CPSR Secrecy Statement

Computer Professionals for Social Responsibility (CPSR) has called for a complete overhaul in the federal government's information classification system, including the removal of cryptography from the categories of information automatically deemed to be secret. In a letter to a special Presidential task force examining the classification system, CPSR said that the current system -- embodied in an Executive Order issued by President Reagan in 1982 -- "has limited informed public debate on technological issues and has restricted scientific innovation and technological development."

The CPSR statement, which was submitted in response to a task force request for public comments, strongly criticizes a provision in the Reagan secrecy directive that presumptively classifies any information that "concerns cryptology." CPSR notes that "while cryptography -- the science of making and breaking secret security codes -- was once the sole province of the military and the intelligence agencies, the technology today plays an essential role in assuring the security and privacy of a wide range of communications affecting finance, education, research and personal correspondence." With the end of the Cold War and the growth of widely available computer network services, the outdated view of cryptography reflected in the Reagan order must change, according to the statement.

CPSR's call for revision of the classification system is based upon the organization's experience in attempting to obtain government information relating to cryptography and computer security issues. CPSR is currently litigating Freedom of Information Act lawsuits against the National Security Agency (NSA) seeking the disclosure of technical data concerning the digital signature standard (DSS) and the administration's recent "Clipper Chip" proposal. NSA has relied on the Reagan Executive Order as authority for withholding the information from the public.
In its submission to the classification task force, CPSR also called for the following changes to the current secrecy directive:

* A return to the "balancing test," whereby the public interest in the disclosure of information is weighed against the claimed harm that might result from such disclosure;

* A prohibition against the reclassification of information that has been previously released;

* The requirement that the economic cost of classifying scientific and technical information be considered before such information may be classified;

* The automatic declassification of information after 20 years, unless the head of the original classifying agency, in the exercise of his or her non-delegable authority, determines in writing that the material requires continued classification for a specified period of time; and

* The establishment of an independent oversight commission to monitor the operation of the security classification system.

The task force is scheduled to submit a draft revision of the Executive Order to President Clinton on November 30.

The full text of the CPSR statement can be obtained via ftp, wais and gopher from cpsr.org, under the filename cpsr\crypto\secrecy_statement.txt.

CPSR is a national organization of professionals in the computing field. Membership is open to the public. For more information on CPSR, contact <cpsr@cpsr.org>.

July 14, 1993

Information Security Oversight Office
750 17th Street, N.W.
Suite 530
Washington, DC 20006

Attention: PRD Task Force

Re: Proposed Changes to the Security Classification System

This submission is made in response to the Notice published in the Federal Register on May 20, 1993 (58 FR 29480). According to the Notice, the Task Force is soliciting submissions "by interested parties on proposals to change the system under which information is classified, safeguarded, and declassified in the interest of national security."
Computer Professionals for Social Responsibility (CPSR), a national organization of professionals in the computing field, has a long-standing interest in the problems surrounding the current information classification system -- a system that has limited informed public debate on technological issues and has restricted scientific innovation and technological development. Based on our experience conducting litigation under the Freedom of Information Act and our efforts to assess certain government policies concerning cryptography and computer security, we have the following recommendations regarding changes to the security classification system.

General Recommendations

CPSR believes that the current Executive Order 12356 is far too broad in its definition of classifiable information and that post-Cold War realities require the substantial revision of this outdated directive. We share the views of many public interest, journalistic, academic, historical, and scientific organizations that have recommended a complete revision of the classification scheme. We believe such a revision is both necessary and appropriate.
In particular, we support the following changes to the classification system:

* A return to the "balancing test," whereby the public interest in the disclosure of information is weighed against the claimed harm that might result from such disclosure;

* A prohibition against the reclassification of information that has been previously released;

* The requirement that the economic cost of classifying scientific and technical information be considered before such information may be classified;

* The automatic declassification of information after 20 years, unless the head of the original classifying agency, in the exercise of his or her non-delegable authority, determines in writing that the material requires continued classification for a specified period of time; and

* The establishment of an independent oversight commission to monitor the operation of the security classification system.

"Cryptology" as a Classification Category

In addition to endorsing these general recommendations, we wish to address in detail one particular provision of the current Executive Order that unnecessarily restricts the dissemination of technical data that should be routinely available to the public and the scientific community.

