TUCoPS :: Crypto :: submit.txt

Submissions to NIST CSSAB on encryption and CLIPPER technology initiative

From: padgett@tccslr.dnet.mmc.com (A. PADGETT PETERSON, P.E., INFORMATION SECURITY (407)826-1101)
To: "kammer@micf.nist.gov"@UVS1.dnet.mmc.com,
        "crypto@csrc.ncsl.nist.gov"@UVS1.dnet.mmc.com
Subject: Clipper/Capstone Key Escrow Management

re: maintaining Clipper/Capstone key confidentiality

Recently in an E-Mail conversation with Dorothy Denning a thought occurred
to me concerning a means to avoid the key-management problems inherent
with authorized wiretaps. Since this has been one of the apparent stumbling
blocks concerning the issue and since Mrs. Denning indicated that this
possibility had not come up in her conversations with NSA/NIST, the
current "call for comments" seemed to be an appropriate time to present
my concept formally.

The objection seems to have been primarily that if the keys are released
for a particular chip or chips so that a properly ordered wiretap may
take place, would not the keys (and the chips) have to be considered
compromised thereafter?

My concept is simply that the keys are never distributed to outside
parties. Instead, on presentation of a properly approved wiretap order, the
requesting agency receives a special complementary Clipper chip to that
mentioned in the order that is configured for "receive only".

The chip is then used by the requesting agency for the duration of the tap
and is required to be returned to the escrow agency on expiration of the
warrant.

Utilizing this concept three advantages accrue:

 1) Since the keys are never divulged, confidentiality is restored once
    the wiretap chip is returned to the escrow agency.

 2) Since the wiretap chip is unique and identifiable hardware, full
    accountability is maintained.

 3) Since the wiretap chip is "receive only", a recording of the encrypted
    transmission might be admissible as part of the "chain of evidence" as
    only the original Clipper could have produced it.

Note: while I have discussed the first two points before, I believe this is
      the first public mention of the third possibility.

                              Respectfully,

                              A. Padgett Peterson, P.E.  

From forman@cs.washington.edu Thu May 13 12:29:49 1993
Received: from june.cs.washington.edu by csrc.ncsl.nist.gov (4.1/NIST)
     id AA03876; Thu, 13 May 93 12:29:41 EDT
Posted-Date: Thu, 13 May 93 09:29:41 -0700
Received-Date: Thu, 13 May 93 12:29:41 EDT
Received: by june.cs.washington.edu (5.65b/7.1ju)
     id AA23713; Thu, 13 May 93 09:29:41 -0700
Date: Thu, 13 May 93 09:29:41 -0700
From: forman@cs.washington.edu (George Forman - GHF)
Return-Path: <forman@cs.washington.edu>
Message-Id: <9305131629.AA23713@june.cs.washington.edu>
To: crypto@csrc.ncsl.nist.gov
Cc: forman@cs.washington.edu
Subject: RE: 1.    CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES


RE: 1.    CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES
================================================================

(Certainly others have submitted these ideas, so I'll be very terse.)


#1. I believe no attempt should be made to limit domestic use of strong
encryption techniques.  

(One cannot legislate that all communication be intelligible to the
government.  Such laws cannot be enforced.  Information can be sent in
many subtle ways.  Only the good guys and the dumb bad guys will comply.)


#2. While I think "key escrow cryptography" is interesting technology
(and perhaps useful within some businesses), I do not believe it should
be adopted as a national standard.

(Its costs and risks outweigh its practical benefit.  Consider #1 above.
Also, power corrupts-- the escrowed keys will be the subject of many
attacks; consider the complexity and cost of maintaining nearly infinitely
many keys forever.  And how hard will it be for the FBI to obtain the right
escrow keys if a bad guy is using several stolen phones, and perhaps
encrypting his e-mail messages with standard encryption programs
available on BBSs and the Internet?)


#3. I think the details of any nationally adopted encryption scheme
should be published.

(I think publishing the details of the encryption system has a great
benefit-- lots of people who care will proofread it and test its
robustness.  Having only a few great minds proof it isn't as good as
having a lot of people beat on it.)

Thank you for your effort to collect responses,

     George Forman
     PhD candidate, Univ of Washington, Seattle
From tad@ksr.com Thu May 13 12:52:06 1993
Return-Path: <tad@ksr.com>
Received: from hopscotch.ksr.com by csrc.ncsl.nist.gov (4.1/NIST)
     id AA03910; Thu, 13 May 93 12:52:00 EDT
Posted-Date: Thu, 13 May 93 12:52:37 EDT
Received-Date: Thu, 13 May 93 12:52:00 EDT
Received: from ksr.com (frankenstein.ksr.com) by hopscotch.ksr.com with SMTP
     id AA28692; Thu, 13 May 1993 12:51:42 -0400
Received: from foramena.ksr.com by ksr.com (4.0/SMI-3.2)
     id AA11458; Thu, 13 May 93 12:52:39 EDT
Received: by foramena.ksr.com (4.1/KSR-2.0)
     id AA02284; Thu, 13 May 93 12:52:37 EDT
Date: Thu, 13 May 93 12:52:37 EDT
From: tad@ksr.com
Message-Id: <9305131652.AA02284@foramena.ksr.com>
To: crypto@csrc.ncsl.nist.gov
Subject: Clipper chip review

   I wish to add my voice to the NIST review of the Clipper/Capstone
proposal. I welcome the opportunity to do so electronically.
   The Clipper Chip proposal seems to have value by establishing a
standard. However, it destroys that value through the secrecy of the
algorithm, the lack of a software implementation (which is required
to retain that secrecy), and the government access to decryption. I,
as a citizen, would not use any encryption which is as weak as this scheme
appears. Better schemes, and better implementations exist in the open
market. I believe that the best approach for the federal government is
to relax the export criteria for encryption devices. The Clipper Chip
comes through as a waste of time and money.

                              Jeff Deutch
                              Computer Engineer
                              Kendall Square Research Corp.
                              (tad@ksr.com)
(Affiliation given for identification purposes only.)

From john_fletcher@lccmail.ocf.llnl.gov Thu May 13 16:45:40 1993
Return-Path: <john_fletcher@lccmail.ocf.llnl.gov>
Received: from ocfmail.ocf.llnl.gov ([134.9.48.4]) by csrc.ncsl.nist.gov (4.1/NIST)
     id AA06513; Thu, 13 May 93 16:45:34 EDT
Posted-Date: 13 May 1993 13:41:19 U
Received-Date: Thu, 13 May 93 16:45:34 EDT
Received: from lccmail.ocf.llnl.gov by ocfmail.ocf.llnl.gov (4.1/SMI-4.0)
     id AA07003; Thu, 13 May 93 13:45:30 PDT
Message-Id: <9305132045.AA07003@ocfmail.ocf.llnl.gov>
Date: 13 May 1993 13:41:19 U
From: "John Fletcher" <john_fletcher@lccmail.ocf.llnl.gov>
Subject: Cryptographic Issue Stateme
To: "Crypto Issue" <crypto@csrc.ncsl.nist.gov>

OFFICE MEMO          Subject: Cryptographic Issue Statement          Time: 13:16   Date: 5/13/93

Just by following the specifications published and widely available in FIPS
PUB 46, I personally programmed a C-language DES subroutine package in
about one week.  Subsequently I located a similar package developed in
Australia and available over the Internet.  I then found a DES program
printed on page 506 of the book "Computer Networks" (2nd edition) by Andrew
S. Tanenbaum.  These are just three examples illustrating that the DES
"cat" is "out of the bag" and available to anyone.

In view of this, I believe that the export ban on DES is counter-productive.
It is so clearly ineffective in limiting access to DES that it comes across
as just foolish.  My fear is that foolish regulations tend to reduce
respect for all regulations, even the ones that are well-founded.  That is,
I fear that there are those who might conclude that there are no secrets
worthy of containment when they see efforts expended to contain what is so
clearly not a secret, and I fear that they may act on that conclusion.
 


From BDCARRD1%BUDGET.BITNET@ENH.NIST.GOV Fri May 14 14:20:27 1993
Return-Path: <BDCARRD1%BUDGET.BITNET@ENH.NIST.GOV>
Received: from ENH.NIST.GOV by csrc.ncsl.nist.gov (4.1/NIST)
     id AA10161; Fri, 14 May 93 14:20:21 EDT
Posted-Date: 14 May 1993 14:04:22 -0400 (EDT)
Received-Date: Fri, 14 May 93 14:20:21 EDT
Received: from BUDGET.BITNET (MAILER@BUDGET) by ENH.NIST.GOV (PMDF #2824 )
 id <01GY62TS7P9C002LWL@ENH.NIST.GOV>; Fri, 14 May 1993 14:20:16 EDT
Received: from BUDGET (BDCARRD1) by BUDGET.BITNET (Mailer R2.10 ptf000)
 with BSMTP id 5675; Fri, 14 May 93 14:05:03 EDT
Date: 14 May 1993 14:04:22 -0400 (EDT)
From: David Carroll <BDCARRD1%BUDGET.BITNET@ENH.NIST.GOV>
Subject: Comment on Legal and Constitutional Issues
To: crypto@csrc.ncsl.nist.gov
Message-Id: <01GY62TS7P9E002LWL@ENH.NIST.GOV>
Content-Transfer-Encoding: 7BIT
Comments: Converted from PROFS to RFC822 format by PUMP V2.2X

     I would like to comment on the proposals concerning the Clipper
Chip with respect to the related area of Legal and Constitutional Issues.
I have worked in a variety of positions in the computer field including
technical support of security software and management of a data security
department. I have also completed part of a doctoral program in
Information Science with a concentration in Information Policy. Finally,
I am an active citizen with a strong love of the Bill of Rights.
     I am very concerned that our government should presume to reserve
the ability to gain access to our communications. If two individuals
today spoke a language that police eavesdroppers did not understand,
they ought not to be compelled to explain what the language was so that
the police could decipher their conversations. I believe that the case
of encryption is similar. If individuals are able to encrypt their
communications securely so that only they hold the key, then government
must do without that information. Any other rule would be a form of
a priori self-incrimination which would make a mockery of the Fifth
Amendment.
     The case with respect to the Fourth Amendment is similar. Even given
a legal search warrant, the police are not guaranteed that they will find
the evidence they seek. If the target of their search has hidden the
evidence very well, the search may fail. The target person cannot be
compelled to tell them where the evidence is. I see encryption as similar
to a physical hiding of potential evidence. Giving government the key
would be tantamount to telling the police where to find the evidence,
and compelling people to provide that key would be unconstitutional.
     If the Clipper Chip is only one option and people are free to use
any other hardware or software encryption, then it would not be a threat
to civil liberties. It would also be of questionable value.
     I urge a policy that would remove the NSA from any dominant role
in determining civil liberties questions, something that agency has
proven itself totally incapable of understanding. I urge a policy that
would preserve privacy and freedom from government interference, even
if this means that law enforcement must find other ways to gain evidence.
     Thank you for the opportunity to express my opinion on this important
public policy issue with which I am concerned both professionally and
personally. I give permission to reproduce this comment in any format.
I also make the standard disclaimer that these are my opinions alone.
     David G. Carroll
     1092 Van Antwerp Rd.
     Schenectady, NY   12309
     (518) 377-9384 (Home - weekdays aft. 6pm EDT or weekends)
 

From mrosing@igc.apc.org Sat May 15 11:16:19 1993
Return-Path: <mrosing@igc.apc.org>
Received: from cdp.igc.org by csrc.ncsl.nist.gov (4.1/NIST)
     id AA13703; Sat, 15 May 93 11:16:04 EDT
Posted-Date: Sat, 15 May 93 08:16:12 PDT
Received-Date: Sat, 15 May 93 11:16:04 EDT
Received: by igc.apc.org (4.1/Revision: 1.85 )
     id AA04916; Sat, 15 May 93 08:16:12 PDT
Date: Sat, 15 May 93 08:16:12 PDT
From: Mike Rosing <mrosing@igc.apc.org>
Message-Id: <9305151516.AA04916@igc.apc.org>
To: crypto@csrc.ncsl.nist.gov
Subject: Crypto Issue Statement
Cc: eff@eff.org

          Cryptographic Issue Statement

Howdy,
     The purpose of this statement is to address some of the
issues raised by the Computer System Security and Privacy Advisory
Board from my personal perspective.  As I am not yet a professional
cryptographer I will leave the details for others and attempt to
focus on civil liberties and privacy issues.

     The whole issue presented by the Skipjack algorithm with key
escrow reminds me of a line in Lao Tzu's "Tao Te Ching": the more
rules and regulations a government creates, the more clever the people
become.  The United States government has told the American people
"trust us" for many years.  They gave us Viet Nam, the War on Drugs,
and an invasion at Waco.  Very few sane people trust the U.S.
government.  While the majority of the population is ignorant of what
cryptography can do for them, the people government wants to catch
(terrorists and drug dealers for example) are well aware of how to
keep a secret.

     It is impossible to give government access to all private
encrypted transmissions.  There are enough clever people in the U.S.
who can develop mathematical algorithms for encryption which can be
put into computers for easy use.  Will the government decide to outlaw
"strong crypto" because it defeats their ability to crack it?  If not,
will the government take a recorded encryption and force the creator
of the record to divulge the key?  This would be an exception clause
to the 5th amendment, but there are so many exceptions to the Bill
of Rights today that the majority of the populace won't notice.

     I ask these questions because I am working on a strong
crypto system that I believe I can sell to big business.  It will work
with software or hardware.  It should be straightforward to encrypt
conversation before it goes to the Skipjack routine in the newly
proposed escrow system.  People will then know that even if the
government is listening to their conversation, it will be very
difficult to crack.  I'm sure there is a market for such a device.

     I have the feeling that it really doesn't matter what any
private citizen thinks about the key escrow scheme.  To keep our
privacy we are simply going to have to become more clever.  Keeping the
algorithm secret and then saying "there is no back door" and expecting
people to believe it is wishful thinking.  To be blunt, the whole
thing stinks.

