=============================================================
                        E P I C   A L E R T
=============================================================
Volume 2.09                                   August 21, 1995
-------------------------------------------------------------
                        Published by the
           Electronic Privacy Information Center (EPIC)
                        Washington, DC
              info@epic.org     http://www.epic.org

                    *Special Edition: Crypto*

=======================================================================
Table of Contents
=======================================================================

[1] "New" Crypto Policy Announced: Clipper II?
[2] NIST Announcement on Key-Escrow Workshops
[3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption
[4] EPIC Crypto Web Pages Online
[5] Upcoming Conferences and Events

=======================================================================
[1] "New" Crypto Policy Announced: Clipper II?
=======================================================================

The Clinton Administration ended a year of silence on August 17 when it
issued a long-awaited statement on the Clipper Chip and key-escrow
encryption. Unfortunately, the "new" policy is merely a re-working of
the old one -- the Administration remains committed to key-escrow
techniques that ensure government agents access to encrypted
communications. The only changes are a willingness to consider the
export of 64-bit encryption (if "properly escrowed"), the possibility
of private sector escrow agents to serve as key-holders, and
consideration of software implementations of key-escrow technologies.

As EPIC Advisory Board member Whit Diffie observed in an op-ed piece in
the New York Times, the new approach won't work. "While other nations
may share our interest in reading encrypted messages for law
enforcement purposes, they are unlikely to embrace a system that leaves
them vulnerable to U.S. spying.
They will reject any system that gives decoding ability to agents in
the United States." Diffie further notes that "64-bit keys are not
expected to be adequate."

In a statement re-printed below, the National Institute of Standards
and Technology (NIST) announced two public workshops "to discuss key
escrow issues." More information concerning these meetings can be
obtained from Arlene Carlton at NIST, (301) 975-3240, fax: (301)
948-1784, e-mail: carlton@micf.nist.gov.

=======================================================================
[2] NIST Announcement on Key-Escrow Workshops
=======================================================================

EMBARGOED FOR RELEASE:                                      NIST 95-24
3 p.m. EDT, Thursday, Aug. 17, 1995      Contact: Anne Enright Shepherd
                                                  (301) 975-4858

COMMERCE'S NIST ANNOUNCES PROCESS FOR DIALOGUE ON KEY ESCROW ISSUES

Furthering the Administration's commitment to defining a workable key
escrow encryption strategy that would satisfy government and be
acceptable to business and private users of cryptography, the Commerce
Department's National Institute of Standards and Technology announced
today renewed dialogue on key escrow issues.

A Sept. 6-7 workshop will convene industry and government officials to
discuss key escrow issues, including proposed liberalization of export
control procedures for key escrow software products with key lengths
up to 64 bits, which would benefit software manufacturers interested in
building secure encryption products that can be used both domestically
and abroad.

Key escrow encryption is part of the Administration's initiative to
promote the use of strong techniques to protect the privacy of data and
voice transmissions by companies, government agencies and others
without compromising the government's ability to carry out lawful
wiretaps. In a July 1994 letter to former Rep.
Maria Cantwell, Vice President Gore said that the government would work
on developing exportable key escrow encryption systems that would allow
escrow agents outside the government, not rely on classified
algorithms, be implementable in hardware or software, and meet the
needs of industry as well as law enforcement and national security.

Since that time, discussions with industry have provided valuable
guidance to the Administration in the development of this policy. For
example, many companies are interested in using a corporate key escrow
system to ensure reliable back-up access to encrypted information, and
the renewed commitment should foster the development of such services.

Consideration of additional implementations of key escrow comes in
response to concerns expressed by software industry representatives
that the Administration's key escrow policies did not provide for a
software implementation of key escrow and in light of the needs of
federal agencies for commercial encryption products in hardware and
software to protect unclassified information on computer and data
networks.

Officials also announced a second workshop at which industry is invited
to help develop additional Federal Information Processing Standards for
key escrow encryption, specifically to include software
implementations. This standards activity would provide federal
government agencies with wider choices among approved key escrow
encryption products using either hardware or software. Federal
Information Processing Standards provide guidance to agencies of the
federal government in their procurement and use of computer systems
and equipment.

