VTW BillWatch #17: Clipper II is here and still unpopular [cr-95/9/9]

1995-09-08

============================================================================
      VTW BillWatch: A weekly newsletter tracking US Federal legislation
        affecting civil liberties.  BillWatch is published every
           Friday evening as long as Congress is in session.

                Congress is: returning to session

               Issue #17, Date: Thu Sep  7 22:35:25 EDT 1995

      Please widely redistribute this document with this banner intact
          Redistribute no more than two weeks after above date
             Reproduce this alert only in relevant forums

      Distributed by the Voters Telecommunications Watch (•••@••.•••)

____________________________________________________________________________
TABLE OF CONTENTS

        Action alerts
        This week's legislative and policy rundown
        Subscription Information

        '-'  denotes quiet issue (no movement this week)
        '+'  denotes movement this week on an issue
        '++' denotes movement this week with an action for YOU to do

        + Changes in US policy on cryptography
                Rundown of workshop at NIST Sep. 6th, 7th
                Text of submitted comments from VTW
                Status: "Son of Clipper" proceeding despite unpopularity
        - HR1978, S n.a. (Internet Freedom and Family Empowerment Act)
                Status: In conference
        - HR1004, S314  (1995 Communications Decency Act)
                Status: In conference
        - HR n.a., S714  (Child Protection, User Empowerment, and Free
                                Expression in Interactive Media Study Act)
                Status: In conference
        - Last-minute provisions of the Manager's Mark amendment to HR1555
                Status: In conference
        - HR n.a., S892 (Protection of Children from Computer Pornography Act)
                Status: In committee
        - HR n.a., S974 (Anti-Electronic Racketeering Act)
                Status: In committee

____________________________________________________________________________
ACTION ALERTS

Clipper II is here, and you should be mad.

This week VTW traveled to Maryland to the National Institute of
Standards and Technology (NIST) to voice our opposition to the new Son
of Clipper plan being proposed by the White House.  Lucky for us, we
were not alone.  An army of industry representatives came to nervously
show their opposition as well.  VTW was allowed 4-6 minutes to present
our problems with the key escrow program.  The full text of our comments
is attached here, and a copy is being included into the NIST workshop
report.

____________________________________________________________________________
CHANGES IN US CRYPTOGRAPHY POLICY

In BillWatch (Issue #14) we described the background surrounding the
announcement of the government's new "Key Escrow" proposal.  In this
issue we give a report on the outcome of the NIST Key Escrow workshop
(Sep. 6th and 7th in Gaithersberg MD) where the trial lead balloon of
Clipper II was presented to industry and the public.

        Clipper II: Don't trip over the dogs and ponies

INTRODUCTION
Last year many people announced that "Clipper is dead".  Contrary to
that belief, several civil liberties organizations warned that
although the use of the Clipper Chip is probably dead, the public had
not heard the last from the government on their war on your right to
have a private conversation.  Indeed, as predicted, the government
proposed a new program this summer called Commercial Key Escrow ("Son
of Clipper" or "Clipper II").

WHAT IS COMMERCIAL KEY ESCROW?
Remember the Clipper Chip?  It was a scheme that allowed you to have a
private conversation (encrypted) with any other person, except that the
government would have a built-in way of decoding that conversation.  Many
people found it unacceptable to have government-designed built-in back
doors to telephones and software.

Under Clipper II, the government still requires those back doors be built
into the products.  However the encryption key that scrambles your
conversation would be held by a third party, another company called a
"commercial escrow agent".  When law enforcement wanted to decrypt
your files or your communications they would go to the escrow agent and
demand the keys to decrypt your information.

This is even worse than the original Clipper for a number of reasons
outlined in the presentations given by civil liberties advocates.
Instead of the government telling you that you had to let them listen
to your conversations, under commercial key escrow they require that
both they and an "escrow company" have access to your encryption keys.

Both public advocates and industry representatives viewed this as just as
unacceptable as the original Clipper proposal.

NIST HOLDS SOMETHING AKIN TO A PUBLIC FORUM
This week (Sep 6th and 7th) NIST (National Institute of Standards and
Technology) conducted a key escrow workshop" in Gaithersburg Maryland.
Advertised as a place for industry to bring their concerns over key
escrow but "open to the public", it was heavily attended by industry
representatives.  A few advocates of the public interest crashed the
party anyway and to NIST's credit, we were not turned away and even
allowed to present our dissenting views.  Representatives from the ACLU
(American Civil Liberties Union), CDT (Center for Democracy and
Technology), EPIC (Electronic Privacy Information Center) and VTW
(Voters Telecommunications Watch) all were in attendance to critique
the proposal.  A transcript of VTWs testimony is available at the end
of this document.

Here's how the workshop worked:
First, NIST, in concert with the law enforcement and intelligence
communities, came up with a set of ten criteria for a commercial key
escrow system and for certifying escrow agents.  No public input was
solicited.

Second, while representatives of the White House uttered the mantras of
"export decontrol" and "foreign markets", industry representatives were
shown a complicated scheme whereby law enforcement would have access
to the keys, all while consumers would still be allowed to encrypt their
data.

At the workshop, industry representatives were broken up into groups and
charged with examining and improving the standards for commercial key
escrow proposed by the Administration.

As expected, this scheme backfired.  As each group reported back to the
larger audience, industry representatives fell over each other to ensure
that no one considered their attendance at this workshop an endorsement
of commercial key escrow.  Two of the groups experienced what could best
be described as revolts.  In one group several individuals, led by an
representative from the ACLU, tried to pass a resolution to remove the
restrictions on export of cryptography, something clearly unacceptable to
the government.  It was defeated on a tie vote of 7-7.

