



EPIC ALERT


                    Volume 3.10                May 21, 1996


Published by the
Electronic Privacy Information Center
Washington, D.C.
http://www.epic.org/


Table of Contents

[1] Clipper III
[2] Senator Burns Criticizes New Clipper Proposal
[3] House Members Urge Clinton to Abandon Key-Escrow
[4] Federal Appeals Court to Review Crypto Export Controls
[5] OECD Debates Crypto Policy
[6] FBI Releases Digital Telephony Wiretap Report
[7] New Privacy Resources at EPIC.org and on the Net
[8] Upcoming Conferences and Events


[1] Clipper III


A new report from an administration working group calls for the establishment of an international infrastructure for key escrow encryption, called "KMI" or Key Management Infrastructure. The goal of KMI is similar to the original Clipper plan, but is more far-reaching and potentially more damaging to privacy and security on the Internet.

The report contends (as did earlier proposals for other products in the Clipper family) that KMI is necessary to protect public safety and national security. The report also argues for an international key-sharing plan. The government offers the gradual relaxation of export controls in exchange for a commitment from industry to build in key escrow capability. The proposal suggests that:

-- Export controls will be relaxed where the keys are escrowed in the United States or the U.S. has a government-to-government key escrow agreement with the country of destination.

-- Self-escrow will be an "acceptable" option for large corporations, but independent, government-certified escrow authorities may still be necessary for other organizations.

The proposal clearly requires regulation of encrypted communications. According to the report, a strong key management infrastructure "can be based on a voluntary system of commercial Certificate Authorities (CAs) *operating within prescribed policy and performance guidelines.*" (Emphasis added) The CAs will be certified by a Policy Approving Authority (PAA) -- presumably the government -- which "sets rules and responsibilities for ensuring the integrity of the CAs" and "is also responsible for setting CA performance criteria to meet law enforcement needs."

The proposal concludes with a six-part action plan:

1. Collaborate with industry and standards groups to develop a Key Management Infrastructure

2. Develop a FIPS (Federal Information Processing Standard) for encryption protocol, key exchange and digital signature that would be "mandatory for government use"

3. Develop a Security Management Infrastructure for government use to develop a market for products that support the new FIPS

4. Select a government agency to work with industry to develop security requirements for network security and protecting highly sensitive information

5. Develop legislation for a key management infrastructure that would set policies for escrowed keys, certificate authorities, and address civil liability

6. Develop arrangements with other countries for key sharing

The proposal has been dubbed "Clipper III," a reference to earlier attempts by the Administration to promote key escrow encryption. In the first iteration, the government would have held the keys for all encoded communications. In the current version, the government establishes and certifies key escrow procedures. In several respects the proposal is also broader than the original Clipper plan. KMI, as conceived by the government, will be a worldwide standard for network communication.

The report is also noteworthy for the issues it does not address. Nothing is said about the reported problems and cost overruns with the government's current key escrow program, the Defense Message System. No attention is given to the increased vulnerability of network communication that will result from KMI, or to the threat to privacy and security. No mention is made of the relative ease with which determined attackers will defeat the plan.

EPIC urges members of the net community to contact the Interagency Working Group on Cryptography Policy, Room 10236, New Executive Office Building, Washington, D.C. 20503, and urge the Working Group to drop this idea. Clipper and key-escrow just look worse as time passes.

The complete report is now available at the EPIC web site:

     http://www.epic.org/crypto/key_escrow/white_paper.html


[2] Senator Burns Criticizes New Clipper Proposal


As with the original Clipper Chip proposal in 1993, the new administration policy paper on encryption has drawn a quick reaction from Congress. Senator Conrad Burns (R-MT) sharply criticized the new White House key-escrow proposal, stating "It's three strikes and you're out at the old ball game and I would say the third version of the administration's Clipper Chip proposal is a swing and a miss."

Echoing a long-standing criticism of the key-escrow concept, Sen. Burns went on to say:

     We can only stick our heads in the sand for so long. It is
     important to point out that the criminals and trouble-makers
     who are apparently targets of this plan are unlikely to
     enroll in any key-escrow system. Law-abiding businesses and
     individuals would suffer at the hands of this misguided
     proposal.

