Date: Tue, 27 Apr 93 16:19:39 EST
Errors-To: Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From: Computer Privacy Digest Moderator <comp-privacy@PICA.ARMY.MIL>
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#037
Computer Privacy Digest Tue, 27 Apr 93 Volume 2 : Issue: 037
Today's Topics: Moderator: Dennis G. Rears
Clipper Chip
Re: Computer Privacy Digest news
Re: Reprint Roszak: _The Cult of Information_, Y or N?
promises never made to limit SS# use (regardless of rumors)
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
Date: Sat, 17 Apr 93 14:04:30 -0700
From: Dean Ridgway <ridgwad@atlantis.csos.orst.edu>
Subject: Clipper Chip
Hello, I recently read this in alt.internet.services and thought it would
be appropriate to cross-post.
From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes)
Newsgroups: alt.internet.services
Subject: Computer Security
Message-ID: <1993Apr17.021904.27040@csus.edu>
Date: 17 Apr 93 02:19:04 GMT
Sender: news@csus.edu
Organization: San Francisco State University
Lines: 311
Just thought some of you netters might be interested in this one.
Please direct follow-ups to sci.crypt
*************
Note: This file will also be available via anonymous file
transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
via the NIST Computer Security BBS at 301-948-5717.
---------------------------------------------------
THE WHITE HOUSE
Office of the Press Secretary
_________________________________________________________________
For Immediate Release April 16, 1993
STATEMENT BY THE PRESS SECRETARY
The President today announced a new initiative that will bring
the Federal Government together with industry in a voluntary
program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law
enforcement.
The initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links.
For too long there has been little or no dialogue between our
private sector and the law enforcement community to resolve the
tension between economic vitality and the real challenges of
protecting Americans. Rather than use technology to accommodate
the sometimes competing interests of economic growth, privacy and
law enforcement, previous policies have pitted government against
industry and the rights of privacy against law enforcement.
Sophisticated encryption technology has been used for years to
protect electronic funds transfer. It is now being used to
protect electronic mail and computer files. While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used
by terrorists, drug dealers, and other criminals.
A state-of-the-art microcircuit called the "Clipper Chip" has
been developed by government engineers. The chip represents a
new approach to encryption technology. It can be used in new,
relatively inexpensive encryption devices that can be attached to
an ordinary telephone. It scrambles telephone communications
using an encryption algorithm that is more powerful than many in
commercial use today.
This new technology will help companies protect proprietary
information, protect the privacy of personal phone conversations
and prevent unauthorized release of data transmitted
electronically. At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals.
A "key-escrow" system will be established to ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans. Each device containing the chip will have two unique
2
"keys," numbers that will be needed by authorized government
agencies to decode messages encoded by the device. When the
device is manufactured, the two keys will be deposited separately
in two "key-escrow" data bases that will be established by the
Attorney General. Access to these keys will be limited to
government officials with legal authorization to conduct a
wiretap.
The "Clipper Chip" technology provides law enforcement with no
new authorities to access the content of the private
conversations of Americans.
To demonstrate the effectiveness of this new technology, the
Attorney General will soon purchase several thousand of the new
devices. In addition, respected experts from outside the
government will be offered access to the confidential details of
the algorithm to assess its capabilities and publicly report
their findings.
The chip is an important step in addressing the problem of
encryption's dual-edge sword: encryption helps to protect the
privacy of individuals and industry, but it also can shield
criminals and terrorists. We need the "Clipper Chip" and other
approaches that can both provide law-abiding citizens with access
to the encryption they need and prevent criminals from using it
to hide their illegal activities. In order to assess technology
trends and explore new approaches (like the key-escrow system),
the President has directed government agencies to develop a
comprehensive policy on encryption that accommodates:
-- the privacy of our citizens, including the need to
employ voice or data encryption for business purposes;
-- the ability of authorized officials to access telephone
calls and data, under proper court or other legal
order, when necessary to protect our citizens;
-- the effective and timely use of the most modern
technology to build the National Information
Infrastructure needed to promote economic growth and
the competitiveness of American industry in the global
marketplace; and
-- the need of U.S. companies to manufacture and export
high technology products.
The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.
3
The Administration is committed to working with the private
sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to
information. This infrastructure of high-speed networks
("information superhighways") will transmit video, images, HDTV
programming, and huge data files as easily as today's telephone
system transmits voice.
Since encryption technology will play an increasingly important
role in that infrastructure, the Federal Government must act
quickly to develop consistent, comprehensive policies regarding
its use. The Administration is committed to policies that
protect all Americans' right to privacy while also protecting
them from those who break the law.
Further information is provided in an accompanying fact sheet.
The provisions of the President's directive to acquire the new
encryption technology are also available.
