Date: Sat, 02 Jul 94 08:43:53 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#001
Computer Privacy Digest Sat, 02 Jul 94 Volume 5 : Issue: 001
Today's Topics: Moderator: Leonard P. Levine
Information About CPD
ACM Releases Crypto Study
USACM Calls for Clipper Withdrawal
Re: IRS Speech, Again
Question About CallerID
Comments on Baker article (long)
The Computer Privacy Digest is a forum for discussion on the effect
of technology on privacy. The digest is moderated and gatewayed into
the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests
to comp-privacy-request@uwm.edu. Back issues are available via
anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp"
with password "yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 02 Jul 1994 08:04:32 -0500 (CDT)
Subject: Information About CPD
Organization: University of Wisconsin-Milwaukee
This is issue number 1 of volume 5 of the Computer Privacy Digest.
Volume 1 covers the period 27 Apr 92 through 30 Dec 92, volume 2 from
04 Jan 93 through 06 Jul 93, volume 3 from 06 Jul 93 through 29 Nov 93,
and volume 4 from 02 Dec 93 through 30 Jun 94. Dennis G. Rears was the
moderator for volumes 1-3 and Leonard P. Levine was the moderator for
volume 4 and continues on to moderate volume 5.
The Computer Privacy Digest (CPD) is a forum for discussion of the
effect of technology on privacy. The digest is moderated and gatewayed
into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
CPD maintains an archive site for material of general interest that is
too long to post. We also maintain all back issues of CPD for those
who wish to peruse issues that have passed. These issues are ordered
by issue number and are stored in appropriate volume directories. The
recently completed volume 4 has fairly complete indeces available
within its directory.
Gopher access into this structure is the easiest route. Use the
command 'gopher gopher.cs.uwm.edu'. It will permit access to the
Computer Privacy Digest files. Standard gopher commands work.
Similarly, Mosaic access is through 'gopher://gopher.cs.uwm.edu'.
Ftp Access into ftp.cs.uwm.edu [129.89.9.18] with userid 'ftp' and
password 'yourid@yoursite' will also open up the directory. The
archives are in the directory "pub/comp-privacy". Archives are also
held at the address of the former moderator, Dennis Rears,
ftp.pica.army.mil [129.139.160.133].
Using ftp, within the directory pub/comp-privacy a 'dir' command will
show the directories for volume1, volume2, volume3, volume4, volume5
and the library. Each of these directories has appropriate
information. Please come and access what you wish.
If you have no access to these methods, and wish to examine some old
data, we will try to act as your libararian and email you whatever
information you request. Send requests to the Information address
below.
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
From: "US ACM, DC Office" <usacm_dc@acm.org>
Date: 30 Jun 1994 16:34:47 +0000
Subject: ACM Releases Crypto Study
Association for Computing Machinery
PRESS RELEASE
__________________________________________________
Thursday, June 30, 1994
Contact:
Joseph DeBlasi, ACM Executive Director (212) 869-7440
Dr. Stephen Kent, Panel Chair (617) 873-3988
Dr. Susan Landau, Panel Staff (413) 545-0263
COMPUTING SOCIETY RELEASES REPORT ON ENCRYPTION POLICY
"CLIPPER CHIP" CONTROVERSY EXPLORED BY EXPERT PANEL
WASHINGTON, DC - A panel of experts convened by the nation's
foremost computing society today released a comprehensive report on
U.S. cryptography policy. The report, "Codes, Keys and Conflicts:
Issues in U.S Crypto Policy," is the culmination of a ten-month review
conducted by the panel of representatives of the computer industry and
academia, government officials, and attorneys. The 50-page document
explores the complex technical and social issues underlying the current
debate over the Clipper Chip and the export control of information
security technology.
"With the development of the information superhighway,
cryptography has become a hotly debated policy issue," according to
Joseph DeBlasi, Executive Director of the Association for Computing
Machinery (ACM), which convened the expert panel. "The ACM believes
that this report is a significant contribution to the ongoing debate on
the Clipper Chip and encryption policy. It cuts through the rhetoric
and lays out the facts."
Dr. Stephen Kent, Chief Scientist for Security Technology with the
firm of Bolt Beranek and Newman, said that he was pleased with the
final report. "It provides a very balanced discussion of many of the
issues that surround the debate on crypto policy, and we hope that it
will serve as a foundation for further public debate on this topic."
The ACM report addresses the competing interests of the various
stakeholders in the encryption debate -- law enforcement
agencies, the intelligence community, industry and users of
communications services. It reviews the recent history of U.S.
cryptography policy and identifies key questions that policymakers must
resolve as they grapple with this controversial issue.
The ACM cryptography panel was chaired by Dr. Stephen Kent. Dr.
Susan Landau, Research Associate Professor in Computer Science at the
University of Massachusetts, co-ordinated the work of the panel and did
most of the writing. Other panel members were Dr. Clinton Brooks,
Advisor to the Director, National Security Agency; Scott Charney, Chief
of the Computer Crime Unit, Criminal Division, U.S. Department of
Justice; Dr. Dorothy Denning, Computer Science Chair, Georgetown
University; Dr. Whitfield Diffie, Distinguished Engineer, Sun
Microsystems; Dr. Anthony Lauck, Corporate Consulting Engineer, Digital
Equipment Corporation; Douglas Miller, Government Affairs Manager,
Software Publishers Association; Dr. Peter Neumann, Principal
Scientist, SRI International; and David Sobel, Legal Counsel,
Electronic Privacy Information Center. Funding for the cryptography
study was provided in part by the National Science Foundation.
The ACM, founded in 1947, is a 85,000 member non-profit
educational and scientific society dedicated to the development and use
of information technology, and to addressing the impact of that
technology on the world's major social challenges. For general
information, contact ACM, 1515 Broadway, New York, NY 10036. (212)
869-7440 (tel), (212) 869-0481 (fax).
Information on accessing the report electronically will be posted
soon in this newsgroup.
