TUCoPS :: Privacy :: priv_219.txt

Privacy Digest 2.19 6/4/93

PRIVACY Forum Digest        Friday, 4 June 1993        Volume 02 : Issue 19

          Moderated by Lauren Weinstein (lauren@vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	Re: Can Wiretaps Remain Cost-Effective? (Barry Jaspan)
	Clipper Chip (bstrauss@BIX.com)
	Re: California law requiring ID at all times (Mel Beckman)
	Clinton Goes Online with E-Mail (Tansin A. Darcos & Company)
	White House Gets a Real Internet Address (Nigel Allen)
	House of Representatives On-Line (Mark Boolootian)
	CPSR Seeks Clipper Docs (Dave Banisar)
	CPSR NIST Crypto Statement (David Sobel)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 19

   Quote for the day:

	"When I play with my cat, who knows whether she isn't amusing
         herself with me more than I am with her?"

				-- Montaigne (1533-1592)

	
----------------------------------------------------------------------

Date:    Fri, 28 May 93 11:07:56 EDT
From:    "Barry Jaspan" <bjaspan@gza.com>
Subject: Re: Can Wiretaps Remain Cost-Effective? (Robin Hanson)

Robin Hanson writes:
>> So why not let phone companies sell police the option to perform legal
>> wiretaps on given sets of phone lines, at whatever price the two
>> parties can negotiate?

I agreed, or at least sympathized, with Hanson's argument up to this
point, but I think the privatizing of law enforcement is not
necessarily a good idea.

Why not let landlords sell police the option to perform legal searches
in homes they manage?  Why not allow company executives sell police
the option to perform legal investigations into the business-related
activities of employees?

The answer is that it would put the seller of the option in a position
to control the possibility of a criminal investigation being pursued.
What if the phone comany, the landlord, or the company executive was
in on the crime being committed?  The possibilities for corruption
and, more generally, social and political complications are immense.

This is not to say that law enforcement officials aren't equally
subject to these problems (they are), but there are stricter
guidelines governing their behavior.  It would be bad for business if
the person at the phone company with the authority the negotiate with
the police had to have a security clearance, etc.

Just my $.02.

Barry Jaspan, bjaspan@gza.com

------------------------------

Date:    Fri, 28 May 1993 23:49:10 -0400 (EDT)
From:    bstrauss@BIX.com
Subject: Clipper Chip

One of the things I've not seen discussed in the clipper chip debate is
a worst case scenario.  Clipper chip is mandatory and all other forms of
encryption are banned.  Given the reality of electronic communications
(witness the inability of the USSR to control information flow once
computers started to become common place), I wonder if the government really
thinks they can manage the flow.  Even if there is a backdoor in clipper and
they can crack, trivially, every conversation 'they' want, how does the
government (nefarious FBI, NSA, etc people) expect to sift the 'interesting'
things from the sheer volume?

Suppose two people want to exchange dastardly messages.  Further suppose they
agree that every thousandth message is important and they program their 
computers to exchange 999 messages per day -- meaningless, random garbage...
Or even bad computer generated poetry -- perfect place to hide coded messages.

One of the key military technologies is traffic analysis -- even if you
can't read the meaning, a sudden increase in traffic is an indication that
'something' is up.  But there is 999 or 1000 messages per day, and nothing
to set off a traffic alert.

How can government expect to manage this information flow, especially as
it grows 10x or 100x over the next years?

-----Burton

------------------------------

Date:    Sun, 30 May 93 07:45:38 PST
From:    mbeckman@mbeckman.com (Mel Beckman)
Subject: Re: California law requiring ID at all times

In Regards to your letter <m0nyxeI-00020DC@vortex.com>:
> A couple of nights ago on the local TV news I heard that 
> California now requires that all adults carry identification 
> at all times.

I live in Southern California.  This was news to me, so I called two
different police agencies: the Ventura County Sherrif's Association, and the
Santa Barbara Police Dept. Both said that no, nobody is required to carry ID
at all times. However, if stopped by a police officer, a citizen is to
assume that the officer has reasonable cause and thus produce any
identification they're carrying. The officer (assuming reasonable cause) may
perform a surface search for ID to verify a claim of nonposession.

