============================================================= @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================ Volume 1.04 (special edition) July 21, 1994 ------------------------------------------------------------ Published by the Electronic Privacy Information Center (EPIC) Washington, DC (Alert@epic.org) ======================================================================= Table of Contents ======================================================================= SPECIAL EDITION -- "SON OF CLIPPER" [1] Administration "Reversal" on Clipper [2] EPIC Statement [3] Letter from Gore to Cantwell [4] What You Can Do (Email the VP) [5] Upcoming Conferences and Events ======================================================================= [1] Administration "Reversal" on Clipper ======================================================================= A letter from Vice President Al Gore to Representative Maria Cantwell (D-WA) sent this week during Congressional debate on the Export Administration Act has raised important questions about the current state of the Clipper proposal. Some have hailed the statement as a major reversal. Others say the letter seals a bad deal. Below we have included the letter from the Vice President, a statement from EPIC, and recommendations for further action. ======================================================================= [2] EPIC Statement on Gore Letter to Cantwell ======================================================================= News reports that the Clinton Administration has reversed itself on encryption policy are not supported by the letter from Vice President Gore to Maria Cantwell regarding export control policy. In fact, the letter reiterates the White House's commitment to the NSA's key escrow proposal and calls on the private sector to develop products that will facilitate electronic surveillance. The letter from the Vice President calls on the government and the industry to develop jointly systems for key escrow cryptography. Key escrow is the central feature of the Clipper chip and the NSA's recommended method for electronic surveillance of digital communications. The letter also reaffirms the Administration's support for Clipper Chip as the federal standard for voice networks. There is no indication that the White House will withdraw this proposal. Statements that Clipper is "dead" are absurd. The letter offers no changes in export control policy. It recommends instead that the status quo be maintained and that more studies be conducted. (The White House already completed such a study earlier this year. The results were never disclosed to the public, despite EPIC's request for release of the findings under the Freedom of Information Act.) This is a significant setback for groups expecting that export control laws would be revised this year. The White House expresses a willingness to allow unclassified algorithms and to hold key escrow agents liable for misuse. These are the only provisions of the Gore letter favorable to the user community. But neither provision would even be necessary if the White House did not attempt to regulate cryptography in the first place. The Administration's willingness to accept private sector alternatives to Clipper for data networks essentially ratifies an agreement to develop "wiretap ready" technologies for data networks. We believe the letter from the Vice President is essentially a blueprint for electronic surveillance of digital networks. The government will set out the requirements for surveillance systems such as key escrow, and the industry will build complying systems. The plan dovetails neatly with the FBI's Digital Telephony proposal, which will establish legal penalties for companies and users that design systems that cannot be wiretapped. We do not believe this is in the interests of users of the information highway. Key escrow necessarily weakens the security and privacy of electronic communications. It makes networks vulnerable to tampering and confidential messages subject to compromise. It is the approach urged by organizations that specialize in electronic eavesdropping. No group of Internet users has ever called for key escrow encryption. If this proposal goes forward, electronic surveillance will almost certainly increase, network security will be weakened, and people who design strong cryptography without key escrow could become criminals. This is not a victory for freedom or privacy. We support unclassified standards and relaxation of export controls. We cannot support the premise that the government and industry should design key escrow systems. We also do not believe that Clipper is an appropriate standard for federal voice communications. We are asking the Vice President to reconsider his position and urging network users to make known their concerns about the proposal. Electronic Privacy Information Center Washington, DC July 21, 1994 ======================================================================= [3] Letter from Gore to Cantwell ======================================================================= THE VICE PRESIDENT WASHINGTON July 20, 1994 The Honorable Maria Cantwell House of Representatives Washington, DC 20515 "Dear Maria, "I write today to express my sincere appreciation of your efforts to move the national debate forward on the issue of information security and export controls. I share your strong conviction for the need to develop a comprehensive policy regarding encryption, incorporating an export policy that does not disadvantage American software companies in world markets while preserving our law enforcement and national security goals. "As you know, the Administration disagrees with you on the extent to which existing controls are harming U.S. industry in the short run and the extent to which their immediate relaxation would affect national security. For that reason we have supported a five-month Presidential study. In conducting this study, I want to assure you that the Administration will use the best available resources of the federal government. This will include the active participation of the National Economic Council and the Department of Commerce. In addition, consistent with the Senate-passed language, the first study will be completed within 150 days of passage of the Export Administration Act reauthorization bill, with the second study to be completed within one year after the completion of the first. I want to personally assure you that we will reassess our existing export controls based on the results of these