From EFF Online V 5. No 14 8/5/93, official response on EFF Clipper questions--a MINDBOGGLER!
Because these measures may be sufficient to make key escrow encryption the easiest and most available privacy protection it would be imprudent to pursue the far more drastic step of regulating private encryption.
`drastic'? `imprudent'? this from the NSA?
The Administration has progressed far enough in its review to conclude it will not propose new legislation to limit use of encryption technology.
GOOD LORD! HALLELUJA! VICTORY! (Is that a typo?! Did they mean `not far enough'? That's what I *thought* they said at first!) (uh, if this is right, can we get that in writing? with D. Denning's signature?) BTW, This paragraph is almost incoherent and has another typo. Did NSA have a hangover when they wrote this? Or were they drunk? * * * Other notes:
Enhancing the government's ability to decrypt non-key escrow encryption used by the targets of authorized law enforcement wiretaps is another possible strategy for coping with the effects of encryption on law enforcement. However, since encryption appears in a number of forms and applications, the costs are likely to be substantial and may not be either affordable or practical given the requirement for "real time" decryption in the course of wiretap operations.
This is the `give the NSA more money for research' argument, and is infeasible not solely because of `a number of forms of encryption and applications' but because of the underlying *security* of the emerging schemes. Also in this they specifically address the question of whether Key Escrow is legal within constitutional rights. Here they are so bold as to suggest the 4th amendment is *strengthened* because only `legally lawfully authorized' (their three most favorite words) taps can be installed. Interesting, I wonder how our esteemed forefathers would react to this unique interpretation of their masterpiece. But as long as Skipjack is voluntary this begs the question. The fundamental question: is *mandatory* or *restricted* use unconstitutional? Also, we have the first official written admission that `criminals' may turn to other schemes or `double encrypt' (i.e. encrypt the data into the system). ===cut=here=== Date: Fri, 6 Aug 1993 10:34:22 +0900 From: farber@central.cis.upenn.edu (David Farber) Subject: EFFector Online 5.14 [...] **************************** Answers to Clipper Questions **************************** In a previous EFFector Online, we printed some of the 114 questions sent to President Clinton by the Digital Privacy & Security Working Group on the Clipper Chip. On July 29, we received a response to these questions from John D. Podesta, Assistant to the President and Staff Secretary. Some highlights of the response follow. The complete text of the response will be posted to EFF's ftp site. Why is key escrow being proposed? The development of key escrow encryption technology was born out of a recognition on the part of the U.S. Government of the public's growing desire for high quality encryption capability for commercial and private use. At the same time, the Government was concerned that the widespread use of this technology could make lawfully authorized electronic surveillance much more difficult. Historically, law enforcement encountered very little encryption, owing largely to the expense and difficulty in using such technology. With growing availability of lower cost, commercial encryption technology for use by U.S. industry and private citizens, it became clear that a strategy was needed that could accommodate the needs of the private sector for top notch communications security; of U.S. industry to remain competitive in the world's secure communications market; and of U.S. law enforcement to conduct lawfully-authorized electronic surveillance. Enhancing the government's ability to decrypt non-key escrow encryption used by the targets of authorized law enforcement wiretaps is another possible strategy for coping with the effects of encryption on law enforcement. However, since encryption appears in a number of forms and applications, the costs are likely to be substantial and may not be either affordable or practical given the requirement for "real time" decryption in the course of wiretap operations. Why is the algorithm classified? A classified algorithm is essential to the effectiveness of the key escrow solution. The use of a classified algorithm assures no one can use the algorithm in non-escrowed systems. Also, disclosure of the algorithm would, in effect, provide the world with an extremely secure encryption capability that could be implemented and used in systems by those whose interests are adverse to U.S. national security interests. Finally, NSA classifies all of the algorithms used for defense systems as part of its policy to take all reasonable steps to assure the security of systems it develops. The algorithm was classified in accordance with Executive Order 12356 and its implementing regulations. For all these reasons the encryption algorithm could not be chosen from those already available to the public, such as the Data Encryption Standard (DES). Similarly, the algorithm cannot be published for public review and comment. Nonetheless, in keeping with the Presidential Decision Directive of April to allow independent experts to review the integrity of the classified algorithm, five such experts have already begun a study of the algorithm. We expect their findings to be made public soon. Is the key escrow initiative compatible with constitutional rights? Questions have been raised whether the requirement of key disclosure infringes upon one's right to free speech under the First Amendment, the right against self incrimination contained in the Fifth Amendment, or the right against improper search and seizure in the Fourth Amendment. The key escrow scheme does not require the owner or user of a device equipped with the key escrow encryption chip to say or produce anything. The key escrow technique in no way addresses the issue of what people may choose to say, and the individual user of key escrow products will not be required to provide the government any information. Indeed, the individual will not know the keys. Thus, this technology or technique in no way impacts the rights available under the First or Fifth Amendments. Law enforcement organizations will not be able to decrypt communications without the device unique key and they can only obtain the key components needed to determine a device unique key after making an appropriate certification of their authority to conduct electronic surveillance to the independent key escrow agents. Thus, this technology actually strengthens the Fourth Amendment protections afforded individuals, since law enforcement cannot obtain the contents of communications without first obtaining the key component. Will use of the key escrow technology be required? One point clearly stated in the Presidential Decision Directive and emphasized several times since April is that use of key escrow encryption technology is voluntary. While the U.S. government encourages its use because of the excellent security it provides, and will promulgate standards permitting its use by government departments and agencies, there is no requirement that the public use it. No doubt some, particularly those intent on thwarting authorized wiretaps, will buy other forms of encryption or could "double encrypt" their communications suing a key escrow device in combination with a non-escrowed device. But we believe the vast majority will buy this system because it is easy to use, provides superb security, and likely will be readily available in commercial products. The Administration has chosen to encourage the widespread use of key escrow devices rather than mandating or regulating its use. Though we recognize the risks to law enforcement activities posed by the widespread use of sophisticated encryption products, we also recognize that encryption is an effective means to secure communications and computer systems. Thus far, government purchases and standards have created secure products that sere bought by private citizens "piggybacking" on the government's development effort. It makes little sense for the government to promulgate standards or to develop products that will defeat law enforcement interests if and when they spread to the private sector. Because these measures may be sufficient to make key escrow encryption the easiest and most available privacy protection it would be imprudent to pursue the far more drastic step of regulating private encryption. The Administration has progressed far enough in its review to conclude it will not propose new legislation to limit use of encryption technology.