     From what I know about government bureaucracy, this
committee is nothing but window dressing.  You can't actually do
anything about the introduction of the escrow technology system,
except slow it down by a few months.  Will you have the courage to say
this in your final report?  Does any government employee know how to
tell the truth?  You are going to read and hear many arguments against
this technology for the obvious reason that it gives too much power to
government.  The people who really need security will bypass this
technology for something they can trust.  What does the government do
then? 

     If you really want to accomplish something, allow private
citizens such as myself to play with the Skipjack algorithm and the
escrow chip.  When several thousand individual citizens have played
with the device and algorithm there will be a level of trust built up.
The "back door" we fear may be there, but it might be so hard to use
that we could be certain that only the NSA has the resources to use
it.  Without this level of trust, there is little point in introducing
this technology.  If people can't trust their government, all the
other issues are secondary.

Patience, persistence, truth,         reality:  dvader@hemp-imi.hep.anl.gov
Dr. mike                              home:           mrosing@igc.org  
IMI, P.O. BOX 2242, Darien IL 60559   phone: 708-859-0499

From mrnoise@econs.umass.edu Wed May 19 14:05:32 1993
Return-Path: <mrnoise@econs.umass.edu>
Received: from POBOX.UCS.UMASS.EDU by csrc.ncsl.nist.gov (4.1/NIST)
     id AA02699; Wed, 19 May 93 14:05:22 EDT
Posted-Date: 19 May 1993 14:05:09 -0400 (EDT)
Received-Date: Wed, 19 May 93 14:05:22 EDT
Received: from titan.ucs.umass.edu by POBOX.UCS.UMASS.EDU (PMDF #2573 )
 id <01GYD1QUXJ8W00N6OJ@POBOX.UCS.UMASS.EDU>; Wed, 19 May 1993 14:05:12 -0400
Received: by titan.ucs.umass.edu (5.65/DEC-Ultrix/4.3) id AA13647;
 Wed, 19 May 1993 14:05:10 -0400
Date: 19 May 1993 14:05:09 -0400 (EDT)
From: "Mr. Noise" <mrnoise@econs.umass.edu>
Subject: NIST Open Meeting
To: crypto@csrc.ncsl.nist.gov
Cc: mrnoise@titan.ucs.umass.edu (Mr. Noise)
Message-Id: <9305191805.AA13647@titan.ucs.umass.edu>
Content-Type: text
Content-Transfer-Encoding: 7BIT
X-Mailer: ELM [version 2.4 PL21]
Content-Length: 2898

*  Permission granted to reproduce this message in any medium *

To Whom It May Concern:

Thank you for this opportunity to comment on the recent proposals to
establish a "key escrow" system and on the public availability of strong
cryptography in general.  I am a graduate student in the Economics
department at UMASS-Amherst as well as a partner in Brazerko Communications,
a small company started this year in Connecticut to provide electronic
communications services in New London County.  I am writing to you, therefore,
both as a citizen concerned with his right to privacy and as someone
concerned with the effect of government regulation in the rapidly-expanding
electronic communications sector.

As a citizen, I hold dear my rights to free speech and privacy, and I am
proud of America's rich heritage of liberty.  Naturally, I recognize the
government's legitimate need to impinge on that liberty when the nation's
security is at stake, but too often in our history the liberty of the
citizenry has been infringed on a flimsy pretext.  By making it costly for
the government to violate our privacy, the public availability of strong
cryptography will ensure that the government obtains access to our private
communications only when there is a clear need.  In my estimation, this
added liberty is surely worth the costs in increased difficulties for law
enforcement.

We must also ask ourselves who would be harmed by legislation restricting the
availability of strong cryptography or eroding its security through a "key
escrow" system.  Clearly, criminals will not be harmed, but rather the
average, law-abiding citizen.  Just as a ban on small arms would leave
law-abiding citizens unable to defend themselves against gun-wielding
criminals, so too would restrictions on cryptography leave them defenseless
against those who would lawlessly invade their privacy.

The ability to communicate securely over the growing electronic network is
also important to industry.  If firms can conduct their business securely
on the public network, they will take advantage of the opportunities for
increased productivity it affords, engendering growth throughout the
economy.  This is especially important in our global economy, where the
worldwide communications network allows companies to expand overseas with
relative ease.  Not only must encryption be made available for public use,
it must be allowed to cross political boundaries.

While the government's proposal would provide the needed security in
theory, I am sure that others will write in to suggest why public registry
of keys makes the proposal flawed in the real world.  Only individual
citizens and firms can provide security for themselves.  A technology as
important as cryptography cannot be left to the vagaries of the public
sector.

Yours,

Robert Szarka

(For verification or further comment: 1-203-886-6294, voice)




From pcw@access.digex.net Tue May 25 14:59:24 1993
Return-Path: <pcw@access.digex.net>
Received: from access.digex.net by csrc.ncsl.nist.gov (4.1/NIST)
     id AA01394; Tue, 25 May 93 14:59:16 EDT
Posted-Date: Tue, 25 May 1993 14:59:10 -0400
Received-Date: Tue, 25 May 93 14:59:16 EDT
Received: by access.digex.net id AA18141
  (5.65c/IDA-1.4.4 for crypto@csrc.ncsl.nist.gov); Tue, 25 May 1993 14:59:10 -0400
Date: Tue, 25 May 1993 14:59:10 -0400
From: Peter Wayner <pcw@access.digex.net>
Message-Id: <199305251859.AA18141@access.digex.net>
To: crypto@csrc.ncsl.nist.gov


Raymond Kammer 
NIST

Dear Mr. Kammer:

I'm filing my comments to NIST on the Clipper Chip. I would like the
opportunity to testify at your meeting on either June 2, 3 or 4.

Thank you for taking the time to solicit public comment on the chip.

-Peter Wayner

 
 
Comments on the National Institute of Standards and Technology's
(NIST) Proposed Encryption Chip with Key Escrow.
 
Peter Wayner

Permission is granted to freely distribute this text. 
 
 
Abstract: My comments are limited to the practical problems involving
pure hardware solutions. I feel that such systems are unwieldy,
expensive and not easily retrofitted into machines that are already in
service. More importantly, the key escrow system adds an additional
weakness that if compromised, could render the standard obsolete. If
such a "Digital Pearl Harbor" occurred, the country would be without
secure channels until all of the hardware in the country could be
replaced and this could easily take over 1 year.
 
 
Introduction:
 
My comments are limited to the practical problems involved in
implementing a hardware-based encryption standard for the country. I
believe that specialized hardware is an unnecessarily expensive and
overly complicated approach for providing solid encryption
capabilities and these costs will deter people from adopting the
standard. More importantly, these high costs and the general
inflexibility would prevent the US from having a quick response in the
event that the key escrow system became compromised.
 
Although it is hard to estimate the true effect that the NIST chip
could have on the price of telephones and computers, it is possible to
make ballpark guesses. Manufacturers like Sun Microsystems and IBM
multiply the cost of a part by about 4 to determine the impact of
adding that part to the final price of the machine. This would mean
that a chip that cost $25 would add about $100 to the purchaser's cost.
This rule of thumb includes the cost of adding extra inventory,
reworking the assembly lines, re-engineering circuit boards,
re-programming system software, training support staff, re-writing
manuals and other extraneous tasks that are not directly related to
the cost of the part.
 
Some low-end PC manufacturers are able to use lower multiples because
they provide less support and assistance for the final customer. More
importantly, they use very standard designs with off-the-shelf
chipsets that are optimized to make cheap computers available to all.
At this time, though, the chipsets are not designed to allow for an
encryption "co-processor" and adding the chip could be more
expensive. For this reason, I feel that the chip could also add
$100 to the price of off-the-shelf PCs-- an amount that is almost 10%
for many models.
 
The cost of adding the chip to any of the existing computers, though,
could be much more expensive. The chip would need to be mounted on an
expansion board that fits into computers. The cost for this board
would need to be about $100 to cover the costs of marketing,
packaging and stocking the product. Some computers, however, do not
have expansion slots and others have all of their expansion slots
filled up already. Computer manufacturers routinely survey users to
discover how many cards they use so the computers can be built with
the minimum necessary slots. In time, there would be enough space for
a NIST encryption chip card, but until then many users would have
trouble adding the chip to their current system.
 
The high cost is bound to slow the adoption of the standard because
the risk of data insecurity is nebulous and ill-formed. Will they be
willing to pay extra for this security? Will American people be
willing to add the chip to their home phones to protect themselves
from eavesdroppers listening for their credit card numbers? The
problems are severe, but people often don't protect themselves until
it is too late. If the cost is significant, then many people will
certainly balk at the added cost and slow if not stop the development
of the standard.
 


A Cheaper Solution
 
Naturally, every new feature is going to cost something. But the fact
is that encryption does not need to cost this much money if it is
accomplished in software. It could be almost free.  A student on
summer vacation can turn out a system that lives in the public domain.
There is ample evidence that people are willing to do this. PGP
(Pretty Good Privacy) is a system that Phil Zimmerman developed on his
own and gave to the world. NIST could easily pay someone to generate a
public-domain software version for general distribution if it wanted
to provide the lowest cost standard for the people.
 
There is already ample evidence that software solutions succeed and
hardware solutions do not. Several corporations including Cryptech and
AMD have manufactured fast DES chips for years. Yet, the chips are
rarely found in many applications. Public domain implementations of
DES accomplish much of the DES encryption which is done in this
country.
 
I think that most people would agree that a secure standard for data
encryption is necessary to the country's economic health. For this
reason, I believe that a free software implementation is the best way
to achieve this goal. Cost will not prevent people from adopting the
software.
 
The Telephone Problem
 
Perhaps the best example of the cost of converting a $25 chip into a
marketable product is the AT&T secure phone announced on the same day
as the NIST chip. It was priced at over $1000. Certainly, some of this
cost covers the extra electronics to process the voice, but the need
to mark up products to pay for the work is still evident. The price on
these phones is sure to drop as the market grows more mature, but it
should be obvious that the market won't grow substantially until the
price drops more. The Government may be able to afford these rates,
but even the average corporation cannot.
 
The cost of adding secure encryption to handheld market is more
difficult to estimate. Here size, weight and power consumption are
just as important as price and an extra chip adds to each of these
problems. Cellular companies currently aim to manufacture devices at
a price point of $100/unit in wholesale costs. The NIST chip would
mark up the price by at least 25%, drop the battery life, increase the
weight and add to pocket bulge. These are not positive effects on a
product. Yet, digital cellular phones and digital cordless phones are
perhaps the most important market for a secure encryption device
because the signals travel over the airwaves.
 
As before, all of the work of the Clipper chip could be accomplished
in software. Many of the current digital cellular phones use
highly-integrated Digital Signal Processing computers that both
control the phone and handle the signalling chores. Adding encryption
to a phone can be done by merely instructing the programmer to add an
additional function. The cost per unit is minimal and the extra
feature does not affect the power consumption. There is no doubt that
most people would rather have a software solution.
 
 
"Digital Pearl Harbors"
 
The Key Escrow system allows the law enforcement agencies to access
the content of a signal when they are duly authorized. The NIST plan
requires that the key be split up and held by two separate agencies.
This is both a concession to those who fear abuse and a good safety
procedure. But we must remember Ben Franklin's admonishment that
"three can keep a secret if two are dead."
 
Does NIST have plans for replacing the chips throughout the country if
the key escrow services are compromised? Although I realize that
serious precautions will be taken to protect the keys, I hope that
NIST realizes their value. The Russians were able to obtain the
secrets of the atomic bomb and the hydrogen bomb for very little
money. There have been several high-profile spy cases involving
cryptographic information. The intelligence community recognizes the
need to keep information compartmentalized and to frequently change
codes and ciphers but there are still breaches of security. This system,
however, is barely compartmentalized.
 
Criminals are becoming increasingly adept with technology. One group
placed a fake Automated Teller Machine in a Mall and used it to steal
account information which they later used to make fake withdrawals.
Many crimes like this will be possible in the future and I have little
doubt that the escrowed keys will have much more value than the atomic
secrets.
 
The cost of replacing all of the NIST chips around the country would
be prohibitive. What would happen if the FBI discovered that two
people in the different escrow agencies succumbed to bribery? Would
NIST announce a recall of all encryption chips? What would they use to
replace the chips? It could take 6 months to design and fabricate a
new chip in sufficient quantities. There are at least 250 million
phones around the country and 50 million computers. Even if each
computer and phone had a zero-insertion-force socket that made
exchanging the chips easy, the cost to the country would be over $7
billion at $25 a chip.
 
A software solution, on the other hand, could be changed very quickly
in the event of a compromise. Many companies that manufacture virus
software include provisions for delivering updates whenever a new
virus is discovered. The solution often travels substantially faster
than the virus itself because people are able to download the
anti-virus from bulletin boards.
 
The military and the intelligence community routinely change their
cipher systems because they know that mistakes can be made and leaks
can emerge in even the best system. The economic health of the country
is resting, in some part, on the success of large, broadly implemented
encryption systems. Many foreign companies pay princely sums for
American technology. They routinely pay sums that are 10 times larger
than the largest offered by the old Soviet Union. Can we be certain
that two escrow agencies are going to be any more secure than the
atomic scientists or the intelligence community?
 
Conclusions
 
The NIST system is too expensive and too unwieldy for general use.
NIST would be better advised to develop a standard implemented in
software that could be made available to all at no cost. It could be
essentially free and much less prone to dangerous interruptions of
services in case the system was compromised.
 
 

From upsetter@mcl.mcl.ucsb.edu Tue May 25 20:25:09 1993
Return-Path: <upsetter@mcl.mcl.ucsb.edu>
Received: from hub.ucsb.edu by csrc.ncsl.nist.gov (4.1/NIST)
     id AA01716; Tue, 25 May 93 20:24:55 EDT
Posted-Date: Tue, 25 May 93 17:25:01 PDT
Received-Date: Tue, 25 May 93 20:24:55 EDT
Received: from mcl.mcl.ucsb.edu by hub.ucsb.edu; id AA26554
     sendmail 4.1/UCSB-2.0-sun
     Tue, 25 May 93 17:25:24 PDT for crypto@csrc.ncsl.nist.gov
Message-Id: <9305260025.AA26554@hub.ucsb.edu>
Received: by mcl.mcl.ucsb.edu
     (1.37.109.4/MCL.UCSB-HP-16.5) id AA25644; Tue, 25 May 93 17:25:02 -0700
From: Jason Hillyard <upsetter@mcl.mcl.ucsb.edu>
Subject: Cryptographic Issue Statement
To: crypto@csrc.ncsl.nist.gov
Date: Tue, 25 May 93 17:25:01 PDT
Mailer: Elm [revision: 70.85]

This submission is for the NIST's Computer System Security and Privacy
Advisory Board hearing on the Clipper Chip.  It is my understanding that
submissions must be received by May 27 and that hearing will be held on
June 2-4.