studies. Moreover, all programs with encryption that can be exported today will continue to be exportable. "On the other hand, we agree that we need to take action this year to ensure that over time American companies are able to include information security features in their program in order to maintain their international competitiveness. We can achieve this by entering into a new phase of cooperation among government, industry representatives and privacy advocates with a goal of trying to develop a key escrow encryption system that will provide strong encryption, be acceptable to computer users worldwide, and address our national security needs as well. "Key escrow encryption offers a very effective way to accomplish our mutual goals. That is why the Administration adopted the key escrow encryption standard in the "Clipper Chip" to provide very secure encryption for telephone communications while preserving the ability for law enforcement and national security. But the Clipper Chip is an approved federal standard for telephone communication and not for computer networks and video networks. For that reason, we are working with industry to investigate other technologies for these applications. "The administration understands the concerns that industry has regarding the Clipper Chip. We welcome the opportunity to work with industry to design a more versatile, less expensive system Such a key escrow scheme would be implementable in software, firmware or hardware, or any combination thereof, would not rely on a classified algorithm, would be voluntary, and would be exportable. While there are many severe challenges to developing such a system, we are committed to a diligent effort with industry and academics to achieve such a system. We welcome your offer to assist us in furthering this effort. "We also want to assure users of key escrow encryption products that they will not be subject to unauthorized electronic surveillance. As we have done with the Clipper Chip, future key escrow schemes must contain safeguards to provide for key disclosure only under legal authorization and should have audit procedures to ensure the integrity of the system. Escrow holders should be strictly liable for releasing keys without legal authorization. "We also recognize that a new key escrow encryption system must permit the use of private-sector key escrow agents as one option. It is also possible that as key escrow encryption technology spreads, companies may establish layered escrowing services for their own products. Having a number of escrow agents would give individuals and businesses more choice and flexibility in meeting their needs for secure communications. "I assure you the President and I are acutely aware of the need to balance economic and privacy needs with law enforcement and national security. This is not an easy task, I think that our approach offers the best opportunity to strike an appropriate balance. I am looking forward to working with you and others who share our interest in developing a comprehensive national policy on encryption. I am convinced that our cooperative endeavors will open new creative solutions to this critical problems." Sincerely /s/ Al Gore ======================================================================= [4] What You Can Do (Email the VP) ======================================================================= The Clipper debate has reached a critical juncture. The White House and industry are about to seal a deal to make key escrow the standard for encrypted communications. If you believe that individuals should have the right to make full use of new technologies to protect privacy, now is the time for your voice to be heard (and your email to be sent). EMAIL the Vice President at vice.president@whitehouse.gov - Thank him for the Administration's willingness to reconsider its views on Clipper - Express support for the decision to support unclassified algorithms and liability for key escrow agents - But urge him not to require key escrow as a standard for encryption products - Emphasize that key escrow is the soul of Clipper, the method for conducting electronic surveillance of digital communications - Call for extensive testing and studies before any key escrow system is deployed You should also: - Urge him to withdraw Clipper as a standard for voice communications - Urge him to support relaxation of export controls - Ask for the public release of the earlier White House study on cryptography - Ask for the public release of White House documents reviewing the weaknesses of the key escrow proposal The Vice President has clearly shown a willingness to listen to the concerns of the user community on this issue. Your letter could make a difference. ======================================================================= [5] Upcoming Privacy Related Conferences and Events ======================================================================= DEF CON ][ ("underground" computer culture) "Load up your laptop Muffy, we're heading to Vegas!" The Sahara Hotel, Las Vegas, NV. July 22-24. Contact: dtangent@defcon.org. Hackers on Planet Earth: The First US Hacker Congress. Hotel Pennsylvania, New York City, NY. August 13-14. Sponsored by 2600 Magazine. Contact: 2600@well.sf.ca.us. Technologies of Surveillance; Technologies of Privacy. The Hague, The Netherlands. September 5. Sponsored by Privacy International and EPIC. Contact: Simon Davies (davies@privint.demon.co.uk). 16th International Conference on Data Protection. The Hague, Netherlands. September 6-8. Contact: B. Crouwers 31 70 3190190 (tel), 31-70-3940460 (fax). CPSR Annual Meeting. University of California, San Diego. October 8-9. Contact: Phil Agre Symposium: An Arts and Humanities Policy for the National Information Infrastructure. Boston, Mass. October 14-16. Sponsored by the Center for Art Research in Boston. Contact: Jay Jaroslav (jaroslav@artdata.win.net). Third Biannual Conference on Participatory Design, Chapel Hill, North Carolina. October 27-28. Sponsored by CPSR. Contact: trigg@parc.xerox.com. Ethics in the Computer Age Conference. Gatlinburg, Tennessee. November 11-13. Sponsored by ACM. Contact: jkizza@utcvm.utc.edu (Send calendar submissions to Alert@epic.org) ======================================================================= To subscribe to the EPIC Alert, send the message: SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information email info@epic.org, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org ------------------------ END EPIC Alert 1.04 ------------------------