Found at: gopher.meulie.net:70/EFFector/effect05.08

******************************************************************
           //////////////     //////////////     //////////////
         ///                ///                ///
       ///////            ///////            ///////
     ///                ///                ///
   //////////////     ///                ///
******************************************************************
EFFector Online Volume 5 No. 8       5/14/1993       editors@eff.org
A Publication of the Electronic Frontier Foundation   ISSN 1062-9424

                  -==--==--==-<>-==--==--==- 
                        In this issue:
              Clipper Chip-Related Excerpts from:
   A Letter from the Digital Privacy and Security Working Group 
                 to President Clinton
   A Selection of Questions Submitted by the Working Group
                 Sent to President Clinton
   Whit Diffie's Testimony Before the House Subcommittee on Science
   A Request for Public Comment by the National Institute of
                 Standards and Technology
                   -==--==--==-<>-==--==--==- 

Background:
As reported in issue 5.06 of EFFector Online, on April 16, 1993, the 
Clinton Administration announced its proposal for a new national 
cryptography policy. Under this proposed policy, a voice encryption 
agents would each hold half of a code key that could be used to 
enable law enforcement officers to conduct court-authorized 
analysis of the proposal, expressing our concerns about the secrecy 
Administration's intention to keep the encryption algorithm 
classified.  Here are some of the activities EFF and others have 
engaged in since that announcement was made.

************************************************************************ 

On May 7, 1993, the Digital Privacy and Security Working Group sent 
a letter to President Clinton expressing the Group's concerns and 
asking that a public dialogue be initiated to discuss the issue further. 
The Digital Privacy and Security Working Group is a coalition of 
communications and computer companies and associations and 
consumer and privacy advocates that was formed almost a decade 
ago and is chaired by EFF's Executive Director, Jerry Berman.  The 
Working Group has been concerned that no inquiry had been made 
before the release of the proposed government Clipper standard.  
The Working Group proposed that the Group be included in any 
future review process of the Administration's encryption proposal.  
Here are some highlights from the Working Group's letter to the 

"Dear Mr. President:

"On April 16 you initiated a broad industry/government review of 
end of the Cold War and the rapid evolution of technology in the 
computer and communications industries, a comprehensive review of 
our communications security policies such as you have directed is 
interconnected digital networks, and computer and communications
technologies converge, both government and the private sector need 
to evaluate information security and privacy issues.  Of course, any 
overall policy must recognize the authorized law enforcement and 
national security needs, and must evaluate the impact on American 
competitiveness.

. . .

"While we recognize the importance of authorized national security 
and law enforcement needs, we believe that there are fundamental 
account when any domestic surveillance scheme is proposed.  
Moreover, it is unclear how your proposal and the overall review of 
cryptography policy will impact on U.S. export controls.  Over the 
the law enforcement community on just such issues. 

"In the White House press release of April 16, the Press Secretary 
affected industries...and groups that advocate the privacy rights of 
individuals...'
 
"Our group of over 50 members -- from computer software and 
companies, to the American Civil Liberties Union and the Electronic 
Frontier Foundation -- requests the opportunity to participate in 
being considered, including appropriate encryption techniques.  We 
believe that our membership has the breadth and depth of expertise 
and experience that would allow us to provide an excellent forum for 
the development of new policies in these areas. 

"During the past few weeks, the Working Group has met several 
times to identify issues that need to be addressed. Several aspects of 
the Administration's encryption proposal warrant further discussion, 
including, but not limited to:

o   whether a key escrow system will produce the desired law
        enforcement results;
o   the level of strength and integrity of the algorithm and
        the security of the key escrow system;
o   the advisability of a government-developed and classified
        algorithm;
o   its practicality and commercial acceptability;
o   the effect of the proposal on American competitiveness and
        the balance of trade;
o   possible implications for the development of digital
        communications; and,
o   the effect on the right to privacy and other constitutional
        rights.

