1993-07-16 - CPSR Secrecy Statement

Header Data

From: Dave Banisar <banisar@washofc.cpsr.org>
To: CYPHERPUNKS <CYPHERPUNKS@toad.com>
Message Hash: 7a4b3260abe842fe0da62a18290de49cb9699a6fe1e906f14040990eead5b7e0
Message ID: <00541.2825657567.4296@washofc.cpsr.org>
Reply To: N/A
UTC Datetime: 1993-07-16 13:39:10 UTC
Raw Date: Fri, 16 Jul 93 06:39:10 PDT

Raw message

From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Fri, 16 Jul 93 06:39:10 PDT
To: CYPHERPUNKS <CYPHERPUNKS@toad.com>
Subject: CPSR Secrecy Statement
Message-ID: <00541.2825657567.4296@washofc.cpsr.org>
MIME-Version: 1.0
Content-Type: text/plain


  CPSR Secrecy Statement

     Computer Professionals for Social Responsibility (CPSR) has 
called for a complete overhaul in the federal government's 
information classification system, including the removal of 
cryptography from the categories of information automatically 
deemed to be secret.  In a letter to a special Presidential task 
force examining the classification system, CPSR said that the 
current system -- embodied in an Executive Order issued by 
President Reagan in 1982 -- "has limited informed public debate on 
technological issues and has restricted scientific innovation and 
technological development."

       The CPSR statement, which was submitted in response to a 
task force request for public comments, strongly criticizes a 
provision in the Reagan secrecy directive that presumptively 
classifies any information that "concerns cryptology."  CPSR notes 
that "while cryptography -- the science of making and breaking 
secret security codes -- was once the sole province of the 
military and the intelligence agencies, the technology today plays 
an essential role in assuring the security and privacy of a wide 
range of communications affecting finance, education, research and 
personal correspondence."  With the end of the Cold War and the 
growth of widely available computer network services, the outdated 
view of cryptography reflected in the Reagan order must change, 
according to the statement.

       CPSR's call for revision of the classification system is 
based upon the organization's experience in attempting to obtain 
government information relating to cryptography and computer 
security issues.  CPSR is currently litigating Freedom of 
Information Act lawsuits against the National Security Agency 
(NSA) seeking the disclosure of technical data concerning the 
digital signature standard (DSS) and the administration's recent 
"Clipper Chip" proposal.  NSA has relied on the Reagan Executive 
Order as authority for withholding the information from the 
public.

       In its submission to the classification task force, CPSR 
also called for the following changes to the current secrecy 
directive:

     *  A return to the "balancing test," whereby the public 
     interest in the disclosure of information is weighed 
     against the claimed harm that might result from such 
     disclosure;

     *  A prohibition against the reclassification of 
     information that has been previously released;

     *  The requirement that the economic cost of classifying 
     scientific and technical information be considered before 
     such information may be classified;

     *  The automatic declassification of information after 
     20 years, unless the head of the original classifying 
     agency, in the exercise of his or her non-delegable 
     authority, determines in writing that the material 
     requires continued classification for a specified 
     period of time; and

     *  The establishment of an independent oversight 
     commission to monitor the operation of the security 
     classification system.

       The task force is scheduled to submit a draft revision of 
the Executive Order to President Clinton on November 30.

       The full text of the CPSR statement can be obtained via 
ftp, wais and gopher from cpsr.org, under the filename 
cpsr\crypto\secrecy_statement.txt.

       CPSR is a national organization of professionals in the 
computing field.  Membership is open to the public.  For more 
information on CPSR, contact <cpsr@cpsr.org>. 



                                        July 14, 1993




Information Security Oversight Office
750 17th Street, N.W.
Suite 530
Washington, DC 20006
Attention: PRD Task Force

     Re: Proposed Changes to the Security Classification System

     This submission is made in response to the Notice published 
in the Federal Register on May 20, 1993 (58 FR 29480).  According 
to the Notice, the Task Force is soliciting submissions "by 
interested parties on proposals to change the system under which 
information is classified, safeguarded, and declassified in the 
interest of national security."  Computer Professionals for Social 
Responsibility (CPSR), a national organization of professionals in 
the computing field, has a long-standing interest in the problems 
surrounding the current information classification system -- a 
system that has limited informed public debate on technological 
issues and has restricted scientific innovation and technological 
development.  Based on our experience conducting litigation under 
the Freedom of Information Act and our efforts to assess certain 
government policies concerning cryptography and computer security, 
we have the following recommendations regarding changes to the 
security classification system.