Industry representatives and others interested in joining this
standards-development effort are invited to a key escrow standards
exploratory workshop on Sept. 15 in Gaithersburg, Md.
This workshop is an outgrowth of last year's meetings in which
government and industry officials discussed possible technical
approaches to software key escrow encryption.

The Escrowed Encryption Standard, a Federal Information Processing
Standard for use by federal agencies and available for use by others,
specifies use of a Key Escrow chip (once referred to as "Clipper chip")
to provide strong encryption protection for sensitive but unclassified
voice, fax and modem communications over telephone lines. Currently,
this hardware-based standard is the only FIPS-approved key escrow
technique.

NIST officials anticipate proposing a revision to the Escrowed
Encryption Standard to allow it to cover electronic data transmitted
over computer networks. Under this revised federal standard, the
Capstone chip and other hardware-based key escrow techniques developed
for use in protecting such electronic data also will be approved for
use by federal agencies.

As a non-regulatory agency of the Commerce Department's Technology
Administration, NIST promotes U.S. economic growth by working with
industry to develop and apply technology, measurements and standards.

=======================================================================
[3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption
=======================================================================

On a related note ...

Declassified government documents recently obtained by EPIC show that
key federal agencies concluded more than two years ago that the
"Clipper Chip" key-escrow initiative will only succeed if alternative
security techniques are outlawed. The information is contained in
several hundred pages of material concerning Clipper and cryptography
EPIC obtained from the FBI under the Freedom of Information Act. The
conclusions contained in the documents appear to conflict with frequent
Administration claims that use of key-escrow technology will remain
"voluntary."
Critics of the government's initiative, including EPIC, have long
maintained that government-sanctioned key-escrow encryption techniques
would only serve their stated purpose if made mandatory. According to
the FBI documents, that view is shared by the Bureau, the National
Security Agency (NSA) and the Department of Justice (DOJ).

In a "briefing document" titled "Encryption: The Threat, Applications
and Potential Solutions," and sent to the National Security Council in
February 1993, the FBI, NSA and DOJ concluded that:

     Technical solutions, such as they are, will only work if they
     are incorporated into *all* encryption products. To ensure that
     this occurs, legislation mandating the use of Government-approved
     encryption products or adherence to Government encryption
     criteria is required.

Likewise, an undated FBI report titled "Impact of Emerging
Telecommunications Technologies on Law Enforcement" observes that
"[a]lthough the export of encryption products by the United States is
controlled, domestic use is not regulated." The report concludes that
"a national policy embodied in legislation is needed." Such a policy,
according to the FBI, must ensure "real-time decryption by law
enforcement" and "prohibit[] cryptography that cannot meet the
Government standard."

The FBI conclusions stand in stark contrast to public assurances that
the government does not intend to prohibit the use of non-escrowed
encryption. Testifying before a Senate Judiciary Subcommittee on May 3,
1994, Assistant Attorney General Jo Ann Harris asserted that:

     As the Administration has made clear on a number of occasions,
     the key-escrow encryption initiative is a voluntary one; we have
     absolutely no intention of mandating private use of a particular
     kind of cryptography, nor of criminalizing the private use of
     certain kinds of cryptography.
The newly-disclosed information suggests that the architects of the
key-escrow program -- NSA and the FBI -- have always recognized that
key-escrow must eventually be mandated. Coming to light on the eve of
the announcement of a "new" Administration policy, the FBI documents
raise significant questions as to the government's long-term strategy
on the cryptography issue.

Scanned images of several key documents are available via the World
Wide Web at

     http://www.epic.org/crypto/ban/fbi_dox/

=======================================================================
[4] EPIC Crypto Policy Web Pages Online
=======================================================================

EPIC is now making available an extensive series of pages on
cryptography policy. Each page highlights an area of controversy and
provides links to key documents. Materials include formerly secret
government documents obtained under FOIA by EPIC and CPSR, reports from
the Office of Technology Assessment, the General Accounting Office and
others on cryptography.

