Skip to main content
EFFecting Change Livestream August 28

EFFector - Volume 5, Issue 9 - EFF Comments to NIST

EFFECTOR

EFFector - Volume 5, Issue 9 - EFF Comments to NIST

==============================================================================
           //////////////     //////////////     //////////////
         ///                ///                ///
       ///////            ///////            ///////
     ///                ///                ///
   //////////////     ///                ///
                  -==--==--==-<>-==--==--==- 
                        In this issue:
                    EFF Comments to NIST
        Computers, Freedom and Privacy Conference 1994
            Summary of Rural Datafications Conference
                   -==--==--==-<>-==--==--==- 

EFF Comments to the NIST (the National Institute of Standards and 
Technology:
          
May 27, 1993

Before the

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD 
Technology Building, Room B-154
National Institute of Standards and Technology Gaithersburg, MD 
20899

COMMENTS OF THE ELECTRONIC FRONTIER FOUNDATION 

Regarding

Key Escrow Chip Cryptographic Technology and Government 
Cryptographic Policies and Regulations

The Electronic Frontier Foundation (EFF) commends the Computer 
System Security and Privacy Advisory Board for offering the public 
the opportunity to comment on developments in cryptography and 
communications privacy policy. Recent Administration proposals, 
including use of the Clipper Chip and establishment of a government-
controlled key escrow system, raise questions that cut to the core of 
privacy protection in the age of digital communication technology. 
The questions noted by the Advisory Board in its Notice of Open 
Meeting (58 FR 28855) reflect a broad range of concerns, from civil 
liberties to global competitiveness. The Digital Privacy and Security 
Working Group -- a cooperative effort of civil liberties organizations 
and corporate users and developers of communication technology 
which is chaired by the EFF -- has also submitted over one hundred 
questions to the Administration. (These questions are being 
submitted to the Advisory Board under separate cover on behalf of 
the Working Group.) That there are so many questions demonstrates 
the need for a comprehensive review of cryptography and privacy 
policy. 

We are encouraged that the Administration has expressed a 
willingness to undertake such a review. However, it has become clear 
that plans for rapid introduction of the Clipper Chip could 
unacceptably distort this important policy review. The 
Administration has made no secret of the fact that it hopes to use 
government purchasing power to promote Clipper as a de facto 
standard for encryption. With Clipper on the market, the policy 
process will be biased toward a long-term solution such as Clipper 
with key escrow. Moreover, the rush to introduce Clipper is already 
forcing a hasty policy review which may fail to provide adequate 
public dialogue on the fundamental privacy questions which must be 
resolved to reach a satisfactory cryptography policy. Based on the 
depth and complexity of questions raised by this review, EFF 
believes that no solution, with Clipper Chip or otherwise, should be 
adopted by the government until the comprehensive cryptography 
review initiated by the Administration is complete.

EFF is a nonprofit, public interest organization whose public policy 
mission is to insure that the new electronic highways emerging from 
the convergence of telephone, cable, broadcast, and other 
communications technologies enhance free speech and privacy rights, 
and are open and accessible to all segments of society.

In these comments, we will elaborate on questions 1, 2, and 3 listed 
in the Advisory Board's Notice. We offer these comments primarily to 
raise additional questions that must be answered during the course 
of the Administration's policy review.

A. WILL PARTICULAR ENCRYPTION TECHNOLOGIES BE MANDATED OR 
PROSCRIBED?: A THRESHOLD QUESTION

Unraveling the current encryption policy tangle must begin with one 
threshold question: will there come a day when the federal 
government controls the domestic use of encryption through 
mandated key escrow schemes or outright prohibitions against the 
use of particular encryption technologies? Is Clipper the first step in 
this direction? A mandatory encryption regime raises profound 
constitutional questions, some of which we will discuss below. So far, 
the Administration has not declared that use of Clipper will be 
mandatory, but several factors point in that direction:

1. Secrecy of the algorithm justified by need to ensure key escrow 
compliance: 

Many parties have already questioned the need for a secret 
algorithm, especially given the existence of robust, public-domain 
encryption techniques. The most common explanation given for use 
of a secret algorithm is the need to prevent users from by-passing 
the key escrow system proposed along with the Clipper Chip. If the 
system is truly voluntary, then why go to such lengths to ensure 
compliance with the escrow procedure?

