EPIC Alert 3.10 (21 May 1996)
Volume 3.10 May 21, 1996
Published by the
Electronic Privacy Information Center
Table of Contents
 Clipper III
 Senator Burns Criticizes New Clipper Proposal
 House Members Urge Clinton to Abandon Key-Escrow
 Federal Appeals Court to Review Crypto Export Controls
 OECD Debates Crypto Policy
 FBI Releases Digital Telephony Wiretap Report
 New Privacy Resources at EPIC.org and on the Net
 Upcoming Conferences and Events
A new report from an administration working group calls for the establishment of an international infrastructure for key escrow encryption,
called "KMI" or Key Management Infrastructure. The goal of KMI is similar to the original Clipper plan, but is more far-reaching and
potentially more damaging to privacy and security on the Internet.
The report contends (as did earlier proposals for other products in the Clipper family) that KMI is necessary to protect public safety
and national security. The report also argues for an international key-sharing plan. The government offers the gradual relaxation of export
controls in exchange for a commitment from industry to build in key escrow capability.
The proposal suggests that:
-- Export controls will be relaxed where the keys are escrowed in the United States or the U.S. has a government-to-government key
escrow agreement with the country of destination.
-- Self-escrow will be an "acceptable" option for large corporations,
but independent, government-certified escrow authorities may still be necessary for other organizations.
The proposal clearly requires regulation of encrypted communications.
According to the report, a strong key management infrastructure "can be based on a voluntary system of commercial Certificate Authorities
*operating within prescribed policy and performance guidelines.*"
(Emphasis added) The CAs will be certified by a Policy Approving Authority (PAA) -- presumably the government -- which "sets rules
and responsibilities for ensuring the integrity of the CAs" and "is also responsible for setting CA performance criteria to meet law
The proposal concludes with a six-part action plan:
1. Collaborate with industry and standards groups to develop a Key Management Infrastructure
2. Develop a FIPS (Federal Information Processing Standard) for encryption protocol, key exchange and digital signature that would
be "mandatory for government use"
3. Develop a Security Management Infrastructure for government use to develop a market for products that support the new FIPS
4. Select a government agency to work with industry to develop security requirements for network security and protecting highly sensitive information
5. Develop legislation for a key management infrastructure that would set policies for escrowed keys, certificate authorities, and address civil
6. Develop arrangements with other countries for key sharing
The proposal has been dubbed "Clipper III," a reference to earlier attempts by the Administration to promote key escrow encryption.
In the first iteration, the government would have held the keys for all encoded communications. In the current version, the government establishes
and certifies key escrow procedures. In several respects the proposal is also broader than the original Clipper plan. KMI, as conceived
by the government, will be a worldwide standard for network communication.
The report is also noteworthy for the issues it does not address.
Nothing is said about the reported problems and cost overruns with the government's current key escrow program, the Defense Message System.
No attention is given to the increased vulnerability of network communication that will result from KMI or the threat to privacy and security.
No mention is made of the relative ease with which determined attackers will defeat the plan.
EPIC urges members of the net community to contact the Interagency Working Group on Cryptography Policy, Room 10236, New Executive
Office Building, Washington, D.C. 20503, and urge the Working Group to drop this idea. Clipper and key-escrow just look worse as time
The complete report is now available at the EPIC web site:
As with the original Clipper Chip proposal in 1993, the new administration policy paper on encryption has drawn a quick reaction from
Congress. Senator Conrad Burns (R-MT) sharply criticized the new White House key-escrow proposal, stating "It's three strikes and you're
out at the old ball game and I would say the third version of the administration's Clipper Chip proposal is a swing and a miss."
Echoing a long-standing criticism of the key-escrow concept, Sen.
Burns went on to say:
We can only stick our heads in the sand for so long.
It is important to point out that the criminals and trouble-makers who are apparently targets of this plan are unlikely
to enroll in any key-escrow system.
Law-abiding businesses and individuals would suffer at the hands of this misguided proposal.
