Clipper: Another point of view
Communications technology has shrunk distances in a way unimagined a generation ago. As we increasingly use telephone, fax and E-mail for personal and business communications, cryptography has emerged as the most effective way to ensure the authenticity, integrity and confidentiality once provided by signatures and sealed envelopes. But unlike envelopes, cryptography presents a significant impediment to legally authorized access. How do we balance the need for privacy against the need for effective law enforcement? The question only appears to be a technical one. The solution will have broad social implications.
Twenty-one months ago the Clinton administration introduced the Escrowed Encryption Standard (EES)--Clipper--an encryption scheme in which users' private keys are available to the government.[1] This proposal has encountered strong public opposition. The choices the United States makes about confidentiality of communications will reverberate across the globe. These are not decisions to be made lightly.
Ever since the EES announcement, the debate on cryptography in general, and Clipper in particular, has seen hyperbole and many misstatements of fact. The issues are serious and important. They deserve careful thought and discussion. I will attempt to clear the rhetoric from the discussion and lay out the facts. For a deeper look at these issues, I urge you to read the USACM study, Codes, Keys and Conflicts: Issues in US Crypto Policy.[2]
In the beginning
The current debate had its genesis in two events of the 1970s: the release of the Data Encryption Standard (DES) by the National Bureau of Standards (now the National Institute of Standards and Technology, or NIST) and the invention of public-key cryptography by Whitfield Diffie and Martin Hellman. The former was the first time that the US government distributed a strong cryptographic algorithm for public use; the latter was the harbinger of widespread development of cryptographic algorithms in the public realm.
The release of DES was a mixed success. DES proved enormously successful in providing US businesses with a technique to ensure secure communications. But the release of DES had unintended side effects. Internationally, DES provided the same security it gave domestically. Export restrictions notwithstanding, the availability of the algorithm in software means DES can be found on the streets of Moscow as readily as on the streets of Manhattan. Release of the algorithm meant that the design principles approved by security agencies[3] in developing cryptosystems were available for public scrutiny. These agencies presumably would just as soon have kept these design principles behind closed doors.
Nearly 20 years later, DES is coming to the end of its useful life. What will replace it? Electronic communications have become ubiquitous in business and personal life. From a national security viewpoint, securing civilian electronic communications is of paramount importance. At the same time, the intelligence community opposes repeating the DES experience of making a strong cryptographic algorithm available internationally.
A growing problem
Several years ago another government player entered the discussion. Members of the law enforcement community have grown increasingly concerned by the potential use of encryption by criminals and terrorists. Widespread use of strong non-escrowed encryption could make wiretaps useless to law enforcement agencies. The FBI argued for a form of encryption that would enable law enforcement agents to decrypt communications whenever equipped with legal authorization to do so.
Because wiretaps play a crucial part in this story, it is worth a brief detour into their legal history. In the landmark 1928 case of Olmstead v. United States, defendants argued that wiretaps were a violation of the Fourth Amendment's prohibition against unreasonable search.
The Supreme Court disagreed, ruling that the Fourth Amendment protected tangible goods, speech not being one such. Forty years of cases led to a narrowing of the Olmstead decision, and in 1967 the court overturned its 1928 decision, ruling that the Fourth Amendment does apply to phone conversations because the amendment protects "the person," regardless of the manner in which communications are conducted. A warrant was necessary for a wiretap.
An effective tool
Wiretaps are searches that leave no trace, and thus are a particularly invasive form of surveillance. Law enforcement had found wiretaps too effective a tool to readily give them up. In 1968, Congress passed Title III of the Omnibus Crime Control and Safe Streets Act and established the set of circumstances under which wiretap orders could be issued. The crimes had to be serious and indictable and there had to be probable cause that the communications device was being used to facilitate the crime. Other investigative tools had to have been tried and found wanting; only certain crimes could warrant a wiretap order. About 1,000 electronic surveillance orders are issued under federal and corresponding state statutes annually; about three-quarters of these orders are for wiretaps.
From the point of view of law enforcement, the Clinton administration proposal of an encryption method with escrowed keys fits the bill perfectly. Keys are split and the halves are escrowed with two executive branch agencies: Treasury's Automated Services Division and NIST. Under legal authorization, the keys for domestic users of the technology are available to law enforcement agents. The algorithm is classified to limit the spread of strong encryption techniques. Although these features satisfy the perceived needs of the US government for an algorithm that provides strong cryptography domestically without making it available internationally, the solution was anathema to many others.
Many objected to a civilian cryptography standard that used a classified algorithm, arguing that cryptographic methods need public scrutiny to prove their strength. The National Security Agency, as the designer of cryptographic algorithms for military and diplomatic purposes, developed the EES algorithm. NSA's role is controversial in light of recent history. During the 1970s and 1980s, there had been a series of conflicts between the agency and non-governmental developers of cryptography who felt NSA was trying to impede the development of cryptography in the civilian sector. In an attempt to resolve these conflicts, Congress passed the Computer Security Act in 1987, which assigned the responsibility for development of civilian computer security standards, including cryptography, to NIST, a civilian agency. NSA was given an advisory role in the development of cryptography in the civilian sector. Many believe NSA's role in the development of EES violated the intent of the Computer Security Act.
When Matthew Blaze of AT&T Bell Labs discovered a method for using EES that circumvented the law enforcement access aspect of the standard, critics of classification felt vindicated. It should be noted, however, that Blaze's attack did not compromise the security of the EES system, nor did it threaten the law enforcement aspects of the present EES system, which is for circuit-switched telephones. Blaze's attack did work on EES-based E-mail transmissions. The government is modifying its Personal Computer Memory Card International Association cards accordingly.