This has an interesting intersection with the INS (Immigration and
Naturalization Service) here in Southern California. The INS routinely stops
people and asks them to produce their "green card", or legal alien
registration. I've recently had occassion to ask the INS under what
conditions they may stop and demand proof of citizenship. An INS officer
told me that they can stop anybody and ask for a green card if they have the
infamous "reasonable cause" -- and that reasonable cause can be "ethnic
appearance!". However, if the person says they are a US Citizen, they
instantly do not have to produce any further documentation and must be
released. According to the Sherrif's department, the INS doesn't enjoy the
State law enforcer's privilege of obtaining whatever ID the person _is_
carrying.

I plan to look up the specific statutes and will report them here.

  -mel
________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Berra

------------------------------

Date:    Wed, 2 Jun 1993 20:59:24 -0400 (EDT)
From:    "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Clinton Goes Online with E-Mail

>> From: Paul Robinson <TDARCOS@MCIMAIL.COM>
>> Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
-----
Just reported today (6/2) on page F3 of The Washington Post:

"Move over 1600 Pennsylvania Avenue, Bill Clinton has a second 
address:  president@whitehouse.gov".

Several paragraphs later, it reports:

"People who send complaints or praise by E-Mail won't reach the president
directly or jump the queue in getting attention.  The messages will be
read by the White House correspondence staff, with the same priority as
paper letters. 

A sampling will be show to the president and Vice President Al Gore, 
who made White House E-Mail a personal priority.  (His address:
vice.president@whitehouse.gov)."

"The White House already had addresses with three commercial E-Mail
services.  Through them, it was receiving as many as 5,000 messages 
a week."  The article later points out that the messages were sent using
sneakernet, i.e. copied to diskette and carried by mail or courier.

In the article, it kept printing the E-Mail addresses such that the line
breaks kept making the system divide the messages as "president@white-
house.gov" or also, in the second place, the address "vice.president@white-
house.gov".  So I decided to see if it really was on line, or if the Post
had made a mistake; I telnetted to rs.internic.net and did a lookup:

Whois: whois whitehouse.gov 

Executive Office of the President USA (WHITEHOUSE-HST)  198.137.240.100 
 WHITEHOUSE.GOV  Whitehouse Public Access (WHITEHOUSE-DOM) 

Whois: whitehouse-dom 

Whitehouse Public Access (WHITEHOUSE-DOM)
   Executive Office of the President USA
   Office of Administration
   Room NEOB 4208
   725 17th Street NW
   Washington, D.C. 20503
   Domain Name: WHITEHOUSE.GOV
   Administrative Contact, Technical Contact, Zone Contact: 
      Fox, Jack S.  (JSF) fox_j@EOP.GOV
      (202) 395-7323
   Record last updated on 26-May-93. 
   Domain servers in listed order: 
   WHITEHOUSE.GOV    198.137.240.100
   NS.UU.NET    137.39.1.3 

whois:

The article mentions that selected items will be shown to the President
and the Vice President directly.  So here's your chance to send positive
comments directly as E-Mail, or, if desired, to vent your spleen without
delay!

-----
Paul Robinson -- TDARCOS@MCIMAIL.COM

------------------------------

Date: Wed, 2 Jun 93 00:02:42 EDT
From: ae446@freenet.carleton.ca (Nigel Allen)
Subject: White House Gets a Real Internet Address
Organization: Echo Beach

	[ From TELECOM Digest -- MODERATOR ]

Here is a press release from the White House.

I downloaded the press release from the PR On-Line BBS in Maryland at
410-363-0834.