For additional details, call Mat Heyman, National Institute of
Standards and Technology, (301) 975-2758.
---------------------------------
QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
TELECOMMUNICATIONS INITIATIVE
Q: Does this approach expand the authority of government
agencies to listen in on phone conversations?
A: No. "Clipper Chip" technology provides law enforcement with
no new authorities to access the content of the private
conversations of Americans.
Q: Suppose a law enforcement agency is conducting a wiretap on
a drug smuggling ring and intercepts a conversation
encrypted using the device. What would they have to do to
decipher the message?
A: They would have to obtain legal authorization, normally a
court order, to do the wiretap in the first place. They
would then present documentation of this authorization to
the two entities responsible for safeguarding the keys and
obtain the keys for the device being used by the drug
smugglers. The key is split into two parts, which are
stored separately in order to ensure the security of the key
escrow system.
Q: Who will run the key-escrow data banks?
A: The two key-escrow data banks will be run by two independent
entities. At this point, the Department of Justice and the
Administration have yet to determine which agencies will
oversee the key-escrow data banks.
Q: How strong is the security in the device? How can I be sure
how strong the security is?
A: This system is more secure than many other voice encryption
systems readily available today. While the algorithm will
remain classified to protect the security of the key escrow
system, we are willing to invite an independent panel of
cryptography experts to evaluate the algorithm to assure all
potential users that there are no unrecognized
vulnerabilities.
Q: Whose decision was it to propose this product?
A: The National Security Council, the Justice Department, the
Commerce Department, and other key agencies were involved in
this decision. This approach has been endorsed by the
President, the Vice President, and appropriate Cabinet
officials.
Q: Who was consulted? The Congress? Industry?
A: We have on-going discussions with Congress and industry on
encryption issues, and expect those discussions to intensify
as we carry out our review of encryption policy. We have
briefed members of Congress and industry leaders on the
decisions related to this initiative.
Q: Will the government provide the hardware to manufacturers?
A: The government designed and developed the key access
encryption microcircuits, but it is not providing the
microcircuits to product manufacturers. Product
manufacturers can acquire the microcircuits from the chip
manufacturer that produces them.
Q: Who provides the "Clipper Chip"?
A: Mykotronx programs it at their facility in Torrance,
California, and will sell the chip to encryption device
manufacturers. The programming function could be licensed
to other vendors in the future.
Q: How do I buy one of these encryption devices?
A: We expect several manufacturers to consider incorporating
the "Clipper Chip" into their devices.
Q: If the Administration were unable to find a technological
solution like the one proposed, would the Administration be
willing to use legal remedies to restrict access to more
powerful encryption devices?
A: This is a fundamental policy question which will be
considered during the broad policy review. The key escrow
mechanism will provide Americans with an encryption product
that is more secure, more convenient, and less expensive
than others readily available today, but it is just one
piece of what must be the comprehensive approach to
encryption technology, which the Administration is
developing.
The Administration is not saying, "since encryption
threatens the public safety and effective law enforcement,
we will prohibit it outright" (as some countries have
effectively done); nor is the U.S. saying that "every
American, as a matter of right, is entitled to an
unbreakable commercial encryption product." There is a
false "tension" created in the assessment that this issue is
an "either-or" proposition. Rather, both concerns can be,
and in fact are, harmoniously balanced through a reasoned,
balanced approach such as is proposed with the "Clipper
Chip" and similar encryption techniques.
Q: What does this decision indicate about how the Clinton
Administration's policy toward encryption will differ from
that of the Bush Administration?
A: It indicates that we understand the importance of encryption
technology in telecommunications and computing and are
committed to working with industry and public-interest
groups to find innovative ways to protect Americans'
privacy, help businesses to compete, and ensure that law
enforcement agencies have the tools they need to fight crime
and terrorism.
Q: Will the devices be exportable? Will other devices that use
the government hardware?
A: Voice encryption devices are subject to export control
requirements. Case-by-case review for each export is
required to ensure appropriate use of these devices. The
same is true for other encryption devices. One of the
attractions of this technology is the protection it can give
to U.S. companies operating at home and abroad. With this
in mind, we expect export licenses will be granted on a
case-by-case basis for U.S. companies seeking to use these
devices to secure their own communications abroad. We plan
to review the possibility of permitting wider exportability
of these products.
*********************
Amendment IV
Seizures, Searches and Warrants
[Section 1.] The right of the people to be secure in their persons,
houses, papers and effects, against unreasonable searches and seizures,
shall not be violated, and no warrants shall issue, but upon probable
cause, supported by oath or affirmation, and particularly describing the
place to be searched, and the persons or things to be seized.