At the time EO 12356 was promulgated in 1982, a new classification category was established, simply defined as "cryptology." EO 12356, Sec. 1.3(a)(8). When the House Government Operations Committee examined the Executive Order shortly after its issuance, the Committee concluded that "[t]he need for this new category is uncertain" and noted that "[t]he word 'cryptology,' as added by the Reagan order, is not qualified or defined." H. Rep. No. 731, 97th Cong., 2d Sess. 16 (1982). This concern carries even more weight today. The designation of a routine privacy-enhancing technology as presumptively a national security matter is inconsistent with the end of the Cold War and the dramatic growth of commercial and civilian telecommunications networks.
While cryptography -- the science of making and breaking secret security codes -- was once the sole province of the military and the intelligence agencies, the technology today plays an essential role in assuring the security and privacy of a wide range of communications affecting finance, education, research, and personal correspondence. Electronic communications are now widely used in the civilian sector and have become an integral component of the global economy. Computers store and exchange an ever increasing amount of personal information, including medical and financial data. In this electronic environment, the need for privacy-enhancing technologies is apparent. Communications applications such as electronic mail and electronic funds transfers require secure means of encryption and authentication -- goals that can be achieved only through the development and dissemination of robust cryptographic technology within the civilian sector.

The Computer Security Act and Civilian Cryptography

In recognition of the emerging significance of civilian cryptography, Congress enacted the Computer Security Act (P.L. 100-235) in 1987. When Congress enacted the legislation, it expressed particular concern that the National Security Agency ("NSA"), a secretive military intelligence agency, would improperly limit public access to information concerning civilian computer security activities. H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 21 (1987). The House Report on the Act notes that NSA's natural tendency to restrict and even deny access to information that it deems important would disqualify that agency from being put in charge of the protection of non-national security information in the view of many officials in the civilian agencies and the private sector. Id.
To alleviate these concerns, Congress granted sole authority to the National Institute of Standards and Technology ("NIST") -- a civilian agency within the Department of Commerce -- to establish technical cryptography standards for civilian computer security. During Congress' consideration of the legislation, "NSA opposed its passage and asserted that NSA should be in control of this nation's computer standards program." Id. at 7. Congress forthrightly rejected NSA's position, noting that continued military control over all cryptographic development "would jeopardize the entire Federal standards program." Id. at 26.

Since the enactment of the Computer Security Act, CPSR has sought to monitor compliance with its provisions. In keeping with those efforts, CPSR requested relevant information from NIST under the Freedom of Information Act ("FOIA") concerning the development of the "digital signature standard" -- the agency's first proposed cryptographic standard since passage of the legislation. It is important to note that the proposed standard itself would be "applicable to all federal departments and agencies for the protection of unclassified information." 56 Fed. Reg. 42981 (August 30, 1991) (emphasis added). After CPSR filed a lawsuit to compel disclosure of the information, NIST acknowledged that the great bulk of responsive material was under the jurisdiction of NSA. NSA, in turn, has sought to withhold a substantial amount of that information on the grounds that it "concerns cryptology" and is therefore classified. CPSR v. National Institute of Standards and Technology, et al., C.A. 92-0972-RCL (D.D.C.). The current Executive Order is thus being used to classify information relating to a civilian agency's development of a security standard intended to protect unclassified information. Such a result contravenes Congress' intent that non-military cryptographic standards would be developed openly and subject to public scrutiny.
The Public Interest in Cryptography

More recent developments further illustrate how the application of cryptographic technology is moving out of the "national security" realm and is thus an inappropriate subject for presumptive classification. On April 16, 1993, the President announced that "government engineers" had developed a new cryptographic device known as the "Clipper Chip" that is intended for widespread public use. The President noted that "[s]ophisticated encryption technology has been used for years to protect electronic funds transfer ... [and] is now being used to protect electronic mail and computer files." He also recognized that "encryption technology can help Americans protect business secrets and the unauthorized release of personal information." Unfortunately, the administration subsequently acknowledged that the "Clipper" technology was developed by NSA and that the underlying technical data is classified. As in the case of the digital signature standard, a new technology that may have a significant impact on the nation's telecommunications infrastructure was developed in secrecy behind a shield of NSA-imposed classification. There is a great deal of interest in the development of civilian cryptography, but public involvement in the process has been substantially hampered by the improper classification of relevant technical information. See, e.g., Markoff, U.S. as Big Brother of Computer Age, New York Times, May 6, 1993 at D1.