 Letter from President Clinton, Vice President Gore Announcing
White House Electronic Mail Access

 Contact: White House Office of Media Affairs, 202-456-7150

   WASHINGTON, June 1 -- Following is a letter from President Clinton
and Vice President Gore announcing White House electronic mail access:

   Dear Friends:

   Part of our commitment to change is to keep the White House in step
with today's changing technology.  As we move ahead into the
twenty-first century, we must have a government that can show the way
and lead by example.  Today, we are pleased to announce that for the
first time in history, the White House will be connected to you via
electronic mail.  Electronic mail will bring the Presidency and this
Administration closer and make it more accessible to the people.

   The White House will be connected to the Internet as well as
several on-line commercial vendors, thus making us more accessible and
more in touch with people across this country.  We will not be alone
in this venture.  Congress is also getting involved, and an exciting
announcement regarding electronic mail is expected to come from the
House of Representatives tomorrow.

   Various government agencies also will be taking part in the near
future.  Americans Communicating Electronically is a project developed
by several government agencies to coordinate and improve access to the
nation's educational and information assets and resources.  This will
be done through interactive communications such as electronic mail,
and brought to people who do not have ready access to a computer.

   However, we must be realistic about the limitations and
expectations of the White House electronic mail system.  This
experiment is the first-ever e-mail project done on such a large
scale.  As we work to reinvent government and streamline our
processes, the e-mail project can help to put us on the leading edge
of progress.

   Initially, your e-mail message will be read and receipt immediately
acknowledged.  A careful count will be taken on the number received as
well as the subject of each message.  However, the White House is not
yet capable of sending back a tailored response via electronic mail.
We are hoping this will happen by the end of the year.

   A number of response-based programs which allow technology to help
us read your message more effectively, and, eventually respond to you
electronically in a timely fashion will be tried out as well.  These
programs will change periodically as we experiment with the best way
to handle electronic mail from the public.  Since this has never been
tried before, it is important to allow for some flexibility in the
system in these first stages.  We welcome your suggestions.

   This is an historic moment in the White House and we look forward
to your participation and enthusiasm for this milestone event.  We
eagerly anticipate the day when electronic mail from the public is an
integral and normal part of the White House communications system.


     President Clinton             Vice President Gore

     PRESIDENT@WHITEHOUSE.GOV      VICE.PRESIDENT@WHITEHOUSE.GOV

                       -----------------

Nigel Allen, Toronto, Ontario, Canada  ae446@freenet.carleton.ca

------------------------------

Date: Thu, 3 Jun 1993 14:24:55 -0700 (PDT)
From: booloo@framsparc.ocf.llnl.gov (Mark Boolootian)
Subject: House of Representatives On-Line

	[ From TELECOM Digest -- MODERATOR ]

   Date: 03 Jun 93 15:41:15 -0500
   Subject: press release

TEXT OF PRESS RELEASE FROM COMMITTEE ON HOUSE ADMINISTRATION, U.S.
HOUSE OF REPRESENTATIVES, DATED JUNE 3,1993


FOR IMMEDIATE RELEASE

For further information please contact:
Lance Koonce  (202) 225-7922

HOUSE ANNOUNCES PUBLIC ELECTRONIC MAIL SERVICE

        Chairman Charlie Rose and Ranking Minority Member Bill Thomas
of the Committee on House Administration announced today the pilot
program of the Constituent Electronic Mail System.  This
ground-breaking new service will allow citizens to communicate
directly with their Member of Congress by electronic mail.  The House
of Representatives has established an electronic gateway to the
Internet, the vast computer network that is used currently by over
twelve million people worldwide.  Participating Members of the House
have been assigned public mailboxes which may be accessed by their
constituents from their home computers.  In addition, many libraries,
schools and other public institutions now provide, or soon will
provide, public access to the Internet.

        The Members of the House of Representatives who have agreed to
participate in this pilot program are: Rep. Jay Dickey (AR-07), Rep.
Sam Gejdenson (CT-02), Rep. Newt Gingrich (GA-06), Rep. George Miller
(CA-07), Rep. Charlie Rose (NC-07), Rep. Fortney (Pete) Stark (CA-l3),
and Rep.  Melvin Watt (NC-12).  These Members will be making
announcements in their congressional districts within the next few
weeks to make their constituents aware of the new service.

