[CyberLaw (tm) 6/93]

ENCRYPTION

I.  A White House Proposal

For most people, conversations are held face-to-face.  If distance is a problem, letters are sent or a phone call is placed.  Until recently, ensuring the privacy of personal communications has not been the focus of much popular attention.  But this has changed with the development of public-access computer networks and the meteoric rise in the use of E-Mail, along with widespread publicity about the exploits of hackers gaining unauthorized access to phone and computer networks.  Recently, the White House proposed an encryption scheme that would provide a great deal of security in communications.  That proposal has been met with a storm of protest, however, particularly over a feature that guarantees law enforcement agencies a key to each encrypted communication. 

II.  The Clipper Chip

The White House announcement, made in April 1993, outlines a voluntary program "to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement."  The focus of that program is a microcircuit called the "Clipper Chip" that scrambles telephone communications.  To allow law enforcement agencies to intercept phone conversations scrambled by the Clipper Chip, the White House proposes to develop a "key-escrow" system.  Under such a system, each device containing the Clipper Chip will have two unique keys to be deposited separately into key-escrow databases to be established by the attorney general.  "Access to these keys will be limited to government officials with legal authorization to conduct a wiretap."  According to the White House, "the 'Clipper Chip' technology provides law enforcement with no new authorities to access the content of the private conversations of Americans."

As described by the White House, each Clipper Chip will be programmed with a classified encryption algorithm (named "Skipjack"), a serial number, a chip unique key, and a chip family key.  Each time a device containing the chip is used, the sender generates an encryption session key.  The sender's data is encrypted with the encryption session key, and that session key is, in turn, encrypted by the chip unique key.  The chip's serial number is encrypted with the chip family key.  All this encrypted information is sent to the receiver.

It is the chip unique key that is to be stored in escrow.  Each chip unique key is to be divided and placed with escrow agents in the form of full 80-bit "split keys."  The chip unique key is reconstituted from the two split keys by means of a mathematical function called an XOR operation.  According to Professor Dorothy E. Denning, Chair of Computer Science at Georgetown University, "[k]nowing one [split key] is insufficient to determine the [chip unique key] since the second [split key] could be any 80 bits."

The strength of the Clipper Chip is found in the Skipjack algorithm.  As described by Professor Denning, Skipjack is a 64-bit block encryption algorithm designed by the National Security Agency (NSA) and classified SECRET.  It uses 80-bit keys and passes data through 32 iterations of scrambling.  "Thus," states Denning, "Skipjack is stronger than [the Data Encryption Standard (DES) adopted in 1977], having about sixteen million times more keys and twice as much scrambling."  (According to the Acting Director of the National Institute of Standards and Technology, it would take a CRAY YMP over a billion years to solve one Clipper Chip key, versus over 200 years to solve one DES key.)  Testifying before the U.S. House of Representatives' Subcommittee on Telecommunication and Finance on June 9, 1993, Professor Denning declared that, 

"[she does] not believe that the [Skipjack] algorithm is classified to cover up weaknesses or a trapdoor.  Classification appears to be essential to protect the integrity of the key-escrow feature.  Someone knowing exactly how that feature worked might be able to design a compatible chip that bypassed the escrow process."

Professor Denning notes further, that law enforcement agencies report that wiretaps have been "an essential means for combating organized crime, major drug trafficking operations, and terrorism."  Widespread use of strong, non-escrow based encryption methods would make it "practically impossible to combat these crimes."  "Claims by people outside law enforcement that these crimes could be dealt with by other means are unsubstantiated and ignore the legal requirements that wiretaps can only be used when other methods of investigation have already failed, are likely to fail, or could be too dangerous."

III.  Substantial Business Concerns

In a statement issued in May 1993, the Computer and Business Equipment Manufacturers Association (CBEMA) voiced a number of "substantial concerns" regarding the implementation of the Clipper Chip program.  CBEMA observes that despite a rapid increase in crime, there were recently less than 1,000 wiretaps performed per year.  The government is proposing, however, that the "entire communications and computing structure of the United States should be constructed with government access __built in__."  CBEMA questions "whether the American people will accept such an arrangement," particularly given the fact that it is not clear that a warrant is required to intercept communications where one or both termini of a communication lie outside the United States.  Another issue is whether the Clipper Chip will be attractive to a significant number of foreign buyers (for whom other encryption schemes are available) given the fact that the chip algorithm was developed by "NSA -- an organization whose tasks include accessing private communications."  NSA involvement, according to CBEMA, has raised "significant speculation" that the algorithm includes a "trap door" that will allow NSA to avoid applying for a court order and utilizing the key-escrow procedure.  On the issue of competitiveness, CBEMA comments that if the Clipper Chip is not freely exportable, U.S. manufacturers will have to bear the expense of supporting two product lines -- one incorporating the Clipper Chip for U.S. use, and another for export.  "[M]any medium-sized and small U.S. firms cannot afford such an expensive undertaking."  If the Clipper Chip were to become effectively mandatory, an important competitive advantage would be handed to foreign manufacturers who do not have to incorporate the chip into their communication devices.

