Date: Sun, 29 Aug 1993 08:13:32 -0500 From: farber@central.cis.upenn.edu (David Farber) Subject: CLIPPING CLIPPER by permission from CACM To: interesting-people@eff.org (interesting-people mailing list) From: hoffman@seas.gwu.edu (Lance J. Hoffman) Several people have asked me to post this for those who do not get Communications of the Association for Computing Machinery. So here it is, reprinted with permission from Communications of the ACM, September 1993, volume 36, number 9. (This is a version which differs in minor detail from the one which finally appeared, and which does not have the footnotes included in the CACM article. But, otherwise it is substantially the same.) Viewpoint: CLIPPING CLIPPER Professor Lance J. Hoffman Department of Electrical Engineering and Computer Science The George Washington University Washington, D. C. hoffman@seas.gwu.edu The FBI is becoming increasingly worried about the fact that the United States is technologically close to having effectively unbreakable encryption available to individuals. This will eliminate its capability to listen in on specific telephone conversations, even with a court-authorized warrant under existing wiretap legislation. In 1991, it pushed legislation to to require significant changes in computer hardware, software, and communications equipment so that agents could maintain these capabilities in the increasingly digital telephone network [1]. But opposition by computer and communications companies, professional societies, and civil libertarians convinced the Senate to remove the provision from its crime bill. Last year, not one member of Congress was willing to introduce legislation requiring telecommunications providers to turn back the clock and redesign the emerging digital telecommunications system so that the FBI could, at some considerable economic cost to all users, continue to tap, under court order, certain digital communications [2]. Now the FBI and its allies in the intelligence community have persuaded the President to pursue a course which, if not reversed, may achieve the same goal by effectively building "Big Brother" capabilities into the computer/telephone network of the future with the "Clipper" chip, an encryption device with applications in telephones and other computer network peripherals [3, 4, 5]. The Clipper encryption method [6] (see sidebar) requires escrowing of user encryption keys with two trusted authorities, not announced as of this writing. One might anticipate the government will compound its surprising move with Clipper by selecting two in-government executive-branch entities as the escrow agents. If it does so, there will be further erosion of the power of Congress to establish public policy. One could, of course, ask whether escrow technology will be accepted by computer users who can get the real thing elsewhere. Encryption is available around the world without the burden of key escrowing -- preliminary survey results from the Software Publishers Association revealed 143 non-U.S. and 133 U. S.-based cryptographic products, many providing DES [7] and/or RSA [8] capabilities. Moreover, encryption software (including DES and RSA algorithms and the user-ready and popular Pretty Good Privacy (PGP) [9] secure message system) is freely downloadable from public networks around the world [10]. Encryption is becoming increasingly important. Persons who wish unescrowed confidentiality -- both law-abiding persons and criminals -- will find and use other encryption schemes to protect information they wish to keep secure. After all, it is not hard to superencrypt messages with one's own software or hardware encryption first, not registering any key with any authority, and very possibly using an imported device (or software) from another country. Increasingly, travelers use telephones to communicate information back and forth between workstations they have never seen before and their home or office computers; the threats of eavesdropping and falsification are much greater than in years past [11]. These persons can't be expected to trust a U. S.-developed standard whose algorithm is secret if they can instead turn to cryptosystems available elsewhere with an algorithm that has faced public scrutiny and whose keys are completely under control of the user. The only way a government can prevent this is by outlawing the use of encryption methods which are not readable by the government. The Administration admits that this is a fundamental policy question which "will be considered during the broad policy review" [12] it has underway. If the government adopts (or, as it appears now, decrees) such a "Digital Volstead Act", there will be some benefits to law enforcement. In the long term however, it will have a negative effect on individual freedom and liberty. It might even encourage contempt for law enforcement on the digital network since strong cryptographic algorithms are already available in