I can be contacted at this Internet address or via the information given
at the end of this submission.

Jason Hillyard

-----------------------------

     On June 5, 1991, Philip Zimmerman released a computer program called
PGP to the world.  PGP, which stands for "Pretty Good Privacy", is an
encryption program, a bunch of bits and bytes which Zimmerman himself calls
"guerrilla software".  It was written in response to what he perceived as a
threat to our privacy-- the proposed Digital Telephony legislation pushed
by the FBI and the Department of Justice.  This software engineer decided
to take direct action.  He wrote a high quality encryption program and gave
it away for free.  Today there are versions of PGP available for all kinds
of computers, from Macs to VAX, and programmers all over the world are
working on future versions.

     Zimmerman's actions can be seen as a strong affirmation that
cryptography has gone public.  What was once the exclusive domain of the
NSA and military signal intelligence experts has become a thriving field of
academic inquiry, and it has been for twenty years.  Now encryption is
starting to hit the street.  Our personal computers are perfectly capable
of providing us with the type of communications security once reserved for
the military and intelligence communities.  The digital telecommunications
networks we will become personally acquainted with in the near future will
also provide more opportunities for the public use of encryption.

     Recently, however, there has been a growing public debate about how
strong encryption technology should be and who should be able to use it.
One major player in this debate is the federal government.  Different gears
in the federal machine are squeaking for different reasons.  The executive
branch wants to build its "information infrastructure".  The FBI wants to
keep its ability to easily eavesdrop on telephone conversations.  The NSA
must preserve its position as supreme code maker and code breaker.  In the
past few years a new brand of civil libertarian has also vigorously joined
the debate.  Public-interest groups such as the EFF (Electronic Frontier
Foundation) and CPSR (Computer Professionals for Social Responsibility)
seek to ensure our privacy and civil liberties are not compromised by new
technologies.  They are challenging the government's attempt to influence
the public use of encryption.

     I would also like to introduce a third player in the debate-- the 
"technicians".  These are the computer scientists and engineers who 
develop, design, and implement encryption systems.  As the ones who will 
actually be building the encryption and telecommunication systems of the 
future, we have a unique position to take a leading role in the debate.  
Rather than blindly accept government standards and regulations, we should 
examine the issues and decide for ourselves how encryption technology 
should be used.

FREEDOM TO COMMUNICATE

     The fundamental question boils down to this:  How much access should
the government have to our personal communications?  This presents a
trade-off between the obligations of the government to protect national
security and the rights of the citizens to privacy and free speech.
Proponents of government control insist restrictions on encryption
technology are necessary to conduct lawful investigations of terrorists,
drug dealers, and gangsters.  Opponents cry out that any restrictions
intrude on our right to privacy and right to free speech.

     These arguments are currently being made in the debates on encryption
technology and the Digital Telephony proposal.  I tend to side with the
freedom of speech argument-- but with a twist.  The real issue at stake is
communication.  Simply put, we should have the freedom to communicate, in
any way we wish by whatever medium we wish.  If that means communicating so
nobody else can understand us, so be it.  This is not about restricting
freedom of speech.  As the proponents of government control point out,
there are restrictions on our freedom of speech.  People cannot make
slanderous or libelous remarks.  There are laws against "obscenity".  But
restrictions on freedom of speech deal with speech which can be
understood-- the restrictions are based on content.  What about speech
which nobody, except the parties who are speaking, can understand?  How in
the world could that speech be restricted for its content?

     It can't.  Restrictions on encrypted speech would prevent speech
simply because it had the potential to be obscene, the potential to be
libelous, the potential to be a threat to national security.  The idea of
the government restricting speech simply because it has the potential to be
dangerous is a drastic expansion of government power.  Restrictions on
encryption technology, whether by export control or government-influenced
standards, essentially result in restrictions on encrypted speech.

DEMAND A LEVEL PLAYING FIELD

     Many people won't agree with me-- but that's fine.  As technicians we 
should examine the issues and decide for ourselves how encryption 
technology should be used.  Upon making that decision, we can design 
systems to deal with the issues and satisfy the needs of the public.  If 
one engineer wants to design an escrowed key system, that's fine.  If 
another wants to design a highly secure system, that's fine.

     However, the federal government is ready to decide for us what kind
of communication systems we must design.  That is why we must take a stand
and demand what I call a "level playing field" when it comes to
communication technology.  The technology we design should be built to meet
the specifications of those who use it.  The purpose of the technology
should not be manipulated for the political benefits of a few, as the
Digital Telephony proposal would do.  Communication networks should be
designed to facilitate communications between interested parties.  They
should not be designed to facilitate communications between interested
parties and provide the cops lawful access to those communications.
Encryption systems should be designed to provide the best security possible
for a given application.  They should not be designed to provide the best
security possible, but no security when law enforcement has a warrant to
tap the line.  The law enforcement agencies have no place in demanding
special consideration when it comes to developing or providing
communications technology for the public.

     The government should also realize that changes in technology will
change the way law enforcement does its job.  That's the way the game will
be played on the level playing field.  Our access to technology is based on
how much time, money, and skill we have available.  The FBI should and does
use the technology it feels necessary to do its job better.  And hey, the
drug dealers also use technology:  fast cars, cellular telephones, beepers.
But should we not develop certain benign technologies simply because the
bad guys will use them?  That's a decision the engineers should make, not
the government.

STANDARDIZE IT

     Given this, industry should take the initiative to design and develop 
authentication and encryption products to meet public demand.  They could 
start by developing some international standards.  Interestingly, the 
government always seems to be there when encryption standards are 
developed.  This is not true for other telecommunications standards.  What 
normally happens is that a standards organization, such as the 
International Telecommunications Union or the International Standards 
Organization, gets together and decides on the specifications for a 
proposed standard.  Then various companies go to work on their various 
solutions and propose them to a committee.  After a debate, the committee 
decides on a standard.  The government never plays a part.

     But for some reason, the NIST and the NSA feel they have been given
the authority to develop encryption standards.  They were involved in the
design of the Data Encryption Standard and the Digital Signature Standard.
Now the NSA helped design the Clipper Chip.  This leads to possible
conflicts of interest, since the NSA is tasked with making codes for public
use as well as breaking codes.  But the government involvement is totally
unnecessary.  Sure, the government should make its own standards for
government communications.  But it's about time for industry to develop
their own authentication and encryption standards and implement these
standards, without any meddling from the government.

     Even if the export restrictions persist, international industry
standards would encourage international development.  If U.S. companies
can't provide secure products for Americans, we could get compatible
products from other countries.  Or better yet, multinationals like Motorola
or AT&T could develop standard encryption devices overseas, for overseas
markets as well as domestic markets.

ENCRYPTING THE FUTURE

     Unfortunately, I believe it would be very difficult for the
technicians to accomplish this in the present political climate.  One
engineering professor I spoke with suggested it would be even more
difficult to create an international encryption standard, since foreign
governments would have similar motivations to repress encryption
technology.  However, as engineers and computer scientists, we should
exercise our professional authority on the technical issues and get
involved in the policy debate.  It's about time cryptography was treated as
a science and not a secret.  It's about time the use of cryptography was
treated as a telecommunications issue, not a national security issue.  As
technicians, we will be the ones building the communication systems, and we
have the final say if we wish to take a stand.

Jason Hillyard      5/25/93
P.O. Box 14685
Santa Barbara, CA 93107
805-968-1771



From floydf@iphase.com Thu May 27 00:21:41 1993
Return-Path: <floydf@iphase.com>
Received: from iphase.com by csrc.ncsl.nist.gov (4.1/NIST)
     id AA10073; Thu, 27 May 93 00:21:26 EDT
Posted-Date: Wed, 26 May 93 23:21:10 CDT
Received-Date: Thu, 27 May 93 00:21:26 EDT
Received: from wildcat.iphase.com by iphase.com (4.1/1.34)
     id AA18150; Wed, 26 May 93 23:21:11 CDT
Received: by wildcat.iphase.com (4.1/SMI-4.1)
     id AA02679; Wed, 26 May 93 23:21:10 CDT
Date: Wed, 26 May 93 23:21:10 CDT
From: floydf@iphase.com (Floyd Ferguson)
Message-Id: <9305270421.AA02679@wildcat.iphase.com>
To: crypto@csrc.ncsl.nist.gov
Subject: CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES


Computer System Security and Privacy Advisory Board Technology
National Institute of Standards and Technology
Gaithersburg, MD
crypto@csrc.ncsl.nist.gov

26 May 1993

ISSUE: CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES

The April 16th announcement of the President's Clipper and data
encryption initiative was followed immediately by an electronic storm
of discussion, much focused on the secrecy of the Skipjack algorithm,
the lack of details about the escrow mechanism, seasoned with the
usual blend of wild speculations and paranoiac guesses.  Buried under
all this noise, the silent, classified Presidential Directive
initiating a comprehensive inquiry into related public policy issues
lay largely unmentioned, apparently unnoticed.

As distance related cost factors of carried telecom traffic drop,
network-related products seem destined to take the same price plunge
seen in recent past with both micro-processors and mass-storage.  The
results? As network technology becomes a commodity item, used by
millions, for thousands of different purposes, more and more of us
will move more of our personal and business connections from the
familiar physical world of smell and sight to the new digital realms
of electronic mail, remote logins, video conferencing, and a host of
services and products not yet conceived.

From the standpoint of public and social policy, Clipper (the silicon
plus the secret policy development) suffers one fundamental defect: by
shrouding policy issues regarding privacy protection, encryption, and
law enforcement in secrecy, through use of secret Presidential
Directive, and by failing to disclose the particulars of the proposed
key escrow mechanisms beyond vague affirmations placing everything in
the Attorney General's hands, this initiative substantially diminishes
the openness, the vitality and the good will required to develop a
robust, valuable and productive public digital network, that would
rank with our voice telephone network, our public transport system,
and our numerous public utilities as the best in the world.

Today's digital pathways truly form a frontier; services are primitive,
reliability and availability remain poor, and only a few elite corners
of society benefit from the power provided by the new digital
networks.  If (not when) tomorrow's digital highways extend these
benefits to many, maybe most, these new citizens of the digital realms
will find their digital identity, their personal network "face", as it
were, tied to their key, which allows them to communicate with others
securely and privately, and to establish those firm personal
identities necessary for productive social and commercial interaction.

Under the Clipper initiative, the sole responsibility is placed with
the Attorney General to make arrangements to hold these keys, and to
determine the legal procedures by which those keys can be obtained by
governmental agencies.  The preservation and integrity of my digital
identity appears to be a secret!  Who keeps the keys, why, how, when,
where?  These questions remain not only unanswered, but unasked.

As a user of a digital service, I may not be happy about using a
secret encryption device delivered from the government to the public
on a silicon platter.  I may be unhappy paying more than I would need
to were the process to be open to the optimizations available in a
competitive environment.  But, I absolutely will not ever place the
integrity of my digital identity solely, unconditionally, and
irrevocably in the hands of a single, centralized agent, particularly
if that agent happens to bear the wealth, the power, and the weight of
the State.

Legitimate arguments can be advanced for preserving the technology of
encryption a secret: none can be made for keeping secret the
mechanisms of key registry.

This is not a technological issue: I "own" my personal identity more
truly than I own any other merely material thing; and can also assess
and manage personal risks associated with my use of publicly provided
services.  I, and a hundred million other Americans, users of cars and
highways, owners of homes, shops and small businesses, daily manage
personal risk, selecting insurance providers, making payments always
and claims occasionally, while understanding little or none of the
technical details of the provided service.  But, we have choices, and
our ability to freely choose allows us to freely use valuable shared
resources, like our physical transportation network, to both
contribute to our personal and family well-being, as well as the
shared good of society, while managing personal risks incurred.  We
need that same freedom of choice in the emerging digital realm.

Society has as much legitimate interest in the regulation of
crypto-technology in the new digital networks as it does in regulating
the insurance industry, the use and operation of the telephone system,
and the public highways.  Social structures and policy bodies have
evolved to address those needs.  Certainly the tasks of regulating
publicly available encryption for use with a national digital
infrastructure will require different forms and pose different
challenges than the regulation of other products available to
individual users.  But, this task is not insurmountable, nor is it
primarily technological. It should not be initiated solely (and
secretly) at the hands of the Attorney General, or of any other agency
of the Executive branch.  It should involve, and does require, the
participation and involvement of the citizens affected, and both
deserves and requires the public attention and debate possible through
our duly elected public legislators.

This is not a technological issue: we share words to communicate, not
only with each other but with all who speak our language, those
present, and those past who formed our words and minds and voices.
Words are not private, but by their exchange become part of our common
human inheritance.  Secrets shared are no longer secrets, but secrets
encrypted build a wall between those with the key and those without.
Sometimes these walls can protect us, allowing us to traverse digital
ways safely, engaging in human discourse and activities not possible
were each word visible and observed.  But, these walls can also
conceal, allowing some to prey on others with diminished fear of
detection and reprisal.  Highways and roads, too, are subject to the
same ambivalence; they can be used or abused, but, in order to be
useful, they must be regulated.  No one would want to drive to work on
a freeway system without rules; likely no one could.  Cryptography
provides a powerful tool to tame today's wild electronic frontier.

