============================================================================
VTW BillWatch: A weekly newsletter tracking US Federal legislation affecting civil liberties. BillWatch is published every Friday evening as long as Congress is in session. Congress is: returning to session

Issue #17, Date: Thu Sep 7 22:35:25 EDT 1995

Please widely redistribute this document with this banner intact
Redistribute no more than two weeks after above date
Reproduce this alert only in relevant forums

Distributed by the Voters Telecommunications Watch (•••@••.•••)
____________________________________________________________________________
TABLE OF CONTENTS

Action alerts
This week's legislative and policy rundown
Subscription Information

'-'  denotes quiet issue (no movement this week)
'+'  denotes movement this week on an issue
'++' denotes movement this week with an action for YOU to do

+  Changes in US policy on cryptography
     Rundown of workshop at NIST Sep. 6th, 7th
     Text of submitted comments from VTW
     Status: "Son of Clipper" proceeding despite unpopularity

-  HR1978, S n.a. (Internet Freedom and Family Empowerment Act)
     Status: In conference

-  HR1004, S314 (1995 Communications Decency Act)
     Status: In conference

-  HR n.a., S714 (Child Protection, User Empowerment, and Free Expression in Interactive Media Study Act)
     Status: In conference

-  Last-minute provisions of the Manager's Mark amendment to HR1555
     Status: In conference

-  HR n.a., S892 (Protection of Children from Computer Pornography Act)
     Status: In committee

-  HR n.a., S974 (Anti-Electronic Racketeering Act)
     Status: In committee
____________________________________________________________________________
ACTION ALERTS

Clipper II is here, and you should be mad.

This week VTW traveled to Maryland to the National Institute of Standards and Technology (NIST) to voice our opposition to the new Son of Clipper plan being proposed by the White House. Lucky for us, we were not alone.
An army of industry representatives came to nervously show their opposition as well. VTW was allowed 4-6 minutes to present our problems with the key escrow program. The full text of our comments is attached here, and a copy is being included in the NIST workshop report.
____________________________________________________________________________
CHANGES IN US CRYPTOGRAPHY POLICY

In BillWatch (Issue #14) we described the background surrounding the announcement of the government's new "Key Escrow" proposal. In this issue we give a report on the outcome of the NIST Key Escrow workshop (Sep. 6th and 7th in Gaithersburg MD) where the trial lead balloon of Clipper II was presented to industry and the public.

Clipper II: Don't trip over the dogs and ponies

INTRODUCTION

Last year many people announced that "Clipper is dead". Contrary to that belief, several civil liberties organizations warned that although the use of the Clipper Chip is probably dead, the public had not heard the last from the government in its war on your right to have a private conversation. Indeed, as predicted, the government proposed a new program this summer called Commercial Key Escrow ("Son of Clipper" or "Clipper II").

WHAT IS COMMERCIAL KEY ESCROW?

Remember the Clipper Chip? It was a scheme that allowed you to have a private (encrypted) conversation with any other person, except that the government would have a built-in way of decoding that conversation. Many people found it unacceptable to have government-designed back doors built into telephones and software.

Under Clipper II, the government still requires those back doors to be built into the products. However, the encryption key that scrambles your conversation would be held by a third party, another company called a "commercial escrow agent". When law enforcement wanted to decrypt your files or your communications, they would go to the escrow agent and demand the keys to decrypt your information.
This is even worse than the original Clipper for a number of reasons outlined in the presentations given by civil liberties advocates. Instead of the government telling you that you had to let them listen to your conversations, under commercial key escrow they require that both they and an "escrow company" have access to your encryption keys. Both public advocates and industry representatives viewed this as just as unacceptable as the original Clipper proposal.

NIST HOLDS SOMETHING AKIN TO A PUBLIC FORUM

This week (Sep 6th and 7th) NIST (National Institute of Standards and Technology) conducted a "key escrow workshop" in Gaithersburg, Maryland. Advertised as a place for industry to bring their concerns over key escrow but "open to the public", it was heavily attended by industry representatives. A few advocates of the public interest crashed the party anyway and, to NIST's credit, we were not turned away and were even allowed to present our dissenting views. Representatives from the ACLU (American Civil Liberties Union), CDT (Center for Democracy and Technology), EPIC (Electronic Privacy Information Center) and VTW (Voters Telecommunications Watch) all were in attendance to critique the proposal. A transcript of VTW's testimony is available at the end of this document.

Here's how the workshop worked:

First, NIST, in concert with the law enforcement and intelligence communities, came up with a set of ten criteria for a commercial key escrow system and for certifying escrow agents. No public input was solicited.

Second, while representatives of the White House uttered the mantras of "export decontrol" and "foreign markets", industry representatives were shown a complicated scheme whereby law enforcement would have access to the keys, all while consumers would still be allowed to encrypt their data.
At the workshop, industry representatives were broken up into groups and charged with examining and improving the standards for commercial key escrow proposed by the Administration. As expected, this scheme backfired. As each group reported back to the larger audience, industry representatives fell over each other to ensure that no one considered their attendance at this workshop an endorsement of commercial key escrow.

Two of the groups experienced what could best be described as revolts. In one group several individuals, led by a representative from the ACLU, tried to pass a resolution to remove the restrictions on export of cryptography, something clearly unacceptable to the government. It was defeated on a tie vote of 7-7.