------------------------------
From: "US ACM, DC Office" <usacm_dc@acm.org>
Date: 30 Jun 1994 16:35:37 +0000
Subject: USACM Calls for Clipper Withdrawal
U S A C M
Association for Computing Machinery, U.S. Public Policy Committee
* PRESS RELEASE *
Thursday, June 30, 1994
Contact:
Barbara Simons (408) 463-5661, simons@acm.org (e-mail)
Jim Horning (415) 853-2216, horning@src.dec.com (e-mail)
Rob Kling (714) 856-5955, kling@ics.uci.edu (e-mail)
COMPUTER POLICY COMMITTEE CALLS FOR WITHDRAWAL OF CLIPPER
COMMUNICATIONS PRIVACY "TOO IMPORTANT" FOR
SECRET DECISION-MAKING
WASHINGTON, DC - The public policy arm of the oldest and largest
international computing society today urged the White House to withdraw
the controversial "Clipper Chip" encryption proposal. Noting that the
"security and privacy of electronic communications are vital to the
development of national and international information infrastructures,"
the Association for Computing Machinery's U.S. Public Policy Committee
(USACM) added its voice to the growing debate over encryption and
privacy policy.
In a position statement released at a press conference on Capitol
Hill, the USACM said that "communications security is too important to
be left to secret processes and classified algorithms." The Clipper
technology was developed by the National Security Agency, which
classified the cryptographic algorithm that underlies the encryption
device. The USACM believes that Clipper "will put U.S. manufacturers
at a disadvantage in the global market and will adversely affect
technological development within the United States." The technology
has been championed by the Federal Bureau of Investigation and the NSA,
which claim that "non-escrowed" encryption technology threatens law
enforcement and national security.
"As a body concerned with the development of government technology
policy, USACM is troubled by the process that gave rise to the Clipper
initiative," said Dr. Barbara Simons, a computer scientist with IBM who
chairs the USACM. "It is vitally important that privacy protections
for our communications networks be developed openly and with full
public participation."
The USACM position statement was issued after completion of a
comprehensive study of cryptography policy sponsored by the ACM (see
companion release). The study, "Codes, Keys and Conflicts: Issues in
U.S Crypto Policy," was prepared by a panel of experts representing
various constituencies involved in the debate over encryption.
The ACM, founded in 1947, is a 85,000 member non-profit
educational and scientific society dedicated to the development and use
of information technology, and to addressing the impact of that
technology on the world's major social challenges. USACM was created
by ACM to provide a means for presenting and discussing technological
issues to and with U.S. policymakers and the general public. For
further information on USACM, please call (202) 298- 0842.
=============================================================
USACM Position on the Escrowed Encryption Standard
The ACM study "Codes, Keys and Conflicts: Issues in U.S Crypto Policy"
sets forth the complex technical and social issues underlying the
current debate over widespread use of encryption. The importance of
encryption, and the need for appropriate policies, will increase as
networked communication grows. Security and privacy of electronic
communications are vital to the development of national and
international information infrastructures.
The Clipper Chip, or "Escrowed Encryption Standard" (EES) Initiative,
raises fundamental policy issues that must be fully addressed and
publicly debated. After reviewing the ACM study, which provides a
balanced discussion of the issues, the U.S. Public Policy Committee of
ACM (USACM) makes the following recommendations.
1. The USACM supports the development of public policies and
technical standards for communications security in open forums in which
all stakeholders -- government, industry, and the public --
participate. Because we are moving rapidly to open networks, a
prerequisite for the success of those networks must be standards for
which there is widespread consensus, including international
acceptance. The USACM believes that communications security is too
important to be left to secret processes and classified algorithms. We
support the principles underlying the Computer Security Act of 1987, in
which Congress expressed its preference for the development of open and
unclassified security standards.
2. The USACM recommends that any encryption standard adopted by the
U.S. government not place U.S. manufacturers at a disadvantage in the
global market or adversely affect technological development within the
United States. Few other nations are likely to adopt a standard that
includes a classified algorithm and keys escrowed with the U.S.
government.
3. The USACM supports changes in the process of developing Federal
Information Processing Standards (FIPS) employed by the National
Institute of Standards and Technology. This process is currently
predicated on the use of such standards solely to support Federal
procurement. Increasingly, the standards set through the FIPS process
directly affect non-federal organizations and the public at large. In
the case of the EES, the vast majority of comments solicited by NIST
opposed the standard, but were openly ignored. The USACM recommends
that the standards process be placed under the Administrative
Procedures Act so that citizens may have the same opportunity to
challenge government actions in the area of information processing
standards as they do in other important aspects of Federal agency
policy making.
4. The USACM urges the Administration at this point to withdraw the
Clipper Chip proposal and to begin an open and public review of
encryption policy. The escrowed encryption initiative raises vital
issues of privacy, law enforcement, competitiveness and scientific
innovation that must be openly discussed.
5. The USACM reaffirms its support for privacy protection and urges
the administration to encourage the development of technologies and
institutional practices that will provide real privacy for future users
of the National Information Infrastructure.
------------------------------
From: glr@ripco.com (Glen Roberts)
Date: 01 Jul 1994 13:58:08 GMT
Subject: Re: IRS Speech, Again
Organization: RCI, Chicago, IL
John R Levine (johnl@iecc.com) wrote: Someone asked a week or two
ago someone asked about the speech I excerpted by Coleta Brueck,
Project Manager, Document Processing System, of the IRS where she
said "We know everything about you that we need to know."
There is a lot of fear mongering about the IRS collection of
information. However, they get so much information, that much of it
ends up near useless. For example, I just got a GAO report about the
fact that they get TOO MANY CTR's (currency transaction reports). Cash
transactions over $10,000 have to be reported on a CTR. Well, they get
so many, it interferes with the intended purpose of the CTR's.