2. How does a voluntary system solve law enforcement's problems? 

The major stated rationale for government intervention in the 
domestic encryption arena is to ensure that law enforcement has 
access to criminal communications, even if they are encrypted. Yet, a 
voluntary scheme seems inadequate to meet this goal. Criminals who 
seek to avoid interception and decryption of their communications 
would simply use another system, free from escrow provisions. 
Unless a government-proposed encryption scheme is mandatory, it 
would fail to achieve its primary law enforcement purpose. In a 
voluntary regime, only the law-abiding would use the escrow 
system.

B. POLICY CONCERNS ABOUT GOVERNMENT-RUN KEY ESCROW SYSTEM 

Even if government-proposed encryption standards remain 
voluntary, the use of key escrow systems still raises serious 
concerns: 

1. Is it wise to rely on government agencies, or government-selected 
private institutions to protect the communications privacy of all who 
would someday use a system such as Clipper?

2. Will the public ever trust a secret algorithm with an escrow 
system enough to make such a standard widely used? 

C. CONSTITUTIONAL IMPLICATIONS OF GOVERNMENT CONTROLS ON 
USE OF ENCRYPTION 

Beyond the present voluntary system is the possibility that specific 
government controls on domestic encryption could be enacted. Any 
attempt to mandate a particular cryptographic standard for private 
communications, a requirement that an escrow system be used, or a 
prohibition against the use of specific encryption algorithms, would 
raise fundamental constitutional questions. In order to appreciate the 
importance of the concerns raised, we must recognize that we are 
entering an era in which most of society will rely on encryption to 
protect the privacy of their electronic communications. The following 
questions arise: 

1. Does a key escrow system force a mass waiver of all users' Fifth 
Amendment right against self-incrimination? 

The Fifth Amendment protects individuals facing criminal charges 
from having to reveal information which might incriminate them at 
trial. So far, no court has determined whether or not the Fifth 
Amendment allows a defendant to refuse to disclose his or her 
cryptographic key. As society and technology have changed, courts 
and legislatures have gradually adapted fundamental constitutional 
rights to new circumstances. The age of digital communications 
brings many such challenges to be resolved. Such decisions require 
careful, deliberate action. But the existence of a key escrow system 
would have the effect of waiving this right for every person who 
used the system in a single step. We believe that this question 
certainly deserves more discussion.

2. Does a mandatory key escrow system violate the Fourth 
Amendment prohibition against "unreasonable search and seizure"? 

In the era where people work for "virtual corporations" and conduct 
personal and political lives in cyberspace, the distinction between 
communication of information and storage of information is 
increasingly vague. The organization in which one works or lives may 
constitute a single virtual space, but be physically dispersed. So, the 
papers and files of the organization or individual may be moved 
within the organization by means of telecommunications technology. 
Until now, the law of search and seizure has made a sharp distinction 
between, on the one hand, seizures of papers and other items in a 
person's physical possession, and on the other hand, wiretapping of 
communications. Seizure of papers or personal effects must be 
conducted with the owner's knowledge, upon presentation of a 
search warrant. Only in the exceptional case of wiretapping, may a 
person's privacy be invaded by law enforcement without 
simultaneously informing the target. Instantaneous access to 
encryption keys, without prior notice to the communicating parties, 
may well constitute a secret search, if the target is a virtual 
organization or an individual whose "papers" are physically 
dispersed. Under the Fourth Amendment, secret searches are 
unconstitutional. 