Sen. Burns is the author of S. 1726, the "Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act," which would relax export controls
on software and hardware with encryption capabilities and would prohibit mandatory key-escrow. Sen. Burns urged Congress to quickly
enact the Pro-CODE legislation. Hearings on the legislation are tentatively scheduled for June.
A copy of the Burns press release is available at:
More information on S. 1726 is available at:
And there's more congressional criticism of the Administration's encryption policies. In a letter to President Clinton dated May 15,
a bi-partisan group of 27 House members said, "We are writing to ask you not to proceed with your Administration's key escrow encryption
policy proposal and instead to immediately liberalize export controls on non-key escrow encryption programs and products."
The group, which represents a diverse cross-segment of the House,
ranging from Rep. Barney Frank (D-MA) to Rep. Bob Barr (R-GA), wrote:
We share the concerns of a wide range of businesses and privacy interests that a key escrow approach will not adequately
address security concerns. The ability of companies and individuals to ensure that the information they send over communications
and computer networks is secure is a prerequisite to exploiting the potential of the Global Information Infrastructure.
For example, U.S. small businesses are beginning to harness the Internet to enter foreign markets. The Internet in effect
lowers the barriers to entry for these companies. But they will not be able to rely on the Internet if their information
is not secure.
The House members cited the findings of the Computer Systems Policy Project, which estimates that "unless the U.S. relaxes out-of-date export
controls, the U.S. technology industry will lose $60 billion in revenues and 200,000 jobs by the year 2000."
A copy of the House members' letter is available at:
The courts, as well as Congress, are beginning to examine Executive branch policies on encryption. Privacy activist Phil Karn has
filed an appeal with the U.S. Court of Appeals for the D.C. Circuit that challenges the constitutionality of export controls on cryptography.
In February 1994, Karn applied for a license to export cryptographer Bruce Schneier's book "Applied Cryptography." The State Department approved
the license but, shortly thereafter, denied Karn's request for a license to export a disk set which contained text files of different
cryptographic algorithms that were printed in the book.
Karn filed suit, claiming that the denial violated the Administrative Procedures Act and the First and Fifth Amendments to the Constitution.
In March, the federal district court rejected his claims.
The recently filed appeal will trigger a rare appellate court examination of Administration encryption policy, including review of the
lower court's determination that Karn's case presents a "political question for the two elected branches" to decide. The D.C. Circuit will
also review Karn's First Amendment claim, which the lower court rejected on the ground that the restrictions were "content neutral"
because the government is "not regulating the export because of the expressive content of the comments and or source code, but instead [is]
regulating because of the belief that the combination of encryption source code on machine readable media will make it easier for foreign
governments to encode their communications."
In an order dated May 17, the D.C. Circuit granted EPIC's motion for leave to file a "friend of the court" brief in support of Karn's claims.
More information on the case is available at:
The Organization for Economic Cooperation and Development met in Washington, DC on May 8 to discuss the development of international guidelines
for encryption policy. The meeting follows a February conference in Canberra, Australia where the OECD first explored encryption issues.
The Paris-based organization had previously produced well-regarded policy guidelines for privacy (1981) and information security (1992).
However, the effort to develop encryption guidelines has been criticized by some member nations who believe that law enforcement concerns
are being placed ahead of economic matters. Several OECD countries have also raised concerns about the legal and Constitutional implications
of key escrow encryption, which is favored by the United States and the United Kingdom. Japan, for example, has a Constitutional prohibition
against wiretapping. There is also the matter of whether the actual needs of consumers, users of the Internet, and privacy implications
of the proposal have received adequate consideration.
The OECD will meet again in June to discuss the policy further. It seems unlikely at this time that the member nations of the OECD
will agree to an international encryption policy based on key escrow.
More information about OECD crypto policy may be found at:
The Federal Bureau of Investigation has finally released its long-overdue report on implementation of the controversial "digital telephony"
wiretap statute. The report, which the FBI was legally required to release by November 30, 1995, was transmitted to Congress on April
11, 1996. EPIC had made several congressional inquiries concerning the FBI's failure to comply with the statutory reporting requirement.