General Recommendations  

     CPSR believes that the current Executive Order 12356 is far 
too broad in its definition of classifiable information and that 
post Cold War realities require the substantial revision of this 
outdated directive.  We share the views of many public interest, 
journalistic, academic, historical, and scientific organizations 
that have recommended a complete revision of the classification 
scheme.  We believe such a revision is both necessary and 
appropriate.  In particular, we support the following changes to 
the classification system:

     *  A return to the "balancing test," whereby the public 
     interest in the disclosure of information is weighed 
     against the claimed harm that might result from such 
     disclosure;

     *  A prohibition against the reclassification of 
     information that has been previously released;

     *  The requirement that the economic cost of classifying 
     scientific and technical information be considered before 
     such information may be classified;

     *  The automatic declassification of information after 
     20 years, unless the head of the original classifying 
     agency, in the exercise of his or her non-delegable 
     authority, determines in writing that the material 
     requires continued classification for a specified 
     period of time; and

     *  The establishment of an independent oversight 
     commission to monitor the operation of the security 
     classification system.


"Cryptology" as a Classification Category

     In addition to endorsing these general recommendations, we 
wish to address in detail one particular provision of the current 
Executive Order that unnecessarily restricts the dissemination of 
technical data that should be routinely available to the public 
and the scientific community.  At the time EO 12356 was 
promulgated in 1982, a new classification category was 
established, simply defined as "cryptology."  EO 12356, Sec. 
1.3(a)(8).  When the House Government Operations Committee 
examined the Executive Order shortly after its issuance, the 
Committee concluded that "[t]he need for this new category is 
uncertain" and noted that "[t]he word 'cryptology,' as added by 
the Reagan order, is not qualified or defined."  H. Rep. No. 731, 
97th Cong., 2d Sess. 16 (1982).

     This concern carries even more weight today.  The designation 
of a routine privacy-enhancing technology as presumptively a 
national security matter is inconsistent with the end of the Cold 
War and the dramatic growth of commercial and civilian 
telecommunications networks.  While cryptography -- the science of 
making and breaking secret security codes -- was once the sole 
province of the military and the intelligence agencies, the 
technology today plays an essential role in assuring the security 
and privacy of a wide range of communications affecting finance, 
education, research, and personal correspondence.  

     Electronic communications are now widely used in the civilian 
sector and have become an integral component of the global 
economy.  Computers store and exchange an ever increasing amount 
of personal information, including medical and financial data.  In 
this electronic environment, the need for privacy-enhancing 
technologies is apparent.  Communications applications such as 
electronic mail and electronic funds transfers require secure 
means of encryption and authentication -- goals that can be 
achieved only through the development and dissemination of robust 
cryptographic technology within the civilian sector.


The Computer Security Act and Civilian Cryptography

     In recognition of the emerging significance of civilian 
cryptography, Congress enacted the Computer Security Act (P.L. 
100-235) in 1987.  When Congress enacted the legislation, it 
expressed particular concern that the National Security Agency 
("NSA"), a secretive military intelligence agency, would 
improperly limit public access to information concerning civilian 
computer security activities.  H. Rep. No. 153 (Part 2), 100th 
Cong., 1st Sess. 21 (1987).  The House Report on the Act notes 
that NSA's 

     natural tendency to restrict and even deny access to 
     information that it deems important would disqualify 
     that agency from being put in charge of the protection 
     of non-national security information in the view of many 
     officials in the civilian agencies and the private 
     sector.  
Id.

