition to endorsing these general recommendations, we
wish to address in detail one particular provision of the current
Executive Order that unnecessarily restricts the dissemination of
technical data that should be routinely available to the public
and the scientific community. At the time EO 12356 was
promulgated in 1982, a new classification category was
established, simply defined as "cryptology." EO 12356, Sec.
1.3(a)(8). When the House Government Operations Committee
examined the Executive Order shortly after its issuance, the
Committee concluded that "[t]he need for this new category is
uncertain" and noted that "[t]he word 'cryptology,' as added by
the Reagan order, is not qualified or defined." H. Rep. No. 731,
97th Cong., 2d Sess. 16 (1982).
This concern carries even more weight today. The designation
of a routine privacy-enhancing technology as presumptively a
national security matter is inconsistent with the end of the Cold
War and the dramatic growth of commercial and civilian
telecommunications networks. While cryptography -- the science of
making and breaking secret security codes -- was once the sole
province of the military and the intelligence agencies, the
technology today plays an essential role in assuring the security
and privacy of a wide range of communications affecting finance,
education, research, and personal correspondence.
Electronic communications are now widely used in the civilian
sector and have become an integral component of the global
economy. Computers store and exchange an ever increasing amount
of personal information, including medical and financial data. In
this electronic environment, the need for privacy-enhancing
technologies is apparent. Communications applications such as
electronic mail and electronic funds transfers require secure
means of encryption and authentication -- goals that can be
achieved only through the development and dissemination of robust
cryptographic technology within the civilian sector.
The Computer Security Act and Civilian Cryptography
In recognition of the emerging significance of civilian
cryptography, Congress enacted the Computer Security Act (P.L.
100-235) in 1987. When Congress enacted the legislation, it
expressed particular concern that the National Security Agency
("NSA"), a secretive military intelligence agency, would
improperly limit public access to information concerning civilian
computer security activities. H. Rep. No. 153 (Part 2), 100th
Cong., 1st Sess. 21 (1987). The House Report on the Act notes
that NSA's
natural tendency to restrict and even deny access to
information that it deems important would disqualify
that agency from being put in charge of the protection
of non-national security information in the view of many
officials in the civilian agencies and the private
sector.
Id.
To alleviate these concerns, Congress granted sole authority
to the National Institute of Standards and Technology ("NIST") --
a civilian agency within the Department of Commerce -- to
establish technical cryptography standards for civilian computer
security. During Congress' consideration of the legislation, "NSA
opposed its passage and asserted that NSA should be in control of
this nation's computer standards program." Id. at 7. Congress
forthrightly rejected NSA's position, noting that continued
military control over all cryptographic development "would
jeopardize the entire Federal standards program." Id. at 26.
Since the enactment of the Computer Security Act, CPSR has
sought to monitor compliance with its provisions. In keeping with
those efforts, CPSR requested relevant information from NIST under
the Freedom of Information Act ("FOIA") concerning the development
of the "digital signature standard" -- the agency's first proposed
cryptographic standard since passage of the legislation. It is
important to note that the proposed standard itself would be
"applicable to all federal departments and agencies for the
protection of unclassified information." 56 Fed. Reg. 42981
(August 30, 1991) (emphasis added).
After CPSR filed a lawsuit to compel disclosure of the
information, NIST acknowledged that the great bulk of responsive
material was under the jurisdiction of NSA. NSA, in turn, has
sought to withhold a substantial amount of that information on the
grounds that it "concerns cryptology" and is therefore classified.
CPSR v. National Institute of Standards and Technology, et al.,
C.A. 92-0972-RCL (D.D.C.). The current Executive Order is thus
being used to classify information relating to a civilian agency's
development of a security standard intended to protect
unclassified information. Such a result contravenes Congress'
intent that non-military cryptographic standards would be
developed openly and subject to public scrutiny.
The Public Interest in Cryptography
More recent developments further illustrate how the
application of cryptographic technology is moving out of the
"national security" realm and is thus an inappropriate subject for
presumptive classification. On April 16, 1993, the President
announced that "government engineers" had developed a new
cryptographic device known as the "Clipper Chip" that is intended
for widespread public use. The President noted that
"[s]ophisticated encryption technology has been used for years to
protect electronic funds transfer ... [and] is now being used to
protect electronic mail and computer files." He also recognized
that "encryption technology can help Americans protect business
secrets and the unauthorized release of personal information."
Unfortunately, the administration subsequently acknowledged
that the "Clipper" technology was developed by NSA and that the
underlying technical data is classified. As in the case of the
digital signature standard, a new technology that may have a
significant impact on the nation's telecommunications
infrastructure was developed in secrecy behind a shield of NSA-
imposed classification. There is a great deal of interest in the
development of civilian cryptography, but public involvement in
the process has been substantially hampered by the improper
classification of relevant technical information. See, e.g.,
Markoff, U.S. as Big Brother of Computer Age, New York Times, May
6, 1993 at D1.
