1994-05-20 - Re: NSA’s Baker to debate key escrow live on AOL, May 26

Header Data

From: Karl Auerbach - San Jose Consultant <auerbach@denver.ssds.com>
To: Russell Nelson <nelson@crynwr.com>
Message Hash: a6fd89a1579e01173431c0fa67cb4e0c994f64184d0ebb4670ddf8a12708629c
Message ID: <Pine.3.05.9405201117.A3207-e100000@sanjose>
Reply To: <m0q48qF-000I7hC@crynwr>
UTC Datetime: 1994-05-20 18:40:46 UTC
Raw Date: Fri, 20 May 94 11:40:46 PDT

Raw message

From: Karl Auerbach - San Jose Consultant <auerbach@denver.ssds.com>
Date: Fri, 20 May 94 11:40:46 PDT
To: Russell Nelson <nelson@crynwr.com>
Subject: Re: NSA's Baker to debate key escrow live on AOL, May 26
In-Reply-To: <m0q48qF-000I7hC@crynwr>
Message-ID: <Pine.3.05.9405201117.A3207-e100000@sanjose>
MIME-Version: 1.0
Content-Type: text/plain




I'm going to add some annotations to clarify the transcript...

I must say, it was fun!

Overall, I believe that there were some good minds at work on Clipper,
and that they are really sincere that they believe they have put in a
workable set of protections.  One must admit, that for the government,
they have actually put in a pretty strong set of restrictions and
limitations.  But, overall, they simply missed the point that the starting
point of the discussion is that people have a right to privacy, not that
the government has a right to wiretap.

        --karl--


On Thu, 19 May 1994, Russell Nelson wrote:

> Date: Thu, 19 May 94 10:12 EDT
> From: Russell Nelson <nelson@crynwr.com>
> To: cypherpunks@toad.com, auerbach@denver.ssds.com
> Subject: Re: NSA's Baker to debate key escrow live on AOL, May 26
> 
>    Date: Thu, 19 May 1994 03:03:31 -0700
>    From: Phil Karn <karn@unix.ka9q.ampr.org>
> 
>    In article <NELSON.94May14232954@crynwr.crynwr.com>, you write:
>    |> I've heard Baker.  He's not particularly articulate, especially when
>    |> confronted by another lawyer (viz Karl Auerbach at Interop).  He tends
> 
>    I missed that session, opting to head for the airport before the rush.
>    What exactly did Auerbach say? Sorry I missed the fun.
> 
> I missed it too, so I bought the tapes.  This is transcribed from the
> tape of the Networld+Interop "The Clipper Chip Controversy" debate
> between Baker of the NSA and Weitzman of the EFF.  Karl Auerbach was
> the first questioner:
> 
> Auerbach: Okay, well, my name is Karl Auerbach, and first a
> calibration tone.  I grew up reading the cases of Sacco and Vanzetti,
> and Julius and Ethel Rosenberg, and I remember Kent State, and things
> like that.  So, do I trust my government?  No.
> 
> Certain things.  First, a technical question.  You said that you sent
> the chip off to the national labs for reverse engineering.  Did anyone
> send it to Taiwan?  <audience chuckles>  Next thing.
> 
> Baker: Are these all going to be hypothetical?
> 
> A: Did you really try giving it to the experts?  I mean, is it really
> reasonable to expect that someone isn't going to try to reverse
> engineer this thing?
> 
> B: I think it's quite reasonable to buy devices with the chip in it
> and send it to whomever you'd like.  I don't necessarily believe that
> I share your belief that you know who has the best technology for
> doing this because the people at the national labs get to practice against
> someone besides Intel and Motorola.  <audience chuckles>  Just a response,
> Karl.
> 
> A: I'd like to see them have a try.  Anyway, getting more to the legal
> matters, if I have a clipper phone, it's used by lots of people.  And,
> does that increase the expectation of privacy which is recognized by
> the supreme court and what happens to other people -- are we going to
> enact parallel legislation that restricts the further use of just
> ancillary conversations on the phone by a third party.  To make this
> work, we're going to have to enact legislation that prohibits the use
> of superencryption like pgp.  Are we going to do that?  And also

The point that I was trying to make here is this:

One of the ways to determine whether the government can simply use stuff
it happens to encounter (perhaps with a little help in the encountering)
is based on whether the subject has an "expectation of privacy."  So, if I
yell to another person in a crowded room, I don't have much expectation
that my conversation is private.  If I were to talk quietly in a room with
just two people, my expectation is higher.  On a normal telephone, I might
be overheard by an operator.  On a cellular phone, my expectation might be
a bit less.  On an encrypted phone I might have a pretty high expectation.
Thus, if a third party were to use a phone which is being tapped, would
the police be able to use what they overheard this person say, even though
the search warrant only allows tapping for the main subject?  From a later
answer, it seems that there are some laws governing this.

