1993-09-24 - ACTIVIST ALERT

Header Data

From: ssimpson@eff.org (Sarah L Simpson)
To: com-priv@lists.psi.com
Message Hash: e817488519923c1374f9b7b10a72051ebd2a9fbe8a62e5f437b57c5670eeecdb
Message ID: <199309242135.AA11095@eff.org>
Reply To: N/A
UTC Datetime: 1993-09-24 21:40:39 UTC
Raw Date: Fri, 24 Sep 93 14:40:39 PDT

Raw message

From: ssimpson@eff.org (Sarah L Simpson)
Date: Fri, 24 Sep 93 14:40:39 PDT
To: com-priv@lists.psi.com
Subject: ACTIVIST ALERT
Message-ID: <199309242135.AA11095@eff.org>
MIME-Version: 1.0
Content-Type: text/plain


ACTIVIST ALERT - The Government Is Messin' With Your Privacy!

Computer Professionals for Social Responsibility (CPSR) posted the
following call for comments to the Net.  As the deadline for comments on
the proposed Escrow Encryption Standard (CLIPPER/SKIPJACK) looms near, EFF
wholeheartedly supports CPSR's work to bring attention to the proposal and
encourages everyone who reads this to respond with comments.

We have added a sample letter and additional information at the end of the
CPSR post.

====================
text of CPSR post
====================
Call for Clipper Comments

The National Institute of Standards and Technology (NIST) has
issued a request for public comments on its proposal to establish
the "Skipjack" key-escrow system as a Federal Information
Processing Standard (FIPS).  The deadline for the submission of
comments is September 28, 1993.  The full text of the NIST notice
follows.

CPSR is urging all interested individuals and organizations to
express their views on the proposal and to submit comments
directly to NIST.  Comments need not be lengthy or very detailed;
all thoughtful statements addressing a particular concern will
likely contribute to NIST's evaluation of the key-escrow proposal.

The following points could be raised about the NIST proposal
(additional materials on Clipper and the key escrow proposal may
be found at the CPSR ftp site, cpsr.org):

* The potential risks of the proposal have not been assessed and
many questions about the implementation remain unanswered.  The
NIST notice states that the current proposal "does not include
identification of key escrow agents who will hold the keys for the
key escrow microcircuits or the procedures for access to the
keys."  The key escrow configuration may also create a dangerous
vulnerability in a communications network.  The risks of misuse of
this feature should be weighed against any perceived benefit.

* The classification of the Skipjack algorithm as a "national
security" matter is inappropriate for technology that will be used
primarily in civilian and commercial applications.  Classification
of technical information also limits the computing community's
ability to evaluate fully the proposal and the general public's
right to know about the activities of government.

* The proposal was not developed in response to a public concern
or a business request.  It was put forward by the National
Security Agency and the Federal Bureau of Investigation so that
these two agencies could continue surveillance of electronic
communications. It has not been established that is necessary for
crime prevention.  The number of arrests resulting from wiretaps
has remained essentially unchanged since the federal wiretap law
was enacted in 1968.

* The NIST proposal states that the escrow agents will provide the
key components to a government agency that "properly demonstrates
legal authorization to conduct electronic surveillance of
communications which are encrypted."  The crucial term "legal
authorization" has not been defined.  The vagueness of the term
"legal authorization" leaves open the possibility that court-
issued warrants may not be required in some circumstances.  This
issue must be squarely addressed and clarified.

* Adoption of the proposed key escrow standard may have an adverse
impact upon the ability of U.S. manufacturers to market
cryptographic products abroad.  It is unlikely that non-U.S. users
would purchase communication security products to which the U.S.
government holds keys.


Comments on the NIST proposal should be sent to:

Director, Computer Systems Laboratory
ATTN: Proposed FIPS for Escrowed Encryption Standard
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD 20899

Submissions must be received by September 28, 1993.  CPSR has
asked NIST that provisions be made to allow for electronic
submission of comments.

Please also send copies of your comments on the key escrow
proposal to CPSR for inclusion in the CPSR Internet Library, our
ftp site.  Copies should be sent to <clipper@washofc.cpsr.org>.
===================
end of CPSR post
===================


EFF joins with CPSR in urging you to send your comments to NIST as soon as
possible.  To help get your creative juices flowing, we're attaching a
sample letter.  You will probably want to personalize any letter you
actually send.

And because time is so tight, EFF has set up an Internet address where you
can send your electronic comments in lieu of mailing them through the U.S.
Postal Service.  Send your letters to:

        cryptnow@eff.org

We will be printing out all letters and hand-delivering them before the
deadline, so please make sure to send us any letter you want included no
later than 8pm on Monday, September 27.

If you would like additional background materials, you can browse the
pub/EFF/crypto area of our anonymous ftp site (ftp.eff.org).  The original
solicitation of comments can be found there and is called
NIST-escrow-proposal.

DO NOT WAIT TO WRITE YOUR COMMENTS!  TIME IS SHORT!


======================
<<your name>>
<<your organization>>
<<your street address>>
<<your city, state, zip>>

<<date>>


National Institute for Standards and Technology (NIST)
ATTN:  Proposed FIPS for Escrowed Encryption Standard
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD  20899

Mr. Director:

I am writing to oppose the Proposed Federal Information Processing Standard
(FIPS) for and Escrowed Encryption Standard, docket # 930659-3159.

Encryption is vital for the protection of individual privacy in the
Information Age.  As more and more personal information flows around
electronic networks, we all need strong encryption to safeguard information
from unwanted intrusion

NIST should not be moving forward with technical standards specification
until critical policy decisions are made.  These policy issues include:

o       Continued Legal Use of All Forms of Encryption:  When the Clinton
Administration announced the Clipper Chip, it assured the public that this
would be a purely voluntary system.  We must have legal guarantees that
Clipper isn't the first step toward prohibition against un-escrowed
encryption.

o       Legal Rights of Escrow Users:  If people choose to deposit their
keys with the government or any other escrow agent, they must have some
legal recourse in the event that those keys are improperly released.  The
most recent draft of the escrow procedures specifically states, however:

        "These procedures do not create, and are not intended to create,
any substantive rights for individuals intercepted through electronic
surveillance, and noncompliance with these procedures shall not provide the
basis for any motion to suppress or other objection to the introduction of
electronic surveillance evidence lawfully acquired."

        Leaving users with no recourse will discourage use of the system
and is a tacit acceptance of unscrupulous government behavior.

o       Open Standards:  People won't use encryption unless they trust it. 
Secret standards such as Clipper cannot be evaluated by independent experts
and do not deserve the public trust.

        In addition, the current proposed technical standard is incomplete.
 It should not be approved until futher comment on the complete proposal is
possible

o       Operating Procedures Unclear:  The full operating procedures for
the escrow agents has yet to be issued.  Public comment must be sought on
the complete procedures, not just the outline presented in the draft FIPS. 
Even the government-selected algorithm review group has declared that it
needs more information on the escrow process.

o       Identity of Escrow Agents:  The identity of one or both of the
escrow agents has not been firmly established.

o       Algorithm Classified:  Asking for comments on an algorithm that is
classified makes a mockery of citizen participation in government
decision-making.

NIST will be involved in making many critical decisions regarding the
National Information Infrastructure.  The next time NIST solicits public
comments, it should be ready to accept reply by electronic mail in addition
to paper-based media.

Sincerely,

<<name>>
<<title>>
******************************
Sarah L. Simpson
Membership Coordinator
Electronic Frontier Foundation
1001 G Street, NW
Suite 950 East
Washington, DC  20001
202/347-5400 tel
202/393-5509 fax






Thread