A second industry working group made their report and published the
following statement,

        [..] There is a concern that we will be viewed as endorsing the
        [government proposal].  Specifically, we are worried that a
        report from these meetings will reflect a consensus and
        endorsement of the policy proposals put forth by the government
        when this is not the case.  The process is driven too much by
        the concerns of law enforcement and national security.  It is
        not industry led and market driven.  We see little attempt to
        find the common ground that meets market export needs, law
        enforcement and national security.

        The best next step is to table the criteria and work with
        industry organizations to further define what can and cannot
        work.  Crippled cryptography will be a commercial flop for
        everybody.

        We are also concerned that FIPS will be decided on the 15th and
        the entire exercise will be slam dunk.  [..]


WHY THE RUSH?
Industry representatives, while not repeating the mantra "My attendance
should not constitute an endorsement of key escrow", were all asking "Why
are we in such a hurry?"  The answer may lie in a review of key escrow
history.

When the original Clipper plan was announced many suspected it was
because a manufacturer was about to release an encrypting telephone
device of DES (Data Encryption Standard) strength.  Dissuaded from
releasing that product, they were convinced to allow the government to
try their hand at a Clipper version of that product.

Similar rumors were thick at the workshop this week.  The rumor mill
suggested that another company is about to release a secure telephone
product domestically that does not have a built-in government back door.

However noting the lack of marketplace enthusiasm for Clipper products,
the company is not rumored to be waiting for a key escrow proposal to be
finished.  They will simply be releasing the product for the domestic
market only.  Keep an eye out for product announcements to see if this
rumor is true.

IS CLIPPER II OR COMMERCIAL KEY ESCROW A "SLAM DUNK"?
Many have critiqued the administrations cryptography policy as being
too dominated by law enforcement and national security interests.
Indeed the original Clipper proposal proposed by NIST went through a
period of public comment.  NIST received 185 comments on the proposal,
183 of them opposing it.  Over the objections of the public and
industry and with the support of only law enforcement and the
intelligence community, NIST went ahead and made the Clipper proposal a
standard.

Even before the workshop was over, the question of whether the
commercial key escrow proposal would become a FIPS (Federal Information
Processing Standard) standard was answered.  The "shoe dropped" twice
on the first day of the workshop.  The first indication came when a
high-profile NSA representative admitted during a break that the
government was going to go forward with Clipper II as an experiment,
hoping it would be acceptable by the marketplace.

The second, more public, indication that Clipper II would become a
national standard came during a session wrapup given by NIST staffer Ed
Roback.  In talking about the possibility of Clipper II becoming a
standard, Mr. Roback confessed on the podium, "Well, it's been more or
less decided that it's going to happen."

DO PUBLIC ADVOCATES HAVE A SENSE OF HUMOR?
The futility of stopping such an unpopular proposal set a Kafka-esque
tone to the proceedings.  Attendee Carl Ellison suggested the following
alternative to the government's key escrow proposal.  The NSA and the
FBI could each generate a PGP key which he would sign.  Those public
keys would each be include in products.  When you as a user of such
products are encrypting stored data or a communication, you will have
the option of choosing whether or not to store an encryption key
available for those two agencies.

It certainly fits the model of a voluntary system.  Users who do not
wish to voluntarily use the system simply choose not to enclose a copy
of their keys for law enforcement and the intelligence community.
Somehow we expect it will not be embraced by the White House.

WHAT CAN YOU DO?
Within a few weeks NIST will issue a request for comments on making
Clipper II (Commercial Key Escrow) a FIPS standard (Federal Information
Processing Standard).  It is most important that when that happens you
submit an objection to the standard.  Having this record of public
opposition to the proposal will serve public advocates well in the debates
over such schemes in the future.  Take some time to review the testimony
below and watch for announcements about the standards process.

WHERE CAN I LEARN MORE?
You can find VTW's testimony on the Clipper II proposal below.  Testimony
from the Center for Democracy and Technology should be available soon at:

        URL:http://www.cdt.org/

____________________________________________________________________________
COMMENTS SUBMITTED FOR NIST KEY ESCROW WORKSHOP REPORT


INTRODUCTIOn
Thank you for the opportunity to speak here today.  I am Shabbir J.
Safdar from the VTW (Voters Telecommunications Watch).  VTW is a public
advocacy organization based in New York City.  We monitor civil
liberties issues in telecommunications for the public and when civil
liberties coincides with good business practices, small business
interests.

There are a number of problems with the key escrow proposals (both
Clipper and Commercial Key Escrow) that have been put before us.  Today I
will be addressing some of the problems with the current proposal and
exploring some myths surrounding the debate.

For further information, you can reach VTW at:
        Listserver:     •••@••.•••
        Email:  •••@••.•••
        WWW:    http://www.vtw.org
        Gopher: gopher -p1/vtw gopher.panix.com


TRUE OR FALSE?

True or False: Industry is clamoring for key escrow

True.  Industry is not, however, clamoring to put their keys in the hands of
disinterested third parties.

True or False: Export controls are preventing foreign adversaries from
obtaining commercial cryptographic technology

This is true if we're speaking of US commercial cryptographic technology,
but false if weÕre speaking about the hundreds of products available
overseas.  As recently as this year Colombia declared a state of
emergency and used that opportunity to conduct a number of raids on
suspected Cali Cartel offices.  They found that Cartel members were using
encryption to hide stored data files containing counter-intelligence
information, encryption devices to hide their real time communications,