--------------------------------------
Glen L. Roberts, Publisher, Directory of Elect Surv Equip Suppliers
Host Full Disclosure Live (WWCR 5,810 khz - Sundays 7pm central)
Box 734, Antioch, Illinois 60002 Fax: (708) 838-0316
Voice/FAX on demand: (708) 356-9646
--------------------------------------
------------------------------
From: "J. Shickel" <STU_JFSHICKE@VAX1.ACS.JMU.EDU>
Date: 30 Jun 1994 10:39:33 -0500 (EST)
Subject: Question About CallerID
Does 'Caller ID' return the telephone number of callers with unlisted
numbers?
__
______________________________________________________________________
Jon Shickel |
stu_jfshicke@vax(1).acs.jmu.edu (internet) | "Better Living through
@jmuvax (bitnet) | Chemistry"
__________________________________________________________________________
------------------------------
From: nzook@fireant.ma.utexas.edu (Nathan Zook)
Date: 30 Jun 1994 14:34:23 GMT
Subject: Comments on Baker article (long)
Organization: University Of Texas Mathematics
Comment by Nathan Zook, PhD candidate in Mathematics. Distribute
widely. Wired Magazine issue reproduced without explicit permission.
First, let my quote from the Texas Republican Party's 1994 platform, a
section that was added at my request at the convention.
"Electronic Privacy-The Party believes that no government trapdoor
encryption standards should be advanced for use in any civilian
communication systems (e.g. Clipper Chip, Digital Telephony Act) and
that the U.S. patent office should limit the RSA patent to allow
individuals to secure their own communications systems. We believe
that encryption systems publicly available outside the U.S. should not
be classified as munitions."
There is an effort underway to develop an EFF platform. I will suggest
the following as the basic principle in this matter:
"We believe that the mere existence of technologically feasible methods
to monitor the day-to-day activities of citizens does not imply that
legal entities should be allowed to use such technologies to gather
such information. We place an absolute premium on the right of
individuals to communicate, to maintain records, and to transact
business privately, should they desire to."
I would like to point out at this juncture that resistance to the
Clipper standard did not appear whole cloth overnight. There has been
a deep and growing suspicion among those of us keeping track of such
things that this government is making preparations to begin tracking
the lives of thousands or millions of individuals of whom they
disapprove. This administration, and this president, in particular,
have spoken of "Getting around that." That being the pesky forth
amendment. Since the forth amendment is the only thing standing
between you and the government when it comes to the Clipper chip, it is
amazing that the response has been a limited as it has.
Speaking of this administration, you will note that mister Baker refers
to a child molester in his comments. This administration, you will
recall, burned a building to the ground containing many children--to
keep them from being molested. This administration is pushing for a
relaxation of child porn laws, and a lowering of the age of consent.
So when this administration talks about protecting children, grab your
gun, grab your wife and kids, and head for cover.
I have made no effort to be fair in my comments. I consider this man,
by his manner and position, to be a real and present danger to the
security of the individuals in this nation, and, as such, have utilized
my full power in responding to point out the "flaws" in his
statements. I have not edited, except by insertion, anything in the
original article. I have indented text lines from the article.
WIRED 2.06
Don't Worry Be Happy
********************
A WIRED Exclusive
By Stewart A. Baker, Chief Counsel for the NSA
With all the enthusiasm of Baptist ministers turning their Sunday
pulpits over to the Devil, the editors of WIRED have offered me the
opportunity to respond to some of the urban folklore that has grown
up around key escrow encryption -- also known as the Clipper Chip.
Oops, I missed it. THIS is the first attempt to marginalize us.
Folklore- unsubstantiated beliefs held by unsophisticated people. Note
that he refers to all of his straw men as myths, as well.
Recently the Clinton administration has announced that federal
agencies will be able to buy a new kind of encryption hardware that
is sixteen million times stronger than the existing federal
standard known as DES. But
Is THAT all? 16,000,000? Does this guy know how many times over
decryption power has advanced since DES was introduced? That the key
was shortened, at the request of this same NSA? I expect that if this
number is correct, that the NSA can crack Clipper messages almost as
fast as they can be sent--without the "escrowed key".
this new potency comes with a caveat. If one of these new
encryption devices is used, for example, to encode a phone
conversation that is subject to a lawful government wiretap, the
government can get access to that device's encryption keys.
Separate parts of each key are held by two independent "escrow
agents," who will release keys only to authorized agencies under
safeguards approved by the attorney general. Private use of
First note. This is the same attorney general who is looking into
"getting around" the forth amendment.
Note also that there is no mention here of requiring a search warrant.
They are working hard in order to keep that option open--the option of
not needing a search warrant in order to make a tap. Why do they need
that?
the new encryption hardware is welcome but not required. That's a
pretty modest proposal. Its critics, though, have generated at
least seven myths
The thin edge always is. Modest, that is.
about key escrow encryption that deserve answers.
MYTH NUMBER ONE: Key escrow encryption will create a brave new
world of government intrusion into the privacy of Americans.
Okay, how about this? "GOVERNMENT HELD key escrow encryption will
allow for the government to spy on millions of Americans at the same
time with next to no effort, should they so desire."
Remember the phrase, "_Government_ trapdoor encryption standards"
And no, that's not such a _new_ thing. The government's power to
monitor us continues to grow at an alarming rate, and this is merely
the latest example.
Opponents of key escrow encryption usually begin by talking about
government invading the privacy of American citizens. None of us
likes the idea of the government intruding willy-nilly on
communications that are meant to be private.
But it is perfectly all right for the government to intrude willy-nilly
into high crime areas, such a housing projects? And you consider the
net to have the potential to be such a high crime area?
But the key escrow proposal is not about increasing government's
authority to invade the privacy of its citizens. All that key
escrow does is preserve the government's current ability to conduct
wiretaps under existing authorities. Even if key escrow were the
only form of encryption available, the world would look only a
little different from the one we live in now.
So long as there is a living mathematicians with a hard BS, RSA will
always be there for those of us who are willing to risk jail by using
it. But you are still missing the point. I, for one, have never
willing ceded the privacy of my phone conversations to any governmental
agency. And if I told my story of being tapped, a lot of other people
might agree. The right of the government to interrogate was severely
cut back by Miranda, I think that it is time we consider that persons
who go to the trouble of encryptting their private communications
should be allowed that privacy.