3. Does prohibition against use of certain cryptographic techniques 
infringe individuals' right to free speech? 

Any government restriction on or control of speech is to be regarded 
with the utmost scrutiny. Prohibiting the use of a particular form of 
cryptography for the express purpose of making communication 
intelligible to law enforcement is akin to prohibiting anyone from 
speaking a language not understood by law enforcement. Some may 
argue that cryptography limitations are controls on the "time, place 
and manner" of speech, and therefore subject to a more lenient legal 
standard. However, time, place and manner restrictions that have 
been upheld by courts include laws which limit the volume of 
speakers from interfering with surrounding activities, or those which 
confine demonstrators to certain physical areas. 
No court has ever upheld an outright ban on the use of a particular 
language. Moreover, even a time, place and manner restriction must 
be shown to be the "least restrictive means" of accomplishing the 
government's goal. It is precisely this question -- the availability of 
alternatives which could solve law enforcement's actual problems -- 
that must be explored before a solution such as Clipper is promoted. 

D. PUBLIC PROCESS FOR CRYPTOGRAPHY POLICY 

As this Advisory Board is well aware, the Computer Security Act of 
1987 clearly established that neither military nor law enforcement 
agencies are the proper protectors of personal privacy. When 
considering the law, Congress asked, "whether it is proper for a 
super-secret agency [the NSA] that operates without public scrutiny 
to involve itself in domestic activities...?" The answer was a clear 
"no." Recent Administration announcements regarding the Clipper 
Chip suggest that the principle established in the 1987 Act has been 
circumvented. For example, this Advisory Board was not consulted 
with until after public outcry over the Clipper announcements. Not 
only does the initial failure to consult eschew the guidance of the 
1987 Act, but also it ignored the fact that this Advisory Board was 
already in the process of conducting a cryptography review.

As important as the principle of civilian control was in 1987, it is 
even more critical today. The more individuals around the country 
come to depend on secure communications to protect their privacy, 
the more important it is to conduct privacy and security policy 
dialogues in public, civilian forums.

CONCLUSION

The EFF thanks the Advisory Board for the opportunity to comment 
on these critical public policy issues. In light of the wide range of 
difficult issues raised in this inquiry, we encourage the Advisory 
Board to call on the Administration to delay the introduction of 
Clipper-based products until a thorough, public dialogue on 
encryption and privacy policy has been completed.

Respectfully Submitted,

Electronic Frontier Foundation

Jerry Berman
Executive Director
jberman@eff.org

Daniel J. Weitzner
Senior Staff Counsel
djw@eff.org

                    -==--==--==-<>-==--==--==- 

Computers, Freedom and Privacy '94 Announcement

The fourth annual conference, "Computers, Freedom, and Privacy," 
will be held in Chicago, Il., March 23-26, 1994. This conference will 
be jointly sponsored by the Association for Computing Machinery 
(ACM) and The John Marshall Law School. George B. Trubow, 
professor of law and director of the Center for Informatics Law at 
John Marshall, is general chairman of the conference. The series 
began in 1991 with a conference in Los Angeles, and subsequent 
meetings took place in Washington, D.C., and San Francisco, in 
successive years. Each conference has addressed a broad range of 
issues confronting the "information society" in this era of the 
computer revolution. 

The advance of computer and communications technologies holds 
great promise for individuals and society. From conveniences for 
consumers and efficiencies in commerce to improved public health 
and safety and increased knowledge of and participation in 
government and community, these technologies are fundamentally 
transforming our environment and our lives. 

At the same time, these technologies present challenges to the idea 
of a free and open society. Personal privacy is increasingly at risk 
from invasions by high-tech surveillance and monitoring; a myriad of 
personal information data bases expose private life to constant 
scrutiny; new forms of illegal activity may threaten the traditional 
barriers between citizen and state and present new tests of 
Constitutional protection; geographic boundaries of state and nation 
may be recast by information exchange that knows no boundaries as 
governments and economies are caught up in global data networks.

