IP: CWD--Shadow Cryptocrats

[Dave Farber <farber () cis upenn edu>]

CyberWire Dispatch // Copyright (c) 1998 //


Jacking in from the "Recurring Nightmare" Port:




Shadow Cryptocrats
by Declan McCullagh
Special to CyberWire Dispatch


WASHINGTON, DC, 2/24/98 -- What happens when the irresistible force of 
American business collides with the immovable object of the U.S. federal 
government? (a) A committee is formed; (b) corporations find out they're 
not so irresistible after all;(c) all of the above.


Answer: (c). A new presidential advisory panel met yesterday for the first 
time to wrestle with Washington's most intractable problem: encryption. The 
20-person Export Council Encryption Subcommittee represents banks and 
credit card companies, technology firms, police associations, and nonprofit 
groups. All members have received security clearances, and some future 
meetings will be closed to the public.


This must seem like a recurring nightmare to privacy advocates, who 
previously have mustered favorable reports on crypto-regulation. First, 
back in 1994, USACM published a study called "Codes, Keys, and Conflicts." 
Two years later, the National Research Council released the "CRISIS" 
report, commissioned by Congress. Last year a phalanx of cryptographers 
published their findings on "key recovery" encryption backdoors. Just about 
everyone pointed out problems with the Clinton-Gore administration's 
current restrictions on overseas shipments of crypto-not to mention the 
FBI's itch to ban unapproved encryption software at home. So why do we need 
yet another commission-especially one the government estimates will cost 
taxpayers at least $35,000 a year?


One explanation seems obvious: government cryptocrats want the subcommittee 
to justify existing restrictions on encryption.  That accounts for the 
presence of the police in the group: the University of Texas' top cop, the 
chief of the Michigan State Police, the president of the National Sheriffs' 
Association. If you've been playing without a scorecard, remember the 
Sheriffs' Association wants not just export controls, but domestic controls 
too. Last September they urged a House committee to require crypto products 
to permit "immediate access" to "the plaintext of communications or 
electronic information encrypted by such product without the knowledge or 
cooperation of the person using such product." (That particular committee 
rejected the plan, but the full House has yet to vote.)


Some of the firms selected also endorse restrictions. Trusted Information 
Systems recently circulated a policy paper calling for "sensible" 
legislation to "make the export of 56-bit current interim DES controls 
permanent and permit the export of stronger encryption when it is combined 
with a key recovery system." (Which, coincidentally, TIS is happy to sell 
you...)


A letter that Commerce Department undersecretary William Reinsch sent to 
subcommittee members on February 13 and obtained by Dispatch says: "We look 
to the experience and knowledge of the subcommittee members in helping us 


develop ways to maintain efficient and effective export controls in an 
ever-changing global marketplace."


"Maintain export controls?" Ouch. No wonder most of the businesses on the 
subcommittee seemed a bit skittish during its kickoff meeting yesterday. 
What were they getting themselves into? Some members told Dispatch 
privately they'd consider resigning in protest if the group veered too far 
in the wrong direction.


Much of the meeting was procedural. Boring stuff, like deciding how often 
the subcommittee would meet. Setting up a mailing list for members. 
Organizing a teleconference or two.


Maybe nobody wanted to seem antagonistic. Maybe nobody wanted to get kicked 
off the subcommittee. Maybe the companies had visions of the Commerce folks 
surreptitiously putting their export licenses on hold. Whatever the reason, 
everyone danced a nimble flamenco around the real issue: current 
restrictions on export of encryption products really fuck over businesses. 
Not only does it cost a bundle to add key recovery features, but other 
countries generally don't have such rules. The silence on this point was 
deafening.


The only time sparks flew was when Citibank wondered where the White House 
stood. "Mandatory key escrow is not the administration's policy," 
Commerce's Reinsch harrumphed.  Stephen Katz, Citibank's chief information 
security officer, responded by saying you can see the FBI's Louis Freeh 
demanding just that from Congress when you "turn on C-SPAN." Reinsch shot 
back: "You believe everything you see on television?"