In fact, it's the proponents of widespread unbreakable encryption
who want to create a brave new world, one in which all of us --
crooks included --
Now we see the first sign that this guy might be a Clinton era
appointee. At least I hope so. Why do I say so? Check this out:
"Our opponents are sheltering criminals." He will expand on this in a
minute, but criminalizing the opposition is the particular habit of
government. It is a scare tactic, and an attempt to marginalize the
opposition through emotional manipulation. When you see it, grab your
gun, your wife and kids, and head for cover.
have a guarantee that the government can't tap our phones. Yet
these proponents have done nothing to show us that the new world
they seek will really be a better one.
We here see the first suggestion that this guy has little or no
knowledge of the history of cryptology. It has been several years
since reading David Kahn's, "The Codebreakers", but I recall,
"Encryption changes nothing. It attempts to maintain a state of
ignorance in the enemy until the knowledge becomes useless. Encryption
can only delay. _Decryption_, however changes things. It is through
decryption that the enemy is destroyed, and so it is upon decryption
that we will focus." This was written some time before quantum
encryption.
Note also here the argument to ignorance. I maintain that this
government has done nothing to show us that the new world they seek
will really be a better one. I maintain that this government has done
much to show quite the reverse. I maintain that a limited government
is a VERY good thing, and alternative systems would certainly limit
government, vis a vis the Clipper system, although not nearly to the
extent he claims.
In fact, even a civil libertarian might prefer a world where
wiretaps are possible. If we want to catch and convict the leaders
of criminal organizations, there are usually only two good ways to
do it. We can "turn" a gang member -- get him to testify against
his leaders. Or we can wiretap the leaders as they plan the crime.
Didn't this guy ever read Dick Tracy? He obviously failed to interview
law enforcement officials about how they obtain evidence. Tailing,
long-range listening/viewing devices, through the wall listening
devices, bugs, TEMPEST, the list goes on and on. What he means to say
is, "there are usually two _easy_ ways to do it." Well, get off your
duff!!
I once did a human rights report on the criminal justice system in
El Salvador. I didn't expect the Salvadorans to teach me much about
human rights. But I learned that, unlike the US, El Salvador
greatly restricts the testimony of "turned" co-conspirators. Why?
Because the co-conspirator is usually "turned" either by a threat
of mistreatment or by an offer to reduce his punishment. Either
way, the process raises moral questions -- and creates an incentive
for false accusations.
Now we can be certain this is a Clinton era appointee. He has
obviously never read a scrap of information about the Salem witch
trials. This country's government had to come to grips with this
CENTURIES ago. And if the government has no qualms about using turned
evidence, juries most certainly do. Because they know instinctively
what this guy apparently had to go to El Salvador to learn.
Wiretaps have no such potential for coercive use. The defendant is
convicted or freed on the basis of his own, unarguable words.
Again, this guy should keep up with Dick Tracy. Is he completely
unaware of the advances in computer manipulation of pictures and
sound? I expect within twenty years that the public will DEMAND that
this type of evidence be ruled inadmissible, unless we have an
UNFORGABLE communication system in place. And anything the government
has the keys to, it can forge.
In addition, the world will be a safer place if criminals cannot
take advantage of a ubiquitous, standardized encryption
infrastructure that is immune from any conceivable law enforcement
wiretap. Even if you're worried about illegal government taps, key
escrow reinforces the existing requirement that every wiretap and
every decryption must be lawfully authorized. The key escrow system
means that proof of authority to tap must be certified and audited,
so that illegal wiretapping by a rogue prosecutor or police officer
is, as a practical matter, impossible.
Unless that rogue prosecutor happens to be the attorney general, I
presume? More to the point, the concern is not about rogues, it is
about the government _as a whole_. We want protection against a
Hitler- or Lenin-styled government. And what is the big deal about
wire taps? Put a bug in either room. Do other things. The FBI got
shot down last year over this sort of thing. GET THE POINT.
MYTH NUMBER TWO: Unreadable encryption is the key to our future
liberty.
Let me sharpen this "myth" a little. There EXISTS a single key to our
future liberty. This "myth" is downright insulting. I'm tempted to
ignore the rest of this, but he asks for some rebuttals.
There is no single key to our future liberty. There are many. Like
the right to bear arms. Like eternal vigilance. Like freedom from
massive, arbitrary spying.
Of course there are people who aren't prepared to trust the escrow
agents, or the courts that issue warrants, or the officials who
oversee the system, or anybody else for that matter. Rather than
rely on laws to protect us, they say, let's make wiretapping
impossible; then we'll be safe no matter who gets elected.
Marginalization attempt number two: Our opposition is paranoid.
IF WE DIDN'T NEED SAFEGUARDS "NO MATTER WHO GETS ELECTED", THEN WHY DO
WE HAVE A BILL OF RIGHTS?
You know, that stuff this administration is "trying to work around".
Let me be specific. I want protection against _this_ administration.
If we trust the courts that issue warrants, why do we have appeals
courts?
This sort of reasoning is the long-delayed revenge of people who
couldn't go to Woodstock because they had too much trig homework.
It reflects a wide -- and kind of endearing -- streak of romantic
high-tech anarchism that crops up throughout the computer world.
Marginalization attempt number three: Our opposition is a bunch of
cute starry-eyed nerds.
Furthermore, he sneers anyone who takes their academic responsibilities
more seriously than trespassing, destroying private property, and
taking part in the biggest ("non-inhaling") orgy in history.
Definitely a Clintonite.
The problem with all this romanticism is that its most likely
beneficiaries are predators. Take for example the campaign to
distribute PGP ("Pretty Good Privacy") encryption on the Internet.
Some argue that widespread availability of this encryption will
help Latvian freedom fighters today and American freedom fighters
tomorrow. Well, not quite. Rather, one of the earliest users of PGP
was a high-tech pedophile in Santa Clara, California. He used PGP
to encrypt files that, police suspect, include a diary of his
contacts with susceptible young boys using computer bulletin boards
all over the country. "What really bothers me," says Detective
Brian Kennedy of the Sacramento, California, Sheriff's Department,
"is that there could be kids out there who need help badly, but
thanks to this encryption, we'll never reach them."