A product containing keys escrowed with the US government is less than attractive to many foreign purchasers. Presumably, the classified nature of EES means that the algorithm cannot be imported into France, where all cryptographic algorithms must be registered with the government. US manufacturers can continue to include cryptographic algorithms other than EES in their equipment for export.
Manufacturers argue that maintaining dual product lines adds complexity and expense and causes delays in production. Many in the industry fear that widespread domestic adoption of EES for secure communications will lead to a situation in which US products are less competitive internationally.
The strongest objections to EES arose from the civil liberties community. EES opponents point to numerous examples in which the government violated individuals' privacy rights. From Nixon and Kissinger's tapping telephones of employees of the National Security Council, to recent instances in which IRS employees browsed the tax returns of friends, neighbors and celebrities,[4] agents of the government have abused power and invaded individuals' privacy. Sometimes the invasion has been officially sanctioned: the FBI tapping of Martin Luther King's telephone in the 1960s, and NSA's surveillance of private individuals,[5] contrary to law, from 1948 to 1975. Sometimes the government has collected information for one purpose--census data--and used it for another--internment of Japanese-Americans during the Second World War (contrary to laws regarding census data that limited the use of the information to census-related issues). EES opponents argue that an encryption system in which the government holds the keys is a system ripe for abuse.
Proponents of the Clipper system counter that by having an automatic erasure of the keys at the end of the wiretap period and an electronic audit trail generated automatically for the surveillance, EES will prevent such abuses. However, the present prototype decrypt processor has manual erasure of the keys. Similarly, the electronic audit trail has not been used in the prototype decrypt processor.
Proponents observe that EES is a voluntary system; the Clinton administration has stated it will continue to allow other forms of encryption. However, FBI Director Louis Freeh holds a different position on this issue.
Two months ago the Digital Telephony Bill became law. This measure requires that telecommunications providers build their systems wiretap-ready and authorizes a four-year federal expenditure of $500 million to cover the costs of transforming the present telecommunications infrastructure to achieve this goal. While the bill was being considered, opponents of Clipper raised concerns that if the government invested half a billion dollars in digital telephony to ensure law enforcement's continued ability to wiretap, government would be loath to later lose wiretapping ability because of encrypted communications. But the Clinton administration was clear on the issue of encryption: "Today, any American can purchase and use any type of encryption product. The administration does not intend to change that policy. Nor do we have any intention of restricting domestic encryption."[6] Recently, Freeh said otherwise. At a conference on Global Cryptography, Freeh said that if he found that wiretap orders were impeded by the use of non-Clipper cryptography, he would seek support for the outlawing of non-escrowed encryption.
It all comes back to wiretaps, and the issue of wiretaps is a clouded one. Many members of the law enforcement community strongly believe that wiretaps form a critical component in fighting certain types of crimes. That is hard to evaluate. The issue of encrypted communications thwarting court-authorized wiretaps is admittedly speculative. According to the FBI, problems already exist with executing legally authorized wiretaps. The bureau has been unwilling to make public the cases in which it has been unable to execute court-authorized taps. Courts are not scientific laboratories, and in many cases there is no way to know what ultimately leads to a conviction. For many of the high-profile cases in which electronic surveillance played a role, electronic bugs--not wiretaps--led to the convictions.
That was the case with the Gotti conviction in New York, for example.
Finally, it is worth noting that while computer technology, in the form of advanced telecommunications switching or encryption, may impede the execution of wiretaps, computer technology also has greatly enhanced crime-fighting techniques. Electronic surveillance, in the form of video cameras in public places, is widespread. Modern telephone signaling systems provide much more information, revealing in real time the origination and destination of the call. Electronic database information, whether for fingerprints or more mundane records, makes many searches effective when paper files did not. All of these are substantial advances over 1968, when the federal wiretap statute was enacted.
A decision to be made
This nation is experiencing fundamental transformations in the way people and organizations communicate. The National Information Infrastructure will only accelerate the changes. Confidentiality of electronic communications is a serious technical and policy issue facing society. What cryptography policy best accommodates national needs for secure communications and privacy, industry success, effective law enforcement and national security? Ultimately, the choice will be one of values: How important is protecting society from potential attacks by criminals versus how important is protecting personal privacy from all threats of eavesdropping--including by the government? This debate will rest on facts, so it is important to get those facts right.
Susan Landau is a research associate professor in the Computer Science Department at the University of Massachusetts. She is co-author of the USACM study, Codes, Keys and Conflicts: Issues in US Crypto Policy.
Footnotes
1. EES is a voluntary Federal Information Processing Standard (FIPS).
Any agency that chooses to protect the communication of sensitive but unclassified information (e.g., Social Security records or IRS returns) could choose to use EES or any other FIPS cryptographic scheme. However, the only other FIPS approved for encrypting electronic communication is the Data Encryption Standard (DES) and there is a good chance that DES will be shelved at its next review later this decade.
2. A copy of this USACM report is available on the World Wide Web at http://Info.acm.org/reports/acm_crypto_study.html/.
3. DES was designed by IBM Corp. and vetted by the National Security Agency.
4. General Accounting Office, IRS Information Systems: Weaknesses Increase Fraud and Impair Reliability of Management Information, Washington, DC, Government Printing Office, September 1993.
5. US Senate, 1974, Final Report of the Select Committee to Study Governmental Operations with Respect to Intelligence Activities, Washington, DC, April 26, 1974.
6. Office of the White House, White House press statement on EES, Feb. 4, 1994.
Copyright © 1999 Computing Research Association. All Rights Reserved. Questions? E-mail: webmaster@cra.org.