        The Constituent Electronic Mail System represents a
significant effort by the House of Representatives to expand
communication with constituents.  With the tremendous growth of
electronic mail over the past several years, and the increasingly
inter-connected nature of computer networks, the new service is a
natural addition to the current methods of communication available to
constituents.  At the present time, House Members involved in the
pilot program will largely respond to electronic mail messages from
their constituents by postal mail, to ensure confidentiality.

        Constituents of House Members participating in the pilot
program who wish to communicate with those Members will be asked to
send a letter or postcard stating their interest to the Member's
office.  The request will include the constituent's Internet
"address," as well as that constituent's name and postal address. This
process will allow Members to identify an electronic mail user as his
or her constituent.

        The pilot e-mail program will continue until sufficient
feedback from participating offices has been collected to allow
improvements and modifications to the system.  When House Information
Systems and the Committee on House Administration are satisfied that
the system is sufficiently error-free, other Members of the House will
be allowed to add this new service as technical, budgetary and
staffing concerns allow.

        For more information,Internet users are encouraged to contact
the House of Representative's new on-line information service. Please
send a request for information to CONGRESS@HR.HOUSE.GOV (1)


(1) Please be advised that the commercial "at" symbol is not
recognized by some computer systems when transmitted electronically.
The "at" symbol is an important part of the electronic mail address
for the U.S. House information service, and should be inserted in
place of the question mark in the following example:
"CONGRESS?HR.HOUSE.GOV"

------------------------------

Date:    Fri, 28 May 1993 14:30:44 EST    
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: CPSR Seeks Clipper Docs 

PRESS RELEASE May 28, 1993

CPSR Seeks Clipper Documents - Brings Suit Against NSA and National
Security Council

	Washington, DC -- Computer Professionals for Social
Responsibility filed suit today in federal district court seeking
information about the government's controversial new cryptography
proposal.

	The "Clipper" proposal, announced by the White House at an
April 16 press conference, is based on a technology developed by the
National Security Agency that would allow the government to intercept
computer encoded information.  Law enforcement agencies say that
capability this is necessary to protect court ordered wire
surveillance.

   But industry groups and civil liberties organizations have raised
questions about the proposal.  They cite the risk of abuse, the
potential loss in security and privacy, costs to US firms and
consumers, and the difficulties enforcing the policy.

	Marc Rotenberg, CPSR Washington office director, said "The
Clipper plan was developed behind a veil of secrecy.  It is not enough
for the White House to hold a few press conferences.  We need to know
why the standard was developed, what alternatives were considered, and
what the impact will be on privacy. "

	"As the proposal currently stands, Clipper looks a lot like
'desktop surveillance,'" added Rotenberg.

	David Sobel, CPSR Legal Counsel, said "CPSR is continuing its
oversight of federal cryptography policy.  These decisions are too
important to made in secret, without public review by all interested
parties."

	In previous FOIA suits, CPSR obtained records from the General
Services Administration questioning the FBI's digital telephony plan, a
legislative proposal to require that communications companies design
wiretap capability.  More recently, CPSR obtained records through the
FOIA revealing the involvement of the National Security Agency in the
development of  unclassified technical standards in violation of
federal law.

	CPSR is a national membership organization, based in Palo Alto,
CA.  Membership is open to the public.  For more information about
CPSR, contact CPSR, P.O. Box 717, Palo Alto, CA 9403, 415/322-3778
(tel), 415/322-3798 (fax), cpsr@cpsr.org

------------------------------

Date:    Wed, 2 Jun 1993 17:08:40 EST
From:    David Sobel <dsobel@washofc.cpsr.org>
Subject: CPSR NIST Crypto Statement


                    Department of Commerce
        National Institute of Standards and Technology

      Computer System Security and Privacy Advisory Board

                Review of Cryptography Policy
                          June 1993

             Statement of CPSR Washington office
                  Marc Rotenberg, director
                (rotenberg@washofc.cpsr.org)
               with David Sobel, legal counsel,
                 Dave Banisar, policy analyst


     Mr. Chairman, members of the Advisory Panel, thank you for the
opportunity to speak today about emerging issues on cryptography
policy.