In the Cold War atmosphere that prevailed for 45 years, cryptography was often viewed as a national security matter and policy makers were at times willing to permit the National Security Agency and the military establishment to maintain a shroud of secrecy around the technology, even to the detriment of scientific research and public accountability. With the end of the Cold War and the growth of widely available computer network services, this view of cryptography must change.
Indeed, Congress recognized the need for reform when it enacted the Computer Security Act in 1987, even before the demise of the Soviet Union. At the same time, cryptographic technology has become an increasingly vital component of the nation's civilian information infrastructure. Under these circumstances, there is no rational basis for continuing the presumption that information that "concerns cryptology" should be classified. The economic and scientific cost to the country of the continuation of this policy will be substantial and cannot be justified.

We believe that cryptographic information should only be classified upon a specific showing that such disclosure will result in an identifiable harm to legitimate national security interests. Such a showing could clearly be made, for instance, with respect to the actual "keys" to government cryptographic systems. However, the wholesale classification of all information relating to this increasingly important field of computer science cannot be justified and may even slow the development of more secure systems. We urge the Task Force to recommend to the President that "cryptology" be removed from any listing of classification categories that might be contained in a revised Executive Order on security classification.

* "Cryptology" should be removed from the designated "Classification Categories."

Limitations on Quasi-Classification Authority

In addition to our concern regarding classification for cryptology, we wish to raise several additional points about the operation of the Executive Order. One aspect of the Executive Order concerning classification authority with which we agree has not received proper attention from federal agencies. That is paragraph (b) of Part 1, which states that "Except as otherwise provided by statute, no other terms shall be used to identify classified information."
It has been CPSR's experience that agencies continue to use the designation "sensitive but unclassified" to invoke a national security concern when in fact there is no basis for such a claim and when such a "quasi-classification" is disfavored by the Executive Order and contrary to the intent of the Computer Security Act. In one instance, the Federal Bureau of Investigation specifically restricted public access to information regarding the development of certain computer systems because it designated technical documents "sensitive but unclassified." We believe that these activities improperly restrict public access to government information that should otherwise be made available. For this reason, we believe that a revised Executive Order should make very clear that classification authority is narrowly restricted.

* Classification authority must be narrowly construed and invoked only pursuant to designated classification levels, recognized by statute or executive order.

Limitations on Classification to Conceal Misconduct

We are further concerned that Section 1.6(a)-(b) and Section 5.4(b)(2)(c) in the current Executive Order have not received adequate attention by the national security community. Section 1.6(a) states that:

    In no case shall administrative information be classified in order to conceal violations of law, inefficiencies, or administrative error; to prevent embarrassment to a person, organization, or agency; to restrain competition; or to prevent or delay the release of information that does not require protection in the interest of national security.

Section 1.6(b) further states that "[b]asic scientific information not clearly related to the national security may not be classified." Section 5.4 (Sanctions) states, in pertinent part, that:

    (b) Officers and employees of the United States government and its contractors, licensees, and grantees shall be subject to appropriate sanctions if they: . . .
    (2) knowingly and willfully classify or continue the classification of information in violation of this Order or any implementing directive;

    (c) sanctions may include reprimand, suspension without pay, removal, termination of classification authority, loss or denial of access to classified information, or other sanctions in accordance with applicable law and agency regulation.

As indicated above, it has been CPSR's experience that the National Security Agency sought to conceal its activities under the Computer Security Act through improper assertion of the (b)(1) exemption to the Freedom of Information Act. It is clearly an improper use of classification authority to conceal agency conduct in this manner. Such activities frustrate public oversight and permit the abuse of powers. Based on this experience, we make the following recommendations:

* ISOO should conduct an investigation to determine whether the NSA's classification of documents regarding cryptography was improper and, if so, whether sanctions are appropriate for the agency officials involved.

* Any agency or government official exercising classification authority with the intent of concealing misconduct, inefficiencies or improper conduct should be subject to sanctions, and the ISOO should make known on an annual basis its efforts to ensure that such activities do not occur.

Implementation and Review

It is also our belief that it would be appropriate to establish an independent commission on classification authority that would meet periodically to review the activities of the Information Security Oversight Office and to solicit public input on issues regarding information classification and national security. Such a commission could include a representative of the National Security Council and the Director of the ISOO. It would also include distinguished archivists, historians, journalists, librarians, scientists and academics.
Such a commission could provide ongoing oversight of the classification program and help ensure that future policies reflect the widespread needs of our country in information policy and the changing nature of our national security interest.

We appreciate this opportunity to present our views and would be pleased to provide you with any additional information you might require.

Marc Rotenberg
CPSR Washington Director

David L. Sobel
CPSR Legal Counsel