Interactive Week exclusive - White House to launch "Clipper III"

[Will Rodger]

On 5/18, Tim May wrote:

>A question for Will Rodger: Is this "White Paper" ("The newest proposal is
>contained in a 24-page White Paper, a draft of which hit Capitol Hill
>earlier this week") related in any way to the one being prepared by Herb
>Lin and a bunch of other folks? It was due out about this time, and the
>topic seems similar.  A bunch of us gave input to Herb and his panel at the
>CFP in '95...if this is the same White Paper, looks like we might just as
>well have saved our breath.

Don't know. This did have full input from security agencies, however.

>I read the stuff at the URL, and at first blush it looks to say nothing
>about _domestic_ (within the U.S. and Canada) encryption. I'll be anxious
>to see what the White Paper says about domestic encryption.
>

No restrictions domestically nor in Canada. Even so, these CAs and the
policy body above it clearly give the govt. more of a role in controlling
crypto.


>However, as with other proposed crypto laws and "trial balloons," there are
>several questions which arise:
>
>1. Will there be pressures put on the browser companies (Netscape,
>Microsoft, etc.) and the e-mail companies (Qualcomm, Microsoft, Claris,
>Lotus, etc.) to produce a "world version" that meets export standards with
>a single shrink-wrapped package?
>
>(Recall that last fall some of the various companies stated as their goal
>having a single package that could be shipped worldwide. Some of them
>claimed having two versions, a domestic U.S. version and an international
>version, was too onerous. I am skeptical of this, given that they have
>multiple platforms to support, multiple operating systems, etc. But they
>claim it is.)


>
>2. Interoperability. How will U.S. users exchange messages with
>international users? Will a U.S. user have to register with the Authorities
>to get the proper credentials, protocols, etc.?

No indications they would. Idea is each authority could talk to the other
and request escrowed keys or info. a la interpol. Of course, as today,
there's no guarantee that agreements will always be in place, nor honored.

>
>3. With products like PGP, there are already international users (lots of
>them). Thus, no "export laws" are involved. So, will I be able to
>communicate with them using my existing PGP methods?

Under the White Paper, yes.

>
>And if U.S. users can continue to interoperate with international users as
>they are now doing, this puts the lie to claims about how key escrow will
>be useful for law enforcement.

Which makes it look a lot like the old proposal.

>
>4. And of course there is always the issue of _superencryption_. How a
>GAKked program can detect that superencryption is being used has never been
>adequately explained (to my satisfaction at least). Entropy measures won't
>do it, and forbidding any encryption of messages already containing "BEGIN
>PGP" will clearly just be a klugey bandaid.
>
>5. What about U.S.-based corporations with offshore offices? Is a company
>supposed to replace its entire intranet corporate network with a GAKked
>system if even a single user is outside the U.S.-Canada?

If it's legal now, the paper suggests it should be legal in the future.


>
>6. What about U.S. persons travelling abroad?
>
>7. What about packets zinging around the world? Lots of complications if
>GAK is insisted upon. And lots of new avenues for "packet laundering."
>
>8. The issue of why other countries would insist that their citizens GAK
>their keys when U.S. citizens don't have to!!

>("Yes, Herr Glomlutz, we are insisting that all Germans using Netscape 4.0
>must deposit their keys mit der Key Authority. No, we are not requiring our
>own citizens to do this." I don't think this will fly too well.)
>
>I can't see how other countries will go along with this.

The Paper is quite unclear on this, as well. Presumabyt other countries
will have equally spiffy stuff they will require be escrowed for export
under COCOM. ALl of this, of course, assumes cooperation from OECD, et al.

>
>And what about the usual problem of "rogue nations" like Iraq, Iran, North
>Korea, Israel, and Liberia?

Same as before.

>
>9. Many other issues. (They never answered the similar questions raised the
>last time, so I doubt they will this time.)
>
>
>Clipper III, if it turns out to be another worthless proposal which is
>laughed out of Washington, will be no real threat. If Clipper III actually
>outlaws or places limits on domestic use of crypto (as I think it must,
>else it can be too easily circumvented completely), then it will be a
>rallying cry which will likely see our membership increase still further,
>the anti-Washington rhetoric escalate, and likely some new developments in
>the war.

Stay tuned....

Will Rodger
Washington Bureau Chief
Interactive Week.