     My name is Marc Rotenberg and I am director of the CPSR
Washington office.  Although CPSR does not represent any computer
firm or industry trade association, we speak for many in the
computer profession who value privacy and are concerned about the
government's Clipper proposal.

     During the last several years CPSR has organized several meetings
to promote public discussion of cryptography issues.  We have also
obtained important government documents through the Freedom of
Information Act.  We believe that good policies will only result if the
public, the profession, and the policy makers are fully informed
about the significance of these recent proposals.

     We are pleased that the Advisory Board has organized hearings.
This review of cryptography policy will help determine if the Clipper
proposal is in the best interests of the country.  We believe that a
careful review of the relevant laws and policies shows that the key
escrow arrangement is at odds with the public interest, and that
therefore the Clipper proposal should not go forward.

     Today I will address issues 1 through 3 identified in the NIST
announcement, specifically the policy requirements of the Computer
Security Act, the legal issues surrounding the key escrow
arrangement, and the importance of privacy for network
development.


1. CRYPTOGRAPHY POLICY

     The first issue concerns the 1987 statute enacted to improve
computer security in the federal government, to clarify the
responsibilities of NIST and NSA, and to ensure that technical
standards would serve civilian and commercial needs.  The Computer
Security Act, which also established this Advisory Panel, is the true
cornerstone of cryptography policy in the United States.  That law
made clear that in the area of unclassified computing systems, the
Department of Commerce and not the Department of Defense, would
be responsible for the development of technical standards.  It
emphasized public accountability and stressed open decision-making.

     The Computer Security Act grew out of a concern that classified
standards and secret meetings would not serve the interests of the
general public.  As the practical applications for cryptography have
moved from the military and intelligence arenas to the commercial
sphere, this point has become clear.  There is also clearly a conflict of
interest when an agency tasked with signal interception is also given
authority to develop standards for network security.

     In the spirit of the Computer Security Act, NIST set out in 1989 to
develop a public key standard FIPS.  In a memo dated May 5, 1989
and obtained by CPSR through the Freedom of Information Act, NIST
said that it planned:

         to develop the necessary public-key based security
         standards.  We require a public-key algorithm for
         calculating digital signatures and we also require a
         public-key algorithm for distributing secret keys.

NIST then went on to define the requirements of the standard:

         The algorithms that we use must be public, unclassified,
         implementable in both hardware or software, usable by
         federal Agencies and U.S. based multi-national
         corporation, and must provide a level of security
         sufficient for the protection of unclassified, sensitive
         information and commercial propriety and/or valuable
         information.

     The Clipper proposal and the full-blown Capstone configuration,
which incorporates the key management function NIST set out to
develop in 1989, is very different from the one originally conceived
by NIST.

         %  The Clipper algorithm, Skipjack, is classified,

         %  Public access to the reasons underlying the proposal is
            restricted,

         %  Skipjack can be implemented only in tamper-proof
            hardware,

         %  It is unlikely to be used by multi-national corporations,
            and

         %  Its security remains unproven.

     The Clipper proposal undermines the central purpose of the
Computer Security Act.  Although intended for broad use in
commercial networks, it was not developed at the request of either
U.S. business or the general public.  It does not reflect public goals.
Rather it reflects the interests of one secret agency with the
authority to conduct foreign signal intelligence and another
government agency  responsible for law enforcement investigations.
ntent
of the Computer Security Act of 1987.
What is the significance of this?  It is conceivable that an expert
panel of cryptographers will review the Skipjack algorithm and find
that it lives up its billing, that there is no "trap door" and no easy
way to reverse-engineer.  In fact, the White House has proposed just
such a review process

     But is this process adequate?  Is this the procedure the Advisory
Board would endorse for the development of widespread technical
standards?  The expert participants will probably not be permitted
to publish their assessments of the proposal in scientific journals,
further review of the standard will be restricted, and those who are
skeptical will remain in the dark about the actual design of the chip.
This may be an appropriate process for certain military systems, but
it is clearly inappropriate for a technical standard that the
government believes should be widely incorporated into the
communications infrastructure.