Marginalization attempt number four: Our opposition is a bunch of
pedophiles. Coming from this administration, that should be a
compliment.
But there is a VERY serious slight-of-hand going on here. This
paragraph should destroy ANY credibility this guy has. Why? Read along
with me.
"One of the earliest" and therefore most primitive and easiest to
break....... CANNOT YET TO BE BROKEN. Don't believe him. This guy is
really stewing in his own juices here. Either the NSA isn't good
enough to break this old PGP after several years, OR they don't care
to, OR he's lying. His implications certainly do. PGP is called PGP
because its authors know that it is not secure to the extent that THEY
want. Let alone anyone else. To argue here that after all these
years, the first versions still cannot be broken is like telling me -1
has no square root! (I'm working on my PhD in this stuff.) Assuming
this guy is telling the truth,....... then what is really going on is
that the NSA doesn't care enough about children to crack this case. So
we see that it is the NSA that is sheltering pedophiles. (I'm just
putting the shoe on the other foot here--of course the rank-and-file
members of the NSA do no such thing.) Grab your gun, grab your wife and
kids, and head for cover.
If unescrowed encryption becomes ubiquitous, there will be many
more stories like this. We can't afford as a society to protect
pedophiles and criminals today just to keep alive the far-fetched
notion that some future tyrant will be brought down by guerrillas
wearing bandoleers and pocket protectors and sending PGP-encrypted
messages to each other across cyberspace.
Again, the opposition is a bunch of starry-eyed nerds. He must be
jealous. Note also that he is scrupulously failing to mention RSA.
Any serious resistance movement will use RSA. And they will wear
whatever allows them to penetrate and eliminate enemy facilities.
MYTH NUMBER THREE: Encryption is the key to preserving privacy in a
digital world.
Notice his order here. First he says privacy ain't such a good thing.
Now he says, privacy can't be achieved. Nonsense. But as before,
THERE IS NO SINGLE KEY TO ACHIEVING ANYTHING WORTH HAVING.
It is A key. And an essential one. A hundred years ago, privacy
rights meant shooting peeping Toms. Now we worry that the peeper's
name is Sam.
Even people who don't believe that they are likely to be part of
future resistance movements have nonetheless been persuaded that
encryption is the key to preserving privacy in a networked,
wireless world, and that we need strong encryption for this reason.
This isn't completely wrong, but it is not an argument against
Clipper.
Sure, some have. But some people who never plan to fall off also
believe that the world is flat. So what?
The point is that strong encryption, like the right to bear arms, is
one of the best forms of insurance against an aggressive government. I
know that this government isn't too thrilled about the second
amendment, either, but this buttresses our concerns even more.
If you want to keep your neighbors from listening in on your
cordless phone, if you want to keep unscrupulous competitors from
stealing your secrets, even if you want to keep foreign governments
from knowing your business plans, key escrow encryption will
provide all the security you need, and more.
Not if it is only 16M times as powerful as DES, it won't protect from
Japan. Note the scare tactics again. I REPEAT: I'm not worried about
my neighbor, it's my uncle I don't trust.
But I can't help pointing out that encryption has been vastly
oversold as a privacy protector. The biggest threats to our privacy
in a digital world come not from what we keep secret but from what
we reveal willingly. We lose privacy in a digital world because it
becomes cheap and easy to collate and transmit data, so that
information you willingly gave a bank to get a mortgage suddenly
ends up in the hands of a business rival or your ex-spouse's
lawyer. Restricting these invasions of privacy is a challenge, but
it isn't a job for encryption. Encryption can't protect you from
the misuse of data you surrendered willingly.
Now we go for distraction. Boy, I would hate to face this guy in
court. Except for his first sentence, which I believe is just plain
false, the entire paragraph has nothing to do with the Clipper issue.
It's like saying, oh forty years ago, "The biggest threat to your home
is nuclear attack, so why are you worried about keeping your guns?"
This is something we can work on. This is a threat we can deal with.
This is a real and present danger.
Of course, even in his distraction, he destroys his credibility. If
the administration is so worried about privacy, as this system is
supposed to provide, why is there no serious legislation pending on
these other matters? If Clipper is the best these guys can do to help
privacy, we are in heap big trouble.
What about the rise of networks? Surely encryption can help prevent
password attacks like the recent Internet virus, or the
interception of credit card numbers as they're sent from one
digital assistant to another? Well, maybe. In fact, encryption is,
at best, a small part of network security.
The real key to network security is making sure that only the right
people get access to particular data. That's why a digital
signature is so much more important to future network security than
encryption. If everyone on a net has a unique identifier that
others cannot forge, there's no need to send credit card numbers --
and so nothing to intercept. And if everyone has a digital
signature, stealing passwords off the Net is pointless. That's why
the Clinton administration is determined to put digital signature
technology in the public domain. It's part of a strategy to improve
the security of the information infrastructure in ways that don't
endanger government's ability to enforce the law.
And we are all being SUCH bad children by not begging you for it. So
now the guy admits that digital signatures are a critical part of net
security. But only HIS signatures are good. PGP ones are bad. RSA
ones are bad. This reminds me of IBM introducing their first PC with
an 8088, after the TRS-80 had been out for years with the Z-80. One of
the major concerns is that the same thing, in the end, will happen.
MYTH NUMBER FOUR: Key escrow will never work. Crooks won't use it
if it's voluntary. There must be a secret plan to make key escrow
encryption mandatory.
One at a time, please. "Government trapdoor encryption standards...
for civilian communication systems." If a company wants to use its own
system internall, fine. If a company wants to offer such a system to
outsiders, fine. If the government wants to use it for the military,
or other strictly internal matters, fine. And by the way, if this is
so good, why won't the military use it?
As for people not wanting to use it, (all crooks, again) this is a
legitimate concern. Major crooks are probably using RSA already.