By shrouding the social and policy issues in secrecy the Clipper
initiative moves further from this goal, and obstructs many possible
paths of progress.  As the rest of the world moves away from
centralized economic planning and modes of government that reduce
personal freedom and the resulting healthy diversity, it is critical
that the legitimate interests, needs, and capacities of the public
sector be accommodated in this debate.  The Clipper initiative must be
opened to public debate.  Key escrow is fundamental to personal
identity in the new digital world: the public must participate in the
discussion, the debate, and ultimately, through their duly elected
legislators, in the formulation of effective, equitable policy and
law, prior to the implementation of such policy by executive agency.

Floyd Ferguson
Concerned citizen
floydf@iphase.com

From sgs@grebyn.com Thu May 27 00:35:45 1993
Return-Path: <sgs@grebyn.com>
Received: from grebyn.com (leviticus.grebyn.com) by csrc.ncsl.nist.gov
(4.1/NIST)
     id AA10095; Thu, 27 May 93 00:35:33 EDT
Posted-Date: Thu, 27 May 1993 00:35:27 -0400 (EDT)
Received-Date: Thu, 27 May 93 00:35:33 EDT
Received: by grebyn.com (4.1/SMI-4.1/ccg.7.2.91)
     id AA11018; Thu, 27 May 93 00:35:28 EDT
From: sgs@grebyn.com (Stephen G. Smith)
Message-Id: <9305270435.AA11018@grebyn.com>
Subject: Clipper Comments
To: crypto@csrc.ncsl.nist.gov
Date: Thu, 27 May 1993 00:35:27 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 8153      


Cryptographic Issue Statements
Computer System Security and Privacy Advisory Board
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD, 20899

In answer to your request for comments on the issues raised by the 
"Clipper chip":

I see a number of very disturbing aspects of the "Clipper" announcement.  
Others will probably comment on the Constitutional problems in the 
assumption that the Government has the right to tap telephones at will, 
and the legal and ethical problems of a secret sole-source contract award 
for a system that is potentially extremely lucrative.  I will limit my 
comments to a couple of technical issues, with a postscript on some wider 
implications.


TECHNICAL ISSUES:  Is the system secure?

The first and biggest problem with the Clipper technology is that it is 
classified.  There is simply no way to verify that the chips do what is 
claimed for them, or even if they do anything at all.  In the absence of 
any real review of the algorithms, systems, or chip designs, we naturally 
tend to assume the worst.

I am not qualified to comment on the cryptographic algorithms used in the 
"Clipper" and "Capstone" chips, even if they weren't classified. However, 
it is a truism that a secure *algorithm* does not insure a secure 
*system*.  The problems that I see with the system are:

A.  The Man in the Middle.

Take two Clipper chips.  Connect them back-to-back, so that the "clear" 
output of one feeds into the "clear" input of the other.  Add some signal 
processing "glue" to pass dialing and routing information around the 
Clippers.  Take the resulting assembly and insert into a phone line, 
either by actually cutting the wires or by fooling around with the 
switch.  We now have the following arrangement:
                              
     +---+         +---+         +---+
     | A | ------- | M | ------- | B |
     +---+         +---+         +---+

At the start of a call, A dials B's number.  M routes this information 
directly to B.  A then initiates the key exchange supposedly with B, but 
actually with M.  M, sensing that this is an encrypted call, begins 
negotiating a key exchange with B.  At this time, A and B assume that 
they are negotiating with each other, when they are actually both 
negotiating with M.

When the key exchange is complete, A sends encrypted data to B.  M
decrypts the data, reads it, re-encrypts it, and sends it to B.

This method is completely general and can be used against any "zero 
knowledge" system.  M needs no knowledge of the cryptosystems in use, and 
only needs to tell the difference between normal routing signals and 
encrypted data.

Supposedly, the Bell Atlantic systems that are the first to use the 
Clipper have a display that shows the session key that is currently in 
use.  I rather doubt this, as you don't normally want your session key 
where anybody can see it.  In use, supposedly, A reads off the key to B. 
If the key doesn't match, then there is a "man in the middle."  In 
reality, I doubt that users would take the trouble to read off a long (20 
digits?) number every time they make a call.

In any case, if Clipper or something similar comes into widespread use, I
foresee the "back-to-back" chips taking over the niche currently occupied
by the "two alligator clips and a headset" tap that will work on current
non-digital telephones -- simple, cheap, effective, and illegal.

How can we keep the "man in the middle" out of things?  With only two 
stations and no prior arrangement between A and B, we can't.  There must 
be some prior arrangement between A and B.  This can be provided 
automatically by a third party.  See Internet RFC 1421 for an example of 
a system that uses this approach.

B.  Back Doors

These could be cleared up by releasing the algorithms and chip design for 
public review.

The proposed system of key escrow makes decoding of encrypted 
conversations a very tedious process.  I find it very difficult to 
believe that law enforcement agencies would be willing to put up with it.  
This leads to speculations about a "back door" that would allow those who 
know it to decrypt any message they wanted, without touching the escrowed 
keys.

The simplest way of compromising the Clipper would be to subvert the key 
exchange.  The "man in the middle" (above) would take an active part in 
the negotiations to determine the secret session key.  This would make 
the "man in the middle" undetectable even in the unlikely event that the 
two users read the "keys" off to each other.

An example of a protocol that this would work on might be: A sends B the 
public part of a public key cipher.  B uses this key to encrypt a 
randomly chosen secret session key.  B sends the encrypted key to A, A 
deciphers the secret key, and they both use it to encrypt further 
communications.

With the man in the middle, M intercepts A's key and passes M's own key
to B.  B uses M's key to encrypt a secret key.  M decrypts the key,
re-encrypts it with A's public key, and sends it on to A.  All three are
now using the same key.

Can this happen in Clipper?  We can't know as long as the algorithm and 
the chip design are classified.  It would likely be hidden in circuitry 
purported to provide "conference calling."

Are there other ways of doing it?  We can't know.


WIDER IMPLICATIONS

The Clipper appears to be an attempt by the Government to insure that it 
will always be able to tap telephones and other forms of electronic 
communications at will.  We remember the abuses of J. Edgar Hoover, 
Richard Nixon, John Mitchell, and Ed Meese.  Are they the worst that the 
United States will ever have?  We would be foolish to assume so.

The implication that I have seen is that the Government intends to 
require that anyone doing "sensitive" business with the Government will 
be required to use Clipper, and no other form of communications data 
security.  This will presumably generate a large enough installed base of 
"secure" telephones that no competing "commercial-only" standard can 
survive.  (It will also generate windfall profits for the companies 
making the equipment.  That, I am sure, is somebody else's argument.)

If the Government were interested only in official Government business,
it could simply require a centralized key distribution facility, as is
currently done with classified communications.  This would be much
easier than the rigmarole with "key escrow," but it would probably not
be acceptable for business use.

For me, the final nail in the Clipper's technical coffin is that it is 
not being cleared for use with classified data.  If it's that good, why 
won't the Government use it?

The Clipper concept is flawed technically, but it is probably the only
way that the Government can even attempt to maintain "universal
tappability" of all telephones.  Systems that are more secure lose the
"universal tappability."  Even with Clipper, someone who didn't want to
be tapped could simply "pre-encrypt" the data before feeding it into the
Clipper chip.  The fact that the data is encrypted could not even be
*detected* without a court order.

Let it go.  The advantages of solidly secure communications far outweigh 
the rather dubious advantages of phone taps.

At the beginning of the twentieth century, a criminal could only get far 
away from the scene of the crime by taking a train.  Trains and train 
stations are rare and easily watched by law enforcement officers.  The 
advent of the automobile meant that a criminal could commit a crime and 
be far away by the time the crime was discovered.  Would we have a better 
society today if the growth of the automobile had been "managed" to the 
benefit of law enforcement?  Somehow, I doubt it.

The current computer revolution is at least as much of a change as the 
introduction of the automobile.  Attempts to "manage" it for the 
temporary advantage of a narrow group of people are simply doomed. 

-- 
Steve Smith                     Agincourt Computing
sgs@grebyn.com                  (301) 681 7395
"Truth is stranger than fiction because fiction has to make sense."

From djw@eff.org Thu May 27 12:54:41 1993
Return-Path: <djw@eff.org>
Received: from eff.org by csrc.ncsl.nist.gov (4.1/NIST)
     id AA10654; Thu, 27 May 93 12:54:33 EDT
Posted-Date: Thu, 27 May 1993 12:59:53 -0500
Received-Date: Thu, 27 May 93 12:54:33 EDT
Received: from [192.77.172.107] (jackson.eff.org) by eff.org with SMTP id
AA01012
  (5.65c/IDA-1.5/ident for <crypto@csrc.ncsl.nist.gov>); Thu, 27 May 1993
12:56:07 -0400
Message-Id: <199305271656.AA01012@eff.org>
Date: Thu, 27 May 1993 12:59:53 -0500
To: crypto@csrc.ncsl.nist.gov
From: djw@eff.org (Daniel J. Weitzner)
Subject: Comments of the Electronic Frontier Foundation

May 27, 1993


Before the 

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD  20899



COMMENTS OF THE ELECTRONIC FRONTIER FOUNDATION

Regarding 

Key Escrow Chip Cryptographic Technology and Government Cryptographic
Policies and Regulations


        The Electronic Frontier Foundation (EFF) commends the Computer
System Security and Privacy Advisory Board for offering the public the
opportunity to comment on developments in cryptography and communications
privacy policy.  Recent Administration proposals, including use of the
Clipper Chip and establishment of a government-controlled key escrow
system, raise questions that cut to the core of privacy protection in the
age of digital communication technology.  The questions noted by the
Advisory Board in its Notice of Open Meeting (58 FR 28855) reflect a broad
range of concerns, from civil liberties to global competitiveness.  The
Digital Privacy and Security Working Group -- a cooperative effort of civil
liberties organizations and corporate users and developers of communication
technology which is chaired by the EFF -- has also submitted over one
hundred questions to the Administration.  (These questions are being
submitted to the Advisory Board under separate cover on behalf of the
Working Group.)  That there are so many questions demonstrates the need for
a comprehensive review of cryptography and privacy policy.  

        We are encouraged that the Administration has expressed a
willingness to undertake such a review.  However, it has become clear that
plans for rapid introduction of the Clipper Chip could unacceptably distort
this important policy review.  The Administration has made no secret of
the fact that they hope to use government purchasing power to promote
Clipper as a de facto standard for encryption.  With Clipper on the market,
the policy process will be biased toward a long-term solution such as
Clipper with key escrow.  Moreover, the rush to introduce Clipper is
already forcing a hasty policy review which may fail to provide adequate
public dialogue on the fundamental privacy questions which must be resolved
to reach a satisfactory cryptography policy.  Based on the depth and
complexity of questions raised by this review, EFF believes that no
solution, with Clipper Chip or otherwise, should be adopted by the
government until the comprehensive cryptography review initiated by the
Administration is complete.

        EFF is a nonprofit, public interest organization whose public
policy mission is to insure that the new electronic highways emerging from
the convergence of telephone, cable, broadcast, and other communications
technologies enhance free speech and privacy rights, and are open and
accessible to all segments of society.  

        In these comments, we will elaborate on questions 1, 2, and 3
listed in the Advisory Board's Notice.  We offer these comments primarily
to raise additional questions that must be answered during the course of
the Administration's policy review.


A.  WILL PARTICULAR ENCRYPTION TECHNOLOGIES BE MANDATED OR PROSCRIBED?: A
THRESHOLD QUESTION

        Unraveling the current encryption policy tangle must begin with one
threshold question: will there come a day when the federal government
controls the domestic use of encryption through mandated key escrow schemes
or outright prohibitions against the use of particular encryption
technologies?  Is Clipper the first step in this direction?  A mandatory
encryption regime raises profound constitutional questions, some of which
we will discuss below.  So far, the Administration has not declared that
use of Clipper will be mandatory, but several factors point in that
direction:

1.  Secrecy of the algorithm justified by need to ensure key escrow
compliance:

        Many parties have already questioned the need for a secret
algorithm, especially given the existence of robust, public-domain
encryption techniques.  The most common explanation given for use of a
secret algorithm is the need to prevent users from by-passing the key
escrow system proposed along with the Clipper Chip.  If the system is truly
voluntary, then why go to such lengths to ensure compliance with the escrow
procedure?  

2.  How does a voluntary system solve law enforcement's problems?

        The major stated rationale for government intervention in the
domestic encryption arena is to ensure that law enforcement has access to
criminal communications, even if they are encrypted.  Yet, a voluntary
scheme seems inadequate to meet this goal.  Criminals who seek to avoid
interception and decryption of their communications would simply use
another system, free from escrow provisions.  Unless a government-proposed
encryption scheme is mandatory, it would fail to achieve its primary law
enforcement purpose.  In a voluntary regime, only the law-abiding would use
the escrow system.  


B.  POLICY CONCERNS ABOUT GOVERNMENT-RUN KEY ESCROW SYSTEM

        Even if government-proposed encryption standards remain voluntary,
the use of key escrow systems still raises serious concerns:

1. Is it wise to rely on government agencies, or government-selected
private institutions to protect the communications privacy of all who would
someday use a system such as Clipper?

2.  Will the public ever trust a secret algorithm with an escrow system
enough to make such a standard widely used?


C.  CONSTITUTIONAL IMPLICATIONS OF GOVERNMENT CONTROLS ON USE OF ENCRYPTION

        Beyond the present voluntary system is the possibility that
specific government controls on domestic encryption could be enacted.  Any
attempt to mandate a particular cryptographic standard for private
communications, a requirement that an escrow system be used, or a
prohibition against the use of specific encryption algorithms, would raise
fundamental constitutional questions.  In order to appreciate the
importance of the concerns raised, we must recognize that we are entering
an era in which most of society will rely on encryption to protect the
privacy of their electronic communications.  The following questions arise:

1.  Does a key escrow system force a mass waiver of all users' Fifth
Amendment right against self-incrimination?

        The Fifth Amendment protects individuals facing criminal charges
from having to reveal information which might incriminate them at trial. 
So far, no court has determined whether or not the Fifth Amendment allows a
defendant to refuse to disclose his or her cryptographic key.  As society
and technology have changed, courts and legislatures have gradually adapted
fundamental constitutional rights to new circumstances.  The age of digital
communications brings many such challenges to be resolved.  Such decisions
require careful, deliberate action.  But the existence of a key escrow
system would have the effect of waiving this right for every person who
used the system in a single step.  We believe that this question certainly
deserves more discussion.  