A second industry working group made their report and published the following statement:

    [..] There is a concern that we will be viewed as endorsing the
    [government proposal]. Specifically, we are worried that a report
    from these meetings will reflect a consensus and endorsement of the
    policy proposals put forth by the government when this is not the
    case. The process is driven too much by the concerns of law
    enforcement and national security. It is not industry led and
    market driven. We see little attempt to find the common ground that
    meets market export needs, law enforcement and national security.
    The best next step is to table the criteria and work with industry
    organizations to further define what can and cannot work. Crippled
    cryptography will be a commercial flop for everybody. We are also
    concerned that FIPS will be decided on the 15th and the entire
    exercise will be slam dunk. [..]

WHY THE RUSH?

Industry representatives, while not repeating the mantra "My attendance should not constitute an endorsement of key escrow", were all asking "Why are we in such a hurry?" The answer may lie in a review of key escrow history.
When the original Clipper plan was announced, many suspected it was because a manufacturer was about to release an encrypting telephone device of DES (Data Encryption Standard) strength. Dissuaded from releasing that product, they were convinced to allow the government to try its hand at a Clipper version of that product.

Similar rumors were thick at the workshop this week. The rumor mill suggested that another company is about to release a secure telephone product domestically that does not have a built-in government back door. However, noting the lack of marketplace enthusiasm for Clipper products, the company is not rumored to be waiting for a key escrow proposal to be finished. They will simply be releasing the product for the domestic market only. Keep an eye out for product announcements to see if this rumor is true.

IS CLIPPER II OR COMMERCIAL KEY ESCROW A "SLAM DUNK"?

Many have critiqued the administration's cryptography policy as being too dominated by law enforcement and national security interests. Indeed, the original Clipper proposal put forward by NIST went through a period of public comment. NIST received 185 comments on the proposal, 183 of them opposing it. Over the objections of the public and industry, and with the support of only law enforcement and the intelligence community, NIST went ahead and made the Clipper proposal a standard.

Even before the workshop was over, the question of whether the commercial key escrow proposal would become a FIPS (Federal Information Processing Standard) standard was answered. The "shoe dropped" twice on the first day of the workshop. The first indication came when a high-profile NSA representative admitted during a break that the government was going to go forward with Clipper II as an experiment, hoping it would be acceptable to the marketplace. The second, more public, indication that Clipper II would become a national standard came during a session wrapup given by NIST staffer Ed Roback.
In talking about the possibility of Clipper II becoming a standard, Mr. Roback confessed on the podium, "Well, it's been more or less decided that it's going to happen."

DO PUBLIC ADVOCATES HAVE A SENSE OF HUMOR?

The futility of stopping such an unpopular proposal set a Kafka-esque tone to the proceedings. Attendee Carl Ellison suggested the following alternative to the government's key escrow proposal. The NSA and the FBI could each generate a PGP key which he would sign. Those public keys would each be included in products. When you as a user of such products are encrypting stored data or a communication, you will have the option of choosing whether or not to store an encryption key available for those two agencies. It certainly fits the model of a voluntary system. Users who do not wish to voluntarily use the system simply choose not to enclose a copy of their keys for law enforcement and the intelligence community. Somehow we expect it will not be embraced by the White House.

WHAT CAN YOU DO?

Within a few weeks NIST will issue a request for comments on making Clipper II (Commercial Key Escrow) a FIPS standard (Federal Information Processing Standard). It is most important that when that happens you submit an objection to the standard. Having this record of public opposition to the proposal will serve public advocates well in the debates over such schemes in the future. Take some time to review the testimony below and watch for announcements about the standards process.

WHERE CAN I LEARN MORE?

You can find VTW's testimony on the Clipper II proposal below. Testimony from the Center for Democracy and Technology should be available soon at:

    URL:http://www.cdt.org/
____________________________________________________________________________
COMMENTS SUBMITTED FOR NIST KEY ESCROW WORKSHOP REPORT

INTRODUCTION

Thank you for the opportunity to speak here today. I am Shabbir J. Safdar from the VTW (Voters Telecommunications Watch).
VTW is a public advocacy organization based in New York City. We monitor civil liberties issues in telecommunications for the public and, when civil liberties coincide with good business practices, small business interests. There are a number of problems with the key escrow proposals (both Clipper and Commercial Key Escrow) that have been put before us. Today I will be addressing some of the problems with the current proposal and exploring some myths surrounding the debate.

For further information, you can reach VTW at:

    Listserver: •••@••.•••
    Email:      •••@••.•••
    WWW:        http://www.vtw.org
    Gopher:     gopher -p1/vtw gopher.panix.com

TRUE OR FALSE?

True or False: Industry is clamoring for key escrow

True. Industry is not, however, clamoring to put their keys in the hands of disinterested third parties.

True or False: Export controls are preventing foreign adversaries from obtaining commercial cryptographic technology

This is true if we're speaking of US commercial cryptographic technology, but false if we're speaking about the hundreds of products available overseas. As recently as this year Colombia declared a state of emergency and used that opportunity to conduct a number of raids on suspected Cali Cartel offices. They found that Cartel members were using encryption to hide stored data files containing counter-intelligence information, encryption devices to hide their real time communications,