software, freely reproducible by all who desire, regardless of where they live or work. The Clinton administration should postpone the introduction of Clipper. And Congress should mandate a serious, open, public review of the issues and options facing society. The implications are too profound to allow the promulgation of the first partially classified Federal Information Processing Standard (FIPS) without appropriate discussion. Congress should also move to strengthen the independence of NIST, which has apparently not only used the National Security Agency's skills in cryptography (as required by the Computer Security Act of 1987) but also appears to be all too eager to adopt its policy interests as well. This has resulted in the discussion of critical issues being framed by the cryptographic policy specialists at NSA, who have so far sidestepped Congress and are protecting their traditional ways of doing things, while the world is changing all around them. They are apparently reluctant to admit that cryptography and the policy issues that go with it are now important enough to merit a full public debate, or that the genie may be out of the bottle, or that we now have "a regulatory structure that goes back to the cold war and does not recognize the realities of the present situation" [11]. So they are using the Clipper initiative to pull off a "turf coup d'etat". The issue here is U.S. cryptographic policy and who controls it, not the technical merit of the Clipper initiative. This has far-reaching policy implications [13, 14] and is not an issue for the technical community only. The Clinton administration has, to its credit, identified the important questions and realizes that there are serious constitutional issues here. Unfortunately, it has picked the wrong player -- the National Security Council -- to examine them in the wrong forum, a classified one. There is no valid reason for the broad policy debate to be classified and many reasons for it not to be; one of the most important is the government's credibility. There is no need to rush to judgement here. The administration has not reached out beyond the government to computer hardware or software manufacturers or to the telecommunications industry or to business in general or to academe during the planning of the Clipper initiative. This is one reason that almost all the major players in the industry have raised serious objections [11, 10, 15]. No adequate and public analysis of the economic and social costs and benefits of the Clipper proposal has yet been done. Unfortunately, the administration is conducting a hasty ill-defined investigation, going hell-bent for leather to conclude by about the time you read this [19]. Instead, what is needed is a serious, comprehensive, dispassionate study, with real data, cool heads, unbiased scientists, legal experts, and adequate time for examining many intricate issues which threaten long lasting, even permanent, consequences for the basic structure of constitutional government in the United States. A number of issues must be considered in the encryption policy discussion: - Very serious Constitutional questions. In the opinion of some, the government's key-escrow initiative would violate the First, Fourth, and Fifth Amendments of the U. S. Bill of Rights [15, 20, 21], and possibly others such as the Ninth and Tenth. - Serious questions regarding the proposed Clipper key escrow scheme, including non-government escrow agencies and software solutions [22] - 114 questions asked by the Digital Privacy and Security Working Group [15]. As of this writing, NIST had not responded to these. - How U. S. firms can compete with foreign firms who don't have to "dumb down" [23] the technology (the "level playing field" issue) - Tensions between law enforcement, national security, and the citizen's personal freedoms and rights, such as privacy. - The future world of a National (and International) Information Infrastructure, and why export controls [10, 24] have to be reformulated - A rough cost/benefit analysis of any controls over cryptography, including retraining and conversion costs for cryptographic experts with much less to do if an increasing amount of traffic will be encrypted well enough to defy effective decryption by them. Better answers will emerge if respected organizations such as the National Academy of Sciences and the Office of Technology Assessment are given the opportunity to analyze the issues carefully. There are meritorious alternatives to Clipper. For example, Professor Silvio Micali of MIT has proposed a multi-key escrow capability in which multiple trusted parties authenticate a message and/or allow eavesdropping [25]. The parties can be selected by the message sender or jointly by the sender and the other party (as with current escrow agents). Without a choice of alternatives, many persons who are eager to develop and use the emerging information infrastructure -- "digital