WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1995 >> [1995] EPICAlert 9

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 2.09 [1995] EPICAlert 9


Volume 2.09 August 21, 1995

Published by the Electronic Privacy Information Center (EPIC)
Washington, DC
*Special Edition: Crypto*

Table of Contents

[1] "New" Crypto Policy Announced: Clipper II?

[2] NIST Announcement on Key-Escrow Workshops
[3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption
[4] EPIC Crypto Web Pages Online

[5] Upcoming Conferences and Events

[1] "New" Crypto Policy Announced: Clipper II?

The Clinton Administration ended a year of silence on August 17 whenit issued a long-awaited statement on the Clipper Chip and key-escrowencryption. Unfortunately, the "new" policy is merely a re-working ofthe old one -- the Administration remains committed to key-escrowtechniques that ensure government agents access to encryptedcommunications. The only changes are a willingness to consider theexport of 64-bit encryption (if "properly escrowed"), the possibilityof private sector escrow agents to serve as key-holders, andconsideration of software implementations of key-escrow technologies.

As EPIC Advisory Board member Whit Diffie observed in an op-ed piecein the New York Times, the new approach won't work. "While othernations may share our interest in reading encrypted messages for lawenforcement purposes, they are unlikely to embrace a system thatleaves them vulnerable to U.S. spying. They will reject any systemthat gives decoding ability to agents in the United States." Diffiefurther notes that "64-bit keys are not expected to be adequate."

In a statement re-printed below, the National Institute of Standardsand Technology (NIST) announced two public workshops "to discuss keyescrow issues." More information concerning these meetings can beobtained from Arlene Carlton at NIST, (301) 975-3240, fax: (301)
948-1784, e-mail:

[2] NIST Announcement on Key-Escrow Workshops

EMBARGOED FOR RELEASE: NIST 95-243 p.m. EDT, Thursday, Aug. 17, 1995
Furthering the Administration's commitment to defining aworkable key escrow encryption strategy that would satisfygovernment and be acceptable to business and private users ofcryptography, the Commerce Department's National Institute ofStandards and Technology announced today renewed dialogue on keyescrow issues.

A Sept. 6-7 workshop will convene industry and governmentofficials to discuss key escrow issues, including proposedliberalization of export control procedures for key escrowsoftware products with key lengths up to 64 bits, which wouldbenefit software manufacturers interested in building secureencryption products that can be used both domestically andabroad.

Key escrow encryption is part of the Administration'sinitiative to promote the use of strong techniques to protect theprivacy of data and voice transmissions by companies, governmentagencies and others without compromising the government's abilityto carry out lawful wiretaps.

In a July 1994 letter to former Rep. Maria Cantwell, VicePresident Gore said that the government would work on developingexportable key escrow encryption systems that would allow escrowagents outside the government, not rely on classified algorithms,
be implementable in hardware or software, and meet the needs ofindustry as well as law enforcement and national security. Sincethat time, discussions with industry have provided valuableguidance to the Administration in the development of this policy.
For example, many companies are interested in using a corporatekey escrow system to ensure reliable back-up access to encryptedinformation, and the renewed commitment should foster thedevelopment of such services.

Consideration of additional implementations of key escrowcomes in response to concerns expressed by software industryrepresentatives that the Administration's key escrow policies didnot provide for a software implementation of key escrow and inlight of the needs of federal agencies for commercial encryptionproducts in hardware and software to protect unclassifiedinformation on computer and data networks.

Officials also announced a second workshop at which industryis invited to help develop additional Federal InformationProcessing Standards for key escrow encryption, specifically toinclude software implementations. This standards activity wouldprovide federal government agencies with wider choices amongapproved key escrow encryption products using either hardware orsoftware. Federal Information Processing Standards provideguidance to agencies of the federal government in theirprocurement and use of computer systems and equipment.

Industry representatives and others interested in joiningthis standards-development effort are invited to a key escrowstandards exploratory workshop on Sept. 15 in Gaithersburg, Md.
This workshop is an outgrowth of last year's meetings in whichgovernment and industry officials discussed possible technicalapproaches to software key escrow encryption.

The Escrowed Encryption Standard, a Federal InformationProcessing Standard for use by federal agencies and available foruse by others, specifies use of a Key Escrow chip (once referredto as "Clipper chip") to provide strong encryption protection forsensitive but unclassified voice, fax and modem communicationsover telephone lines. Currently, this hardware-based standard isthe only FIPS-approved key escrow technique. NIST officialsanticipate proposing a revision to the Escrowed EncryptionStandard to allow it to cover electronic data transmitted overcomputer networks. Under this revised federal standard, theCapstone chip and other hardware-based key escrow techniquesdeveloped for use in protecting such electronic data also will beapproved for use by federal agencies.

As a non-regulatory agency of the Commerce Department'sTechnology Administration, NIST promotes U.S. economic growth byworking with industry to develop and apply technology,
measurements and standards.

[3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption

On a related note ...

Declassified government documents recently obtained by EPIC show
that key federal agencies concluded more than two years ago that the
"Clipper Chip" key-escrow initiative will only succeed if alternative
security techniques are outlawed. The information is contained in
several hundred pages of material concerning Clipper and cryptography
EPIC obtained from the FBI under the Freedom of Information Act.

The conclusions contained in the documents appear to conflict
with frequent Administration claims that use of key-escrow technology
will remain "voluntary." Critics of the government's initiative,
including EPIC, have long maintained that government-sanctioned key-
escrow encryption techniques would only serve their stated purpose if
made mandatory. According to the FBI documents, that view is shared by
the Bureau, the National Security Agency (NSA) and the Department of
Justice (DOJ).