The General Counsel of the Software Publishers Association ("SPA") also raised objections to the Clipper proposal in testimony on export controls before the Computer System Security and Privacy Advisory Board (a Department of Commerce advisory panel).  The SPA noted that the Clipper proposal describes a hardware regime, and stated that SPA has serious doubts as to whether the Clipper system could be implemented in software.  This, says SPA, flies in the face of demands by customers for encryption through software, "for reasons of cost, convenience, scarce computer 'real estate', and particular performance requirements."  SPA offers further that it "strains credulity" to believe that foreign (or U.S.) customers will accept an encryption system in which the U.S. Government holds or has access to the keys.

IV.  Accountability and Civil Liberties

Before the same Advisory Board, the Director of Computer Professionals for Social Responsibility (CPSR) focused on "the policy requirements of the Computer Security Act, the legal issues surrounding the key escrow arrangement, and the importance of privacy for network development."  According to CPSR, government policy as set out in the 1987 Computer Security Act "emphasizes public applications, stresses open review, and ensures public accountability."  But in the case of the Clipper proposal, "[t]he Clipper algorithm, Skipjack, is classified, [p]ublic access to the reasons underlying the proposal is restricted, Skipjack can be implemented only in tamper-proof hardware, [i]t is unlikely to be used by multi-national corporations, and [i]ts security remains unproven."

Among other things, CPSR takes issue with the premise of the Clipper proposal, "that the government must have the ability to intercept electronic communications, regardless of the economic or societal costs."  CPSR notes that "there is no legal basis -- in statute, the Constitution or anywhere else -- that supports [this premise] ....  The Clipper proposal attempts to accomplish through the standard-setting and procurement process what the Congress has been unwilling to do through the legislative process."  "[T]he assumption underlying the Clipper proposal," claims CPSR, "is more compatible with the practice of telephone surveillance in the former East Germany than it is with the narrowly limited circumstances that wire surveillance has been allowed in the United States."

The American Civil Liberties Union (ACLU) also takes the position that the Clipper initiative erodes important constitutional principles, and has identified a number of areas for concern.  First, the ACLU is disturbed that the government would announce a major policy initiative without soliciting prior public comment or review.  Second, as it "appears that the [key] 'escrow' holders will be either government agencies or agents .... [t]he term 'escrow' would seem to obscure rather than illuminate the government's role here."  Third, the ACLU does not believe that the government has "established a sufficient justification for its unprecedented key escrow system on either law enforcement or technical grounds."  (As do others, the ACLU believes that the government's Clipper scheme will become mandatory to achieve the government's stated law enforcement objective.)  Fourth, substantial First Amendment free speech protections are implicated in a regime that prohibits encrypted communications unless the government holds the key.  Fifth, there are serious Fourth and Fifth Amendment issues (concerning restrictions on search and seizure and the privilege against self-incrimination) raised by a procedure that requires the disclosure of a key to the government "in advance of there being probable cause sufficient to entitle the government to seize an encrypted communication and to search and seize the key to such communication."  Sixth, the ACLU "asserts that the present method of export controls on cryptography is unconstitutional," for the reason that encryption technology is "speech protected by the First Amendment and the government must meet strict First Amendment standards before imposing such a licensing scheme, which is essentially a prior restraint that operates as censorship."  Seventh, and lastly, although "[t]he Administration describes the initiative as an effort to protect individual privacy, ... its sole purpose is to make sure that all communications are accessible to the government and cannot remain private outside the scope of government decryption."

V.  More Review Needed

On June 4, 1993, the Computer System Security and Advisory Board reported that serious issues and problems had been voiced during 2 days of hearings on the Clipper initiative.  Among the areas identified by the Board for further attention are: the problem that the Clipper proposal attempts to solve; export and import controls over cryptographic products; the needs of the software industry; additional DES encryption alternatives and key management alternatives; review of the escrow protocol and chip implementation as well as thorough review of the Skipjack algorithm; a clear definition of the proposed key escrow scheme; the economic implications of the Clipper proposal; legal issues raised by the Clipper proposal; and Congressional review.  Accordingly, the Board determined  to conduct an additional meeting in July 1993 to review the Clipper proposal and "recommend[ed] that the key escrowing encryption technology not be deployed beyond current implementations planned within the Executive Branch, until the significant public policy and technical issues inherent with this encryption technique are fully understood."