Katz shut up. He shouldn't have. After all, FBI directors are rarely joking 
when they demand legislation from Congress. Freeh spent much of last year 
demanding a ban on programs like PGP.  He told Congress in September that 
the Feds must "have an immediate lawful decryption of the communications in 
transit or the stored data. That could be done in a mandatory manner. It 
could be done in an involuntary manner. But the key is that we have the 
ability." FBI Deputy Director Bob Bryant echoed him last month, and the 
bureau has offered even more ominous warnings behind closed doors.


Soon the export subcommittee members will enjoy their very own clandestine 
sessions. A "regulations and procedures" memo sent to members says that 
"you will also receive a security briefing." It warns not to "reveal 
classified information imparted to you... you should not make written notes 
of classified discussions. You should report any attempt to obtain 
classified information from you."


One bit of information the government didn't mind releasing in public came 
from Bruce McConnell, a longtime cryptocrat from the Office of Management 
and Budget. He explained to the subcommittee how federal agencies are 
testing out "key recovery" and "key escrow" pilot projects. "We asked them 
if you have business applications" and "would you like to participate?" 
McConnell said.


One of the agencies that signed up was the Customs Service. It wants to 
speed the processing of trucks driving across the border. "Once the truck 
leaves Canada, the manifest is transmitted to Customs in encrypted form," 


McConnell said.  Other agencies dipping a toe in the key recovery waters 
include the Patent and Trademark Office, the Social Security 
Administration, and the Small Business Administration.


Now, keep in mind why the government needs to launch these so-called 
pilots... Imagine, hypothetically, that the FBI wants Americans to buy, 
say, pens that transmit everything written to the Feds. The FBI claims this 
will reduce terrorism, and promises agents will follow lawful procedure 
when they want to read what you're writing.


Problem is, nobody buys the pens. A nettled FBI resorts to coercing federal 
agencies to purchase them. The government also requires that anyone 
submitting forms to the government (and a lot of people are required to 
submit forms to the government) write with 'em. The goal, then, is twofold: 
to work the bugs out of the system, and to get people buying the "key 
recovery pens"-whether anyone really wants to or not.


Add the Commerce Department, of all places, to the list of agencies that 
really would rather not deal with key recovery.  (Yes, this is the same 
agency that has been ramming it down the throats of software companies.) 
Recently it found out firsthand the headaches involved in setting it up. In 
an email message rich with irony, Bureau of Export Administration webmaster 
Bill Sargent pleaded with the Net for help with key recovery:


"I am working on a project to provide for the internet submission of Export 
License Applications for the Bureau of Export Administration here at the 
Department of Commerce. I am trying to gather as much knowledge as possible 
in the area of key recoverable encryption...  we want to make our system 
easy and as transparent as possible for the user while also safeguarding 
the business proprietary information being provided and making sure that we 
meet the Administration's desire to have the encrypted information be key 
recoverable by Federal law enforcement agencies."


I asked Sargent why he needed to use a complicated key recovery system when 
he could just keep a copy of the Commerce Department's private key in a 
safe instead. He replied, "The administration policy is that encryption 
should be key recoverable. BXA is one of the administration's spokesmen in 
that regard. Therefore we would be hard pressed to tell industry to 'Do as 
we say not as we do!'"


Just so. Another person chatting with industry groups is John Podesta, 
deputy chief of staff and former Clinton privacy and telecom aide. He took 
time out from dealing with subpoenas from Ken Starr and dropped by the 
subcommittee meeting yesterday. "We've been meeting over the last couple 
months to reenergize our effort to have a real dialogue" with "all the 
industry segments," Podesta said.


For their part, "industry segments" have been busily organizing the 
Alliance for Computer Privacy, which they hope will muster enough support 
on Capitol Hill to lift export controls. Next steps happen when Congress 
revisits crypto. This could take place as soon as next month in the Senate. 


Stay tuned.  It's your lock, but the Feds have a jones for your key...




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Declan McCullagh (declan () well com) is the Washington correspondent for 
TIME's The Netly News (http://netlynews.com/).  Read more of his reports on 
encryption at (http://www.well.com/~declan/politech/)




********************************
See you at INET'98, Geneva 21-24, July 98   <http://www.isoc.org/inet98/>