Minor ones aren't smart enough, usually, to use PGP.
But the third one is legitimate. If the government is as concerned
about maintaining its wire tapping abilities as _you_ indicate, the
expectation that the system will go mandatory is hardly unreasonable.
This is probably the most common and frustrating of all the myths
that abound about key escrow. The administration has said time and
again that it will not force key escrow on manufacturers and
companies in the private sector. In a Catch-22 response, critics
then insist that if key escrow isn't mandated it won't work.
This administration also stated that it would cut taxes for the middle
class, and raise them only on millionaires. This administration also
stated that it would not recertify China for MFN status. This
administration also stated that our Haitian policy under the previous
administration was "immoral". This administration also stated that it
would wait as long as necessary at Waco. This administration has gone
through periods of changing its stories on Whitewater daily. Shall I
continue?
Yes, this administration is definitely the most trustworthy we have
EVER had. I can't imagine what ever got into me, doubting their word.
That misunderstands the nature of the problem we are trying to
solve. Encryption is available today. But it isn't easy for
criminals to use; especially in telecommunications. Why? Because as
long as encryption is not standardized and ubiquitous, using
encryption means buying and distributing expensive gear to all the
key members of the conspiracy. Up to now only a few criminals have
had the resources, sophistication, and discipline to use
specialized encryption systems.
"resources, sophistication, and discipline"--Those last two words, the
last one in particular, have NEVER been associated with much of the
criminal environment, for ANY reason. But, _but_, BUT with the 1977
advent of the RSA system, practically ANYONE with a decent computer can
make code like nobody's business. And, despite the government's "best"
efforts, criminal use of RSA will continue to rise, especially among
the big time.
What worries law enforcement agencies --what should worry them --
is a world where encryption is standardized and ubiquitous: a world
where anyone who buys an US$80 phone gets an "encrypt" button that
interoperates with everyone else's; a world where every fax machine
and every modem automatically encodes its transmissions without
asking whether that is necessary. In such a world, every criminal
will gain a guaranteed refuge from the police without lifting a
finger.
What worries me --what should worry you -- is guys who actually seem to
believe statements like this when they make them. If encryption is
such a poor provider of privacy, what is his worry here? He so much as
affirms his own named MYTH number three! Not one of the above systems
would be immune from governmental monitoring. Just immune from the
lazy ones.
The purpose of the key escrow initiative is to provide an
alternative form of encryption that can meet legitimate security
concerns without building a web of standardized encryption that
shuts law enforcement agencies out. If banks and corporations and
government agencies buy key escrow encryption, criminals won't get
a free ride. They'll have to build their own systems -- as they do
now. And their devices won't interact with the devices that much of
the rest of society uses. As one of my friends in the FBI puts it,
"Nobody will build secure phones just to sell to the Gambino
family."
If he actually said that, he is as misinformed as you. The Gambinos, I
am sure, have MORE than sufficient resources to hire their own
mathematitions, engineers, etc, and custom build PLENTY of such
things. Right now they probably aren't because using such a system
would set off too many flags. But mark my words--when secure or
"secure" communications systems become ubiquitous, these families will
have their own systems installed, probably within weeks.
In short, as long as legitimate businesses use key escrow, we can
stave off a future in which acts of terror and organized crime are
planned with impunity on the public telecommunications system. Of
course, whenever we say that, the critics of key escrow trot out
their fifth myth:
Oh, yes save us! Please!!! You yourself just said that these people
are already doing exactly what you claim to prevent. Face the facts:
it is not a matter of if but of when that almost all serious criminals
will be doing this. You just want to deceive enough of the lesser ones
in order to trot them out the the public as examples of how good this
system is. Sorta like calling up those news stations before assaulting
Waco.
MYTH NUMBER FIVE: The government is interfering with the free
market by forcing key escrow on the private sector. Industry should
be left alone to develop and sell whatever form of encryption
succeeds in the market.
Well, lets see. Precisely why was the Clipper release "accelerated"?
Was it not because the nasty market was moving ahead with secure comm,
and you didn't like the way it was going? Didn't you preempt AT&T's
efforts by clipper? Oh, no, you aren't "forcing" anything on the
market. You make offers to major companies that cannot be refused. We
all know the VHS/Beta story. This administration has been a big fan of
early intervention in determination of standards. This is a textbook
example of such an intervention.
In fact, opponents of key escrow fear that businesses may actually
prefer key escrow encryption. Why? Because the brave new world that
unreadable encryption buffs want to create isn't just a world with
communications immunity for crooks. It's a world of uncharted
liability. What if a company supplies unreadable encryption to all
its employees, and a couple of them use it to steal from customers
or to encrypt customer data and hold it hostage? As a lawyer, I can
say it's almost certain that the customers will sue the company
that supplied the encryption to its employees. And that company in
turn will sue the software and hardware firms that built a
"security" system without safeguards against such an obvious abuse.
The only encryption system that doesn't conjure up images of a
lawyers' feeding frenzy is key escrow.
Marginalization attempt number five: our opponents are liars.
And as someone who ISN'T a lawyer, I'm not impressed. These uncharted
liabilities have been cooked up by trial lawyers just trying to rip the
rest of society off. The problem you refer to has nothing to do with
encryption, it has to do with tort reform, and with sharks in general.
Of course, THIS administration thinks we don't need such things.
But that's not even it. "Governmental trapdoor encryption systems..."
if Future Manufacturers wants to use escrow key internally, that's fine
by me. Speaking of someone fearing the opposite of what they say, I
think that this government doesn't like the idea of a distributed
password base. Suppose a company suspects one of its employees of
stealing secrets. Under Clipper, it would have to go to you to get the
key. Such transactions would be a matter of public record. Rumors
could fly, stock might plunge. All because some guy was trading
barbecue recipes. Companies SHOULD be able to monitor what their
equipment is being used for. Now tell me precisely why the government
should be involved in each such check???