2.  Does a mandatory key escrow system violate the Fourth Amendment
prohibition against "unreasonable search and seizure"?

        In the era where people work for "virtual corporations" and conduct
personal and political lives in cyberspace, the distinction between
communication of information and storage of information is increasingly
vague.  The organization in which one works or lives may constitute a
single virtual space, but be physically dispersed.  So, the papers and
files of the organization or individual may be moved within the
organization by means of telecommunications technology.  Until now, the law
of search and seizure has made a sharp distinction between, on the one
hand, seizures of papers and other items in a person's physical possession,
and on the other hand, wiretapping of communications.  Seizure of papers or
personal effects must be conducted with the owner's knowledge, upon
presentation of a search warrant.  Only in the exceptional case of
wiretapping, may a person's privacy be invaded by law enforcement without
simultaneously informing the target.  Instantaneous access to encryption
keys, without prior notice to the communicating parties, may well
constitute a secret search, if the target is a virtual organization or an
individual whose "papers" are physically dispersed.  Under the Fourth
Amendment, secret searches are unconstitutional.

3.  Does prohibition against use of certain cryptographic techniques
infringe individuals' right to free speech?

        Any government restriction on or control of speech is to be
regarded with the utmost scrutiny.  Prohibiting the use of a particular
form of cryptography for the express purpose of making communication
intelligible to law enforcement is akin to prohibiting anyone from speaking
a language not understood by law enforcement.  Some may argue that
cryptography limitations are controls on the "time, place and manner" of
speech, and therefore subject to a more lenient legal standard.  However,
time, place and manner restrictions that have been upheld by courts include
laws which limit the volume of speakers from interfering with surrounding
activities, or those which confine demonstrators to certain physical areas.
No court has ever upheld an outright ban on the use of a particular
language.  Moreover, even a time, place and manner restriction must be
shown to be the "least restrictive means" of accomplishing the government's
goal. It is precisely this question -- the availability of alternatives
which could solve law enforcement's actual problems -- that must be
explored before a solution such as Clipper is promoted.


D.  PUBLIC PROCESS FOR CRYPTOGRAPHY POLICY

        As this Advisory Board is well aware, the Computer Security Act of
1987 clearly established that neither military nor law enforcement agencies
are the proper protectors of personal privacy.  When considering the law,
Congress asked, "whether it is proper for a super-secret agency [the NSA]
that operates without public scrutiny to involve itself in domestic
activities...?"  The answer was a clear "no."  Recent Administration
announcements regarding the Clipper Chip suggest that the principle
established in the 1987 Act has been circumvented.  For example, this
Advisory Board was not consulted with until after public outcry over the
Clipper announcements.  Not only did the initial failure to consult eschew
the guidance of the 1987 Act, but it also ignored the fact that this
Advisory Board was already in the process of conducting a cryptography
review.

        As important as the principle of civilian control was in 1987, it
is even more critical today.  The more individuals around the country come
to depend on secure communications to protect their privacy, the more
important it is to conduct privacy and security policy dialogues in public,
civilian forums.


CONCLUSION

The EFF thanks the Advisory Board for the opportunity to comment on these
critical public policy issues.  In light of the wide range of difficult
issues raised in this inquiry, we encourage the Advisory Board to call on
the Administration to delay the introduction of Clipper-based products
until a thorough, public dialogue on encryption and privacy policy has been
completed. 



Respectfully Submitted,



Electronic Frontier Foundation
eff@eff.org
+1 202-544-9237


Jerry Berman
Executive Director
jberman@eff.org

Daniel J. Weitzner 
Senior Staff Counsel
djw@eff.org



From djw@eff.org Thu May 27 12:55:14 1993
Return-Path: <djw@eff.org>
Received: from eff.org by csrc.ncsl.nist.gov (4.1/NIST)
     id AA10665; Thu, 27 May 93 12:55:06 EDT
Posted-Date: Thu, 27 May 1993 13:00:07 -0500
Received-Date: Thu, 27 May 93 12:55:06 EDT
Received: from [192.77.172.107] (jackson.eff.org) by eff.org with SMTP id
AA01027
  (5.65c/IDA-1.5/ident for <crypto@csrc.ncsl.nist.gov>); Thu, 27 May 1993
12:56:21 -0400
Message-Id: <199305271656.AA01027@eff.org>
Date: Thu, 27 May 1993 13:00:07 -0500
To: crypto@csrc.ncsl.nist.gov
From: djw@eff.org (Daniel J. Weitzner)
Subject: Digital Privacy and Security Working Group Comments

The Digital Privacy and Security Working Group, whose members are listed
below, submitted the following questions to the Clinton Administration
regarding Clipper and Cryptography Policy.  The Working Group hereby
submits this set of questions for the consideration of the Computer System
Security and Privacy Advisory Board.

Members of the Digital Privacy and Security Working Group:

abcd, The Microcomputer Industry Association
Advanced Network & Services, Inc.
American Civil Liberties Union
Apple Computer, Inc.
AT&T 
Business Software Alliance
Cavanagh Associates, Inc.
Cellular Telephone Industry Association
Computer Professionals for Social Responsibility
Computer & Business Equipment Manufacturers Association
Computer & Communications Industry Association
Crest Industries, Inc.
Digital Equipment Corporation
EDUCOM
Electronic Frontier Foundation
Electronic Mail Association
Hewlett-Packard Company
IBM
Information Technology Association of America
Information Industry Association
International Communication Association
Iris Associates
Lotus Development Corporation
McCaw Cellular Communications
MCI
Microsoft Corporation
National Association of Manufacturers
Oracle 
RSA Data Security, Inc.
Software Publishers Association
Sun Microsystems, Inc.
Telecommunications Industry Association
Toolmaker, Inc.
Trusted Information Systems
United States Telephone Association


Work Group Questions:

ISSUES AND QUESTIONS 
REGARDING THE ADMINISTRATION'S CLIPPER CHIP PROPOSAL


A. Process by Which the Proposal Was Developed

1.      Why the secrecy in which the encryption code scheme was developed? 
Were any members of the computer, communications, or security industries
consulted? Were any privacy experts consulted? Has the Justice Department
or the White House Office of Legal Counsel considered the constitutional
implications?

2.      The Administration's announcement implies that a policy review on
encryption has been commenced; but at the same time, it appears that a
decision has already been reached to support the Clipper proposal or some
other key-escrow scheme.  Is any review of the Clipper chip itself now
underway?  What progress has been made?  When will this expedited review be
complete?

3.      What role has the National Security Agency played in the
development and selection of the Clipper Chip and key escrow system?  What
will NSA's role be in the deployment and evaluation of the system?  Are
these roles consistent with the principle of civilian control of computer
security, as required by the Computer Security Act of 1987?

4.      What efforts are underway to improve the government's ability to
decrypt non-Clipper algorithms which are likely to be used by criminals? 
Can the government decrypt all commercially available hardware sold
domestically and abroad? If not, wouldn't it be a better policy to direct
U.S. resources in that direction instead of the Clipper approach?

5.      What percentage of the 800 to 900 annual Title III interceptions
encounter encrypted communications?  What percentage of law enforcement
encountered encryption is estimated to be Clipper as opposed to the other
encryption schemes?  Is this a solution in search of a problem?

6.      Did the government consider commercially-available encryption
schemes and reject them? If so, why were they rejected, and is that
analysis available? If not, why not?

7.      Capstone is the successor to Clipper with the addition of public
key exchange and digital signature capabilities. Is Clipper just an
intermediate step before Capstone is released? Why did the White House
press release not mention Capstone?

8.      How will this relate to the FBI's Digital Telephony Proposal?  Has
the Administration committed to supporting, discarding or reintroducing the
proposal in a new form?

9.      What is the history of the proposal?  How long has this been under
consideration?

10.     How long has the Clipper Chip and escrow concept been in
development?  Which agency originated these concepts?


B. Secrecy of the Algorithm

11.     Will the Clipper proposal have the same degree of public review
that other NIST standards, such as DSS have gone through?

12.     How can the public trust the security and reliability of an
algorithm that is kept classified?

13.     If American firms are not able to have their encryption experts
examine the algorithm, how can they be sure that there is no "trap door"
that would allow any Clipper Chip security system to be overridden?  Dr.
Kammer of NIST has said that "respected experts from outside the government
will be offered access" to the algorithm. How do interested parties go
about obtaining this access to the classified material about the Clipper
algorithm and participate in the analysis of the design to search for trap
doors and other weaknesses?  What specific reports from this process will
serve to reassure users regarding the integrity of the Clipper Chip?

14.     What will be the consequence if the algorithm is published? Will it
become less secure?  If publication (i.e., de-classification) would make it
less secure, how secure can it be? 

15.     If the Clipper Chip is too weak to protect classified government
communications, why should it be used for sensitive proprietary private
sector communications?

16.     Executive Order 12356 has procedures on classification and
declassification of information.  Is the algorithm being classified under
the framework of this order? What agency is in charge of classification/
declassification?

17.     How much effort has the government put into the design and
cryptanalysis of the Clipper Chip as compared to the public analysis of
the Data Encryption Standard during the last 16 years?

18.     Is the Skipjack algorithm being used by the Clipper Chip derived
from codes used in the management of our nuclear arsenal?  Is this why the
algorithm is being kept secret?  If this is so, why are we using this
secret system for a dubious commercial standard?  If there is a national
security justification to avoid having this encryption technique revealed,
why risk compromising it by integrating it into publicly distributed
products?

19.     If the algorithm is classified, how will it be legal to distribute
the chips to users not qualified to handle classified encryption equipment?
This seems contrary to Facility Security Clearance procedures and the
Personal Security Clearance requirements of DoD 5220.222-M, Industrial
Security Manual for Safeguarding Classified Information.

20.     Is it illegal to reverse engineer the Clipper Chip?  If it were
reverse engineered, would it then be illegal to reveal the algorithm?  


C. Voluntariness of Clipper System

21.     Will this system be truly voluntary? If so, won't criminals and
terrorists just use some other type of encryption?

22.     If the use of the Clipper Chip is "voluntary," why would any party
desiring privacy or secrecy of communications use it, knowing that the US.
government has a process to allow decryption?  If the Administration's
ultimate goal is to ban other forms of encryption for use domestically,
what is the legal basis for such an approach?

23.     Isn't the Administration doing more than "encouraging" use of
Clipper?  (E.g., discontinuing DES at the end of the current certification
cycle, directing NIST to adopt Clipper as a Federal standard, and
maintaining export restrictions on hardware/software using different
algorithms?)

24.     Does the government have any plans to campaign for the
implementation of the Clipper Chip as a standard for data cryptography?

25.     What impact will the introduction of Clipper have on the market for
other encryption technologies?  Will the government otherwise try to
discourage other cryptographic mechanisms from being marketed domestically
and abroad?

26.     Isn't the government dictating the design of technology into
commercial products rather than allowing market demand to dictate?

27.     What prevents a sender of information from encrypting with secure,
easy to obtain software using DES or RSA algorithms before sending data
through a channel encrypted with the Clipper system?

28.     Would the Administration ever consider making the Clipper Chip or
other key escrow system mandatory?

D. Key Escrow System

29.     How can the government assure us that the keys held in escrow are
not compromised?  What public or private agencies have sufficient integrity
and public trust to serve as escrow agents?

30.     How can the public be sure that keys will only be revealed upon
proper warrant?  Will there be clerks who actually operate the equipment
who could get anyone's keys?  Or will judges have personal keys, which
would be directly authenticated to the escrow agents' equipment that
protects the users' keys?

31.     Once the keys are obtained from the escrow holders, is it
envisioned that electronic surveillance can be done "real-time," or will
recording and post-processing be required?

32.     To hear both sides of a conversation, does law enforcement need the
keys of both participants?

33.     After law enforcement has properly obtained a pair of unit keys
from the escrow agents and conducted a wiretap, will the keys be "returned"
to the agents?  What safeguards exist to prevent law enforcement from
re-using the keys without authorization in the future?

34.     Once in possession of the unit keys, can the government pretend to
be ("spoof") the original unit owner?

35.     What is the smallest number of people who would be in a position to
compromise the security of the system?

36.     Can an escrow agent exercise discretion in the release of key
information?  E.g., can they refuse an inappropriate request?  (Phone
companies ensure that court orders are facially valid.)  Can they publicize
an inappropriate request?  Can they tell the person whose communications
were intended to be violated?

37.     Who will be responsible for auditing the escrow process and the use
of revealed keys?

38.     How will the government ensure that unanticipated uses of the
escrow database are prevented in the long term?  (E.g., the Census database
was supposed to stay confidential for 75 years, but was released during
World War Two to allow Japanese-Americans to be imprisoned without cause.)
What protections are in place to make sure that this never happens again?

39.     What happens when one discovers that the keys have been captured
through theft?  How difficult would it be to change keys?  What is done in
the meanwhile?  How difficult is it to reprogram the chip, or do you need a
replacement?

40.     If the chip can be reprogrammed, how do you prevent covert changes
that will not be discovered until authorization to tap is received and
execution of the warrant is forestalled?

41.     It appears that once a given chip has been compromised due to use
of the escrowed keys, the chip and the equipment it is used in are
vulnerable forever.  Is there any mechanism or program to re-key or replace
compromised hardware?  Is there any method for a potential acquiring party
to verify whether the keys on a given chip have been compromised?  Who
should bear the cost of replacement or re-keying of compromised hardware?

42.     What safeguards will be used when transporting the escrow keys?

43.     What are the national security implications of widespread
deployment of Clipper?  Does it make our communications more susceptible to
disruption or jamming?

44.     Doesn't the two-escrowee approach make these locations targets of
opportunity for any party or foreign government that wants to gain access
to sensitive US. information?  If an escrow location is compromised, all
chip data contained there is compromised.  Wouldn't these locations also
become targets of opportunity for any criminal or terrorist organization
that wanted to disrupt US. law enforcement?  What back-up or physical
security measures are envisioned?  If multiple copies are kept, doesn't
this increase the threat of compromise?