     Good government policy requires that certain process goals be
satisfied.  Decisions should be made in the open.  The interests of the
participating agencies should be clear.  Agencies should be
accountable for their actions and recommendations.  Black boxes and
government oversight are not compatible.

     There is an even greater obligation to promote open decisions
where technical and scientific issues are at stake.  Innovation
depends on openness.  The scientific method depends on the ability
of researchers to "kick the tires" and "test drive" the product.  And,
then, even if it is a fairly good design, additional testing encourages
the development of new features, improved performance and
reduced cost.  Government secrecy is incompatible which such a
development process.

     Many of these principles are incorporated into the Computer
Security Act and the Freedom of Information Act.  The current
government policy on the development of unclassified technical
standards, as set out in the Computer Security Act, is a very good
policy.  It emphasizes public applications, stresses open review, and
ensures public accountability.  It is not the policy that is flawed.  It is
the Clipper proposal.

     To accept the Clipper proposal would be to endorse a process that
ran contrary to the law, that discourages innovation, and that
undermines openness.


2. LEGAL AND CONSTITUTIONAL ISSUES

     There are several legal and constitutional issues raised by the
government's key escrow proposal.

     The premise of the Clipper key escrow arrangement is that the
government must have the ability to intercept electronic
communications, regardless of the economic or societal costs.  The
FBI's Digital Telephony proposal, and the earlier Senate bill 266, was
based on the same assumption.

     There are a number of arguments made in defense of this
position: that privacy rights and law enforcement needs must be
balanced, or that the government will be unable to conduct criminal
investigations without this capability.

     Regardless of how one views these various claims, there is one
point about the law that should be made very clear: currently there
is no legal basis -- in statute, the Constitution or anywhere else --
that supports the premise which underlies the Clipper proposal.  As
the law currently stands, surveillance is not a design goal.  General
Motors would have a stronger legal basis for building cars that could
not go faster than 65 miles per hour than AT&T does in marketing a
commercial telephone that has a built-in wiretap capability.  In law
there is simply nothing about the use of a telephone that is
inherently illegal or suspect.

     The federal wiretap statute says only that communication service
providers must assist law enforcement in the execution of a lawful
warrant.  It does not say that anyone is obligated to design systems
to facilitate future wire surveillance.  That distinction is the
difference between countries that restrict wire surveillance to
narrow circumstances defined in law and those that treat all users of
the telephone network as potential criminals.  U.S. law takes the first
approach.  Countries such as the former East Germany took the
second approach.  The use of the phone system by citizens was
considered inherently suspect and for that reason more than 10,000
people were employed by the East German government to listen in
on telephone calls.

     It is precisely because the wiretap statute does not contain the
obligation to incorporate surveillance capability -- the design
premise of the Clipper proposal -- that the Federal Bureau of
Investigation introduced the Digital Telephony legislation.  But that
legislation has not moved forward on Capitol Hill and the law has
remained unchanged.  The Clipper proposal attempts to accomplish
through the standard-setting and procurement process what the
Congress has been unwilling to do through the legislative process.

     On legal grounds, adopting the Clipper would be a mistake.  There
is an important policy goal underlying the wiretap law.  The Fourth
Amendment and the federal wiretap statute do not so much balance
competing interests as they erect barriers against government excess
and define the proper scope of criminal investigation.  The purpose
of the federal wiretap law is to restrict the government, it is not to
coerce the public.

     Therefore, if the government endorses the Clipper proposal, it will
undermine the basic philosophy of the federal wiretap law and the
fundamental values embodied in the Constitution.  It will establish a
technical mechanism for signal interception based on a premise that
has no legal foundation.  I am not speaking rhetorically about "Big
Brother."  My point is simply that the assumption underlying the
Clipper proposal is more compatible with the practice of telephone
surveillance in the former East Germany than it is with the narrowly
limited circumstances that wire surveillance has been allowed in the
United States.