Topics include:

     o Efforts to ban cryptography
     o The Clipper Chip
     o The Digital Signature Standard
     o The Computer Security Act of 1987

The pages are available at

     http://www.epic.org/crypto/

More pages will become available soon.

=======================================================================
[5] Upcoming Privacy Related Conferences and Events
=======================================================================

Advanced Surveillance Technologies. Sept. 4, 1995. Copenhagen, Denmark.
Sponsored by Privacy International and EPIC. Contact pi@privacy.org.
http://www.privacy.org/pi/conference/

17th International Conference of Data Protection and Privacy
Commissioners. Copenhagen, Denmark. September 6-8, 1995. Sponsored by
the Danish Data Protection Agency. Contact Henrik Waaben,
+45 33 14 38 44 (tel), +45 33 13 38 43 (fax).

InfoWarCon '95. September 7-8, 1995. Arlington, VA. Sponsored by NCSA
and OSS. Email: 74777.3033@compuserve.com.
Business and Legal Aspects of Internet and Online Services. Sept.
14-15. New York City. Sponsored by National Law Journal and New York
Law Journal. Contact: (800)888-8300, ext. 6111, or (212)545-6111.

The Good, the Bad, and the Internet: A Conference on Critical Issues in
Information Technology. October 7-8. Chicago, Ill. Sponsored by CPSR.
Contact cpsr@cpsr.org or
http://www.cs.uchicago.edu/discussions/cpsr/annual

18th National Information Systems Security Conference. Oct. 10-13.
Baltimore, MD. Sponsored by NSA and NIST. Contact: 301-975-3883.

Managing the Privacy Revolution. Oct. 31 - Nov. 1, 1995. Washington,
DC. Sponsored by Privacy & American Business. Speakers include Mike
Nelson (White House), C.B. Rogers (Equifax) and Marc Rotenberg (EPIC).
Contact Alan Westin 201/996-1154.

22nd Annual Computer Security Conference and Exhibition. Nov. 6-8,
Washington, DC. Sponsored by the Computer Security Institute. Contact:
415-905-2626.

Global Security and Global Competitiveness: Open Source Solutions. Nov.
7-9. Washington, D.C. Sponsored by OSS. Contact: Robert Steele
oss@oss.net.

11th Annual Computer Security Applications Conference: Technical
papers, panels, vendor presentations, and tutorials that address the
application of computer security and safety technologies in the civil,
defense, and commercial environments. Dec. 11-15, 1995, New Orleans,
Louisiana. Contact Vince Reed at (205)890-3323 or vreed@mitre.org.

Computers Freedom and Privacy '96. March 27-30. Cambridge, Mass.
Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or
http://www-swiss.ai.mit.edu/~switz/cfp96

Australasian Conference on Information Security and Privacy. June
24-26, 1996. New South Wales, Australia. Sponsored by Australasian
Society for Electronic Security and University of Wollongong. Contact:
Jennifer Seberry (jennie@cs.uow.edu.au).
(Send calendar submissions to Alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. To subscribe, send the message:

     SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org. You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce.

Back issues are available via http://www.epic.org/alert/ or
FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve
(Go NCSA), Library 2 (EPIC/Ethics).

=======================================================================

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues relating to the National
Information Infrastructure, such as the Clipper Chip, the Digital
Telephony proposal, medical record privacy, and the sale of consumer
data. EPIC is sponsored by the Fund for Constitutional Government and
Computer Professionals for Social Responsibility. EPIC publishes the
EPIC Alert and EPIC Reports, pursues Freedom of Information Act
litigation, and conducts policy research on emerging privacy issues.
For more information, email info@epic.org, WWW at HTTP://www.epic.org
or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. Computer Professionals for Social Responsibility is a national
membership organization of people concerned about the impact of
technology on society. For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.
Checks should be made out to "The Fund for Constitutional Government"
and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC
20003. Your contributions will help support Freedom of Information Act
litigation, strong and effective advocacy for the right of privacy and
efforts to oppose government regulation of encryption and funding of
the National Wiretap Plan. Thank you for your support.

------------------------ END EPIC Alert 2.09 ------------------------