E. Choice of Agents for the Keys

45.     Who will be the agents for the keys? How secure will they be from
the outside and from the inside?  What is the cost of maintaining the
escrow system?  Who will pay?  Who will profit?

46.     When will the escrow agents be announced? Will there be a process
to allow input into the selection of these individuals/agencies?

47.     Although it has been reported that the escrow holders will not be
the FBI, DoD, CIA or NSA, is it envisioned that one or both of the escrow
locations will be non-government entities?  Can one or both be private
parties?  What will the process be to determine what private party will be
awarded the contract for key holder?

48.     Can the set of escrow agents be changed after the initial
selection? How can the government be prevented from moving the escrow
contract to a more pliable escrow agent, if one of the agents stands up
against the government for the rights of the people whose keys they are
protecting?

49.     Will escrow agents be immune from prosecution during their term of
office, like Members of Congress, the President, and Justices of the
Supreme Court?  If not, what will prevent the government from harassing the
agents during a dispute with the Justice Department?

50.     Will there be a mechanism for particular people to keep their keys
out of the key escrow database, or to obtain Clipper Chips with keys that
have not been escrowed? (E.g. Judges, law enforcement officers, NSA
officials, the President, etc.)


F. Level of Security of Clipper Chip Encryption

51.     How will the government assure American businesses that their
proprietary information is not compromised?  Given the extremely
competitive nature of the high-tech industries, and the importance of
intellectual property, how can American firms be adequately protected?

52.     How will the government assure American citizens that the privacy
of their electronic communications and the security of personal information
that is transmitted in electronic form will all be secure under the Clipper
Chip?

53.     If the Administration is so confident about the level of security of
the Clipper Chip scheme, why will classified information not be encrypted
with it?

54.     What warranty is the US. government prepared to make regarding the
security of the Clipper Chip compared to other algorithms, and indemnity
for failures for breaches of the algorithm, chips that are compromised due
to failures in the security of the escrow system, or other failures in the
Clipper approach?  

55.     What effect does Clipper have on other NSA and DOD programs aimed
at encryption and authentication of unclassified messages (e.g., MOSAIC)?

56.     If Clipper is not approved for classified traffic, what government
agencies will be utilizing Clipper, and for what applications?

57.     Normal security procedures involve changing cryptography keys
periodically, in case one has been compromised. But the family and unit
keys cannot be changed by the user. If these keys are compromised, it won't
matter how frequently the user changed their session keys. Doesn't the long
use of the same family and unit keys increase the likelihood that these
keys will be compromised while they are still in use? Doesn't this also
eliminate a significant degree of the user's control of the level of
security that his or her system provides?

58.     If the government discovered that the algorithm or family key had
been discovered by a foreign government or private individuals, would it
tell the public that the system had been compromised?  Are there plans to
restore privacy and authentication if the algorithm is compromised?

59.     How secure is the Clipper algorithm if it is attacked by a person
with half the key? 

G. Level of Privacy Protection

60.     Given the dramatic growth in transmission and storage of personal
information in electronic form, does the Administration recognize that
private individuals, as well as large organizations, need access to
affordable, robust encryption systems?

61.     Is law enforcement permitted to identify the specific piece of
communications equipment without obtaining a warrant?  If encrypted
communications include the serial number ("chip family key"), will law
enforcement be able to keep track of communications traffic and track
private citizens without even securing the keys from the escrow agents?

62.     Does the Administration believe that all household phones are going
to be replaced with secure versions over some period of time?  At what
cost?

63.     It has been impossible to keep any large collection of information
completely private, including Social Security records, tax information,
police files, motor vehicle records, medical records, video rentals, highly
classified military information, and information on abuses of power. How
will users be able to tell when this happens to the key escrow information?


H. Constitutional/Legal Implications

64.     Has the Administration fully considered the constitutional
implications of the Clipper Chip and other key escrow systems?

65.     Does forcing someone to disclose a key for future law enforcement
access infringe the fundamental right against self incrimination embodied
in the Fifth Amendment?

66.     Does requiring key disclosure in conjunction with a particular
technology violate users' right to free speech under the First Amendment? 
Courts frown most severely on any government attempts to compel a
particular form of speech.

67.     Does the escrow system violate the letter or the spirit of the
Fourth Amendment protections which safeguard citizens against intrusive law
enforcement practices?

68.     When the Administration says "nor is the U.S. saying that 'every
American, as a matter of right, is entitled to an unbreakable commercial
encryption product,'" are they therefore saying the inverse, that every
American is not allowed to have an unbreakable commercial encryption
product?

69.     Does the Administration see the need for any new legislation to
implement its Clipper Chip proposal? If so, specifically identify.

70.     In the event that one or more escrow keys are obtained through
unauthorized means, what liability, if any, might the equipment
manufacturer have to bear?

71.     What will be the relationship between Federal and state law
enforcement?  Will the policy pre-empt state law?  How will state law
enforcement access the "key" system?

72.     What is the statutory authority for regulation of domestic
encryption?  Are any of these statutes cold war relics?  Should the
efficacy of all statutes that effect civilian encryption be reviewed?

73.     What protections do we have against blackmailing by escrow agents,
or by others who have gained possession of escrowed keys?  Is there civil
or criminal liability for escrow agents who reveal keys illegally?

74.     What is the impact on society if the right to hold a truly private
conversation is withdrawn?

75.     Is strong encryption technology important for protecting
intellectual property in a digital network environment?


I. Logistics of Chip Development and Manufacture

76.     Why weren't other Chip manufacturers given the chance to bid on the
chip production process?  Why was the choice made to have only one
manufacturer?

77.     Since the Clipper Chip design data will need to be released to
manufacturers, how will we be assured that this information, in itself,
will not allow the user systems to be compromised?

78.     What assurances will there be that the manufacturer is not keeping
a record of all keys issued?

79.     We have read Dorothy Denning's explanation of how the two 80-bit
keys will be created in the SCIF.  Is this description accurate? If not,
how would this process occur? If so, is the system feasible? What will the
cost be for this process and for the increased security of the involved
government agents?

80.     The chips will be programmed in a Secure Compartmented Information
Facility (SCIF). Does this suggest that the chips should at some point be
classified Secret or Top Secret? What is the classification of the Clipper
and Capstone chips and the Skipjack algorithm? How will these chips be
declassified once leaving the SCIF?

81.     Some of the press reports imply that AT&T has had access to this
information in order to incorporate Clipper into some of its equipment
designs. Is that implication accurate?

82.     Can this scheme be implemented in software? If so, why haven't we
seen information on that software?  If not, were issues of how this
hardware solution would affect continued use of software encryption
adequately evaluated? Were the comparative costs of software and hardware
encryption schemes evaluated? Is this evaluation available for analysis?

83.     Current high speed DES processors have encryption rates of
approximately 200 megabits per second, while the Clipper Chip has a
throughput of 12.5 megabits per second.  Within two to five years, 100 Mbs+
technologies, such as Fast Ethernet, FDDI and ATM, will become commonplace.
How will the Clipper technology be used in environments where data is sent
at 100 Mbs or faster?


J. Feasibility/Implementation

84.     What testing has been done to verify the ability of Clipper to work
across the panoply of new emerging technologies?  If the underlying digital
transport protocol drops a bit or two, will that interfere with Clipper
operation?  How critical is synchronization of the bit stream for Clipper
operation?  Has this technology been tested with ISDN, TDMA, Cellular, CDMA
Cellular, ATM, SONET, SMDS, etc. and other emerging technologies?  What
effect does Clipper have on the Cellular Authentication and Voice
Encryption (CAVE) algorithm?  Are these differences for key generation,
authentication, or voice privacy?

85.     Does the Administration seek to extend the Clipper Chip proposal to
the TDMA and CDMA digital cellular standards?

86.     When will the government publish the various Modes of Operation and
other documents for Clipper, together with a physical implementation
standard (similar to the old FS-1027)?

87.     Will the government consider the development of alternate sources
for the chip or will vendors be limited to a single, monopoly supplier?

88.     Initially, the Clipper Chip is being proposed for telephone
technology, but the White House specifically mentions that the technology
will be used for electronic data transmission. What is the timetable for
implementing this?

89.     What is the scope that the Administration envisions for the Clipper
Chip's algorithm use?  What about Capstone?  Is it limited to choice, or
does it encompass electronic mail, network encryption, security modems,
long-haul bulk encryptors, video applications, computer password
protection, Intelligent Vehicle Highway Systems ("IVHS"), satellite
communications -- both transport and control, electronic funds transfers,
etc.? 

90.     What is the Administration's policy on other security mechanisms
beyond privacy, such as message authentication codes for banking and EFT,
and for integrity and digital signatures for sender authentication and
non-repudiation? What is the impact on international standards such as
X.500 and X.509?

91.     Since Clipper, as currently defined, cannot be implemented in
software, what options are available to those who can benefit from
cryptography in software? Was a study of the impact on these vendors or of
the potential cost to the software industry conducted?

92.     What are the success criteria for the Clipper initiative?
Would the government abandon its initiative if the Clipper is shown to be
unsuccessful beyond government use?

93.     What is the expected useful lifetime of the Clipper technology?
What do you expect will render it useless at some point?

94.     Is it true that the name "Clipper Chip" is the intellectual
property of another company?

K. Impact on American Competitiveness

95.     As the key-escrow approach is designed to ensure the ability of the
American government to access confidential data, do NIST and NSA expect
overseas customers (who do not have the protection of due process) to
purchase the chip for data protection?

96.     In testimony before the House Telecommunications Subcommittee, Mr.
Kammer of NIST indicated that if he were a foreign customer, he would not
purchase devices that included the Clipper Chip. Doesn't this raise serious
balance-of-trade problems?

97.     Will the technology, or the Chip itself, be shared with other
allied governments (e.g., the UK), or will U.S. producers of data security
products, forced by government standards to develop Clipper-based products
for the U.S. market, be permanently closed out of the overseas security
market?

98.     If Clipper won't be commercially accepted abroad, and export
controls continue to prohibit the exportation of other encryption schemes,
isn't the U.S. government limiting American companies to a U.S. market?

99.     Given the restrictions on who can build Clipper devices, how will
Clipper keep up with advances in semiconductor speed, power, capacity and
integration? Openly available devices, such as Intel-compatible
microprocessors, have seen dramatic gains, but only because everyone was
free to try to build a better version.

100.    Will the Clipper Chip be used nationally and internationally? How
will multinational operations accommodate this new system?

101.    Banking and finance are truly global today. Most European financial
institutions use technology described in standards such as ISO 9796. Many
innovative new financial products and services will employ the reversible
cryptography described in these standards. Clipper does not comply with
these standards. Will U.S. financial institutions be able to export Clipper?
If so, will their overseas customers find Clipper acceptable?

102.    If overseas companies provide systems based on algorithms that do
not have key escrow schemes that encrypt faster and more securely, how will
we compete internationally? We are market leaders in applications software
and operating systems. Our world leadership in operating systems is
dependent on integrating security in internationally distributed systems.

103.    Internet Privacy Enhanced Mail (PEM) is becoming an internationally
recognized system for encrypting Electronic Mail. Would Skipjack encryption
become a U.S. standard for encrypting electronic mail while the rest of the
world used PEM? How would E-mail traffic between the U.S. and other
countries be encrypted?


L. Effect on Export Control Policy

104.    In light of the Clipper initiative, will export restrictions on
hardware and software encryption regimes using DES and RSA algorithms
(which are widely available abroad) remain in place?

105.    Will American firms be allowed to sell devices containing the
Clipper Chip abroad? Under which governmental regulatory regime would
exports of devices containing the Clipper Chip fall? What conditions would
be applied to exports of devices containing the Clipper Chip? (E.g., would
American firms be allowed to export devices to non-U.S. customers without
the escrow requirement? If not, who would hold the keys?)

106.    What governmental regulations will apply to imports of devices
containing the Clipper Chip? Given that most U.S. companies source most
customer premise equipment (e.g., telephones, fax machines, etc.) offshore,
how will the logistics be handled for the export of the Clipper Chip as a
component, and the subsequent import of the device containing the chip?
Will the U.S. permit non-U.S. manufacturers to have the Clipper algorithm? If
not, how will the Administration justify this trade barrier?

107.    If the Clipper Chip cannot be reverse-engineered, and if the U.S.
government is capable of decrypting, why would there be any reason to limit
Clipper products from being exported?

108.    If Clipper is allowed to be exported, does the U.S. government
foresee a problem with other governments? Would the U.S. government's access
to escrow keys be viewed as an exercise of extraterritorial jurisdiction?


M. Implications for Installed-Base/Existing Products

109.    What are the implications of NSA/NIST withdrawing the certification
of DES? Although it may -- at some point in the future -- no longer be used
for government purposes, that is not going to affect commercial or private
users' applications of DES. What about the embedded base of DES hardware?

110.    Will existing systems need to be replaced?

111.    What efforts were spent to make the new encryption approach
compatible with the embedded base of equipment?  If DES was becoming weak
(vulnerable), wouldn't merely extending the DES key length to 80 bits have
solved that problem?

112.    There are a number of companies that employ non-escrowed
cryptography in their products today.  These products range from secure
voice, data, and fax, to secure e-mail, electronic forms, and software
distribution, to name but a few.  With over a million such products in use
today, what does the Clipper scheme foretell for these products and the
many corporations and individuals that are invested in them and use them? 
Will the investment made by the vendors in encryption-enhanced products be
protected?  If so, how?  Is it envisioned that they will add escrow
features to their products or be asked to employ Clipper?


N. Process by which Input Will Be Received from Industry/Public Interest
Groups

113.    If the outcome of the policy review is not pre-ordained, then the
process to analyze the issues and arrive at solutions would seem to need a
great deal of definition. What roles have been identified for Congress, the
private sector, and other interested parties? Who is coordinating the
process?