The bottom line: the digital telephony program is broke, which may explain the Bureau's tardiness in issuing the report. When Congress enacted
the Communications Assistance to Law Enforcement Act (CALEA)
in late 1994, it authorized $500 million to reimburse telecommunications carriers for the cost of retro-fitting their networks to facilitate
electronic surveillance. Since that time, EPIC has led an effort to block the actual appropriation of those funds.
To date, Congress has declined to make the money available. As the FBI report notes,
No funding was appropriated in Fiscal Year 1995 for CALEA; therefore, no payments were made to telecommunications
carriers during the period October 1, 1994,
through September 30, 1995 ...
To date, no funding has been appropriated for Fiscal Year 1996 for payments to telecommunications carriers. ...
Major switch manufacturers, upon whom telecommunications carriers must rely for most required technological solutions,
have advised the FBI that timely development of interception features is technically feasible; however,
the development and deployment of such features are directly dependent upon the availability of funding if the statutory
deadlines are to be met.
The wiretap budget battle will continue. The FBI is still trying to gain approval of $100 million for FY 1996, "to be generated through
a surcharge on civil fines and penalties." The report also notes that "the President's Fiscal Year 1997 budget request proposes $100
million in funding for telephone carrier compliance through a direct appropriation."
More information on digital telephony and wiretapping is available at:
A full set of trial transcripts from the CDA trial are now available at:
Human Rights Watch has released a paper titled "Silencing the Net: The Threat to Freedom of Expression On-line" on restrictions on
free speech and privacy online.
The Data Protection Commissioner of the Isle of Man -- information on Manx privacy law and guidelines.
InfoWarCon (Europe) '96, Defining the European Perspective. May 23-24,
1996. Brussels, Belgium. Sponsored by the National Computer Security Association. Contact: euroinfowar@ncsa.com.
Consumer Privacy on the Global Information Infrastructure. June 4-5,
1996. Washington, DC. The Federal Trade Commission's Bureau of Consumer Protection. Contact Martha Landesberg (202) 326-2825 or mlandesberg@ftc.gov.
Practicing Law Institute's 16th Annual Institute on Computer Law:
Understanding the Business and Legal Aspects of the Internet, June 17-18, 1996, San Francisco. info@pli.edu for info
or call 800/4770300.
Personal Information - Security, Engineering and Ethics. 21-22 June,
1996. Isaac Newton Institute, Cambridge. Sponsored by Cambridge University and British Medical Association. Paper submission due 10
May 1996. Contact: Ross Anderson (rja14@newton.cam.ac.uk).
Australasian Conference on Information Security and Privacy. June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society
for Electronic Security and University of Wollongong.
Contact: Jennifer Seberry (jennie@cs.uow.edu.au).
The Internet: Transforming our Society Now. 25-28 June 1996. Montreal Convention Center, Montreal (Quebec), Canada. The Internet Society.
Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St.
John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181 423 1300 (tel), +44 181 423 4536 (fax).
DEF CON IV. July 26-28. Las Vegas, NV. Annual Hacker Convention.
Contact: dtangent@defcon.org or http://www.defcon.org/.
Surveillance Expo 96. August 19-21. McLean, Virginia. Sponsored by Ross Associates. Contact: Marilyn Roseberry 703-450-2200.
Fifth International Information Warfare Conference, "Dominating the Battlefields of Business and War", September 5-6, 1996.
Washington, DC. Sponsored by Interpact, NCSA, OSS. Contact:
Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 16, 1996. Ottawa, Canada. Contact:
http://www.privacy.org/pi/conference/ottawa/ or email pi@privacy.org.
18th International Conference of Data Protection and Privacy Commissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by the
Privacy Commissioner of Canada.
(Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes).
Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony
proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit
organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom
of Information Act litigation, and conducts policy research.
For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks should
be made out to "The Fund for Constitutional Government" and sent to EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act and First
Amendment litigation, strong and effective advocacy for the right of
privacy and efforts to oppose government regulation of encryption and
funding of the National Wiretap Plan.
Thank you for your support.