Interesting People mailing list archives

Testimony of Jerry Berman before Committee on Science, Space and Technology


From: David Farber <farber () central cis upenn edu>
Date: Tue, 3 May 1994 19:05:14 -0400

Testimony of
Jerry J. Berman, Executive Director
Electronic Frontier Foundation

before the
Committee on Science, Space and Technology
Subcommittee on Technology, Environment and Aviation
U.S. House of Representatives

Hearing on
Communications and Computer Surveillance, Privacy and Security

May 3, 1994

Mr. Chairman and Members of the Committee:
        I want to thank you for the opportunity to testify today on
communications and computer surveillance, privacy, and security policy.
The Electronic Frontier Foundation (EFF) is a public interest membership
organization dedicated to achieving the democratic potential of new
communications and computer technology and works to protect civil liberties
in new digital environments.  EFF also coordinates the Digital Privacy and
Security Working Group (DPSWG), a coalition of more than 50 computer,
communications, and public interest organizations and associations working
on communications privacy issues.  The Working Group has strongly opposed
the Administration's clipper chip and digital telephony proposals.
        EFF is especially pleased that this subcommittee has taken an
interest in these issues.  It is our belief that Administration policy
developed in this area threatens individual privacy rights, will thwart the
development of the information infrastructure, and does not even meet the
stated needs of law enforcement and national security agencies.  A fresh
and comprehensive look at these issues is needed.


I.      Background on digital privacy and security policy
        From the beginning of the 1992 Presidential campaign, President
Clinton and Vice President Gore committed themselves to support the
development of the National Information Infrastructure.  They recognize
that the "development of the NII can unleash an information revolution that
will change forever the way people live, work, and interact with each
other."  They also know that the information infrastructure can only
realize its potential if users feel confident about security measures
available.
        If allowed to reach its potential, this information infrastructure
will carry vital personal information, such as health care records, private
communications among friends and families, and personal financial
transactions.  The business community will transmit valuable information
such as plans for new products, proprietary financial data, and other
strategic communications.  If communications in the new infrastructure are
vulnerable, all of our lives and businesses would be subject to both
damaging and costly invasion.
        In launching its Information Infrastructure Task Force (IITF) the
Clinton Administration recognized this when it declared that:


The trustworthiness and security of communications channels and networks
are essential to the success of the NII....  Electronic information systems
can create new vulnerabilities.  For example, electronic files can be
broken into and copied from remote locations, and cellular phone
conversations can be monitored easily.  Yet these same systems, if properly
designed, can offer greater security than less advanced communications
channels.  [Agenda for Action, 9]


Cryptography -- technology which allows encoding and decoding of messages
-- is an absolutely essential part of the solution to information security
and privacy needs in the Information Age.  Without strong cryptography, no
one will have the confidence to use networks to conduct business, to engage
in commercial transactions electronically, or to transmit sensitive
personal information.  As the Administration foresees, we need


network standards and transmission codes that facilitate interconnection
and interoperation between networks, and ensure the privacy of persons and
the security of information carried.... [Agenda for Action, 6]


While articulating these security and privacy needs, the Administration has
also emphasized that the availability of strong encryption poses
challenges to law enforcement and national security efforts.  Though the
vast majority of those who benefit from encryption will be law abiding
citizens, some criminals will find ways to hide behind new technologies.


II.     Current cryptography policy fails to meet the needs of the growing
information infrastructure
        As a solution to the conflict between the need for user privacy and
the desire to ensure law enforcement access, the Administration has
proposed that individuals and organizations who use encryption deposit a
copy of their private key -- the means to decode any communications they
send -- with the federal government.
         In our view, this is not a balanced solution but one that
undermines the need for security and privacy without resolving important
law enforcement concerns.  It is up to the Congress to send the
Administration back to the drawing board.


A.      Current Export Controls and New Clipper Proposal Stifle Innovation
        Two factors are currently keeping strong encryption out of the
reach of United States citizens and corporations.  First, general
uncertainty about what forms of cryptography will and will not be legal to
produce in the future.  Second, export controls make it economically
impossible for US manufacturers that build products for the global
marketplace to incorporate strong encryption for either the domestic or
foreign markets.  Despite this negative impact on the US market, export
controls are decreasingly successful at limiting the foreign availability
of strong encryption.  A recent survey shows that of the more than 260
foreign encryption products now available globally, over 80 offer
encryption which is stronger than what US companies are allowed to export.
Export controls do constrain the US market, but the international market
appears to be meeting its security needs without help from US industry.
The introduction of Clipper fails to address the general uncertainty in the
cryptography market.  Announcement of a key escrow policy alone is not
sufficient to get the stalled US cryptography market back on track.