(Source material for CyberLaw was kindly made available to the author by Professor Dorothy Denning and by David Sobel, Esq. and David Banisar of Computer Professionals for Social Responsibility.)

CyberLaw (tm) is published solely as an educational service.  The author may be contacted at jrsnr@well.sf.ca.us; cyberlaw@aol.com; questions and comments may be posted on America Online (go to keyword "CYBERLAW").  Copyright (c) 1993 Jonathan Rosenoer; All Rights Reserved.  CyberLaw is a trademark of Jonathan Rosenoer. 

CyberLex (tm) [6/93]

Notable legal developments reported in June 1993 include the following:

#	Apple Computer, Inc. conceded the few remaining points in its copyright suit against Microsoft Corp. and Hewlett-Packard Co. so that Apple might hasten its appeal of rulings in the case that, among other things, treat the graphical user interface of the Macintosh computer as a purely functional arrangement.  (New York Times, June 2, 1993, C8; San Jose Mercury News, June 2, 1993, 1F.)

#	Two computer hackers, Charles Anderson and Costa George Katsaniotis, who illegally entered computers at Boeing Corp. and a U.S. District Court, have been each sentenced to 5 years probation and 250 hours of community service and also have been ordered to pay a combined $30,000 in restitution.  In addition, the two residents of Seattle, Washington, are barred from owning computers or holding computer accounts without the permission of their probation officer.  (New York Times, June 11, 1993, A10.)

#	A Commerce Department advisory committee, the Computer System Security and Privacy Advisory Board, has raised serious concerns about the Clinton Administration plan to standardize a high-technology coding system that would allow law enforcement officials to tap telephone calls and computer data transmissions.  The advisory committee has called for extensive public hearings and urges that the new technology, known as the "Clipper Chip," not be deployed until after the public review is completed.  (New York Times, June 5, 1993, p.17.)

#	A California state appeals court overturned an arbitrator's decision that gave Advanced Micro Devices (AMD) the right to make its own version of Intel's 386 microprocessor, on the grounds that the arbitrator had exceeded his authority in a case over the interpretation of a 1982 technology-exchange agreement between Intel and AMD.  Following the decision, Intel announced it will seek damages of $1 billion or more from AMD.  (San Jose Mercury News, June 6, 1993, 1A; New York Times, June 7, 1993, C3; Wall Street Journal, June 7, 1993, A3.)

#	Oracle Corp. has filed suit against Standish Group International Inc., a small market research firm that has accused Oracle of rigging a key software performance test.  The dispute is based upon charges raised by Standish, vigorously denied by Oracle, that the company designed a special feature in its Oracle 7 database software to rank high in a benchmark test for transaction processing, but not capable of functioning in actual applications.  (San Jose Mercury News, June 24, 1993, 1E.)

#	The Federal Communications Commission has set aside a portion of the public airwaves to be divided into 11 channels for use by a new type of 2-way communications networks that will operate with wireless computers.  Mobile Telecommunications Technologies Corp. of Jackson, Mississippi, has been granted a "pioneer's preference" by the FCC, which will allow it a license when the FCC develops licensing procedures for other companies interested in the business.  (San Jose Mercury News, June 25, 1993, 1F.)

#	A San Jose, CA, jury has returned verdicts of not guilty in the trial of two ULSI Systems Inc. executives, Alfred Chan and George Hwang, who had been charged with using stolen designs from Intel to design their own microprocessor.  The jurors could not agree that an Intel design plan and other documents produced in the course of the trial qualified as trade secrets.  (San Jose Mercury News, June 16, 1993, 1D.)

#	The Emir of Bahrain has issued that country's first copyright law.  (Wall Street Journal, June 10, 1993, A8.)

#	The Software Publishers Association estimates that computer software piracy cost European industry and government at least $2.9 billion last year, including $431 million in lost tax receipts.  (Wall Street Journal, June 10, 1993, A8.)

#	According to unconfirmed reports, the Federal Trade Commission (FTC) will take up the investigation of Microsoft Corp. at its July 21 meeting.  The FTC has been "informally" investigating whether Microsoft enjoys an unfair advantage in selling applications programs because it also designs and sells the operating systems that competing software programmers need to make their applications work.  (San Jose Mercury News, June 11, 1993, 1C.)

CyberLex (tm) is published solely as an educational service.  Copyright (c) 1993 Jonathan Rosenoer; All Rights Reserved.  CyberLex is a trademark of Jonathan Rosenoer.   