In the Cold War atmosphere that prevailed for 45 years,
cryptography was often viewed as a national security matter and
policy makers were at times willing to permit the National
Security Agency and the military establishment to maintain a
shroud of secrecy around the technology, even to the detriment of
scientific research and public accountability. With the end of
the Cold War and the growth of widely available computer network
services, this view of cryptography must change. Indeed, Congress
recognized the need for reform when it enacted the Computer
Security Act in 1987, even before the demise of the Soviet Union.
At the same time, cryptographic technology has become an
increasingly vital component of the nation's civilian information
infrastructure. Under these circumstances, there is no rational
basis for continuing the presumption that information that
"concerns cryptology" should be classified. The economic and
scientific cost to the country of the continuation of this policy
will be substantial and cannot be justified.
We believe that cryptographic information should only be
classified upon a specific showing that such disclosure will
result in an identifiable harm to legitimate national security
interests. Such a showing could clearly be made, for instance,
with respect to the actual "keys" to government cryptographic
systems. However, the wholesale classification of all information
relating to this increasingly important field of computer science
cannot be justified and may even slow the development of more
secure systems. We urge the Task Force to recommend to the
President that "cryptology" be removed from any listing of
classification categories that might be contained in a revised
Executive Order on security classification.
* "Cryptology" should be removed from the designated
"Classification Categories."
Limitations on Quasi-Classification Authority
In addition to our concern regarding classification for
cryptology, we wish to raise several additional points about the
operation of the Executive Order. One aspect of the Executive
Order concerning classification authority with which we agree has
not received proper notice by federal agencies. That is
paragraph (b) or Part 1 which states that "Except as otherwise
provided by statute, no other terms shall be used to identify
classified information." It has been CPSR's experience that
agencies continue to use the designation "sensitive but
unclassified" to invoke a national security concern when in fact
there is no basis for such a claim and when such a "quasi-
classification" is disfavored by the Executive Order and contrary
to the intent of the Computer Security Act. In one instance, the
Federal Bureau of Investigation specifically restricted public
access to information regarding the development of certain
computer systems because it designated technical documents
"sensitive but unclassified."
We believe that these activities improperly restrict public
access to government information that should otherwise be made
available. For this reason, we believe that a revised Executive
Order should make very clear that classification authority is
narrowly restricted.
* Classification authority must be narrowly construed and
invoked only pursuant to designated classification levels,
recognized by statute or executive order.
Limitations on Classification to Conceal Misconduct
We are further concerned that Section 1.6(a)-(b) and Section
5.4(b)(2)(c) in the current Executive Order have not received
adequate attention by the national security community. Section
1.6(a) states that:
In no case shall administrative information be
classified in order to conceal violations of law,
inefficiencies, or administrative error; to prevent
embarrassment to a person, organization, or agency; to
restrain competition; or to prevent or delay the release
of information that does not require protection in the
interest of national security.
Section 1.6(b) further states that "[b]asic scientific information
not clearly related to the national security may not be
classified."
Section 5.4 (Sanctions) states, in pertinent part, that:
(b) Officers and employees of the United States
government and its contractors, licensees, and grantees
shall be subject to appropriate sanctions if they: . . .
(2) knowingly and willfully classify or continue the
classification of information in violation of this Order
or any implementing directive;
(c) sanctions may include reprimand, suspension without
pay, removal, termination of classification authority,
loss or denial of access to classified information, or
other sanctions in accordance with applicable law and
agency regulation.
As indicated above, it has been CPSR's experience that the
National Security Agency sought to conceal its activities under
the Computer Security Act through improper assertion of the (b)(1)
exemption to the Freedom of Information Act. It is clearly an
improper use of classification authority to conceal agency conduct
in this manner. Such activities frustrate public oversight and
permit the abuse of powers.
Based on this experience, we make the following
recommendations:
* ISOO should conduct an investigation to determine whether
the NSA's classification of documents regarding
cryptography was improper and, if so, whether sanctions are
appropriate for the agency officials involved.
* Any agency or government official exercising
classification authority with the intent of concealing
misconduct, inefficiencies or improper conduct should be
subject to sanctions and the ISOO should make known on an
annual basis its efforts to ensure that such activities do
not occur.
Implementation and Review
It is also our belief that it would be appropriate to
establish an independent commission on classification authority
that would meet periodically to review the activities of the
Information Security Oversight Office and to solicit public input
on issues regarding information classification and national
security. Such a commission could include a representative of the
National Security Council and the Director of the ISOO. It would
also include distinguished archivists, historians, journalists,
librarians, scientists and academics. Such a commission could
provide ongoing oversight of the classification program and help
ensure that future policies reflect the widespread needs of our
country in information policy and the changing nature of our
national security interest.
We appreciate this opportunity to present our views and would
be pleased to provide you with any additional information you
might require.
Marc Rotenberg David L. Sobel
CPSR Washington Director CPSR Legal Counsel