Proposed September 25, 1789; ratified December 15, 1791
--
Shaun P. Hughes sphughes@sfsuvax1.sfsu.edu
finger for PGP 2.2 Public Key
------------------------------
Date: Sat, 24 Apr 93 22:20:36 GMT
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Computer Privacy Digest news
I challenge the readership to post meaningful articles. I am
surprised that up until this digest no one has brought up the
clipper chip. It is subjects like that for which this forum
was set up.
That's probably because the debate is better served by one of the
non-moderated groups that is discussing it; too much is happening to
afford the luxury of long turnaround times in discussion.
For anyone interested, the majority of the debate is going on in the
new group alt.privacy.clipper; you can also find it in comp.org.eff.talk,
sci.crypt, alt.privacy, alt.security, alt.security.pgp, comp.dcom.telecom,
and stray offshoots in a dozen other groups.
alt.privacy.clipper is the place to go however.
G
------------------------------
From: Renee Alexander <deputy@carson.u.washington.edu>
Subject: Re: Reprint Roszak: _The Cult of Information_, Y or N?
Date: 25 Apr 1993 01:10:43 GMT
Organization: University of Washington, Seattle
Looks like a good tome. I'd give it a definite yes. Just out of
curosity though, I wonder if this book is presently available anywhere
on the net as an electronic pub. Anybody know?
------------------------------
Date: Sun, 25 Apr 1993 14:39:09 -0700
From: Jim Warren <jwarren@well.sf.ca.us>
Subject: promises never made to limit SS# use (regardless of rumors)
FYI, I raised this question, and received the following reply from Rand's
Willis Ware, who chaired the congressionally-established U.S. Privacy Commission
for many years -- a nationally recognized expert in privacy issues for several
decades. [posted with Willis' permission, please note :-) ]
--jim
========
From jake.rand.org!willis@netcomsv.netcom.com Fri Apr 23 14:01:29 1993
To: Jim Warren <jwarren@well.sf.ca.us>
Subject: Re: promises to limit SSN use?
From: "Willis H. Ware" <willis@jake.rand.org>
>>I have often heard the *rumor* that there were assurances/promises that the
>>SSN would not be used as a universal citizen id number, back when SS was
>>first being debated/created.
NO -- no assurances, no promises.
I can help clarify but not provide precise citations. The SSA is in no
position to lay down the law on how the SSN is used; it has no suc
authority. When the SSAN [A for account] it was clearly stated that
the number was for one's "bank account" with SSA. At that time and
for a long time, the SSN cards would say "not intended to be an
identifation number" -- or words to that effect. I believe that the
phrase no longer appears on the cards.
Franklin Delano issued an executive order directing that any new system
of numbers that Federal agencies wished to create was to use the SSN.
So he's the one that started it all. Hence, we have the DoD with SSNs
as military ID, IRS with SSN=TIN, Medicare with its number = SSN+letter.
Then Congress in the privacy act of '74 put a stop to use of the SSN as
an ID but turned around in the tax act of '76 to allow use of the SSN
as an ID if authorized by Congress! Subsequently Congress authorized
its use by the states for a lot of things; e.g., driver licenses,
tracking delinquent parents. I'm not sure how the laws read; they may
not use the word "identification" but rather talk about "system of
numbers" or "system of enumeration."
In the private sector, there is nothing that governs how the SSN can be
used. There are a few things, like the FICA accounting and the TIN
accounting, that must use the SSN for individuals; but otherwise, the
private sector is free to do as it pleases and it has.
Your assistant might take a look at the original SSA Act [1933?] and
see what it says about the number. It may be in there that something
is said about it being an account number; but obviously there is no
prohibition against other things or we wouldn't have it happening.
That's a once over lightly.
=====
From jake.rand.org!willis@netcomsv.netcom.com Fri Apr 23 18:14:38 1993
To: jwarren@autodesk.com (Jim Warren)
Cc: willis@rand.org
Subject: Re: promises to limit SSN use?
From: "Willis H. Ware" <willis@jake.rand.org>
>>> ........ (Don't know why the feds couldn't
>>>mandate no extracurricular use of the SSAN along with their fed-mandated
>>>speed limits -- via some ransom or other :-).
Oh, I know that answer. We, the country, were not very smart in 1933
in regard to databases and all their implications. We didn't smarten
up in fact until well into the late 50s or early 60s and by then, the
SSN horse was well on his way out of the pasture. By the time the
Privacy Commission and the DHEW Committee before it tried to put on the
brakes, it was no longer feasible; the brakes had long ago vanished in
smoky oblivion.
You may surely share what I sent you; it's all public knowledge. Glad
that I could be of help.
------------------------------
End of Computer Privacy Digest V2 #037
******************************