> 
> B: NO!
> 
> A: And also, are we going to allow PGP then?  And we're going to
> superencrypt it.  So that means that your total system is dead.
> 
> B: <splutter> I have to ask myself, what is the value to you of
> superencrypting?
> 
> A: So you can't read it!
> 
> B: Yeah, that's right <audience laughs, applauds>  Of course, but
> 
> A: If you want to do police work, get the police to find the key that
> the pedophile used to encrypt his file.  Get your warrant to look for
> that key.  He kept it somewhere.  It was just sloppy police work that
> didn't get the key he's got somewhere <audience applauds>.  And I
> don't know what piece of information you had that led you to know that
> that encrypted file had what you thought was in it.  Can you point,
> can you specifically articulate reasons that would give you probable
> cause to think that that information was in those files?  And I might
> remind you, the Supreme Court requires that.  <audience murmurs,
> whistles, claps>

I was really incensed at this point.  The guy from NSA was making all
these assertions about what was purportedly in some PGP encrypted files,
yet he failed to indicate one bit of information that would indicate why
he believed that those files contained that information.  In addition,
while it is possible that someone might hold a PGP key in his head, it is
more likely that it is written down somewhere.  So rather than using this
situation to justify Clipper, it should be used to educate the police to
find the key to the door before breaking it down.

> 
> B: I'm trying to figure out which of your points to address first.
> Let me start with the suggestion that superencryption somehow makes
> this pointless.  I agree that if the government said that the only
> kind of encryption you can use is clipper, that superencryption would
> be a way of evading some kind of enforcement mechanism designed to
> ensure that only clipper encryption was on the system.
> 
> A: So if I use PGP then you'll have probable cause to get a warrant?
> 
> B: No.  First, there's no suggestion, hasn't been a suggestion, you've
> got denials left and right, that this is going to be a required
> system.  If it's not a required system, what's the point of adding PGP
> to clipper?  You can encrypt with PGP if you want to, and you get
> whatever strength PGP gives you.  You add to that clipper and the
> government has probable cause to decrypt your clipper conversations,
> what you have is a single PGP-encrypted conversation, which is as good
> as not having bothered going through the clipper encryption at all.
> 
> A: No, what I was expecting was that you're going to make the argument
> that if we've got clipper, and we find that someone is using PGP in
> addition to clipper, that therefore they've got something to hide, and
> we'd better go after them.
> 
> B: Yeah, I think that's a paranoid suggestion.
> 
> A: Well, I'm paranoid, but the government...  <baker chuckles> And the
> other thing is, we saw an earlier slide that says that this will only
> be available to the federal government.  Now, if my statistics memory
> is right, most criminals are investigated by state governments.  So is
> this somehow, what's going to happen with the states?  Are they going
> to have access to this, or are we going to create more magistrates?
> Are we going to deputize all the local police as federal agents?
> 
> B: About 37 states have wiretap authority.  If they encounter
> 
> A: So the first slide lied.
> 
> B: I don't think so.
> 
> A: So those state police are now federal employees.  So this is more
> than federal wiretapping, this is state wiretapping as well then?  And
> I bet there's far more, how many state wiretaps are there per year?
> 
> B: I think the 900 includes that.  And the wiretapping proceeds in
> this country pursuant to federal law.  It's regulated by federal law
> even when it's done by state authorities.  That, probably, is the
> answer to the other point you had suggested, which is that we need
> some special law to protect third parties who might have conversations
> with people.  In fact, there are already requirements on the books
> that, after all, if you're conducting a wiretap, of John Gotti, you're
> always going to get two people in those conversations.  There's not
> much point in wiretapping him when he's not talking to somebody.
> Consequently, if he calls somebody to order pizza, or if his daughter
> orders pizza, or talks to her friends, there are already legal
> requirements that you cease the recording of those conversations when
> they're plainly not related to the crime.
> 
> A: And finally in respect to the escrows, since this is personally
> identifiable information, I assume that under the privacy act, I have
> access to it.
> 
> <someone else>: Karl, it's not personally identifiable in the sense
> that what the escrow agents maintain is a chip id and an encryption
> key and there is not a mapping maintained in the system in general, at
> any point, of who bought which device with chip id, so if that's what
> you were referring to, I don't think it qualifies as you described it.
> 
> <someone else yet>: Let me just add that unfortunately there's a law
> enforcement exception to the privacy act, so I think it's an
> interesting question whether it is personally identifiable or not, but
> either way, there is an exception for an ongoing investigation.
> 
>    I heard somebody made a good crack to Baker about how he must have
>    worked for the tobacco companies. Was that Auerbach?
> 
> No, that was the person who spoke after him.  It was "Mr. Baker, I
> just have a very simple question about your position on all this.  Do
> you ever feel like a cigarette industry executive?"  <audience
> laughs, applauds>
> 
> B: Let me turn that around a little, and I'll ask that about the EFF.
> I wonder whether they don't ever feel like the NRA, because in fact,
> <audience laughs> the analysis we hear of this issue, and the stuff,
> you've all heard it, "they'll get my crypto key when they pry it from
> my dead, cold fingers".  All that stuff is a deliberate invocation of
> the same kind of analysis that gave us the gun policy that we have in
> this country.  And so I guess if you like the gun policy that the NRA
> gave us, I think you're going to love the privacy consequences of the
> policies that the EFF is urging on us.
> 
> <other>: Isn't that what the United States Constitution says, though?
> 
> B: <splutter> I don't think the constitution requires either of these
> things.
> 
> etc.
> 
> -russ <nelson@crynwr.com>      ftp.msen.com:pub/vendor/crynwr/crynwr.wav
> Crynwr Software   | Crynwr Software sells packet driver support | ask4 PGP key
> 11 Grant St.      | +1 315 268 1925 (9201 FAX)    | Quakers do it in the light
> Potsdam, NY 13676 | LPF member - ask me about the harm software patents do.







