CyberWire Dispatch // Copyright (c) 1998 //

Jacking in from the "Recurring Nightmare" Port:


Shadow Cryptocrats
by Declan McCullagh
Special to CyberWire Dispatch

WASHINGTON, DC, 2/24/98 -- What happens when the irresistible force of American business collides with the immovable object of the U.S. federal government? (a) A committee is formed; (b) corporations find out they're not so irresistible after all; (c) all of the above.

Answer: (c). A new presidential advisory panel met yesterday for the first time to wrestle with Washington's most intractable problem: encryption. The 20-person Export Council Encryption Subcommittee represents banks and credit card companies, technology firms, police associations, and nonprofit groups. All members have received security clearances, and some future meetings will be closed to the public.

This must seem like a recurring nightmare to privacy advocates, who previously have mustered favorable reports on crypto-regulation. First, back in 1994, USACM published a study called "Codes, Keys, and Conflicts." Two years later, the National Research Council released the "CRISIS" report, commissioned by Congress. Last year a phalanx of cryptographers published their findings on "key recovery" encryption backdoors. Just about everyone pointed out problems with the Clinton-Gore administration's current restrictions on overseas shipments of crypto-not to mention the FBI's itch to ban unapproved encryption software at home. So why do we need yet another commission-especially one the government estimates will cost taxpayers at least $35,000 a year?

One explanation seems obvious: government cryptocrats want the subcommittee to justify existing restrictions on encryption. That accounts for the presence of the police in the group: the University of Texas' top cop, the chief of the Michigan State Police, the president of the National Sheriffs' Association. If you've been playing without a scorecard, remember the Sheriffs' Association wants not just export controls, but domestic controls too. Last September they urged a House committee to require crypto products to permit "immediate access" to "the plaintext of communications or electronic information encrypted by such product without the knowledge or cooperation of the person using such product." (That particular committee rejected the plan, but the full House has yet to vote.)

Some of the firms selected also endorse restrictions. Trusted Information Systems recently circulated a policy paper calling for "sensible" legislation to "make the export of 56-bit current interim DES controls permanent and permit the export of stronger encryption when it is combined with a key recovery system." (Which, coincidentally, TIS is happy to sell you...)

A letter that Commerce Department undersecretary William Reinsch sent to subcommittee members on February 13 and obtained by Dispatch says: "We look to the experience and knowledge of the subcommittee members in helping us develop ways to maintain efficient and effective export controls in an ever-changing global marketplace."

"Maintain export controls?" Ouch. No wonder most of the businesses on the subcommittee seemed a bit skittish during its kickoff meeting yesterday. What were they getting themselves into? Some members told Dispatch privately they'd consider resigning in protest if the group veered too far in the wrong direction.

Much of the meeting was procedural. Boring stuff, like deciding how often the subcommittee would meet. Setting up a mailing list for members. Organizing a teleconference or two.


No Political Will

Maybe nobody wanted to seem antagonistic. Maybe nobody wanted to get kicked off the subcommittee. Maybe the companies had visions of the Commerce folks surreptitiously putting their export licenses on hold. Whatever the reason, everyone danced a nimble flamenco around the real issue: current restrictions on export of encryption products really fuck over businesses. Not only does it cost a bundle to add key recovery features, but other countries generally don't have such rules. The silence on this point was deafening.

The only time sparks flew was when Citibank wondered where the White House stood. "Mandatory key escrow is not the administration's policy," Commerce's Reinsch harrumphed. Stephen Katz, Citibank's chief information security officer, responded by saying you can see the FBI's Louis Freeh demanding just that from Congress when you "turn on C-SPAN." Reinsch shot back: "You believe everything you see on television?"

Katz shut up. He shouldn't have. After all, FBI directors are rarely joking when they demand legislation from Congress. Freeh spent much of last year demanding a ban on programs like PGP. He told Congress in September that the Feds must "have an immediate lawful decryption of the communications in transit or the stored data. That could be done in a mandatory manner. It could be done in an involuntary manner. But the key is that we have the ability." FBI Deputy Director Bob Bryant echoed him last month, and the bureau has offered even more ominous warnings behind closed doors.

Soon the export subcommittee members will enjoy their very own clandestine sessions. A "regulations and procedures" memo sent to members says that "you will also receive a security briefing." It warns not to "reveal classified information imparted to you... you should not make written notes of classified discussions. You should report any attempt to obtain classified information from you."

One bit of information the government didn't mind releasing in public came from Bruce McConnell, a longtime cryptocrat from the Office of Management and Budget. He explained to the subcommittee how federal agencies are testing out "key recovery" and "key escrow" pilot projects. "We asked them if you have business applications" and "would you like to participate?" McConnell said.

One of the agencies that signed up was the Customs Service. It wants to speed the processing of trucks driving across the border. "Once the truck leaves Canada, the manifest is transmitted to Customs in encrypted form," McConnell said. Other agencies dipping a toe in the key recovery waters include the Patent and Trademark Office, the Social Security Administration, and the Small Business Administration.

Now, keep in mind why the government needs to launch these so-called pilots... Imagine, hypothetically, that the FBI wants Americans to buy, say, pens that transmit everything written to the Feds. The FBI claims this will reduce terrorism, and promises agents will follow lawful procedure when they want to read what you're writing.

Problem is, nobody buys the pens. A nettled FBI resorts to coercing federal agencies to purchase them. The government also requires that anyone submitting forms to the government (and a lot of people are required to submit forms to the government) write with 'em. The goal, then, is twofold: to work the bugs out of the system, and to get people buying the "key recovery pens"-whether anyone really wants to or not.

Add the Commerce Department, of all places, to the list of agencies that really would rather not deal with key recovery. (Yes, this is the same agency that has been ramming it down the throats of software companies.) Recently it found out firsthand the headaches involved in setting it up. In an email message rich with irony, Bureau of Export Administration webmaster Bill Sargent pleaded with the Net for help with key recovery:

"I am working on a project to provide for the internet submission of Export License Applications for the Bureau of Export Administration here at the Department of Commerce. I am trying to gather as much knowledge as possible in the area of key recoverable encryption... we want to make our system easy and as transparent as possible for the user while also safeguarding the business proprietary information being provided and making sure that we meet the Administration's desire to have the encrypted information be key recoverable by Federal law enforcement agencies."

I asked Sargent why he needed to use a complicated key recovery system when he could just keep a copy of the Commerce Department's private key in a safe instead. He replied, "The administration policy is that encryption should be key recoverable. BXA is one of the administration's spokesmen in that regard. Therefore we would be hard pressed to tell industry to 'Do as we say not as we do!'"

Just so. Another person chatting with industry groups is John Podesta, deputy chief of staff and former Clinton privacy and telecom aide. He took time out from dealing with subpoenas from Ken Starr and dropped by the subcommittee meeting yesterday. "We've been meeting over the last couple months to reenergize our effort to have a real dialogue" with "all the industry segments," Podesta said.

For their part, "industry segments" have been busily organizing the Alliance for Computer Privacy, which they hope will muster enough support on Capitol Hill to lift export controls. Next steps happen when Congress revisits crypto. This could take place as soon as next month in the Senate.

Stay tuned. It's your lock, but the Feds have a jones for your key...

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Declan McCullagh (declan@well.com) is the Washington correspondent for TIME's The Netly News. Read more of his reports on encryption at (http://www.well.com/~declan/politech/)


Copyright © 1998 CyberWire Dispatch / Brock N. Meeks <brock@well.com>