     There are a number of other legal issues that have not been
adequately considered by the proponents of the key escrow
arrangement that the Advisory Board should examine.  First, not all
lawful wiretaps follow a normal warrant process.  It is critical that
the proponents of Clipper make very clear how emergency wiretaps
will be conducted before the proposal goes forward.  Second, there
may be civil liability issues for the escrow agents if there is abuse or
compromise of the keys.  Escrow agents may be liable for any harm
that results.  Third, there is a Fifth Amendment dimension to the
proposed escrow key arrangement if a network user is compelled to
disclose his or her key to the government in order to access a
communications network. Each one of these issues should be
examined.

     There is also one legislative change that we would like the
Advisory Board to consider.  During our FOIA litigation, the NSA cited
a 1951 law to withhold certain documents that were critical to
understand the development of the Digital Signature Standard.  The
law, passed  grants the government the right restrict the disclosure
of any classified information pertaining to cryptography.  While the
government may properly withhold classified information in FOIA
cases, the practical impact of this particular provision is to provide
another means to insulate cryptographic policy from public review.

     Given the importance of public review of cryptography policy, the
requirement of the Computer Security Act, and the Advisory Board's
own commitment to an open, public process, we ask the Advisory
Board to recommend to the President and to the Congress that
section 798 be repealed or substantially revised to reflect current
circumstances.

     This is the one area of national cryptography policy where we
believe a change is necessary.


3. INDIVIDUAL PRIVACY

     Communications privacy remains a critical test for network
development.  Networks that do not provide a high degree of privacy
are clearly less useful to network users.  Given the choice between a
cryptography product without a key escrow and one with a key
escrow, it would be difficult to find a user who would prefer the key
escrow requirement.  If this proposal does go forward, it will not be
because network users or commercial service providers favored it.

     Many governments are now facing questions about restrictions on
cryptography similar to the question now being raised in this
country.  It is clear that governments may choose to favor the
interests of consumers and businesses over law enforcement.  Less
than a month ago, the government of Australia over-rode the
objections of law enforcement and intelligence agencies and allowed
the Australian telephone companies to go forward with new digital
mobile phone networks, GSM, using the A5 robust algorithm.   Other
countries will soon face similar decisions.  We hope that they will
follow a similar path

     To briefly summarize, the problem here is not the existing law on
computer security or policies on cryptography and wire surveillance.
The Computer Security Act stresses public standards, open review,
and commercial applications.  The federal wiretap statute is one of
the best privacy laws in the world.  With the exception of one
provision in the criminal code left over from the Cold War, our
current cryptography policy is very good.  It reflects many of the
values -- individual liberty, openness, government accountability --
that are crucial for democratic societies to function.

     The problem is the Clipper proposal.  It is an end-run around
policies intended to restrict government surveillance and to ensure
agency accountability.  It is an effort to put in place a technical
configuration that is at odds with the federal wiretap law and the
protection of individual privacy.  It is for these reasons that we ask
the Advisory Board to recommend to the Secretary of Commerce, the
White House, and the Congress that the current Clipper proposal not
go forward.

     I thank you for the opportunity to speak with you about these
issues.  I wish to invite the members of the Advisory Committee to
the third annual CPSR Privacy and Cryptography conference that will
be held Monday, June 7 in Washington, DC at the Carnegie
Endowment for International Peace.  That meeting will provide an
opportunity for further discussion about cryptography policy.


ATTACHMENTS

"TWG Issue Number: NIST - May 5, 1989," document obtained
by CPSR as a result of litigation under the Freedom of
Information Act.

"U.S. as Big Brother of Computer Age," The New York Times,
May 6, 1993, at D1.

"Keeping Fewer Secrets," Issues in Science and Technology, vol.
IX, no. 1 (Fall 1992)

"The Only Locksmith in Town," The Index on Censorship
(January 1990)

[The republication of these articles for the non-commercial purpose
of informing the government about public policy is protected by
section 107 of the Copyright Act of 1976]

------------------------------

End of PRIVACY Forum Digest 02.19
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH