1993-06-03 - CPSR NIST Crypto Statement

Header Data

From: Dave Banisar <banisar@washofc.cpsr.org>
To: CYPHERPUNKS <CYPHERPUNKS@toad.com>
Message Hash: fa20ae58b6febb029c24328213a525ba7180d767aedcaa9449df3a1c99e1d766
Message ID: <00541.2821903098.3779@washofc.cpsr.org>
Reply To: N/A
UTC Datetime: 1993-06-03 17:35:42 UTC
Raw Date: Thu, 3 Jun 93 10:35:42 PDT

Raw message

From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Thu, 3 Jun 93 10:35:42 PDT
To: CYPHERPUNKS <CYPHERPUNKS@toad.com>
Subject: CPSR NIST Crypto Statement
Message-ID: <00541.2821903098.3779@washofc.cpsr.org>
MIME-Version: 1.0
Content-Type: text/plain


  CPSR NIST Crypto Statement

                    Department of Commerce
        National Institute of Standards and Technology

      Computer System Security and Privacy Advisory Board

                Review of Cryptography Policy
                          June 1993

             Statement of CPSR Washington office
                  Marc Rotenberg, director
                (rotenberg@washofc.cpsr.org)
               with David Sobel, legal counsel,
                 Dave Banisar, policy analyst


     Mr. Chairman, members of the Advisory Panel, thank you for the 
opportunity to speak today about emerging issues on cryptography 
policy. 

     My name is Marc Rotenberg and I am director of the CPSR 
Washington office.  Although CPSR does not represent any computer 
firm or industry trade association, we speak for many in the 
computer profession who value privacy and are concerned about the 
government's Clipper proposal.

     During the last several years CPSR has organized several meetings 
to promote public discussion of cryptography issues.  We have also 
obtained important government documents through the Freedom of 
Information Act.  We believe that good policies will only result if the 
public, the profession, and the policy makers are fully informed 
about the significance of these recent proposals.

     We are pleased that the Advisory Board has organized hearings.  
This review of cryptography policy will help determine if the Clipper 
proposal is in the best interests of the country.  We believe that a 
careful review of the relevant laws and policies shows that the key 
escrow arrangement is at odds with the public interest, and that 
therefore the Clipper proposal should not go forward.

     Today I will address issues 1 through 3 identified in the NIST 
announcement, specifically the policy requirements of the Computer 
Security Act, the legal issues surrounding the key escrow 
arrangement, and the importance of privacy for network 
development.


1. CRYPTOGRAPHY POLICY

     The first issue concerns the 1987 statute enacted to improve 
computer security in the federal government, to clarify the 
responsibilities of NIST and NSA, and to ensure that technical 
standards would serve civilian and commercial needs.  The Computer 
Security Act, which also established this Advisory Panel, is the true 
cornerstone of cryptography policy in the United States.  That law 
made clear that in the area of unclassified computing systems, the 
Department of Commerce and not the Department of Defense, would 
be responsible for the development of technical standards.  It 
emphasized public accountability and stressed open decision-making.

     The Computer Security Act grew out of a concern that classified 
standards and secret meetings would not serve the interests of the 
general public.  As the practical applications for cryptography have 
moved from the military and intelligence arenas to the commercial 
sphere, this point has become clear.  There is also clearly a conflict of 
interest when an agency tasked with signal interception is also given 
authority to develop standards for network security.  

     In the spirit of the Computer Security Act, NIST set out in 1989 to 
develop a public key standard FIPS.  In a memo dated May 5, 1989 
and obtained by CPSR through the Freedom of Information Act, NIST 
said that it planned:

         to develop the necessary public-key based security 
         standards.  We require a public-key algorithm for 
         calculating digital signatures and we also require a 
         public-key algorithm for distributing secret keys.  

NIST then went on to define the requirements of the standard:

         The algorithms that we use must be public, unclassified, 
         implementable in both hardware or software, usable by 
         federal Agencies and U.S. based multi-national 
         corporation, and must provide a level of security 
         sufficient for the protection of unclassified, sensitive 
         information and commercial propriety and/or valuable 
         information.

     The Clipper proposal and the full-blown Capstone configuration, 
which incorporates the key management function NIST set out to 
develop in 1989, is very different from the one originally conceived 
by NIST. 

         *  The Clipper algorithm, Skipjack, is classified,

         *  Public access to the reasons underlying the proposal is 
            restricted, 

         *  Skipjack can be implemented only in tamper-proof 
            hardware, 

         *  It is unlikely to be used by multi-national corporations, 
            and

         *  Its security remains unproven.

     The Clipper proposal undermines the central purpose of the 
Computer Security Act.  Although intended for broad use in 
commercial networks, it was not developed at the request of either 
U.S. business or the general public.  It does not reflect public goals.  
Rather it reflects the interests of one secret agency with the 
authority to conduct foreign signal intelligence and another 
government agency responsible for law enforcement investigations.  

     It is our belief that the Clipper proposal clearly violates the intent 
of the Computer Security Act of 1987.  

     What is the significance of this?  It is conceivable that an expert 
panel of cryptographers will review the Skipjack algorithm and find 
that it lives up to its billing, that there is no "trap door" and no easy 
way to reverse-engineer it.  In fact, the White House has proposed just 
such a review process.

     But is this process adequate?  Is this the procedure the Advisory 
Board would endorse for the development of widespread technical 
standards?  The expert participants will probably not be permitted 
to publish their assessments of the proposal in scientific journals, 
further review of the standard will be restricted, and those who are 
skeptical will remain in the dark about the actual design of the chip.  
This may be an appropriate process for certain military systems, but 
it is clearly inappropriate for a technical standard that the 
government believes should be widely incorporated into the 
communications infrastructure.

     Good government policy requires that certain process goals be 
satisfied.  Decisions should be made in the open.  The interests of the 
participating agencies should be clear.  Agencies should be 
accountable for their actions and recommendations.  Black boxes and 
government oversight are not compatible.

     There is an even greater obligation to promote open decisions 
where technical and scientific issues are at stake.  Innovation 
depends on openness.  The scientific method depends on the ability 
of researchers to "kick the tires" and "test drive" the product.  And, 
then, even if it is a fairly good design, additional testing encourages 
the development of new features, improved performance and 
reduced cost.  Government secrecy is incompatible with such a 
development process.

     Many of these principles are incorporated into the Computer 
Security Act and the Freedom of Information Act.  The current 
government policy on the development of unclassified technical 
standards, as set out in the Computer Security Act, is a very good 
policy.  It emphasizes public applications, stresses open review, and 
ensures public accountability.  It is not the policy that is flawed.  It is 
the Clipper proposal.

     To accept the Clipper proposal would be to endorse a process that 
ran contrary to the law, that discourages innovation, and that 
undermines openness.


2. LEGAL AND CONSTITUTIONAL ISSUES

     There are several legal and constitutional issues raised by the 
government's key escrow proposal.  

     The premise of the Clipper key escrow arrangement is that the 
government must have the ability to intercept electronic 
communications, regardless of the economic or societal costs.  The 
FBI's Digital Telephony proposal and the earlier Senate bill 266 were 
based on the same assumption.

     There are a number of arguments made in defense of this 
position: that privacy rights and law enforcement needs must be 
balanced, or that the government will be unable to conduct criminal 
investigations without this capability. 

     Regardless of how one views these various claims, there is one 
point about the law that should be made very clear: currently there 
is no legal basis -- in statute, the Constitution or anywhere else --  
that supports the premise which underlies the Clipper proposal.  As 
the law currently stands, surveillance is not a design goal.  General 
Motors would have a stronger legal basis for building cars that could 
not go faster than 65 miles per hour than AT&T does in marketing a 
commercial telephone that has a built-in wiretap capability.  In law 
there is simply nothing about the use of a telephone that is 
inherently illegal or suspect.

     The federal wiretap statute says only that communication service 
providers must assist law enforcement in the execution of a lawful 
warrant.  It does not say that anyone is obligated to design systems 
to facilitate future wire surveillance.  That distinction is the 
difference between countries that restrict wire surveillance to 
narrow circumstances defined in law and those that treat all users of 
the telephone network as potential criminals.  U.S. law takes the first 
approach.  Countries such as the former East Germany took the 
second approach.  The use of the phone system by citizens was 
considered inherently suspect and for that reason more than 10,000 
people were employed by the East German government to listen in 
on telephone calls.

     It is precisely because the wiretap statute does not contain the 
obligation to incorporate surveillance capability -- the design 
premise of the Clipper proposal -- that the Federal Bureau of 
Investigation introduced the Digital Telephony legislation.  But that 
legislation has not moved forward on Capitol Hill and the law has 
remained unchanged.  The Clipper proposal attempts to accomplish 
through the standard-setting and procurement process what the 
Congress has been unwilling to do through the legislative process.

     On legal grounds, adopting the Clipper would be a mistake.  There 
is an important policy goal underlying the wiretap law.  The Fourth 
Amendment and the federal wiretap statute do not so much balance 
competing interests as they erect barriers against government excess 
and define the proper scope of criminal investigation.  The purpose 
of the federal wiretap law is to restrict the government; it is not to 
coerce the public.

     Therefore, if the government endorses the Clipper proposal, it will 
undermine the basic philosophy of the federal wiretap law and the 
fundamental values embodied in the Constitution.  It will establish a 
technical mechanism for signal interception based on a premise that 
has no legal foundation.  I am not speaking rhetorically about "Big 
Brother."  My point is simply that the assumption underlying the 
Clipper proposal is more compatible with the practice of telephone 
surveillance in the former East Germany than it is with the narrowly 
limited circumstances that wire surveillance has been allowed in the 
United States.  

     There are a number of other legal issues that have not been 
adequately considered by the proponents of the key escrow 
arrangement that the Advisory Board should examine.  First, not all 
lawful wiretaps follow a normal warrant process.  It is critical that 
the proponents of Clipper make very clear how emergency wiretaps 
will be conducted before the proposal goes forward.  Second, there 
may be civil liability issues for the escrow agents if there is abuse or 
compromise of the keys.  Escrow agents may be liable for any harm 
that results.  Third, there is a Fifth Amendment dimension to the 
proposed escrow key arrangement if a network user is compelled to 
disclose his or her key to the government in order to access a 
communications network. Each one of these issues should be 
examined.  

     There is also one legislative change that we would like the 
Advisory Board to consider.  During our FOIA litigation, the NSA cited 
a 1951 law to withhold certain documents that were critical to 
understand the development of the Digital Signature Standard.  The 
law, passed in 1951, grants the government the right to restrict the 
disclosure of any classified information pertaining to cryptography.  While the 
government may properly withhold classified information in FOIA 
cases, the practical impact of this particular provision is to provide 
another means to insulate cryptographic policy from public review.  

     Given the importance of public review of cryptography policy, the 
requirement of the Computer Security Act, and the Advisory Board's 
own commitment to an open, public process, we ask the Advisory 
Board to recommend to the President and to the Congress that 
section 798 be repealed or substantially revised to reflect current 
circumstances.

     This is the one area of national cryptography policy where we 
believe a change is necessary.


3. INDIVIDUAL PRIVACY

     Communications privacy remains a critical test for network 
development.  Networks that do not provide a high degree of privacy 
are clearly less useful to network users.  Given the choice between a 
cryptography product without a key escrow and one with a key 
escrow, it would be difficult to find a user who would prefer the key 
escrow requirement.  If this proposal does go forward, it will not be 
because network users or commercial service providers favored it.

     Many governments are now facing questions about restrictions on 
cryptography similar to the questions now being raised in this 
country.  It is clear that governments may choose to favor the 
interests of consumers and businesses over law enforcement.  Less 
than a month ago, the government of Australia over-rode the 
objections of law enforcement and intelligence agencies and allowed 
the Australian telephone companies to go forward with new digital 
mobile phone networks, GSM, using the robust A5 algorithm.   Other 
countries will soon face similar decisions.  We hope that they will 
follow a similar path.
 
     To briefly summarize, the problem here is not the existing law on 
computer security or policies on cryptography and wire surveillance.   
The Computer Security Act stresses public standards, open review, 
and commercial applications.  The federal wiretap statute is one of 
the best privacy laws in the world.  With the exception of one 
provision in the criminal code left over from the Cold War, our 
current cryptography policy is very good.  It reflects many of the 
values -- individual liberty, openness, government accountability -- 
that are crucial for democratic societies to function.

     The problem is the Clipper proposal.  It is an end-run around 
policies intended to restrict government surveillance and to ensure 
agency accountability.  It is an effort to put in place a technical 
configuration that is at odds with the federal wiretap law and the 
protection of individual privacy.  It is for these reasons that we ask 
the Advisory Board to recommend to the Secretary of Commerce, the 
White House, and the Congress that the current Clipper proposal not 
go forward.

     I thank you for the opportunity to speak with you about these 
issues.  I wish to invite the members of the Advisory Committee to 
the third annual CPSR Privacy and Cryptography conference that will 
be held Monday, June 7 in Washington, DC at the Carnegie 
Endowment for International Peace.  That meeting will provide an 
opportunity for further discussion about cryptography policy.


ATTACHMENTS

"TWG Issue Number: NIST - May 5, 1989," document obtained 
by CPSR as a result of litigation under the Freedom of 
Information Act.

"U.S. as Big Brother of Computer Age," The New York Times, 
May 6, 1993, at D1.

"Keeping Fewer Secrets," Issues in Science and Technology, vol. 
IX, no. 1 (Fall 1992)

"The Only Locksmith in Town," The Index on Censorship 
(January 1990)

[The republication of these articles for the non-commercial purpose 
of informing the government about public policy is protected by 
section 107 of the Copyright Act of 1976]

===============================================