Sen. Burns is the author of S. 1726, the "Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act," which would relax export controls on software and hardware with encryption capabilities and would prohibit mandatory key-escrow. Sen. Burns urged Congress to quickly enact the Pro-CODE legislation. Hearings on the legislation are tentatively scheduled for June.

A copy of the Burns press release is available at:

     http://www.epic.org/crypto/key_escrow/

More information on S. 1726 is available at:

     http://www.epic.org/crypto/export_controls/


[3] House Members Urge Clinton to Abandon Key-Escrow


And there's more congressional criticism of the Administration's encryption policies. In a letter to President Clinton dated May 15, a bi-partisan group of 27 House members said, "We are writing to ask you not to proceed with your Administration's key escrow encryption policy proposal and instead to immediately liberalize export controls on non-key escrow encryption programs and products."

The group, which represents a diverse cross-segment of the House, ranging from Rep. Barney Frank (D-MA) to Rep. Bob Barr (R-GA), wrote:

     We share the concerns of a wide range of businesses and
     privacy interests that a key escrow approach will not
     adequately address security concerns. The ability of
     companies and individuals to ensure that the information
     they send over communications and computer networks is
     secure is a prerequisite to exploiting the potential of the
     Global Information Infrastructure. For example, U.S. small
     businesses are beginning to harness the Internet to enter
     foreign markets. The Internet in effect lowers the barriers
     to entry for these companies. But they will not be able to
     rely on the Internet if their information is not secure.

The House members cited the findings of the Computer Systems Policy Project, which estimates that "unless the U.S. relaxes out-of-date export controls, the U.S. technology industry will lose $60 billion in revenues and 200,000 jobs by the year 2000."

A copy of the House members' letter is available at:

     http://www.epic.org/crypto/key_escrow/


[4] Federal Appeals Court to Review Crypto Export Controls


The courts, as well as Congress, are beginning to examine Executive branch policies on encryption. Privacy activist Phil Karn has filed an appeal with the U.S. Court of Appeals for the D.C. Circuit that challenges the constitutionality of export controls on cryptography.

In February 1994, Karn applied for a license to export cryptographer Bruce Schneier's book "Applied Cryptography." The State Department approved the license but, shortly thereafter, denied Karn's request for a license to export a disk set which contained text files of the same cryptographic algorithms that were printed in the book. Karn filed suit, claiming that the denial violated the Administrative Procedure Act and the First and Fifth Amendments to the Constitution. In March, the federal district court rejected his claims.

The recently filed appeal will trigger a rare appellate court examination of Administration encryption policy, including review of the lower court's determination that Karn's case presents a "political question for the two elected branches" to decide. The D.C. Circuit will also review Karn's First Amendment claim, which the lower court rejected on the ground that the restrictions were "content neutral" because the government is "not regulating the export because of the expressive content of the comments and or source code, but instead [is] regulating because of the belief that the combination of encryption source code on machine readable media will make it easier for foreign governments to encode their communications."

In an order dated May 17, the D.C. Circuit granted EPIC's motion for leave to file a "friend of the court" brief in support of Karn's claims.

More information on the case is available at:

     http://www.epic.org/crypto/export_controls/


[5] OECD Debates Crypto Policy


The Organization for Economic Cooperation and Development met in Washington, DC on May 8 to discuss the development of international guidelines for encryption policy. The meeting follows a February conference in Canberra, Australia where the OECD first explored encryption issues. The Paris-based organization had previously produced well-regarded policy guidelines for privacy (1981) and information security (1992).

However, the effort to develop encryption guidelines has been criticized by some member nations who believe that law enforcement concerns are being placed ahead of economic matters. Several OECD countries have also raised concerns about the legal and Constitutional implications of key escrow encryption, which is favored by the United States and the United Kingdom. Japan, for example, has a Constitutional prohibition against wiretapping. There is also the question of whether the actual needs of consumers and users of the Internet, and the privacy implications of the proposal, have received adequate consideration.

The OECD will meet again in June to discuss the policy further. It seems unlikely at this time that the member nations of the OECD will agree to an international encryption policy based on key escrow.

More information about OECD crypto policy may be found at:

     http://www.oecd.org/dsti/iccp/legal/top-page.html#3


[6] FBI Releases Digital Telephony Wiretap Report


The Federal Bureau of Investigation has finally released its long-overdue report on implementation of the controversial "digital telephony" wiretap statute. The report, which the FBI was legally required to release by November 30, 1995, was transmitted to Congress on April 11, 1996. EPIC had made several congressional inquiries concerning the FBI's failure to comply with the statutory reporting requirement.

The bottom line: the digital telephony program is broke, which may explain the Bureau's tardiness in issuing the report. When Congress enacted the Communications Assistance to Law Enforcement Act (CALEA) in late 1994, it authorized $500 million to reimburse telecommunications carriers for the cost of retro-fitting their networks to facilitate electronic surveillance. Since that time, EPIC has led an effort to block the actual appropriation of those funds. To date, Congress has declined to make the money available. As the FBI report notes,

     No funding was appropriated in Fiscal Year 1995 for CALEA;
     therefore, no payments were made to telecommunications
     carriers during the period October 1, 1994, through
     September 30, 1995 ... To date, no funding has been
     appropriated for Fiscal Year 1996 for payments to
     telecommunications carriers. ... Major switch
     manufacturers, upon whom telecommunications carriers must
     rely for most required technological solutions, have
     advised the FBI that timely development of interception
     features is technically feasible; however, the development
     and deployment of such features are directly dependent upon
     the availability of funding if the statutory deadlines are
     to be met.

The wiretap budget battle will continue. The FBI is still trying to gain approval of $100 million for FY 1996, "to be generated through a surcharge on civil fines and penalties." The report also notes that "the President's Fiscal Year 1997 budget request proposes $100 million in funding for telephone carrier compliance through a direct appropriation."

More information on digital telephony and wiretapping is available at:

     http://www.epic.org/privacy/wiretap/


[7] New Privacy Resources at EPIC.org and on the Net


A full set of trial transcripts from the CDA trial are now available at:

     http://www.epic.org/free_speech/censorship/lawsuit/

Human Rights Watch has released a paper titled "Silencing the Net: The Threat to Freedom of Expression On-line" on restrictions on free speech and privacy online.

     http://www.epic.org/free_speech/hrw_report_5_96.html

The Data Protection Commissioner of the Isle of Man -- information on Manx privacy law and guidelines.

     http://www.odpr.org


[8] Upcoming Conferences and Events


InfoWarCon (Europe) '96, Defining the European Perspective. May 23-24, 1996. Brussels, Belgium. Sponsored by the National Computer Security Association. Contact: euroinfowar@ncsa.com.

Consumer Privacy on the Global Information Infrastructure. June 4-5, 1996. Washington, DC. The Federal Trade Commission's Bureau of Consumer Protection. Contact Martha Landesberg (202) 326-2825 or mlandesberg@ftc.gov.

Practicing Law Institute's 16th Annual Institute on Computer Law: Understanding the Business and Legal Aspects of the Internet. June 17-18, 1996. San Francisco. Contact: info@pli.edu or call 800/477 0300.

Personal Information - Security, Engineering and Ethics. 21-22 June, 1996. Isaac Newton Institute, Cambridge. Sponsored by Cambridge University and British Medical Association. Paper submission due 10 May 1996. Contact: Ross Anderson (rja14@newton.cam.ac.uk).

Australasian Conference on Information Security and Privacy. June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (jennie@cs.uow.edu.au).

The Internet: Transforming our Society Now. 25-28 June 1996. Montreal Convention Center, Montreal (Quebec), Canada. The Internet Society. http://info.isoc.org:80/conferences/inet96/. Email: tdeliduka@conference.com

Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St. John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181 423 1300 (tel), +44 181 423 4536 (fax).

DEF CON IV. July 26-28. Las Vegas, NV. Annual Hacker Convention. Contact: dtangent@defcon.org or http://www.defcon.org/.

Surveillance Expo 96. August 19-21. McLean, Virginia. Sponsored by Ross Associates. Contact: Marilyn Roseberry 703-450-2200.

Fifth International Information Warfare Conference, "Dominating the Battlefields of Business and War". September 5-6, 1996. Washington, DC. Sponsored by Interpact, NCSA, OSS. Contact: infowar96@ncsa.com

Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 16, 1996. Ottawa, Canada. Contact: http://www.privacy.org/pi/conference/ottawa/ or email pi@privacy.org.

18th International Conference of Data Protection and Privacy Commissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by the Privacy Commissioner of Canada.

(Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes). Back issues are available via http://www.epic.org/alert/

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy, and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.