Interesting People mailing list archives

Re: Campaign and Petition Against Clipper from Dorothy Denning [I may have sent this before, excuse


From: David Farber <farber () central cis upenn edu>
Date: Tue, 22 Feb 1994 23:26:21 -0500

Date:    Wed, 09 Feb 1994 17:23:28 -0500 (EST)
From:    denning () cs georgetown edu (Dorothy Denning)
Subject: Re: Campaign and Petition Against Clipper


CPSR has announced a petition campaign to oppose the Clipper
initiative. I would like to caution people about signing the petition.
The issues are extremely complex and difficult. The Clipper initiative
is the result of considerable deliberation by many intelligent people
who appreciate and understand the concerns that have been expressed and
who worked hard to accommodate the conflicting interests.  The
decisions that have been made were not made lightly.


I would like to respond to some of the statements that CPSR has made
about Clipper in their campaign and petition letters:


     The Clipper proposal, developed in secret by the National Security
     Agency, is a technical standard that will make it easier for
     government agents to wiretap the emerging data highway.


The standard (FIPS 185) is not a standard for the Internet or any other
high speed computer network.  It is for the telephone system.  Quoting
from FIPS 185:  "Data for purposes of this standard includes voice,
facsimile and computer information communicated in a telephone system.
A telephone system for purposes of this standard is limited to a system
which is circuit switched and operating at data rates of standard
commercial modems over analog voice circuits or which uses basic-rate
ISDN or a similar grade wireless service."


The standard will not make it any easier to tap phones, let alone
computer networks.  All it will do is make it technically possible to
decrypt communications that are encrypted with the standard, assuming
the communications are not superencrypted with something else.  Law
enforcers still need to get a court order just to intercept the
communications in the first place, and advances in technology have made
interception itself more difficult.  The standard will make it much
harder for anyone to conduct illegal taps, including the government.


The purpose of the standard is to provide a very strong encryption
algorithm - something much stronger than DES - and to do so in a way
that does not thwart law enforcement and national security objectives.
Keys are escrowed so that if someone uses this technology, they cannot
use it against national interests.


     Industry groups, professional associations and civil liberties
     organizations have expressed almost unanimous opposition to the
     plan since it was first proposed in April 1993.


     "The public does not like Clipper and will not accept it ..."


     The private sector and the public have expressed nearly unanimous
     opposition to Clipper.


As near as I know, neither CPSR nor any other group has conducted any
systematic poll of industry, professional societies, or the public.
While many people have voiced opposition, there are many more
organizations and people who have been silent on this issue.  The ACM
is in the process of conducting a study on encryption.  CPSR is a
member of the study group, as am I.  Steve Kent is chair.  Our goal is
a report that will articulate the issues, not a public statement either
for or against.  The International Association for Cryptologic Research
has not to my knowledge made any official statement about Clipper.


     The Administration ignored the overwhelming opposition of the
     general public. When the Commerce Department solicited public
     comments on the proposal last fall, hundreds of people opposed the
     plan while only a few expressed support.


Hundreds of people is hardly overwhelming in a population of 250
million, especially when most of the letters were the same and came in
through the net following a sample letter that was sent out.


     The technical standard is subject to misuse and compromise. It
     would provide government agents with copies of the keys that
     protect electronic communications. "It is a nightmare for computer
     security."


I have been one of the reviewers of the standard.  We have completed
our review of the encryption algorithm, SKIPJACK, and concluded it was
very strong.  While we have not completed our review of the key escrow
system, from what I have seen so far, I anticipate that it will provide
an extremely high level of security for the escrowed keys.


     The underlying technology was developed in secret by the NSA, an
     intelligence agency responsible for electronic eavesdropping, not
     privacy protection. Congressional investigations in the 1970s
     disclosed widespread NSA abuses, including the illegal
     interception of millions of cables sent by American citizens.


NSA is also responsible for the development of cryptographic codes to
protect the nation's most sensitive classified information.  They have
an excellent track record in conducting this mission.  I do not believe
that our requirements for protecting private information are greater
than those for protecting classified information.  I do not know the
facts of the 1970s incident that is referred to here, but it sounds
like it occurred before passage of the 1978 Foreign Intelligence
Surveillance Act.  This act requires intelligence agencies to get a
court order in order to intercept communications of American citizens.
I am not aware of any recent evidence that the NSA is engaging
in illegal intercepts of Americans.


     Computer security experts question the integrity of the
     technology.  Clipper was developed in secret and its
     specifications are classified.


The 5 of us who reviewed the algorithm unanimously agreed that it was
very strong.  We will publish a final report when we complete our full
evaluation.  Nothing can be concluded from a statement questioning the
technology by someone who has not seen it regardless of whether that
person is an expert in security.


     NSA overstepped its legal authority in developing the standard.  A
     1987 law explicitly limits the intelligence agency's power to set
     standards for the nation's communications network.


The 1987 Computer Security Act states that NIST "shall draw on the
technical advice and assistance (including work products) of the
National Security Agency."


     There is no evidence to support law enforcement's claims that new
     technologies are hampering criminal investigations. CPSR recently
     forced the release of FBI documents that show no such problems.


CPSR obtained some documents from a few FBI field offices.  Those
offices reported no problems.  CPSR did not get reports from all field
offices and did not get reports from local law enforcement agencies.  I
can tell you that it is a fact that new communications technologies,
including encryption, have hampered criminal investigations.  I
personally commend law enforcement for trying to get out in front of
this problem.


     If the plan goes forward, commercial firms that hope to develop
     new products will face extensive government obstacles.
     Cryptographers who wish to develop new privacy enhancing
     technologies will be discouraged.


The standard is voluntary -- even for the government.


     Mr. Rotenberg said "We want the public to understand the full
     implications of this plan.  Today it is only a few experts and
     industry groups that understand the proposal.


I support this objective.  Unfortunately, it is not possible for most
of us to be fully informed of the national security implications of
uncontrolled encryption.  For very legitimate reasons, these cannot be
fully discussed and debated in a public forum.  It is even difficult to
talk about the full implications of encryption on law enforcement.
This is why it is important that the President and Vice-President be
fully informed on all the issues, and for the decisions to be made at
that level.  The Feb. 4 decision was made following an inter-agency
policy review, headed by the National Security Council, that examined
these issues using considerable input from industry, CPSR, EFF, and
individuals as well as from law enforcement and intelligence agencies.
In the absence of understanding the national security issues, I believe
we need to exercise some caution in believing that we can understand
the full implications of encryption on society.


As part of the Feb. 4 announcement, the Administration announced
the establishment of an Interagency Working Group on Encryption
and Telecommunications, chaired by the White House Office of
Science and Technology Policy and National Security Council, with
representatives from Commerce, Justice, State, Treasury, FBI,
NSA, OMB, and the National Economic Council.  The group is to
work with industry and public interest groups to develop new
encryption technologies and to review and refine encryption policy.
The NRC's Computer Science and Telecommunications Board will also
be conducting a study of encryption policy.


These comments may be distributed.


Dorothy Denning
Georgetown University