114.    Why does the Presidential directive on the review process remain
classified?

From jim@RSA.COM Thu May 27 14:32:44 1993
Return-Path: <jim@RSA.COM>
Received: from RSA.COM (CHIRALITY.RSA.COM) by csrc.ncsl.nist.gov (4.1/NIST)
     id AA10737; Thu, 27 May 93 14:32:35 EDT
Posted-Date: Thu, 27 May 93 11:31:27 PDT
Received-Date: Thu, 27 May 93 14:32:35 EDT
Received: by RSA.COM 
     id AA22646; Thu, 27 May 93 11:31:27 PDT
Date: Thu, 27 May 93 11:31:27 PDT
>From: jim@RSA.COM (Jim Bidzos)
Message-Id: <9305271831.AA22646@RSA.COM>
To: crypto@csrc.ncsl.nist.gov
Subject: Submission


To:

Cryptographic Issue Statements
Computer System Security and Advisory Board
Technology Building Room B-154
National Institute of Standards and Technology
Gaithersburg, MD  20899

Statement of Jim Bidzos, President, RSA Data Security, Inc.

Address:

RSA Data Security, Inc.
100 Marine Parkway
Redwood City, CA  94065

Phone: 415/595-8782
Fax:   415/595-5198

email: jim@rsa.com

To Whom It May Concern:

Much has been said about Clipper and Capstone (the term Clipper will
be used to describe both) recently.  Essentially, Clipper is a
government-sponsored tamper-resistant chip that employs a classified
algorithm and a key escrow facility that allows law enforcement, with
the cooperation of two other parties, to decipher Clipper-encrypted
traffic.  The stated purpose of the program is to offer
telecommunications privacy to individuals, businesses, and government,
while protecting the ability of law enforcement to conduct
court-authorized wiretapping.

The announcement said, among other things, that there is currently no
plan to attempt to legislate Clipper as the only legal means to
protect telecommunications.  Many have speculated that Clipper, since
it is only effective in achieving its stated objectives if everyone
uses it, will be followed by legislative attempts to make it the only
legal telecommunications protection allowed. This remains to be seen.
In light of past attempts at this type of legislation (S266 in May
1991 and the Digital Telephony Bill of 1992) one must believe the
issue is being given serious consideration by law enforcement.

There are a number of companies that employ non-escrowed cryptography
in their products today.  These products provide security for voice,
data, and fax transmissions in networks all over the US.  Since
Clipper, as currently defined, cannot be implemented in software, what
options are available to those who can benefit from cryptography in
software?  Will NIST state clearly that the investment these companies
are making will not be threatened by legislation?

In 1992, the number of deployed products licensed by RSA Data Security
which use public-key went over one million. (This is the number of
products, not users.  There are likely more users than products.) The
majority of these products use BSAFE or TIPEM, software toolkits
offering DES and RSA, and no escrow features.  This number will grow
quickly as it does not include the RSA-enhanced Apple Macintosh OS or
Novell NetWare 4.0, both of which began shipping in 1993.  Apple sells
millions of Macs yearly, and Novell has well over 13 million
customers, most of whom will naturally upgrade to release 4.  Has NIST
considered and valued the impact of Clipper on the software industry?

Banking and finance (as well as general commerce) are truly global
today. Most European financial institutions use technology described
in standards such as ISO 9796.  Many innovative new financial products
and services will employ the reversible cryptography described in
these standards.  Clipper does not comply with these standards.  The
basis for international commerce will be compatible communications and
security systems.  Will US financial institutions be able to export
Clipper? If so, will their overseas customers or correspondent banks
find Clipper acceptable?  Will the governments of other countries
allow Clipper equipment into financial institutions that, in many
cases, they partially or entirely own?  Why was no study of the
potential impact of Clipper on US competitiveness conducted?

During NIST's policy review in June 1993, they ask US industry to
detail actual losses and projections due to Clipper and export
controls.  This is unfair.  No company wants to admit publicly where
and how it lost business to competition.  Doing so simply provides
valuable information that can be used by competitors against them
again, or worse, by other competitors they haven't lost to yet.

If the government holds that export controls are working, even though
they don't contain the technology in the US, then let them tell us
where and how they benefit from the policy, or let's begin removing
the controls.  If that sounds unreasonable, it's only the equivalent
of their request to industry to "put up or shut up."

In what must be seen as the tip of the iceberg, warning signals exist.
Australia's Courier Mail reported in a lead business story on May 18,
1992 that U.S. export controls will be directly responsible for three
Australian companies taking over $100 million per year in business
from U.S. suppliers in Australia alone for Pay-TV systems.  They
report that the full amount could be billions in the emerging Pacific
market for these systems.

At a June 1992 conference in Washington, DC, five panelists discussed
how export controls were affecting their business.  One, a
representative of a Fortune 5 company, described how two of their
major clients were lost because adequate security could not be offered
by the US company in Europe. Another panelist, representing a major
computer company, described how a European company was specifically
created and funded to exploit market opportunities created by US
export controls.  He further stated that his company had lost system
sales -- hardware and software -- due to their inability to provide
adequate security to foreign buyers.

Export controls coupled with Clipper, which puts the US at odds with
the rest of the world, could cost US industry billions of dollars in
lost commerce opportunities and lost jobs.  Clipper will cost US
industry billions of dollars, and create the potential for a national
catastrophe by putting all the keys to a nationwide security system in
one place.  The impact of these policies and actions deserves more open
study than NIST and NSA have been willing to provide.

This is the problem with Clipper/Capstone.  There is a presumption on
the part of the government that a wiretap capability through escrowed
cryptography must be protected regardless of the cost to industry.
This is what we should be debating.


From hanson@ptolemy.arc.nasa.gov Thu May 27 15:12:55 1993
Return-Path: <hanson@ptolemy.arc.nasa.gov>
Received: from ptolemy.arc.nasa.gov (ptolemy-ethernet.arc.nasa.gov) by
csrc.ncsl.nist.gov (4.1/NIST)
     id AA10795; Thu, 27 May 93 15:12:46 EDT
Posted-Date: Thu, 27 May 93 12:15:07 PDT
Received-Date: Thu, 27 May 93 15:12:46 EDT
Received: from jabberwock.arc.nasa.gov by ptolemy.arc.nasa.gov (4.1/) id
<AA24469>; Thu, 27 May 93 12:15:07 PDT
Date: Thu, 27 May 93 12:15:07 PDT
>From: Robin Hanson <hanson@ptolemy.arc.nasa.gov>
Message-Id: <9305271915.AA24469@ptolemy.arc.nasa.gov>
Received: by jabberwock.arc.nasa.gov (4.1/SMI-4.1)
     id AA13922; Thu, 27 May 93 12:12:25 PDT
To: crypto@csrc.ncsl.nist.gov
Cc: hanson@ptolemy.arc.nasa.gov
Subject:  Cryptographic Issue Statement

[This is an updated version of a message I sent May 13.]

You have announced:

  "The Board solicits all interested parties to submit well-written,
  concise issue papers, position statements, and background materials on
  areas such as those listed below. ... Because of the volume of
  responses expected, submittors are asked to identify the issues above
  to which their submission(s) are responsive."

My paper included below addresses this issue: 

  1.    CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES

  ... Issues involved in balancing various interests affected by 
  government cryptographic policies.


Specifically, I examine whether government cryptographic policies
intended to preserve wiretap abilities can cost phone users less than
they benefit citizens seeking law enforcement.  This seems unlikely.

Robin Hanson
-------------------------------------------------------------------------
                 CAN WIRETAPS REMAIN COST-EFFECTIVE?

                          by Robin Hanson
              hanson@ptolemy.arc.nasa.gov 510-651-7483
               47164 Male Terrace, Fremont, CA 94539

                            May 21, 1993
                         Distribute Freely

  SUMMARY: Compared to an average monthly phone bill of eighty dollars,
  the option to wiretap the average phone line is probably worth less than
  twelve cents a month to police and spy agencies.  Claims that this 
  option is worth over a dollar a month ignore the basic economics of 
  law enforcement.  Thus recently proposed government policies to preserve
  wiretap abilities in the face of technological change must raise phone 
  costs by less than one part in seven hundred to be cost-effective.  
  Why not let a market decide if wiretaps make sense?  

BACKGROUND

Until now, telephones have happened to allow the existence of "wiretaps",
cheap detectors which can pick up conversations on a phone line without the
consent of either party to the conversation.  And since 1968, U.S. police
have been allowed to request such wiretaps from judges, and must compensate
phone companies for expenses to assist a tap.  Since then, law enforcement
agencies have come to rely on this capability to aid in criminal
investigations.

However, wiretaps have become more difficult as phone companies have
switched to digital technologies.  And powerful new encryption technologies
threaten to make truly private communication possible; a small chip in each
phone could soon make it virtually impossible to overhear a conversation
without a physical microphone at either end.  So the U.S. government has
begun to actively respond to these threats to police wiretap abilities.

Regarding digital phone issues, an "FBI Digital Telephone Bill" was
circulated early in 1992 [1], proposing to require all communication
services to support easy wiretaps, now without compensation from the
police.  Each tapped conversation would have to be followed smoothly as the
parties used call-forwarding or moved around with cellular phones.  The
data for that conversation would have to be separated out from other
conversations, translated to a "form representing the content of the
communication", and sent without detection or degradation to a remote
government monitoring facility, to be received as quickly as the parties to
the conversation hear themselves talk.  Congress has yet to pass this bill.

Regarding encryption issues, the White House announced on April 16, 1993 
that 1) they had developed and begun manufacturing a special "wiretap" (or
"Clipper") chip to be placed in future phones, instead of the total privacy
chips which have been under private development, 2) they plan to require
this chip in most phones the government buys, and 3) they will request all
manufacturers of encrypted communications hardware to use this wiretap
chip.  The same day, AT&T announced it would use these chips "in all its
secure telephone products".  

The plan seems to be to, at the very least, create a de facto standard for
encryption chips, so that alternatives become prohibitively expensive for
ordinary phone users, and to intimidate through the threat of further
legislation.  Such legislation would be required to stop privacy fans and
dedicated criminals, who might be willing to pay much more to use an
alternative total privacy standard.

Both the specific wiretap chip design and the general algorithm are secret.
Each chip would be created under strict government supervision, where it
would be given a fixed identifier and encryption key [2].  At some
unspecified frequency during each conversation, the chip would broadcast
its identifier and other info in a special "law enforcement field".  Law
enforcement officers with a court order could then obtain the key
corresponding to this identifier from certain unspecified agencies, and
could thereby listen in on any future or previously recorded conversations
on that phone.

To date, most concerns voiced about the wiretap chip have been about its
security.  Encryption algorithms are usually published, to allow the
absence of public demonstrations of how to break the code to testify to the
strength of that code.  And it is not clear what government agency could be
trusted with the keys.  Many suspect the government will not limit its
access in the way it has claimed; the track records of previous
administrations [3], and of foreign governments [4], do not inspire
confidence on this point.

This paper, however, will neglect these concerns, and ask instead whether
this new wiretap chip, and other policies to preserve phone wiretaps, are
cost-effective tools for police investigation.  That is, which is a cheaper
way for society to investigate crime: force phone communications to support
wiretaps, or give police agencies more money to investigate crimes as they
see fit?  Or to put it another way, would police agencies still be willing
to pay for each wiretap, if each wiretapping agency were charged its share
of the full cost, to phone users, of forcing phones to support wiretaps?

A recent U.S. General Accounting Office report on the FBI bill stated [1]:

 "[N]either the FBI nor the telecommunications industry has 
  systematically identified the alternatives, or evaluated their costs, 
  benefits, or feasibility."

While this paper will not change this sad fact, it does aspire to improve
on the current confusion.  To begin to answer the above questions, we might
compare the current benefits wiretaps provide to law enforcement agencies
with projected costs of implementing the new wiretap chip and other wiretap
policies. 

WIRETAP BENEFITS

1992 is the latest year for which wiretap statistics are available [5].
According to the Office of U.S. Courts, 919 wiretap installations were
requested by local, state, and federal police in 1990, no requests were
denied, and 846 taps were installed.  2685 arrests resulted from wiretaps
started the same year, 1211 arrests came from wiretaps in previous years,
and about 60% of arrests eventually lead to convictions.  About 37% of
wiretaps were requested by federal authorities, and 67% of state wiretaps
were in New York, New Jersey, and Florida.  28 states had no wiretaps, and
10 states do not allow wiretaps.

About 69% of taps were regarding drug offenses, and 10% for racketeering,
and 7% for gambling offenses.  Wiretaps are most useful for investigating
"victimless" crimes, since victims will often give police permission to
record their calls.

Each wiretap installation heard an average of 1861 calls, 19% of them
incriminating, among 117 people.  Of 829 installations reporting costs, the
average cost was $46,492.  Federal taps cost about twice as much as state
taps, so federal agencies paid 53% of total wiretap costs.  $1.1 million
was also spent following up on wiretaps from previous years.  Thus a total
of $40.4 million was spent on wiretaps, to obtain about 4000 arrests, at
about $10,000 per arrest, or four times as much as the $2500 per arrest
figure one gets by dividing the $28 billion spent by all police nationally
by the total 11 million non-traffic arrests in 1987 [6].  Thus wiretaps are
a relatively expensive form of investigation.

75% of the wiretaps were for phone lines (vs pagers, email, etc.), and are
the focus of this paper.  The $30 million per year spent on phone taps
represents only one thousandth of the total police expenditures.
Projecting previous trends from the 138 million phone "access" lines in the
country in 1990 [6] suggests 147 million access lines in 1992.  Thus about
20 cents spent per year per phone line, or about two cents a month, is
spent on phone wiretaps.  Since 1978, our foreign intelligence agencies
have also been authorized to tap international phone calls.  No statistics
are published on these taps, so let us assume a similar number of "spy"
wiretaps are done, giving a total of ~$60 million annually, or four cents
per month per phone line spent on wiretaps.

Of course the amount police spend on wiretaps is not the same as the
benefits of wiretaps.  How can we estimate benefits?  Dorothy Denning, an
advocate of both the FBI bill and the wiretap chip, claims that "the
economic benefits [of wiretaps] alone are estimated to be billions of
dollars per year" [7], and then refers to amounts fined, recovered, and "$2
billion in prevented potential economic loss" by the FBI from 1985 to 1991.
Denning further relays fascinating FBI claims that through wiretaps "the
hierarchy of organized crime has been neutralized or destabilized", and
that "the war on drugs ... would be substantially ... lost" without them.