In a "briefing document" titled "Encryption: The Threat,
Applications and Potential Solutions," and sent to the National
Security Council in February 1993, the FBI, NSA and DOJ concluded that:

Technical solutions, such as they are, will only work if
they are incorporated into *all* encryption products. To
ensure that this occurs, legislation mandating the use of
Government-approved encryption products or adherence to
Government encryption criteria is required.

Likewise, an undated FBI report titled "Impact of Emerging
Telecommunications Technologies on Law Enforcement" observes that
"[a]lthough the export of encryption products by the United States is
controlled, domestic use is not regulated." The report concludes that
"a national policy embodied in legislation is needed." Such a policy,
according to the FBI, must ensure "real-time decryption by law
enforcement" and "prohibit[] cryptography that cannot meet the
Government standard."

The FBI conclusions stand in stark contrast to public assurances
that the government does not intend to prohibit the use of non-
escrowed encryption. Testifying before a Senate Judiciary
Subcommittee on May 3, 1994, Assistant Attorney General Jo Ann
Harris asserted that:

As the Administration has made clear on a number of occasions,
the key-escrow encryption initiative is a voluntary one; we
have absolutely no intention of mandating private use of a
particular kind of cryptography, nor of criminalizing the
private use of certain kinds of cryptography.

The newly-disclosed information suggests that the architects of
the key-escrow program -- NSA and the FBI -- have always recognized
that key-escrow must eventually be mandated. Coming to light on the
eve of the announcement of a "new" Administration policy, the FBI
documents raise significant questions as to the government's long-term
strategy on the cryptography issue.

Scanned images of several key documents are available via the
World Wide Web at

[4] EPIC Crypto Policy Web Pages Online

EPIC is now making available an extensive series of pages oncryptography policy. Each page highlights an area of controversy andprovides links to key documents. Materials include formerly secretgovernment documents obtained under FOIA by EPIC and CPSR, reportsfrom the Office of Technology Assessment, the General AccountingOffice and others on cryptography. Topics include:

o Efforts to ban cryptography o The Clipper Chip o The Digital Signature Standard o The Computer Security Act of 1987
The pages are available at More pages
will become available soon.

[5] Upcoming Privacy Related Conferences and Events

Advanced Surveillance Technologies. Sept. 4, 1995. Copenhagen,
Denmark. Sponsored by Privacy International and EPIC.

17th International Conference of Data Protection and PrivacyCommissioners. Copenhagen, Denmark. September 6-8, 1995. Sponsored bythe Danish Data Protection Agency. Contact Henrik Waaben, +45 33 14 3844 (tel), +45 33 13 38 43 (fax).

InfoWarCon '95. September 7-8, 1995. Arlington, VA. Sponsored by NCSAand OSS. Email:

Business and Legal Aspects of Internet and Online Services. Sept.
14-15. New York City. Sponsored by National Law Journal and New York
Law Journal. Contact: (800)888-8300, ext. 6111, or (212)545-6111.

The Good, the Bad, and the Internet: A Conference on Critical Issuesin Information Technology. October 7-8. Chicago, Ill. Sponsored byCPSR. Contact or
18th National Information Systems Security Conference. Oct. 10-13.
Baltimore, MD. Sponsored by NSA and NIST. Contact: 301-975-3883.

Managing the Privacy Revolution. Oct. 31 - Nov. 1, 1995. Washington,
DC. Sponsored by Privacy & American Business. Speakers include MikeNelson (White House) C.B. Rogers (Equifax) and Marc Rotenberg (EPIC).
Contact Alan Westin 201/996-1154.

22nd Annual Computer Security Conference and Exhibition. Nov. 6-8,
Washington, DC. Sponsored by the Computer Security Institute.
Contact: 415-905-2626.

Global Security and Global Competitiveness: Open Source Solutions.
Nov. 7-9. Washington, D.C. Sponsored by OSS. Contact: Robert

11th Annual Computer Security Applications Conference: Technicalpapers, panels, vendor presentations, and tutorials that address theapplication of computer security and safety technologies in the civil,
defense, and commercial environments. Dec. 11-15, 1995, New Orleans,
Louisiana. Contact Vince Reed at (205)890-3323 or

Computers Freedom and Privacy '96. March 27-30. Cambridge, Mass.
Sponsored by MIT, ACM and WWW Consortium. Contact or
Australasian Conference on Information Security and Privacy June24-26, 1996. New South Wales, Australia. Sponsored by AustralasianSociety for Electronic Security and University of Wollongong. Contact:
Jennifer Seberry (

(Send calendar submissions to

The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. To subscribe, send the message:

to You may also receive the Alert by reading theUSENET newsgroup

Back issues are available via orFTP/WAIS/Gopher/HTTP from /cpsr/alert/ and on Compuserve (GoNCSA), Library 2 (EPIC/Ethics).

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues relating to theNational Information Infrastructure, such as the Clipper Chip, theDigital Telephony proposal, medical record privacy, and the sale ofconsumer data. EPIC is sponsored by the Fund for ConstitutionalGovernment and Computer Professionals for Social Responsibility. EPICpublishes the EPIC Alert and EPIC Reports, pursues Freedom ofInformation Act litigation, and conducts policy research on emergingprivacy issues. For more information, email, WWW atHTTP:// or write EPIC, 666 Pennsylvania Ave., SE, Suite
301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. Computer Professionals for Social Responsibility is anational membership organization of people concerned about the impactof technology on society. For information contact:
If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "The Fund forConstitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003.

Your contributions will help support Freedom of Information Actlitigation, strong and effective advocacy for the right of privacy andefforts to oppose government regulation of encryption and funding ofthe National Wiretap Plan..

Thank you for your support.

END EPIC Alert 2.09

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback