Interesting People mailing list archives
IP: Re: U.S. cyberterrorism report hit on encryption stance
From: Dave Farber <farber () cis upenn edu>
Date: Thu, 06 Nov 1997 19:05:53 -0500
To: farber () cis upenn edu
Cc: willis () rand org
Reply-To: willis () rand org
Subject: Re: IP: U.S. cyberterrorism report hit on encryption stance
Date: Thu, 06 Nov 97 10:32:18 PST
From: "Willis H. Ware" <willis () rand org>

-- Folder: YES --

For your list:

Dave:

With (ex Senator) Sam Nunn and (ex DOJ) Jamie Gorelick co-chairing the PCCIP's Advisory Committee and with their known positions on national security and law enforcement, there was little chance that the Commission could escape saying something about encryption -- even though it originally intended to avoid the issue since it was being worked by other parts of government.

Since the Advisory Committee appointments came somewhat late in the game, one can conjecture that the Commission could have been instructed to comment on cryptography as late as its September 5, 1997 meeting with the Advisory Board. Who knows what was discussed in the non-public closed part of that meeting?

By tracking the media releases, their content and dates of appearance [http://pccip.gov], one could get a sense of how the Commission's positions and outcome were evolving. Had encryption been on the agenda for much or most of the Commission's tenure, one would have expected a little hint about it at General Marsh's keynote address at the Baltimore NISSC-97 conference; nothing was said.

So I conclude that encryption was probably a late addition to the Commission's scope but of course, that personal position derives from my reading of electronic tea leaves.

===================

FYI - the full text of the Commission's report is on the web site at http://www.pccip.gov. It's in 5 parts, totals slightly under 1 Mb, is in PDF format, and seems to require ver 3.01 of Adobe's acroreader to open the file.

The discussion of encryption is page 2ff of chapter nine, and for the present point at issue, the operative paragraph is bullet 2 on page 3.

"Law enforcement agencies should have lawful access to the decrypted information when necessary to prevent or deter serious crime. Procedures for judicial review prior to granting government access must be defined in law."

Important 3rd bullet also: it provides for individual rights of redress when such access is abused!

Read the words carefully; the 2nd bullet does not call for key escrow or key recovery; it simply observes that law enforcement should have access to the decrypted information and by implication, however it is obtained; e.g., pinching the keys, cryptanalysis, lawful court-ordered access to corporate key recovery records, using an informant to snitch the key. It most assuredly does not support the broad scope posture that the FBI technical memorandum to the House committees proposed. And the sense of the discussion is oriented toward businesses.

Importantly also, (first full paragraph from bottom of page 2), the Commission calls for strong encryption as an "essential element [for] the information on which critical infrastructures depend." In the same paragraph, the Commission does call for key recovery systems but the statement is set in the context of businesses for self-protection; and the following phrase certainly connects lawful access to business-oriented key recovery schemes. Nowhere does the word "mandatory" appear.

In the same paragraph, the Commission calls for a key-management infrastructure which unfortunately, is a term with somewhat ambiguous meaning and scope. It can mean the certificate-authority and public-key management aspects for digital signatures -- which everyone agrees will have to come into existence.

On balance, it strikes me that the Commission walked a very treacherous line very carefully. It did endorse strong encryption as essential to a digital commerce world; it did call for lawful access to decryption keys in the business setting; it did NOT call for a sweeping solution such as proposed by the FBI; it mandated nothing.
It said what needed to be said about cryptography as an aspect of the Commission's charter; it properly avoided what (probably) many would have wished that it had said on cryptography as a national policy issue.

Moreover, the Commission certainly could not risk obscuring its central message and mission objectives for protecting the critical infrastructure. A broad policy position on cryptography could have aroused all manner of dialogue and opposition that might easily detract from its other findings. After all, encryption is [what ??] something like 0.001% of the Commission's broad tasking?

True, one could, I suppose, imagine ways in which the words could have been more carefully honed (e.g., clarify what was meant by KMI), but given the emotional and confused dialogue on cryptography as it now exists, the Commission position strikes me as an appropriate position on a difficult issue.

My thoughts derive from watching the scene and listening at the gateposts. Needless to say, the above doesn't reflect any sponsors, other hats that I might be associated with, and it's not a paid announcement. :-))

Willis

**************************************************
"Photons have neither morals nor visas" -- Dave Farber 1994
**************************************************