Computers, Freedom, and Privacy '94 will present an assemblage of 
experts, advocates and interested parties from diverse perspectives 
and disciplines to consider the effects on freedom and privacy 
resulting from the rapid technological advances in computer and 
telecommunication science. Participants come from fields of 
computer science, communications, law, business and commerce, 
research, government, education, the media, health, public advocacy 
and consumer affairs, and a variety of other backgrounds. A series of 
pre-conference tutorials will be offered on March 23, 1994, with the 
conference program beginning on Thursday, March 24, and running 
through Saturday, March 26, 1994.

The emphasis in '94 will be on examining the many potential uses of 
new technology and considering recommendations for dealing with 
them. "We will be looking for specific suggestions to harness the new 
technologies so society can enjoy the benefits while avoiding 
negative implications," said Trubow. "We must manage the 
technology, or it will manage us," he added. 

Trubow is putting out a call for papers or program suggestions. 
"Anyone who is doing a paper relevant to our subject matter, or who 
has an idea for a program presentation that will demonstrate new 
computer or communications technology and suggest what can be 
done with it, is invited to let us know about it." Any proposal must 
state the title of the paper or program, describe the theme and 
content in a short paragraph, and set out the credentials and 
experience of the author or suggested speakers. Conference 
communications should be sent to:

CFP'94
John Marshall Law School
315 S. Plymouth Ct.
Chicago, IL 60604
(Voice: 312-987-1419; Fax: 312-427-8307; E-mail: CFP94@jmls.edu) 

Trubow anticipates that announcement of a student writing 
competition for CFP'94 will be made soon, together with information 
regarding the availability of a limited number of student 
scholarships for the conference. Trubow said, "I expect the 
organizational structure for CFP'94, including the designation of 
program committees, to be completed by about the first of August, to 
allow plenty of time for the development of a stimulating and 
informative conference."

The venerable Palmer House, a Hilton hotel located at the corner of 
State Street and Washington Ave. in Chicago's "loop," and only about 
a block from the John Marshall Law School buildings, will be the 
conference headquarters. Room reservations should be made directly 
with the hotel, mentioning John Marshall Law School or "CFP'94" to 
get the special conference rate of $99.00, plus tax. 

The Palmer House Hilton
17 E. Monroe., Chicago, Il., 60603
Tel: 312-726-7500; 1-800-HILTONS; Fax 312-263-2556 

                    -==--==--==-<>-==--==--==- 

Preliminary Report -- Rural Datafication Conference 
Chicago, May 13 & 14, 1993

Over 200 hundred people from all over the United States and Canada 
gathered in Chicago last week to participate in _Rural Datafication: 
achieving the goal of ubiquitous access to the Internet_. The 
conference was sponsored by CICNet and nine cooperating state 
communications networks or organizations: NetILLINOIS, INDNet, 
IREN, MichNet, MRNet, NYSERNet, PREPnet, WiscNet, and WVNET. Two 
of the represented states (Minnesota and Indiana) took the 
opportunity to caucus among themselves to further define their own 
activities.

The program began Thursday afternoon with hosted discussion 
groups intended to discover where we could make improvements in 
networked information services. Then a panel described current 
successful projects in British Columbia (Roger Hart), North Dakota 
(Dan Pullen), Montana (Frank Odasz), Washington, Alaska, and Oregon 
(Sherrilynne Fuller), Pennsylvania (Art Hussey), and Massachusetts 
(Miles Fidelman). Questions from the panel and the audience would 
have kept the room filled far into the night had the moderator not 
sent everyone out to dinner. 

The next morning's sessions featured knowledgeable speakers open 
to interaction with the other conference attendees. Mike Staman set 
the stage. He was followed by Ross Stapleton who spoke about 
recognizing that our government is also not well-networked; by 
Simona Nass who spoke about some of the legal and policy issues of 
networked communities; by Anthony Riddle who spoke about how 
the networked information community could build from the 
experiences of the community access television people; and by 
George Baldwin who spoke about using networked information to 
preserve Native American cultures. Rick Gates finished up the 
morning with a presentation that described his efforts to teach 
information discovery on the nets using play.