     To alleviate these concerns, Congress granted sole authority 
to the National Institute of Standards and Technology ("NIST") -- 
a civilian agency within the Department of Commerce -- to 
establish technical cryptography standards for civilian computer 
security.  During Congress' consideration of the legislation, "NSA 
opposed its passage and asserted that NSA should be in control of 
this nation's computer standards program."  Id. at 7.  Congress 
forthrightly rejected NSA's position, noting that continued 
military control over all cryptographic development "would 
jeopardize the entire Federal standards program."  Id. at 26.

     Since the enactment of the Computer Security Act, CPSR has 
sought to monitor compliance with its provisions.  In keeping with 
those efforts, CPSR requested relevant information from NIST under 
the Freedom of Information Act ("FOIA") concerning the development 
of the "digital signature standard" -- the agency's first proposed 
cryptographic standard since passage of the legislation.  It is 
important to note that the proposed standard itself would be 
"applicable to all federal departments and agencies for the 
protection of unclassified information."  56 Fed. Reg. 42981 
(August 30, 1991) (emphasis added).  

     After CPSR filed a lawsuit to compel disclosure of the 
information, NIST acknowledged that the great bulk of responsive 
material was under the jurisdiction of NSA.  NSA, in turn, has 
sought to withhold a substantial amount of that information on the 
grounds that it "concerns cryptology" and is therefore classified.  
CPSR v. National Institute of Standards and Technology, et al., 
C.A. 92-0972-RCL (D.D.C.).  The current Executive Order is thus 
being used to classify information relating to a civilian agency's 
development of a security standard intended to protect 
unclassified information.  Such a result contravenes Congress' 
intent that non-military cryptographic standards would be 
developed openly and subject to public scrutiny.


The Public Interest in Cryptography

     More recent developments further illustrate how the 
application of cryptographic technology is moving out of the 
"national security" realm and is thus an inappropriate subject for 
presumptive classification.  On April 16, 1993, the President 
announced that "government engineers" had developed a new 
cryptographic device known as the "Clipper Chip" that is intended 
for widespread public use.  The President noted that 
"[s]ophisticated encryption technology has been used for years to 
protect electronic funds transfer ... [and] is now being used to 
protect electronic mail and computer files."  He also recognized 
that "encryption technology can help Americans protect business 
secrets and the unauthorized release of personal information."  

     Unfortunately, the administration subsequently acknowledged 
that the "Clipper" technology was developed by NSA and that the 
underlying technical data is classified.  As in the case of the 
digital signature standard, a new technology that may have a 
significant impact on the nation's telecommunications 
infrastructure was developed in secrecy behind a shield of NSA-
imposed classification.  There is a great deal of interest in the 
development of civilian cryptography, but public involvement in 
the process has been substantially hampered by the improper 
classification of relevant technical information.  See, e.g., 
Markoff, U.S. as Big Brother of Computer Age, New York Times, May 
6, 1993 at D1. 

     In the Cold War atmosphere that prevailed for 45 years, 
cryptography was often viewed as a national security matter and 
policy makers were at times willing to permit the National 
Security Agency and the military establishment to maintain a 
shroud of secrecy around the technology, even to the detriment of 
scientific research and public accountability.  With the end of 
the Cold War and the growth of widely available computer network 
services, this view of cryptography must change.  Indeed, Congress 
recognized the need for reform when it enacted the Computer 
Security Act in 1987, even before the demise of the Soviet Union.  
At the same time, cryptographic technology has become an 
increasingly vital component of the nation's civilian information 
infrastructure.  Under these circumstances, there is no rational 
basis for continuing the presumption that information that 
"concerns cryptology" should be classified.  The economic and 
scientific cost to the country of the continuation of this policy 
will be substantial and cannot be justified.

     We believe that cryptographic information should only be 
classified upon a specific showing that such disclosure will 
result in an identifiable harm to legitimate national security 
interests.  Such a showing could clearly be made, for instance, 
with respect to the actual "keys" to government cryptographic 
systems.  However, the wholesale classification of all information 
relating to this increasingly important field of computer science 
cannot be justified and may even slow the development of more 
secure systems.  We urge the Task Force to recommend to the 
President that "cryptology" be removed from any listing of 
classification categories that might be contained in a revised 
Executive Order on security classification.