But there's a second and even more compelling reason why the key
escrow initiative can't fairly be characterized as interfering with
private enterprise: The encryption market has been more or less
created and sustained by government. Much of the market for
encryption devices is in the public sector, and much of the
encryption technology now in widespread use in the private sector
was funded, perfected, or endorsed by the federal government.
Did the government create RSA? Did it create PGP? Do businesses want
to protect their research secrets from government? Notice the
arrogance (again), if something hasn't been endorsed by the federal
government, it won't sell.
Up until the early '80's, the government more or less created the
market. The demand now is government driven, too: people don't trust
it, and they want protection from it. The free market is trying to
respond to demand, and Clipper is clearly an attempt to influence that
market.
And not by accident, either. Good encryption is expensive. It isn't
just a matter of coming up with a strong algorithm, although
testing the strength of an algorithm can be enormously
time-consuming. The entire system must be checked for bugs and
weaknesses, a laborious and unglamorous process.
And, of course, the facts that strong encryption is non-exportable,
that the government has opposed expansion of strong encryption at every
turn, and that the government used Clipper to cut off the first product
coming out don't have a thing to do with it.
Generally, only the federal government has been willing to pay what
it costs to develop secure communications gear. That's because we
can't afford to have our adversaries reading our military and
diplomatic communications.
He admits it! There are other entities willing to do the hard work.
They are also more candid about their results. They are more easily
retaliated against. They are, therefore, more trustworthy.
That's led to a common pattern. First, the government develops,
tests, or perfects encryption systems for itself. Then the private
sector drafts along behind the government, adopting government
standards on the assumption that if it's good enough for the
government's information, it's good enough to protect industry's.
Unless, like the DES, the government intentionally weakens a system for
the public so that it can read it? Again, however, this guy is either
lying or horribly misinformed. Clipper is NOT good enough for the
military. Nor the diplomatic corps. Nor for anyone else with a
SERIOUS espionage problem. The "general use" of the Clipper will be to
assure privacy for those agencies with FOUO data, not SCI data. SCI
data will be better protected.
As encryption technology gets cheaper and more common, though, we
face the real prospect that the federal government's own research,
its own standards, its own purchases will help create the future I
described earlier -- one in which criminals use ubiquitous
encryption to hide their activities. How can anyone expect the
standard-setting arms of government to use their power to destroy
the capabilities of law enforcement -- especially at a time when
the threat of crime and terror seems to be rising dramatically?
Yep, we're all lax on crime. You're just a poor, misunderstood
crimefighter. You fight environmental crimes, health care crimes,
crimes against lizards, and crimes against the earth. Funny how serial
killers get a couple of years.
By adopting key escrow encryption instead, the federal government
has simply made the reasonable judgment that its own purchases will
reflect all of society's values, not just the single-minded pursuit
of total privacy.
"All of society's values"--like the NEA? Like PBS and NPR?
"Reasonable judgment" indeed. The government's first interest is its
dominancy and continuance. That puts it in direct conflict with the
people's interest in privacy. Oh yes, we should all trust your
profound judgement.
So where does this leave industry, especially those companies that
don't like either the 1970s-vintage DES or key escrow? It leaves
them where they ought to be -- standing on their own two feet.
Companies that want to develop and sell new forms of unescrowed
encryption won't be able to sell products that bear the federal
seal of approval. They won't be able to ride piggyback on federal
research efforts. And they won't be able to sell a single
unreadable encryption product to both private and government
customers.
Not quite. The federally granted copyright (patent?) on RSA makes it
illegal for them to use the most powerful, simplest scheme out there.
They may be on their own two feet, but the Feds are trying to knock
them down.
Well, so what? If companies want to develop and sell competing,
unescrowed systems to other Americans, if they insist on hastening
a brave new world of criminal immunity, they can still do so -- as
long as they're willing to use their own money. That's what the
free market is all about.
Marginalization attempt number six: Our opponents are unpatriotic.
Again, coming from this crowd, I think that should be a compliment.
And what does this administration know about the free market? This mea
culpa for influencing the market is just too incredible. You offer to
buy thousands of units of _your_ design from AT&T, just as they are
getting serious about _their_ designs, promising them millions more
sales, and THAT is a free market? I'll try Soviet agriculture.
Of course, a free market in the US doesn't mean freedom to export
encryption that may damage US national security. As our experience
in World War II shows, encryption is the kind of technology that
wins and loses
Not encryption, decryption. And are you actually claiming that any
serious enemy we might face WON'T already have access to RSA-based
systems?
wars. With that in mind, we must be careful about exports of
encryption. This isn't the place for a detailed discussion of
controls, but one thing should be clear: They don't limit the
encryption that Americans can buy or use. The government allows
Americans to take even the most sophisticated encryption abroad for
their own protection. Nor do controls require that
from what? From abusive governments? Isn't that it?
Speaking of foreign governments, consider the following senario: the
US adopts some governmental escrow-key system. The Chinese pick up on
it. They come out with their own standard--same chip, same system,
made "at home". And then they tell their people, "With this new chip
on your phones, our glorious government is granting our people the
exact same level of privacy that the United States government gives its
own." Care to comment on THAT "myth"?
software or hardware companies "dumb down" their US products.
Software firms have complained that it's inconvenient to develop a
second encryption scheme for export, but they already have to make
changes from one country to the next -- in language, alphabet, date
systems, and handwriting recognition, to take just a few examples.
And they'd still have to develop multiple encryption programs even
if the US abolished export controls, because a wide variety of
national restrictions on encryption are already in place in
countries from Europe to Asia.
This guy better not light a match--there is enough straw around here to
keep India in fodder for a year. The problem isn't that it's
inconvenient to develop different standards, it's that they won't
sell. I know it's hard for you to understand, but the rest of the
world has RSA, and maybe PGP. They are using it already. And unless
our secure systems can deliver that level of protection, nobody outside
will want it.
MYTH NUMBER SIX: The National Security Agency is a spy agency; it
has no business worrying about domestic encryption policy.
WOW! All the hay in Kentucky! I've never _heard_ such a statement.