Two billion dollars per year of wiretap benefit would translate to a little
over a dollar a month per phone line.  Denning, however, offers no support
for her claims, and appears to be relaying internal FBI figures, which the
FBI itself has neither revealed nor explained to the public.  And the FBI
is hardly a neutral party on this subject.

Estimating the benefits of police investigations is not as simple as it
might seem, however, and certainly requires more than adding up amounts
fined or recovered.  Long and well-established results in the economics of
law enforcement [8] tell us to reject the notion that we should be willing
to spend up to one dollar on police, in order to collect another dollar in
fines or to prevent another dollar of theft.  So, for example, we rightly
reject IRS pleas for increased budget based solely on estimates of how many
more dollars can be collected in taxes for each dollar spent by the IRS.
In fact, a main reason given for using public police to investigate crime,
instead of private bounty hunters, is to avoid such police overspending.

In general, we deter a given class of criminals through a combination of
some perceived probability of being caught and convicted, and some expected
punishment level if convicted.  And some crime is directly prevented, rather
than deterred, through some level of police monitoring.  The optimum police
budget is a complex tradeoff between social costs due to the crimes
themselves, the punishment exacted, and police expenses.

How then can we estimate wiretap benefits?  Let us assume that about the
right total amount is being spent on police, and that police have about the
right incentives, to spend their budget to monitor where it would help the
most, and to get as many as possible of the right kinds of convictions.
(If police budgets are too low, then the answer is to increase them, rather
than trying to crudely subsidize any one of their expenses.)

In this case the social benefit of being able to wiretap is no more than
about the additional amount police would be willing to pay, beyond what
they now pay, to undertake the same wiretaps (assuming this remains a small
fraction of total police budgets).  The benefit of wiretaps is actually
less than this value, because were wiretaps to become more expensive, we
might prefer to get the same criminal deterrence by instead raising
punishment and lowering the probability of conviction, or perhaps we might
accept a lower deterrence level, or even decriminalize certain activities.
Police monitoring might be similarly adjusted.

How much police would be willing to pay for each wiretap would depend of
course on what alternatives are available.  If unable to wiretap a
particular suspect's phone line, police might instead use hidden
microphones, informants, grant immunity to related suspects, or investigate
a suspect in other ways.

The law requires that police requesting a wiretap must convince a judge
that other approaches "reasonably appear to be unlikely to succeed if tried
or to be too dangerous".  But in practice judges don't often question
boilerplate claims to this effect in police requests [9], and
investigations often continue even after a wiretap has failed to aid an
investigation.  Experienced investigators advise wiretaps as a last resort,
but mainly because wiretaps are so expensive.

More importantly, police can also choose to focus on similar suspects who
are more easily investigated without wiretaps.  Most police cases are near
the borderline where it is not clear that they are worth pursuing, and will
be simply dropped should a more pressing case suddenly arise.  Many cases
reach the point where a wiretap might help, but are dropped because a
wiretap seems too costly.  And most cases now using wiretaps would probably
be abandoned if wiretaps became dramatically more expensive.

No doubt a few wiretaps are so valuable that it would have cost ten times
as much to obtain similar results through other means.  But on average, it
is hard to imagine that police would be willing to pay more than a few
times what they now pay for each wiretap.  If we assume that police would
on average be willing to pay twice as much for each tap, then the social
benefit of phone wiretaps is about equal to the current spending level of
four cents a month per phone line.  If we assume that police would on
average be willing to pay four times as much per wiretap, the option to
wiretap the average phone would be worth twelve cents a month.

A better estimate of wiretap values might come from randomly asking recent
wiretap requestors whether they would have still requested that wiretap had
they expected it to take twice as much labor to get the results they had
expected, or three times as much, etc.  The FBI will not allow such a
survey by ordinary citizens, but perhaps some state police would.  But
until such research is done, the twelve cent figure seems a reasonably
generous estimate, and the four cent figure may be closer to reality.

Of course the value of the option to tap any particular phone line
presumably varies a great deal from the average value.  But unless the
police can somehow pay only for the option to wiretap particular phone
lines of its choosing, it is the average value that matters for a
cost/benefit analysis.

WIRETAP COSTS

Let us for the moment optimistically assume that the U.S. government
encryption scheme used in the wiretap chip is as secure as whatever private
enterprise would have offered instead, protecting our conversations from
the spying ears of neighbors, corporations, and governments, both foreign
and domestic.  Even so, the use of this chip, and of other policies to
support wiretaps, would create many additional costs to build and maintain
our communication system.

Some phone companies must have perceived a non-trivial cost in continuing
to support wiretaps while moving to digital phone transmissions, even when
compared to the widely recognized value of staying on the good side of the
police.  Otherwise the police would not have complained of "instances in
which court orders authorizing the interception of communications have not
been fulfilled because of technical limitations within particular
telecommunications networks" [1].  

The wiretap chip requires extra law enforcement fields to be added to phone
transmissions, increasing traffic by some unknown percentage.  A special
secure process must be used to add encryption keys to chips, while securely
distributing these keys to special agencies, which must be funded and
monitored.  The chips themselves are manufactured through a special process
so that the chip becomes nearly impossible to take apart, and the pool of
those who can compete to design better implementations is severely limited.
Private encryption systems not supporting wiretaps would require none of
these extra costs.

Perhaps most important, government decree would at least partially replace
private marketplace evolution of standards for how voice is to be
represented, encrypted, and exchanged in our future phones.  It is widely
believed that governments are less efficient than private enterprise in
procuring products and standards, though they may perhaps perform a useful
brokering role when we choose between competing private standards.  How
much less efficient is a matter of debate: some say they pay twice as much,
while others might say they pay only 10% more.

This type of wiretap support also raises costs by preventing full use of a
global market for telephone systems.  It pushes certain domestic phone
standards, which foreign countries may not adopt, and requires the use of
encryption methods known only to our government, which foreign countries
are quite unlikely to adopt.

In 1990, 53 U.S. phone companies had total revenues of $117.7 billion for
domestic calls, $4.4 billion for overseas calls, and $4.5 billion for
cellular calls [6], for a total cost of $126.6 billion dollars to run the
phone system.  Extrapolating recent trends suggests $138 billion for 1992,
and an average monthly phone bill of $78 per line.  If we generously assume
that police and spies would on average be willing to pay four times as much
as the ~$60 million they now spend on wiretaps annually, we find that
wiretaps are not cost effective if we must raise phone costs by as much as
one part in 700 to preserve wiretap abilities in the face of technological
change.  The twelve cents per line wiretap option value must be compared
with an average seventy dollar monthly phone bill.  (If we assume that
police would only pay twice as much on average, then this limit falls to
one part in 2300!)

Dorothy Denning relays FBI claims that $300 million is the maximum
cumulative development cost "for a switch-based software solution" so that
phone companies can continue to support wiretaps [7].  Denning does not,
however, say how long this solution would be good for, nor what the
software maintenance and extra operating costs would be.  And again this is
a figure which the FBI itself has neither revealed nor explained to the
public.  If we use a standard estimate that software maintenance typically
costs twice as much as development [10], and accept this FBI estimate, then
total software costs would by themselves be five times the above generous
estimate of annual wiretap benefits.

The current government contractor claims it will offer the wiretap chips
for about $26 each in lots of 10,000 [2], over twice the $10 each a
competing private developer claims it would charge [11] for a chip with
comparable functionality, minus wiretap support.  And the wiretap chip
price probably doesn't reflect the full cost of government funded NSA
research to develop it.  If only one phone (or answering machine) is
replaced per phone line every five years, the extra cost for these chips
alone comes out to over 27 cents extra a month per line, or by itself more
than two times a twelve cent estimated wiretap option value.  Of course
most phones wouldn't have encryption chips for a while, but the wiretap
benefit is per phone, so this argument still applies.

COMPARING BENEFITS AND COSTS

Given the dramatic difference between the total cost of running the phone
system and an estimated social value of wiretaps, we can justify only the
slightest modification of the phone system to accommodate wiretaps.  When
the only modification required was to allow investigators in to attach
clips to phone wires, wiretap support may have been reasonable.  But when
considering more substantial modification, the burden of proof is clearly
on those proposing such modification to show how the costs would really be
less than the benefits.  This is especially true if we consider the costs
neglected above, of invasions of the privacy of innocents, and the risk
that future administrations will not act in good faith [3].

If consensus cannot be obtained on the relative costs and benefits of
wiretaps, we might do better to focus on structuring incentives so that
people will want to make the right choices, whatever those might be.
Regarding phone company support for wiretaps, it seems clear that if
wiretaps are in fact cost-effective, there must be some price per wiretap
so that police would be willing to pay for wiretaps, and phone companies
would be willing to support them.  As long as the current law requiring
police to pay phone company "expenses" is interpreted liberally enough, the
market should provide wiretaps, if they are valuable.

Monopoly market power of phone companies, or of police, might be an issue,
but if we must legislate to deal with monopoly here, why not do so the same
way we deal with monopoly elsewhere, such as through price regulation?
Legislating the price to be zero, however, as the FBI bill seems to
propose, seems hard to justify.  And having each police agency pay for
wiretaps, rather than all phone companies, seems fairer to states which
forbid or greatly restrict the use of wiretaps.

Regarding encryption chips, recall that without legislation outlawing
private encryption, serious criminals would not be affected.  In this case,
it does not seem unreasonable to allow phone companies to offer discounts
to their customers who buy phones supporting wiretaps, and thereby help
that phone company sell wiretaps to police.  Each phone user could then
decide if this discount was worth buying a more expensive phone chip, and
risking possible unlawful invasions of their privacy.  Adverse selection,
however, might make privacy lovers pay more than they would in an ideal
world.

If outlawing private encryption is seriously considered, then we might do
better to instead just declare an extra punishment for crimes committed
with the aid of strong encryption, similar to current extra punishments for
using a gun, crossing state lines, or conspiring with several other people.
As in these other situations, a higher punishment compensates for lower
probabilities of convicting such crimes, and for higher enforcement costs,
while still allowing individual tradeoffs regarding wiretap support.

If, as seems quite possible, the stringent cost requirements described here
for preserving wiretap abilities cannot be met, then we should accept that
history has passed the economical wiretap by.  Police functioned before
1968, and would function again after wiretaps.

[1] ftp: ftp.eff.org /pub/EFF/legislation/new-fbi-wiretap-bill
                     /pub/EFF/legal-issues/eff-fbi-analysis

[2] Clipper Chip Technology, ftp: csrc.ncsl.nist.gov /pub/nistnews/clip.txt

[3] Alexander Charns, Cloak and Gavel, FBI Wiretaps, Bugs, Informers, and
    the Supreme Court, Univ. Ill. Press, Chicago, 1992.

[4] Headrick, The Invisible Weapon, Oxford Univ. Press, 1991.

[5] Report on Applications for Orders Authorizing or Approving the
    Interception of Wire, Oral, or Electronic Communications, 1992,
    Administrative Office of U.S. Courts, Washington, DC 20544.

[6] Statistical Abstract of the United States, 1992.

[7] Dorothy Denning, "To Tap Or Not To Tap", Comm. of the ACM, March 1993.

[8] Richard Posner, Economic Analysis of Law, 4th Ed., 1992, Chapter 22.

[9] Report of the National Commission for the Review of Federal and State
    Laws Relating to Wiretapping and Electronic Surveillance, Washington,
    1976.

[10] Barry Boehm, Software Engineering Economics, Prentice Hall, 1981.

[11] Conversation with Steven Bryen, representative of Secure
     Communications Technology, 301-588-2200, April 25, 1993.

No one paid Robin anything to write or research this (unfortunately :-)

From Ralph.Durham@Forsythe.Stanford.EDU Thu May 27 19:11:05 1993
Return-Path: <Ralph.Durham@Forsythe.Stanford.EDU>
Received: from Forsythe.Stanford.EDU by csrc.ncsl.nist.gov (4.1/NIST)
     id AA11125; Thu, 27 May 93 19:10:56 EDT
Posted-Date:      Thu, 27 May 93 16:10:43 PDT
Received-Date: Thu, 27 May 93 19:10:56 EDT
Message-Id: <9305272310.AA11125@csrc.ncsl.nist.gov>
Date:      Thu, 27 May 93 16:10:43 PDT
To: crypto@csrc.ncsl.nist.gov
>From: "Ralph Durham" <Ralph.Durham@Forsythe.Stanford.EDU>
Subject: Clipper Chips! NO!

Madam / Sir:

RE: Clipper chip;

I currently have no vested interest in the encryption of computer
files or the transmission of same.

Encryption technology has become a potential commodity for the
masses because of the PC. There will be no way to stop people from
encrypting their files for safekeeping or transmission should they
want. This is akin to prohibition, gun laws, and drugs. This is not
a policeable issue.

This technology, the clipper chip, will reduce our country's
technological edge in this field because it will lead to stagnation.

This will drive prices up for honest people because monopolistic
encryption chips will be needed. Add to this the cost of a secure
network to manufacture, program, sell, install, and keep the 2nd key
required to use the system. For what? I for one would like to see a
cost benefit analysis done for this issue alone.

The other issue is privacy. Without the public knowing what this
encryption is like and how it will be used we cannot be sure that it
is really secure or needed. What precautions are going to be taken
to ensure that this is the best way to encrypt data or that only law
enforcement can get the 2nd key for justified reasons? The way our
government, and other governments, have acted in the past leaves me
leery of the future. How will we be able to protect our rights and
privacy?

How will these keys be stored? How will access be decided? Will we
have criminal charges for the unauthorized use of the 2nd key? Or the
data thus gained? Or the theft of keys and data?

Drop this ill fated plan. Spend the money on something better for
the country than the marginal, at best, law enforcement gain from
this idea. Privacy issues, cost benefit, get children inoculations
and adequate educations and we will have less need for a police
state.

Sincerely,
Ralph G. Durham
104A Escondido Village
Stanford, CA 94305

To:  CRYPTO@CSRC.NCSL.NIST.GOV