B.      The secrecy of the Clipper/Skipjack algorithm reduces public trust
and casts doubt on the voluntariness of the whole system
        Many parties have already questioned the need for a secret
algorithm, especially given the existence of robust, public-domain
encryption techniques.  The most common explanation given for use of a
secret algorithm is the need to prevent users from bypassing the key escrow
system proposed along with the Clipper Chip.  Clipper has always been
presented by the Administration as a voluntary option.  But if the system
is truly voluntary, why go to such lengths to ensure compliance with the
escrow procedure?


C.      Current plans for escrow system offer inadequate technical security
and insufficient legal protections for users
        The implementation of a nationwide key escrow system is clearly a
complex task.  But preliminary plans available already indicate several
areas of serious concern:


1.      No legal rights for escrow users:  As currently written, the escrow
procedures insulate the government escrow agents from any legal liability
for unauthorized or negligent release of an individual's key.  This is
contrary to the very notion of an escrow system, which ordinarily would
provide a legal remedy for the depositor whose deposit is released without
authorization.  If anything, escrow agents should be subject to strict
liability for unauthorized disclosure of keys.


2.      No stability in escrow rules:  The Administration has specifically
declared that it will not seek to have the escrow procedures incorporated
into legislation or official regulations.  Without formalization of rules,
users have no guaranty that subsequent administrations will follow the same
rules or offer the users the same degree of protection.  This will greatly
reduce the trust in the system.


3.      Fixed Key:  A cardinal rule of computer security is that encryption
keys must be changed often.  Since the Clipper keys are locked permanently
into the chips, the keys can never be changed.  This is a major technical
weakness of the current proposal.


4.      Less intrusive, more secure escrow alternatives are available: The
Clipper proposal represents only one of many possible kinds of key escrow
systems.  More security could be provided by having more than two escrow
agents.  And, in order to increase public trust, some or all of these
agents could be non-governmental agencies, with the traditional fiduciary
duties of an escrow agent.


D.      Escrow Systems Threaten Fundamental Constitutional Values
        The Administration, Congress, and the public ought to have the
opportunity to consider the implications of limitations on cryptography
from a constitutional perspective.  A delicate balance between
constitutional privacy rights and the needs of law enforcement has been
crafted over the history of this country.  We must act carefully as we face
the constitutional challenges posed by new communication technologies.
        Unraveling the current encryption policy tangle must begin with one
threshold question: will there come a day when the federal government
controls the domestic use of encryption through mandated key escrow schemes
or outright prohibitions against the use of particular encryption
technologies?  Is Clipper the first step in this direction?  A mandatory
encryption regime raises profound constitutional questions.
        In the era where people work for "virtual corporations" and conduct
personal and political lives in "cyberspace," the distinction between
communication of information and storage of information is increasingly
vague.  The organization in which one works may constitute a single virtual
space, but be physically dispersed.  So, the papers and files of the
organization or individual may be moved within the organization by means of
telecommunications technology.  Instantaneous access to encryption keys,
without prior notice to the communicating parties, may well constitute a
secret search, if the target is a virtual corporation or an individual
whose "papers" are physically dispersed.
        Wiretapping and other electronic surveillance has always been
recognized as an exception to the fundamental Fourth Amendment prohibition
against secret searches.  Even with a valid search warrant, law enforcement
agents must "knock and announce" their intent to search a premises before
proceeding.  Failure to do so violates the Fourth Amendment.  Until now,
the law of search and seizure has made a sharp distinction between, on the
one hand, seizures of papers and other items in a person's physical
possession, and on the other hand, wiretapping of communications.  Seizure
of papers or personal effects must be conducted with the owner's knowledge,
upon presentation of a search warrant.  Only in the exceptional case of
wiretapping, may a person's privacy be invaded by law enforcement without
simultaneously informing that person.
        Proposals to regulate the use of cryptography for the sake of law
enforcement efficiency should be viewed carefully in the centuries old
tradition of privacy protection.


E.      Voluntary escrow system will not meet law enforcement needs
        Finally, despite all of the troubling aspects of the Clipper
proposal, it is by no means clear that it will even solve the problems that
law enforcement has identified.  The major stated rationale for government
intervention in the domestic encryption arena is to ensure that law
enforcement has access to criminal communications, even if they are
encrypted.  Yet, a voluntary scheme seems inadequate to meet this goal.
Criminals who seek to avoid interception and decryption of their
communications would simply use another system, free from escrow
provisions.  Unless a government-proposed encryption scheme is mandatory,
it would fail to achieve its primary law enforcement purpose.  In a
voluntary regime, only the law-abiding would use the escrow system.