Anybody who is at all involved in crypto knows what the NSA is, what is
does, and what it has done. Of course it is natural that the NSA would
develop any systems that the government would use. And if the
government were to make such standards public, such as the DES, what
else would anyone expect?
Since the National Security Agency has an intelligence mission, its
role in helping to develop key escrow encryption is usually treated
as evidence that key escrow must be bad security. In reality,
though, NSA has two missions. It does indeed gather intelligence,
in part by breaking codes. But it has a second, and oddly
complementary, mission. It develops the best possible encryption
for the US government's classified information.
With code breakers and code makers all in the same agency, NSA has
more expertise in cryptography than any other entity in the
country, public or private. It should come as no surprise,
therefore, that NSA had the know- how to develop an encryption
technique that provides users great security without compromising
law enforcement access. To say that NSA shouldn't be involved in
this issue is to say the government should try to solve this
difficult technical and social problem with both hands tied behind
its back.
The biggest NSA-specific gripe I could come up with is that the system
is classified. That means we can't test it easily. And I believe that
even with _our_ hands tied behind our backs, we are finding sever
technical problems.
MYTH NUMBER SEVEN: This entire initiative was studied in secret and
implemented without any opportunity for industry or the public to
be heard.
Two parter: Part one is true, and, so long as the algorithm remains
classified, very valid.
Part two would have been true if it weren't for us. There _was_ an
attempt to slip this by, but we stopped that...
This is an old objection, and one that had some force in April of
1993, when the introduction of a new AT&T telephone encryption
device required that the government move more quickly than it
otherwise would have. Key escrow was a new idea at that time, and
it was reasonable for the public to want more details and a chance
to be heard before policies were set in concrete. But since April
1993, the public and industry have had many opportunities to
express their views. The government's computer security and privacy
advisory board held several days of public hearings. The National
Security Council met repeatedly with industry groups. The Justice
Department held briefings for congressional staff on its plans for
escrow procedures well in advance of its final decision. And the
Commerce Department took public comment on the proposed key escrow
standard for 60 days.
After all this consultation, the government went forward with key
escrow, not because the key escrow proposal received a universally
warm reception, but because none of the proposal's critics was able
to suggest a better way to accommodate society's interests in both
privacy and law enforcement.
It bears repeating: the assumption that government's interests and
societies coincide is the hallmark of an oppressive government, and you
do yourself no good by continuing the assertion.
Unless somebody comes up with one, key escrow is likely to be
around for quite a while. That's because the only alternative being
proposed today is for the government to design or endorse
encryption systems that will cripple law enforcement when the
technology migrates -- as it surely will -- to the private sector.
And that alternative is simply irresponsible.
And one last, marginalizing dig: Our opposition is irresponsible. Of
course, the kids that went to Woodstock weren't.
More to the point: The government had nothing to do with the design of
RSA, let alone PGP, except to attempt to keep them under wraps, and to
blockade their implementation. The government's refusal to admit that
these systems are in fact the ones that are favored for PRIVATE use is
another indication that they are not willing to accept the declarations
of the market.
So, in the end, what do we have? We have a man who spends more time
attacking his opponents personally or in knocking down straw men than
he does the issues. And when he does get around to the issues, many of
his own "facts" either contradict his own arguments, or simple logic.
A friend told me, after reading this article, that he was _at first_
placated by it. This man is a PhD mathematician. After reflection, he
noted some of the points I raise. The fact that these folks have to
resort to calling their opponents pedophiles, and to putting down
responsible students indicates that they are desperate, and they have
no real case. Why engage in all these scare tactics if you have good,
basic arguments?
In case you did not get it from my comments, I (and thousands like me)
can develop the RSA system from scratch any time. Strong encryption is
here. It cannot be made to go away. The only question is whether
access to it will be limited to the elite few who can do it themselves,
or if it will be out there for all. He fails to mention that one can
easily layer PGP or RSA into any other system, rendering it strong, if
you have the equipment.
A late-breaking note: Sever technical flaws are cropping up in the
Clipper standard. This is tied to the fact that they formed the
standard by intentionally weakening an existing system--a violation of
ALL developmental protocols. You NEVER weaken an existing system,
because it is effectively impossible to prove exactly how much you
weakened it. This breach of protocol, _by itself_ disqualifies, IMHO,
the NSA from EVER being used to develop civilian use systems unless the
algorithms, and the process used to reach them, are fully available for
comment, over a long period.
--end of comments
Nathan Zook, Candidate, UT Austin, Dept of Mathematics
nzook@math.utexas.edu
They don't know that I'm doing this, so how could this have anything to
do with their oppinions?
For more information on the Clipper standard you can access WIRED's
Clipper archive via the following WIRED Online services.
* WIRED Infodroid e-mail server: Send e-mail to infodroid@wired.com
containing the words "send clipper/index" on a single line inside the
message body.
* WIRED Gopher: Gopher to gopher.wired.com and select "Clipper Archive."
* WIRED on World Wide Web: http://www.wired.com select "Clipper Archive."
* WIRED on America Online: The keyword is WIRED.
* WIRED on the Well: Type "go wired" from any "OK" prompt.
* * *
Stewart A. Baker is the National Security Agency's top lawyer. He
worked briefly as Deputy General Counsel of the Education
Department under President Jimmy Carter, and he practiced
international law at Steptoe & Johnson, in Washington, DC. He has
been at the NSA since 1992.
=-=-=-=-=-=-=-=-=WIRED Online Copyright Notice=-=-=-=-=-=-=-=-=-=
Copyright 1993,4 Wired Ventures, Ltd. All rights
reserved.
This article may be redistributed provided that the article and
this notice remain intact. This article may not under any
circumstances be resold or redistributed for compensation of any
kind without prior written permission from Wired Ventures, Ltd.
If you have any questions about these terms, or would like
information about licensing materials from WIRED Online, please
contact us via telephone (+1 (415) 904 0660) or email
(info@wired.com).
WIRED and WIRED Online are trademarks of Wired Ventures, Ltd.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
------------------------------
End of Computer Privacy Digest V5 #001
******************************
.