"A detailed list of our questions relating to this subject is being 

"We are making our views known to officials within your 
Administration and Members of Congress as the review begins.  We 
and look forward to working with you and your Administration on 
this important issue in the coming months.  Representatives of the 
Digital Privacy and Security Working Group are anxious to meet with 
your staff at their earliest convenience to establish a consultation 

Sincerely,

abcd, The Microcomputer Industry Association
Advanced Network & Services, Inc.
American Civil Liberties Union
Apple Computer, Inc.
AT&T
Business Software Alliance
Cavanagh Associates, Inc.
Cellular Telephone Industry Association
Computer Professionals for Social Responsibility
Computer & Business Equipment Manufacturers Association
Computer & Communications
Digital Equipment Corporation
EDUCOM
Electronic Frontier Foundation
Electronic Mail Association
Hewlett-Packard Company
Lotus Development Corporation
McCaw Cellular Communications
MCI
Microsoft Corporation
RSA Data Security, Inc.
Software Publishers Association
Sun Microsystems, Inc.
Toolmaker, Inc.
Trusted Information Systems
United States Telephone Association

*********************************************************************** 

Today, Friday, May 14, 1993, the Digital Privacy and Security 
Working Group sent its list of questions on to the President. The list 
contained over 100 questions. A sample of the questions follows: 
(for a complete list of the questions, please contact us at eff@eff.org)

"Why the secrecy in which the encryption code scheme was 
Has the Justice Department or the White House Office of Legal 
Counsel considered the constitutional implications?"

"If American firms are not able to have their encryption experts 
examine the algorithm, how can they be sure that there is no 'trap 
overridden?" 

"Will this system be truly voluntary?  If so, won't criminals and 
terrorists just use some other type of encryption?"

"It appears that once a given chip has been compromised due to use 
of the escrowed keys, the chip and the equipment it is used in are 
vulnerable forever.  Is there any mechanism or program to re-key or 
acquiring party to verify whether the keys on a given chip have 
been compromised?  Who should bear the cost of replacement or re-
keying of compromised hardware?"

"Who will be the agents for the keys?  How secure will they be from 
the outside and from the inside?  What is the cost of maintaining the 
escrow system?  Who will pay?  Who will profit?"

"If the Administration is so confident about the level of security of 
the Clipper Chip scheme, why will classified information not be 
encrypted with it?"

"Is law enforcement permitted to identify the specific piece of 
communications equipment without obtaining a warrant?  If 
encrypted communications include the serial number ("chip family 
key"), will law enforcement be able to keep track of communications 
traffic and track private citizens without even securing the keys 
from the escrow agents?"

"Does the escrow system violate the letter or the spirit of the Fourth 
Amendment protections which safeguard citizens against intrusive 
law enforcement practices?"

"Why weren't other Chip manufacturers given the chance to bid on 
the chip production process?  Why was the choice made to have only 
one manufacturer?"

"What testing has been done to verify the ability of Clipper to work 
across the panoply of new emerging technologies?  If the underlying 
Clipper operation?  How critical is synchronization of the bit stream 
for Clipper operation?  Has this technology been tested with ISDN, 
TDMA, Cellular, CDMA Cellular, ATM, SONET, SMDS, etc. and other 
emerging technologies?  What effect does Clipper have on the 
Cellular Authentication and Voice Encryption (CAVE) algorithm? Are 
these differences for key generation, authentication, or voice 

"If Clipper won't be commercially accepted abroad, and export 
controls continue to prohibit the exportation of other encryption 
U.S. market?"

"What governmental regulations will apply to imports of devices 
containing the Clipper Chip?  Given that most U.S. companies source
most customer premise equipment (e.g., telephones, fax machines, 
etc.) offshore, how will the logistics be handled for the export of the 
Clipper Chip as a component, and the subsequent import of the 
manufacturers to have the Clipper algorithm?  If not, how will the 
Administration justify this trade barrier?"

"There are a number of companies that employ non-escrowed 
cryptography in their products today.  These products range from 
these products and the many corporations and individuals that are 
invested in them and use them?  Will the investment made by the
vendors in encryption-enhanced products be protected?  If so, how?  
or be asked to employ Clipper?"

"If the outcome of the policy review is not pre-ordained, then the 
need a great deal of definition.  What roles have been identified for 
Congress, the private sector, and other interested parties?  Who is 
coordinating the process?"

********************************************************************** 

On May 11, 1993, Whitfield Diffie, one of the original pioneers of the 
Microsystems, Inc., testified before the House Subcommittee on 
Science about his concerns with the Clipper Chip proposal.  
Representative Rick Boucher (D-VA) heads that committee and 
initiated these hearings to discuss security issues regarding the
National Research and Education Network (NREN).  Here are some 

. . .

"In the month that has elapsed since the announcement, we have 
information permits.  We conclude that such a proposal is at best
enforcement. 

"To give you some idea of the importance of the issues this raises, I'd 
like to suggest that you think about what are the most essential 
and away the most important element of your security is that you 
Finally you engage in private conversations, saying things to your 
loved ones, your friends, or your staff that you do not wish to be 
overheard by anyone else.

"These three mechanisms lean heavily on the physical: face to face 
contact between people or the exchange of written messages.  At this 
moment in history, however, we are transferring our medium of 
only by the development of our technology.  Many of us spend half 
the day on the telephone talking to people we may visit in person at 
most a few times a year and the other half exchanging electronic 
mail with people we never meet in person. 

"Communication security has traditionally been seen as an arcane 
the banks and oil companies.  Viewed in light of the observations 
above, however, it is revealed as nothing less than the 
transplantation of fundamental social mechanisms from the world of 
face to face meetings and pen and ink communication into a world of 
electronic mail, video conferences, electronic funds transfers, 
electronic data interchange, and, in the not too distant future,

"No right of private conversation was enumerated in the constitution. 

"Now, however, we are on the verge of a world in which electronic 
communication is both so good and so inexpensive that intimate 
business and personal relationships will flourish between parties 
each other.  If we do not accept the right of these people to protect 
the privacy of their communication, we take a long step in the 

"The import of this is clear:  The decisions we make about 
communication security today will determine the kind of society we 
live in tomorrow. 

. . .

"Eavesdropping, as its name reminds us, is not a new phenomenon. 
But in spite of the fact that police and spies have been doing it for a 
long time, it has acquired a whole new dimension since the invention 
of the telegraph. 

"Prior to electronic communication, it was a hit or miss affair. Postal 
messages were carried by a variety of couriers, travelers, and 
merchants. Sensitive messages in particular, did not necessarily go 
by standardized channels. Paul Revere, who is generally remembered 
for only one short ride, was the American Revolution's courier, 
traveling routinely from Boston to Philadelphia with his saddle bags 
full of political broadsides. 

"Even when a letter was intercepted, opened, and read, there was no 
the victim would not notice the intrusion.

"The development of the telephone, telegraph, and radio have given 
the spies a systematic way of intercepting messages. The telephone 
even people who are aware of the danger routinely put aside their 
caution and use it to convey sensitive information. Digital switching 
and made it possible for them to do their listening a long way from 
the target with negligible chance of detection. 

. . .

"The law enforcement function of the Clipper system, as it has been 
from compromise via the Law Enforcement Exploitation Field, need 
only encrypt that one item at the start of transmission. In many 
become as freely available as has been suggested, many products 

. . .

"I urge the committee to take what is good in the Administration's 

o The Skipjack algorithm and every other aspect of this proposal 
but to guarantee that once made available as standards they will not 
be prematurely withdrawn. Configuration control techniques 
the commercial where that is appropriate.

o I likewise urge the committee to recognize that the right 
to private conversation must not be sacrificed as we move into a 
telecommunicated world and reject the Law Enforcement Exploitation 
Function and the draconian regulation that would necessarily come 

o I further urge the committee to press the Administration 
to accept the need for a sound international security technology 
appropriate to the increasingly international character of the world's 
economy."

************************************************************************ 

The Computer System Security and Privacy Advisory Board of the 
National Institute of Standards and Technology (NIST) will be holding 
Gaithersburg, MD. Public submissions are requested and are due by 

Cryptographic Issue Statements
Computer System Security and Privacy Advisory Board
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD
fax: 301/948-1784

Submissions may also be sent electronically to: 
crypto@csrc.ncsl.nist.gov 

For more information about the NIST meeting, including a more 
eff@eff.org. 

**If you do submit anything to NIST, EFF would be interested in a 
copy of your statement, as well. Thanks.**

. . .

"Issues on which comments are sought include the following: 

"1. CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES 

"Public and Social policy aspects of the government-developed 'key 
escrow' chip and, more generally, escrowed key technology and 

"Issues involved in balancing various interests affected by 

"2. LEGAL AND CONSTITUTIONAL ISSUES

"Consequences of the government-developed 'key escrow' chip 
technology and, more generally, key escrow technology and 

"3. INDIVIDUAL PRIVACY

"Issues and impacts of cryptographic-related statutes, regulations, 
and standards, both national and international, upon individual 

"Issues related to the privacy impacts of the government-developed 
'key escrow' chip and 'key escrow' technology generally. 