III.    Recent policy developments indicate that Administration policy is
bad for the NII, contrary to the Computer Security Act, and requires
Congressional oversight
        Along with the Clipper Chip proposal, the Administration announced
a comprehensive review of cryptography and privacy policy.  Almost
immediately after the Clipper announcement, the Digital Privacy and
Security Working Group began discussions with the Administration on issues
raised by the Clipper proposal and by cryptography in general.
Unfortunately, this dialogue has been largely one-sided.  EFF and many
other groups have provided extensive input to the Administration, yet the
Administration has not reciprocated -- the promised policy report has not
been forthcoming.  Moreover, the National Security Agency and the Federal
Bureau of Investigation are proceeding unilaterally to implement their own
goals in this critical policy area.
        Allowing these agencies to proceed unilaterally would be a grave
mistake. As this subcommittee is well aware, the Computer Security Act of
1987 clearly established that neither military nor law enforcement agencies
are the proper protectors of personal privacy.  When considering the law,
Congress asked, "whether it is proper for a super-secret agency [the NSA]
that operates without public scrutiny to involve itself in domestic
activities...?"  The answer was a clear "no."  Recent Administration
announcements regarding the Clipper Chip suggest that the principle
established in the 1987 Act has been circumvented.
        As important as the principle of civilian control was in 1987, it
is even more critical today.  The more individuals around the country come
to depend on secure communications to protect their privacy, the more
important it is to conduct privacy and security policy dialogues in public,
civilian forums.
        The NII can grow into the kind of critical, national resource which
this Administration seeks to promote only if major changes are made in
current cryptography and privacy policy.  In the absence of such changes, digital
technology will continue to rapidly render our commercial activities and
communications -- and, indeed, much of our personal lives -- open to
scrutiny by strangers.  The Electronic Frontier Foundation believes that
Americans must be allowed access to the cryptographic tools necessary to
protect their own privacy.
        We had hoped that the Administration was committed to making these
changes, but several recent developments lead us to fear that the effort
has been abandoned, leaving individual agencies to pursue their own policy
agendas instead of being guided by a comprehensive policy.  The following
issues concern us:


*       Delayed Cryptography Policy Report:  The policy analysis called for
along with the April 16, 1993 Presidential Decision Directive has not been
released, though it was promised to have been completed by early fall of
1993.  We had hoped that this report would be the basis for public dialogue
on the important privacy, competitiveness, and law enforcement issues
raised by cryptography policy.  To date, none of the Administration's
policy rationale has been revealed to the public, despite the fact that
agencies in the Executive Branch are proceeding with their own plan


*       Escrowed Encryption Federal Information Processing Standard (FIPS)
approved against overwhelming weight of public comments:  The Presidential
Decision Directive also called for consideration of a Federal Information
Processing Standard (FIPS) for key-escrow encryption systems.  This process
was to have been one of several forums whereby those concerned about the
proposed key-escrow system could voice opinions.  EFF, as well as over 225
of our individual members, raised a number of serious concerns about the
draft FIPS in September of 1993.  EFF expressed its opposition to
government implementation of key-escrow systems as proposed.  We continue
to oppose the deployment of Skipjack family escrow encryption systems both
because they violate fundamental First, Fourth, and Fifth amendment
principles, and because they fail to offer users adequate security and
flexibility.  Despite overwhelming opposition from over 300 commenters, the
Department of Commerce recently approved FIPS 185.


*       Large-Scale Skipjack Deployment Announced:  At the December 9, 1993
meeting of the Computer Systems Security and Privacy Advisory Board, an NSA
official announced plans to deploy from 10,000 to 70,000 Skipjack devices
in the Defense Messaging System in the near future.  The exact size of the
order was said to be dependent only on budget constraints.  The
Administration is on record in the national press promising that no
large-scale Skipjack deployment would occur until a final report of the
Administration Task Force was complete.  Ten thousand units was set as the
upper limit of initial deployment.  Skipjack deployment at the level
planned in the Defense Messaging System circumvents both the FIPS notice
and comments process which has been left in a state of limbo, as well as
the Administration's promise of a comprehensive policy framework.


*       New FBI Digital Telephony Legislation Proposed:  The FBI recently
proposed a new "Digital Telephony" bill.  After initial analysis, we
strongly oppose the bill, which would require all common carriers to
construct their networks to deliver to law enforcement agencies, in real
time, both the contents of all communications on their networks and the
"signaling" or transactional information.


        In short, the bill lays the groundwork for turning the National
Information Infrastructure into a nation-wide surveillance system, to be
used by law enforcement with few technical or legal safeguards.  This image
is not hyperbole, but a real assessment of the power of the technology and
inadequacy of current legal and technical privacy protections for users of
communications networks.