The afternoon session featured reports from the hosted discussion 
groups on agriculture, on health care and health education, on 
libraries, on post-secondary education, on community and 
government information, and on K-12 education. Joel Hartman of 
Bradley University and netILLINOIS moderated.

The interaction among the attendees and between and with the 
speakers and panelists brought the most benefit, according to some 
attendees. The attendees recognized that we haven't quite figured 
out how to solve the extensive problems that bar network access to 
all but they are excited about continuing to identify and work on 
removing the barriers. A number suggested that the meeting should 
actually be the first Rural Datafication Conference and offered to host 
and/or organize the anticipated follow-on meeting next year. Many 
offered format and speaker suggestions for that meeting and look 
forward to the anticipated proceedings from the conference which 
CICNet expects to publish.

CICNet is working on a summary of the meeting and working to build 
a gopher/ftp-archive and printed version of the meeting. We'll 
announce the availability of those versions as soon as we can. Thanks 
to all the participants for a successful meeting and to all of you who 
have expressed interest but couldn't come.
____________________________
Glee Harrah Cady, Manager, Information Services, CICNet 2901 
Hubbard, Ann Arbor, MI 48105	+1.313.998.6419
glee@cic.net

=============================================================

     EFFector Online is published by
     The Electronic Frontier Foundation
     666 Pennsylvania Ave. SE  Suite 303
     Washington, DC 20003 USA
     Phone: +1 202 544 9237 FAX: +1 202 547 5481
     Internet Address: eff@eff.org
     Coordination, production and shipping by Cliff Figallo, EFF 
     Online Communications Coordinator (fig@eff.org)
 Reproduction of this publication in electronic media is encouraged.
 Signed articles do not necessarily represent the view of the EFF.
 To reproduce signed articles individually, please contact the authors
 for their express permission.

      *This newsletter is printed on 100% recycled electrons*
=============================================================

        MEMBERSHIP IN THE ELECTRONIC FRONTIER FOUNDATION

In order to continue the work already begun and to expand our 
efforts and activities into other realms of the electronic frontier, we 
need the financial support of individuals and organizations.

If you support our goals and our work, you can show that support by
becoming a member now. Members receive our bi-weekly electronic 
newsletter, EFFector Online (if you have an electronic address that 
can be reached through the Net), and special releases and other 
notices on our activities.  But because we believe that support should 
be freely given, you can receive these things even if you do not elect 
to become a member.

Your membership/donation is fully tax deductible.

Our memberships are $20.00 per year for students and $40.00 per 
year for regular members.  You may, of course, donate more if you 
wish.

Our privacy policy: The Electronic Frontier Foundation will never, 
under any circumstances, sell any part of its membership list.  We 
will,  from time to time, share this list with other non-profit 
organizations  whose work we determine to be in line with our goals.  
But with us,  member privacy is the default. This means that you 
must actively grant us permission to share your name with other 
groups. If you do not  grant explicit permission, we assume that you 
do not wish your  membership disclosed to any group for any reason.

=============================================================
Mail to: 
         Membership Coordinator
         The Electronic Frontier Foundation
         666 Pennsylvania Ave. SE Suite 303
         Washington, DC 20003 USA


I wish to become a member of the EFF.  I enclose: $_______
I wish to renew my membership in the EFF.  I enclose: $_______
            $20.00 (student or low income membership)
            $40.00 (regular membership)

    [  ] I enclose an additional donation of $_______

Name:

Organization:

Address:

City or Town:

State:       Zip:      Phone: (    )             (optional)

FAX: (    )              (optional)

Email address:

I enclose a check [  ].
Please charge my membership in the amount of $
to my Mastercard [  ]  Visa [  ]  American Express [  ]

Number:

Expiration date:

Signature: ________________________________________________

Date:

I hereby grant permission to the EFF to share my name with
other non-profit groups from time to time as it deems
appropriate   [ ].
                       Initials:___________________________

Back to top

JavaScript license information