     *  "Cryptology" should be removed from the designated 
     "Classification Categories."


Limitations on Quasi-Classification Authority

     In addition to our concern regarding classification for 
cryptology, we wish to raise several additional points about the 
operation of the Executive Order. One aspect of the Executive 
Order concerning classification authority with which we agree has 
not received proper notice by federal agencies.  That is 
paragraph (b) of Part 1, which states that "Except as otherwise 
provided by statute, no other terms shall be used to identify 
classified information."  It has been CPSR's experience that 
agencies continue to use the designation "sensitive but 
unclassified" to invoke a national security concern when in fact 
there is no basis for such a claim and when such a "quasi-
classification" is disfavored by the Executive Order and contrary 
to the intent of the Computer Security Act.  In one instance, the 
Federal Bureau of Investigation specifically restricted public 
access to information regarding the development of certain 
computer systems because it designated technical documents 
"sensitive but unclassified."  

     We believe that these activities improperly restrict public 
access to government information that should otherwise be made 
available.  For this reason, we believe that a revised Executive 
Order should make very clear that classification authority is 
narrowly restricted.

     *  Classification authority must be narrowly construed and 
     invoked only pursuant to designated classification levels, 
     recognized by statute or executive order.

     
Limitations on Classification to Conceal Misconduct

     We are further concerned that Section 1.6(a)-(b) and Section 
5.4(b)(2)(c) in the current Executive Order have not received 
adequate attention by the national security community.  Section 
1.6(a) states that:

     In no case shall administrative information be 
     classified in order to conceal violations of law, 
     inefficiencies, or administrative error; to prevent 
     embarrassment to a person, organization, or agency; to 
     restrain competition; or to prevent or delay the release 
     of information that does not require protection in the 
     interest of national security.

Section 1.6(b) further states that "[b]asic scientific information 
not clearly related to the national security may not be 
classified."

Section 5.4 (Sanctions) states, in pertinent part, that:

     (b) Officers and employees of the United States 
     government and its contractors, licensees, and grantees 
     shall be subject to appropriate sanctions if they: . . . 

     (2) knowingly and willfully classify or continue the 
     classification of information in violation of this Order 
     or any implementing directive;

     (c) sanctions may include reprimand, suspension without 
     pay, removal, termination of classification authority, 
     loss or denial of access to classified information, or 
     other sanctions in accordance with applicable law and 
     agency regulation.

     As indicated above, it has been CPSR's experience that the 
National Security Agency sought to conceal its activities under 
the Computer Security Act through improper assertion of the (b)(1) 
exemption to the Freedom of Information Act.  It is clearly an 
improper use of classification authority to conceal agency conduct 
in this manner.  Such activities frustrate public oversight and 
permit the abuse of powers.

     Based on this experience, we make the following 
recommendations:

     *  ISOO should conduct an investigation to determine whether 
     the NSA's classification of documents regarding 
     cryptography was improper and, if so, whether sanctions are 
     appropriate for the agency officials involved.

     *  Any agency or government official exercising 
     classification authority with the intent of concealing 
     misconduct, inefficiencies or improper conduct should be 
     subject to sanctions and the ISOO should make known on an 
     annual basis its efforts to ensure that such activities do 
     not occur.


Implementation and Review

     It is also our belief that it would be appropriate to 
establish an independent commission on classification authority 
that would meet periodically to review the activities of the 
Information Security Oversight Office and to solicit public input 
on issues regarding information classification and national 
security.  Such a commission could include a representative of the 
National Security Council and the Director of the ISOO.  It would 
also include distinguished archivists, historians, journalists, 
librarians, scientists and academics.  Such a commission could 
provide ongoing oversight of the classification program and help 
ensure that future policies reflect the widespread needs of our 
country in information policy and the changing nature of our 
national security interest.


     We appreciate this opportunity to present our views and would 
be pleased to provide you with any additional information you 
might require.


Marc Rotenberg                         David L. Sobel
CPSR Washington Director               CPSR Legal Counsel
