Interesting People mailing list archives

Clipper Crack -- LAST FOR A WHILE -- OFF TO OZ DJF


From: David Farber <farber () central cis upenn edu>
Date: Thu, 21 Jul 1994 10:08:29 -0400

CyberWire Dispatch // Copyright (c) 1994 // July 20 //


Jacking in from the "Where's Middle Ground?" Port:


Washington, DC -- The hard line coalition of federal agencies
backing the Clinton Administration's controversial Clipper chip
encryption standard has cracked, forcing the Administration to
modify its call for a single, government backed standard for
scrambling private communications.


The crack in the "Clipper Coalition" came after the Administration
and the agencies most responsible for the Clipper program -- the
National Security Agency and the National Institute of Standards
and Technology (NIST) -- withered under a blistering fire of a
nationwide anti-Clipper grassroots campaign waged by the U.S.
software companies, Crypto-rebels, privacy and civil liberties
groups.


According to Administration sources, more moderate forces within
the Administration began to lobby for a less intrusive alternative
to Clipper, a program that one Administration official has openly
acknowledged is "the Bosnia of telecommunications," months ago when
the full hit of the public debate began to weigh on Clinton policy
makers.


Moderate forces, pushing for a change in the hard line approach
backing Clipper, have had to fight turf battles with the spooks
within the super secret National Security Agency, the agency which
impregnated the government's overall encryption policy with the
Clipper seed.  "The NSA lost a lot of ground and credibility when
the news of [AT&T Bell Labs scientist Matt] Blaze's discovered flaw
hit the streets," said one Administration source involved in the
Clipper policy debate.


The flaw Blaze exposed dealt with a way to confuse a critical part
of the Clipper algorithm which allowed law enforcement agents to
gain access to serial numbers of each Clipper Chip.  Without those
serial numbers, Clipper scrambled messages can't be listened to or
read, in the case of computer communications.


Having suffered public embarrassment over the "Blaze Flaw," the NSA
backed down and was forced to compromise:  Clipper would remain the
method for scrambling telephone conversations, but when it came to
all other encryption methods -- including those embedded in
software for export -- all efforts would be used to come up with an
alternative to Clipper.


That compromise was unveiled late today (Wed.) in a letter from
Vice President Al Gore to Rep. Maria Cantwell (D.-Wash.), an
opponent of Clipper.  Cantwell, who represents the district that's
home to Microsoft, has been negotiating with the Clipper Coalition
over export legislation. If Clipper remained the government's
policy, Cantwell says, it would do grave damage to U.S. exports. If
no other encryption schemes but Clipper were allowed to be
exported, U.S. industry would suffer the backlash of foreign
markets which refused to buy any device or software that came with
a built-in snooping capability accessible only by agents of the
U.S. government.


Buying Time the Wonk Way
Start A Study
========================


Gore's letter buys the Administration time to find acceptable
alternatives to Clipper.  "As you know, the Administration
disagrees with you on the extent to which existing controls are
harming U.S. industry in the short run," Gore says in his letter to
Cantwell, "and the extent to which their immediate relaxation would
affect national security. For that reason we have supported a
five-month Presidential study."


That study, Gore promises, will reassess the entire encryption
program by entering into a "new phase of cooperation among
government, industry representatives and privacy advocates with a
goal of trying to develop a key escrow encryption system that will
provide strong encryption, be acceptable to computer users
worldwide, and address our national needs as well."


Gore acknowledges that Clipper is to be used only for telephones
and not for computers or faxes.  That's a big move away from what
the government had wanted to use, the Tessera Card, which was a
credit card sized device that used the same classified encryption
program beating within the heart of Clipper.  Gore promises that
Clipper won't be used "for computer networks and video networks,"
and that because of this shift "we are working with industry to
investigate other technologies for those applications."


NIST is currently heading up the effort to find these alternatives.
It's working with several ad hoc groups to find solutions to
government controlled key escrow agents, while trying to find a way
to allow private encryption schemes to proliferate but not at the
expense of national security or law enforcement.


Gore backs this up in his letter:  "We welcome the opportunity to
work with industry to design a more versatile, less expensive
system.  Such a key escrow system would be implementable in
software, firmware, hardware, or any combination thereof, would not
rely upon a classified algorithm, would be voluntary, and would be
exportable."


Despite assurances from the Administration, congressional forces
are taking no chances.  "If this Administration fucked up so bad
during the first round of this Clipper fiasco, what proof is there
that they won't shoot themselves in the foot again," a
congressional staffer said.


Earlier this month, Sen. Patrick Leahy (D-Vt.) took steps to hold
the Administration responsible for its Keystone Kop approach to
encryption policy. Leahy insisted that language be added to the
Justice Dept. Appropriations Committee Report that would force the
White House to make a full accounting of Clipper.


According to the Appropriations language, the White House has to
provide answers to 9 pointed questions, including "How much fiscal
year 1994 and 1995 funding will the Dept. of Justice and Dept. of
Commerce spend to develop, implement, and maintain key escrow
encryption programs and what outyear funding requirements are
anticipated beyond fiscal year 1995?"


(Without funding for the key escrow agents, the program dies from
starvation... )


Other questions to be answered include:  (1) What steps is Justice
taking to ensure that the one company currently manufacturing the
Clipper chip doesn't become a de facto monopoly, which would then
be able to hold the Administration as an economic hostage, should
it decide it wants $10,000 per Clipper Chip instead of $10?  (2)
What plans are there for annual audits and recertification of key
escrow agents?  (Unlike Supreme Court Justices, escrow agents
aren't intended to be appointed for life.  Or are they? Good
Question, Leahy wants answers.)  (3) What are the specific
procedures for releasing Clipper to foreign intelligence and law
enforcement agencies? (4) What laws are in place to hammer
government escrow agents that "improperly disclosed escrow keys"?


And probably most important of all, the White House will have to
go to the well and answer this one:  "Is it in fact the President's
position that no law, regulation, or procedure requires the use of
the key escrow technology and the associated Escrowed Encryption
Standard?"


In other words, tell us, once and for all, are we going to have a
law that bans private encryption -- forcing us to become a nation
of crypto-outlaws -- or is this Administration going to promise
to stand by our current freedom to use any encryption technology we
choose.


Meeks out...