superhighways" and other forward-looking projects of Vice President Gore -- will turn away from those projects. The full potential of the network and the Vice President's vision will never be realized. The Computer System Security and Privacy Advisory Board, created by the Computer Security Act of 1987, called for such a full, public national review of cryptographic policy in March 1992. It, too, is queasy with the Clipper initiative. On June 4, 1993, it passed a resolution which stated that "Key escrowing encryption technology represents a dramatic change in the nation's information infrastructure. The full implications ... are not fully understood at this time. Therefore, the Board recommends that key escrowing encryption technology not be deployed beyond current implementations planned within the Executive Branch, until the significant public policy and technical issues ... are fully understood". NIST has not (ever) taken any significant action on the cryptographic policy suggestions of this national statutory board whose basic mission is to be alert for latent public policy issues related to computer and communications technology. By the time you read this, the government policy "review" may be close to completion. Computer professionals have a special obligation to let their senators and member of Congress (as well as other key legislators) know of the profound negative impacts of such a rush to judgment, and to urge them to defer this initiative. Copies of those communications should also be sent to the President (whose electronic mail address is president@whitehouse.gov), the vice president (whose electronic mail address is vice.president@whitehouse.gov), and to NIST which is the official government spokesman on the issue through its deputy director, Raymond G. Kammer, (kammer@micf.nist.gov). REFERENCES 1. Sessions, W.S., "Keeping an Ear on Crime", New York Times, March 27, 1992, page A35. 2. Denning, D., To Tap or Not to Tap. CACM 36:25-44, 1993. 3. Statement by the Press Secretary on a Cryptography Initiative. White House Press Office, April 16, 1993. 4. Markoff, John, "U. S. as Big Brother of Computer Age", New York Times, May 6, 1993, page D1. 5. Mintz, John and Schwartz, John, " Chipping Away at Privacy?" Washington Post, May 30, 1993, pages H1-H4. 6. Denning, D., "Cryptography, Clipper, and Capstone", Proc. 3rd CPSR Cryptography & Privacy Conf., Washington, D.C., June 7, 1993. 7. National Bureau of Standards, Data Encryption Standard, Washington, D.C.:1977. 8. Rivest, R., Shamir, A. and Adelman, L., A method for obtaining digital signatures and public-key cryptosystems. CACM 21:120-126, 1978. 9. Zimmerman, P., "PGP, Public Key Encryption for the Masses", Proc. 3rd CPSR Cryptography & Privacy Conf., Washington, D.C., June 7, 1993. 10. Rosenthal, I., Software Publishers Association Statement to the Computer System Security and Privacy Advisory Board on cryptography, June 3, 1993. 11. Diffie, W., Testimony before the House Subcommittee on Telecommunications and Finance. Congressional Record June 9, 1993. 12. Statement by the White House Press Secretary, Questions and Answers about the Clinton Administration Telecommunications Initiative, April 16, 1993. 13. Who Holds the Keys? In: Proc. 2nd Conf. on Computers, Freedom, and Privacy, edited by Hoffman, Lance J. New York, N.Y.: Association for Computing Machinery, 1993, p. 133-147. 14. Murray, W.H., Who holds the keys? CACM 35:13-15, 1992. 15. Digital Privacy and Security Working Group, Issues and Questions Regarding the Administration's Clipper Chip Proposal, in [18], 36-47, 1993. 16. Denning, D., Position Statement Supporting the Key-Escrow Chip, in [18], 64-67, 1993. 17. Postings to sci.crypt, comp.risks, and alt.privacy.clipper Internet newsgroups after the announcement of the key escrow initiative. 18. Cryptographic issue Statements Submitted to the Computer System Security and Privacy Advisory Board, May 27. 1993, Gaithersburg, Md.:NIST, 1993. 19. Schwartz, J., "U. S. Data Decoding Plan Delayed", Washington Post, June 8, 1993, p. A-12. 20. Computer and Business Equipment Manufacturers Association, Statement before the Computer Systems Security and Privacy Advisory Board, May 27, 1993, in [18], 138-161, 1993. 21. American Civil Liberties Union, Comment for Cryptographic Issue Statements, in [18], 195-199, 1993. 22. NIST Computer System Security and Privacy Advisory Board, Resolution #1 and #2 of June 4, 1993. 23. Goldman, J., Why Cater to Luddites? New York Times, March 27, 1992, p. A35. 24. Turner, G.W., Commercial Cryptography at the Crossroads. Information Systems Security 1:34-42, 1992. 25. Micali, S., Fair Public-Key Cryptosystems (Preliminary Draft 3/25/93), MIT Laboratory for Computer Science, Cambridge, Mass. -- Professor Lance J. Hoffman Department of Electrical Engineering and Computer Science The George Washington University (202) 994-4955 Fax: (202) 994-0227 Washington, D. C. 20052 hoffman@seas.gwu.edu