April 15, 1997

ENCRYPTION KEY RECOVERY: PRIVACY DRAINS AWAY

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—On March 12, 1997, the Clinton Administration proposed a bill to set up a national encryption system. A significant departure from the Administration’s earlier Clipper proposal, this one is even more detrimental to individual privacy and weighted toward letting government officials have free access to our communications.

The Clinton Administration has earned a poor reputation among civil libertarians, particularly due to the various immigration, anti-terrorism, and wiretapping legislation it has championed over the years. Its latest foray, the proposed “Key Recovery Draft Legislation,” will unfortunately cause appraisals to plunge even further.

The thrust of the proposal is to force users who want to participate in the modern digital communications age—ordering goods and services online, exchanging information with friends and associates over email, even using cellular phones—to keep the keys to any encryption system they use in the hands of Trusted Third Parties, who will in turn hand over these keys to the government on demand. So far, the new proposal is like Clipper. Unlike Clipper, however, a court order is no longer required before a law enforcement official can obtain a key. Instead, any of the following may be used:

The Attorney General, as well as state officials, are thus being given enormous decision-making power over whose communications can be read. We would not even know if our email or phone calls are being intercepted, because the Trusted Third Party is prohibited from telling us. Given the long history of illegal government espionage—from COINTELPRO and Watergate through the Clinton Administration’s own embarrassment at admitting that it obtained unauthorized access to FBI files on hundreds of political figures—the proposed bill is not designed to make anyone feel at ease.

Encryption is going to be increasingly important as Americans move more and more of our communications to the Internet or other digital networks. Even without believing the rosy predictions of the futurists, you can expect to be sending credit card numbers or even digital cash across the wire, as well as sensitive communications to friends and business associates. You wouldn’t be too happy if somebody impersonated you to make a false order, or stole critical secrets. These things do happen, however, and to minimize their success we will all be moving more to encrypting our messages.

But if the Clinton Administration gets its way, there’s one potential enemy you won’t be able to keep out of your communications: the government.

The federal government has been trying to enforce the right to wiretap for a long time. In 1994 it succeeded in passing a Communications Assistance to Law Enforcement Act—first proposed by the Bush Administration—that requires digital telephone equipment to be built to allow wiretapping. The current campaign around key recovery goes back four years to the first Clipper proposal in April, 1993. Clipper suffered from many technical problems, including an actual bug in the algorithm that would have permitted snoopers to break the keys. So the Administration is taking a big step backward in its current proposal, guaranteeing the right to use “any encryption, regardless of the encryption algorithm selected.” Clipper may still reappear, of course, as their suggested method.

Never has the Administration tried to outlaw any forms of encryption that fail to meet its key recovery criteria. Outlawing them would be impossible, because there is no way a law enforcement agent can tell whether a stream of binary nonsense is an encrypted communication. It might be a new graphic or audio file format, or an executable file for a system with which the agent is unfamiliar. Users can avoid even the suspicion of using encryption by burying a message in scattered bits of, say, an innocuous graphic (a time-honored technique called steganography).

A more successful Administration plan would be to make their preferred form of encryption a de facto standard. They can do this by requiring it for all communications involving the government. Hence the clause of the new bill requiring manufacturers to label their encryption products to indicate “whether such products are authorized for use in transactions with the United States Government.”

So you may someday find your access to encryption limited simply by what is offered to you by the email software or telephone you buy off the shelf for $20. And all of us will lose the right to say what we want in safety and secrecy.


Editor, O’Reilly Media