"4. QUESTIONS DIRECTED TO AMERICAN INDUSTRY 

. . .

"5. QUESTIONS DIRECTED TO THE AMERICAN BUSINESS COMMUNITY 

. . .

"6. OTHER

"Please describe any other impacts arising from Federal government 
cryptographic policies and regulations.

"Please describe any other impacts upon the Federal government in 
the protection of unclassified computer systems. 

"Are there any other comments you wish to share? 

"The Board agenda will include a period of time, not to exceed ten 
and to the extent possible, speakers addressing the same topic will 
be grouped together. Speakers, prescheduled by the Secretariat and 
notified in advance, will be allotted fifteen to thirty minutes to orally 
if they would be interested in orally summarizing their materials for
the Board at the meeting. 

"Another period of time, not to exceed one hour, will be reserved for 
oral comments and questions from the public. Each speaker will be 
allotted up to five minutes; it will be necessary to strictly control the 
length of presentations to maximize public participation and the 
number of presentations.

"Except as provided for above, participation in the Board's 
Designated Federal Official.

"Approximately thirty seats will be available for the public, including 
three seats reserved for the media. Seats will be available on a first-
come, first-served basis.

"FOR FURTHER INFORMATION CONTACT: Mr. Lynn McNulty, Executive 
Secretary and Associate Director for Computer Security, Computer 
Systems Laboratory, National Institute of Standards and Technology, 
Building 225, Room B154, Gaithersburg, Maryland 20899, telephone: 
(301) 975-3240. 

"SUPPLEMENTARY INFORMATION: Background information on the 
the Board Secretariat; see address in 'for further information' section. 
Also, information on the government-developed 'key escrow' chip is 
available electronically from the NIST computer security bulletin 
board, phone 301-948-5717.

"The Board intends to stress the public and social policy aspects, the 
legal and Constitutional consequences of this technology, and the 
impacts upon American business and industry during its meeting.

"It is the Board's intention to create, as a product of this meeting, a 
conclusions (if any) that might be reached, and an inventory of the 
the procedures described above, public participation is encouraged 
and solicited." 

                   -==--==--==-<>-==--==--==- 

=============================================================

     EFFector Online is published by
     The Electronic Frontier Foundation
     666 Pennsylvania Ave. SE 
     Washington, DC 20003 USA
     Phone: +1 202 544 9237 FAX: +1 202 547 5481
     Internet Address: eff@eff.org
     Coordination, production and shipping by Cliff Figallo, EFF 
     Online Communications Coordinator (fig@eff.org)
     Introduction and article assembly by Shari Steele
     (ssteele@eff.org) 
 Reproduction of this publication in electronic media is *encouraged*.
 Signed articles do not necessarily represent the view of the EFF.
 To reproduce signed articles individually, please contact the authors
 for their express permission.

      *This newsletter is printed on 100% recycled electrons*
=============================================================

        MEMBERSHIP IN THE ELECTRONIC FRONTIER FOUNDATION

efforts and activities into other realms of the electronic frontier, we 
need the financial support of individuals and organizations.

becoming a member now. Members receive our bi-weekly electronic 
newsletter, EFFector Online (if you have an electronic address that 
can be reached through the Net), and special releases and other 
notices on our activities.  But because we believe that support should 
be freely given, you can receive these things even if you do not elect 
to become a member.

Your membership/donation is fully tax deductible.

Our memberships are $20.00 per year for students and $40.00 per 
year for regular members.  You may, of course, donate more if you 

Our privacy policy: The Electronic Frontier Foundation will never, 
under any circumstances, sell any part of its membership list.  We 
organizations  whose work we determine to be in line with our goals.  
But with us,  member privacy is the default. This means that you 
must actively grant us permission to share your name with other 

=============================================================
Mail to: The Electronic Frontier Foundation, Inc.
         238 Main St.
         Cambridge, MA 02142

            $20.00 (student or low income membership)
            $40.00 (regular membership)

    [  ] I enclose an additional donation of $_______

Name:

Organization:

Address:

City or Town:

State:       Zip:      Phone: (    )             (optional)

FAX: (    )              (optional)

Email address:

to my Mastercard [  ]  Visa [  ]  American Express [  ]

Number:

Expiration date:

Signature: ________________________________________________

Date:

other non-profit groups from time to time as it deems
appropriate   [ ].
                       Initials:___________________________


