From: Dave Banisar <cpsr@access.digex.net>
Date: Fri, 4 Mar 94 02:05:34 PST
To: Cypherpunks@toad.com
Subject: Guardian Article on Clipper
Message-ID: <9403040509.AA13710@Hacker2.cpsr.digex.net>
MIME-Version: 1.0
Content-Type: text/plain


The Guardian (UK)
March 3, 1994, Page 17


Are These Men A Threat To Free Speech?

US law enforcement agencies want to decode 'secret' electronic
mail, prompting a furious row about citizens' rights

by Mike Holderness


With modern communications systems you can send letters, orders and
memos around the world in minutes. But you don't want your
competitors, or their governments, siphoning the details of your
bid for that dam contract in the Far East out of the Internet. So
what do you do?

And when you receive an electronic message announcing you've won
the deal, how do you know it's genuine? It's possible to fake
electronic mail: you must worry about the possibilities for
creative industrial espionage this opens up.

Then again, you might be a Cabinet minister, setting up a meeting
with your boyfriend on the mobile phone. Wouldn't it be good to
know that no one could tap the message?

The answer to all these problems lies in encryption technology. The
solution the US government proposed earlier this month, however,
has generated a furious row in the on-line world about government
interference in citizens' right to communicate in private. The
disturbing implications for people outside the US have gone largely
unremarked.

Computer programs that can do practically unbreakable encryption
are available to the public in the US and elsewhere. One, named PGP
for Pretty Good Privacy, is increasingly used to authenticate
electronic messages (Computer Guardian, November 25, 1993). It can
encrypt the whole message, or send the main text "in clear",
followed by an encrypted block containing a mathematical
"fingerprint" of the message and the sender's name and address. The
program can thus verify whether a signature belongs to the
purported sender and whether the message arrives as it left.

This worries law-enforcement agencies. What if drug dealers and
terrorists start using unbreakable encryption? The US government's
Key Escrow Encryption system - commonly known by its working title,
Clipper - is its answer.

Clipper uses an encryption chip suitable for building into a mobile
phone or a modem. Its method of encryption, developed by the US
National Security Agency (NSA), depends on "keys" - codes used
mathematically to mangle the text or speech. The recipient can only
get the original back if they have the key and can use it to
un-mangle - decrypt - the message.

PGP depends on a "public-key" system. Users sending signed messages
encrypt the signature with keys known only to them.  They also
issue public keys, which are mathematically derived from the
private key, and allow anyone to verify the signature.  If someone
sends them a message encrypted with their public key, only the
private key will extract it. By contrast, each Clipper chip will
have an encryption key built in. When the chip is manufactured, two
parts of the key will be lodged with two separate US government
agencies. (In legal jargon, this is like "holding the keys in
escrow".) A secret "super-key" allows law enforcement agencies to
retrieve the serial number of the chip used on the link they're
tapping. Under US guidelines released last month, if a law
enforcement agency wants to eavesdrop on encrypted communications
it should send details of a search warrant to the agencies holding
the key components.

This is a red rag to the inhabitants of Internet discussion forums,
the world's largest functioning anarchy. There, discussions of the
right (under the First Amendment to the Constitution) to
unrestricted free speech can and do slip effortlessly into the
belief that, as one participant put it, "The people must be allowed
to discuss anything, including revolution."

According to Brian Yoder, president of California company Networxx,
"The US Constitution doesn't grant the government the power to
maintain this kind of surveillance capability over the population.
Period. The assumption is that anything that enhances the ability
of the police to catch criminals is OK, but that is not what the
Constitution says, and that's not the kind of country I want to
live in."

Cryptology specialist Dr Dorothy Denning at Georgetown University
was part of a team reviewing the NSA's design process. She points
out that Clipper "will not make it any easier to tap phones, let
alone computer networks. All it will do is make it possible to
decrypt communications that are encrypted with the standard,
assuming the communications are not super-encrypted with something
else. Law enforcers still need to get a court order."

But who trusts the NSA? The Clipper design is secret. Many assume
the Agency has built in a "trap-door" allowing it to break
encryption without the keys.

No one has proposed making non-Clipper encryption illegal, but the
US government clearly hopes to establish it as an industry
standard. For example, while it's usually illegal to export any
form of encryption technology from the US, it will be legal to
export Clipper. However, non-US companies using it to protect their
communications will have to live with the uneasy knowledge that the
NSA could be listening in - and the NSA, like its UK sibling
organisation GCHQ in Cheltenham, has a long history of intercepting
foreign commercial messages for the benefit of home companies.
(GCHQ declined to say whether it had been involved in any
discussions over Clipper.)

The protests have started. A petition organised by Computer
Professionals for Social Responsibility against Clipper, and in
favour of a Bill to permit export of competing encryption systems,
gathered more than 20,000 electronic signatures in its first two
weeks.

Wired magazine has proclaimed, "This is a pivotal moment in
history", accusing "the Clinton-Gore administration" of "attempting
a stealth strike on our rights". It has asked readers to sign the
CPSR  petition and "call or write your Congressional
representatives and let them know how you feel."

Encryption and authentication are important for much more than the
privacy of the frequently obscure or banal discussions on the
Internet. Medical and financial records are now commonly held on
computers, and a growing proportion of business transactions take
place on-line. Cyberspace is where your money is.

For private communications, Emma Nicholson MP takes a relaxed view:
"In communicating, we should start from a belief that everyone
listens to everything. Gossip is what makes the world go round. I
have very few secrets. I would be deeply concerned if a device were
marketed that could stop interception - I would support the FBI
completely."

Computer-law barrister Alistair Kelman, however, believes any
attempt to enforce the Clipper chip as a worldwide standard would
meet stiff opposition. The European Commission could be expected to
object that it fell foul of Treaty of Rome provisions against
misuse of a dominant position. "If you want to have a world
standard for encryption, fine," Kelman said, but the EC could
respond, "Let's get together and settle on something that meets our
requirements as well."