        Although the FBI suggests that the bill is primarily designed to
maintain status quo wiretap capability in the face of technological
changes, in fact, it seeks vast new surveillance and monitoring tools.


        Lengthy delays on the promised policy report, along with these
unilateral steps toward Clipper/Skipjack deployment, lead us to believe
that Administration policy is stalled by the Cold War-era national security
concerns that have characterized cryptography policy for the last several
decades.
        EFF believes that it would be a disastrous error to allow national
information policy -- now a critical component of domestic policy -- to be
dictated solely by backward-looking national-security priorities and
unsubstantiated law-enforcement claims.  The directions set by this
Administration will have a major impact on privacy, information security,
and the fundamental relationship between the government and individual
autonomy.  This is why the Administration must take action--and do so
before the aforementioned agencies proceed further--to ensure that
cryptography policy is restructured to serve the interests of privacy and
security in the National Information Infrastructure. We still believe the
Administration can play the leadership role it was meant to play in shaping
this policy. If it does not, the potential of the NII, and of fundamental
civil liberties in the information age, will be threatened.


IV.     Congressional oversight of cryptography & privacy policy is
urgently needed to right the balance between privacy, competitiveness & law
enforcement needs


        All participants in this debate recognize that the need for privacy
and security is real, and that new technologies pose real challenges for
law enforcement and national security operations.  However, the solutions
now on the table cripple the NII, pose grave threats to privacy, and fail
to even meet law enforcement objectives.  In our judgment, the
Administration has failed, thus far, to articulate a comprehensive set of
policies which will advance the goals upon which we all agree.
        Congress must act now to ensure that cryptography policy is
developed in the context of the broader goal of promoting the development
of an advanced, interoperable, secure, information infrastructure.
        In order to meet the privacy and security needs of the growing
infrastructure, Congress should seek a set of public policies which promote
the widespread availability of cryptographic systems according to the
following criteria:


*       Use Voluntary Standards to Promote Innovation and Meet Diverse
Needs: The National Information Infrastructure stretches to encompass
devices as diverse as super computers, handheld personal digital assistants
and other wireless communications devices, and plain old telephones.
Communication will be carried over copper wires, fiber optic cables, and
satellite links.  The users of the infrastructure will range from
elementary school children to federal agencies.  Encryption standards must
be allowed to develop flexibly to meet the wide-ranging needs of all
components of the NII.  In its IITF Report, the Administration finds that


standards also must be compatible with the large installed base of
communications technologies, and flexible and adaptable enough to meet user
needs at affordable costs. [AA, 9]


The diverse uses of the NII require that any standard which the government
seeks to promote as a broadly deployed solution should be implementable in
software as well as hardware and based on widely available algorithms.


*       Develop Trusted Algorithms and End-to-End Security:  Assuring
current and future users of the NII that their communications are secure
and their privacy is protected is a critical task.  This means that the
underlying algorithms adopted must have a high level of public trust and
the overall systems put in place must be secure.


*       Encourage National and International Interoperability:  The promise
of the NII is seamless national and international communications of all
types.  Any cryptographic standard offered for widespread use must allow US
corporations and individuals to function as part of the global economy and
global communications infrastructure.


*       Seek Reasonable Cooperation with Law Enforcement and National
Security Needs:  New technologies pose new challenges to law enforcement
and national security surveillance activities.  American industry is
committed to working with law enforcement to help meet its legitimate
surveillance needs, but the development of the NII should not be stalled on
this account.


*       Promote Constitutional Rights of Privacy and Adhere to Traditional
Fourth Amendment Search and Seizure Rules:  New technology can either be a
threat or an aid to protection of fundamental privacy rights.  Government
policy should promote technologies which enable individuals to protect
their privacy and be sure that those technologies are governed by laws
which respect the long history of constitutional search and seizure
restraints.


*       Maintain Civilian Control over Public Computer and Communications
Security:  In accordance with the Computer Security Act of 1987,
development of security and privacy standards should be directed by the
civilian


V.      Conclusion
        Among the most important roles that the federal government has in
NII deployment are setting standards and guaranteeing privacy and security.
Without adequate security and privacy, the NII will never realize its
economic or social potential.  Cryptography policy must, of course, take
into account the needs of law enforcement and national security agencies,
but cannot be driven by these concerns alone.  The Working Group, along
with other industry and public interest organizations, is committed to
working with the Administration to solve the privacy and security
questions raised by the growing NII.  This must be done based on the
principles of voluntary standards, promotion of innovation, concern for law
enforcement needs, and protection of constitutional rights of privacy.
*       *       *       *       *

