****************************************************************** ////////////// ////////////// ////////////// /// /// /// /////// /////// /////// /// /// /// ////////////// /// /// ****************************************************************** EFFector Online Volume 5 No. 9 5/28/1993 editors@eff.org A Publication of the Electronic Frontier Foundation ISSN 1062-9424 502 lines -==--==--==-<>-==--==--==- In this issue: EFF Comments to NIST Computers, Freedom and Privacy Conference 1994 Summary of Rural Datafications Conference -==--==--==-<>-==--==--==- EFF Comments to the NIST (the National Institute of Standards and Technology: May 27, 1993 Before the COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD Technology Building, Room B-154 National Institute of Standards and Technology Gaithersburg, MD 20899 COMMENTS OF THE ELECTRONIC FRONTIER FOUNDATION Regarding Key Escrow Chip Cryptographic Technology and Government Cryptographic Policies and Regulations The Electronic Frontier Foundation (EFF) commends the Computer System Security and Privacy Advisory Board for offering the public the opportunity to comment on developments in cryptography and communications privacy policy. Recent Administration proposals, including use of the Clipper Chip and establishment of a government- controlled key escrow system, raise questions that cut to the core of privacy protection in the age of digital communication technology. The questions noted by the Advisory Board in its Notice of Open Meeting (58 FR 28855) reflect a broad range of concerns, from civil liberties to global competitiveness. The Digital Privacy and Security Working Group -- a cooperative effort of civil liberties organizations and corporate users and developers of communication technology which is chaired by the EFF -- has also submitted over one hundred questions to the Administration. (These questions are being submitted to the Advisory Board under separate cover on behalf of the Working Group.) That there are so many questions demonstrates the need for a comprehensive review of cryptography and privacy policy. We are encouraged that the Administration has expressed a willingness to undertake such a review. However, it has become clear that plans for rapid introduction of the Clipper Chip could unacceptably distort this important policy review. The Administration has made no secret of the fact that it hopes to use government purchasing power to promote Clipper as a de facto standard for encryption. With Clipper on the market, the policy process will be biased toward a long-term solution such as Clipper with key escrow. Moreover, the rush to introduce Clipper is already forcing a hasty policy review which may fail to provide adequate public dialogue on the fundamental privacy questions which must be resolved to reach a satisfactory cryptography policy. Based on the depth and complexity of questions raised by this review, EFF believes that no solution, with Clipper Chip or otherwise, should be adopted by the government until the comprehensive cryptography review initiated by the Administration is complete. EFF is a nonprofit, public interest organization whose public policy mission is to insure that the new electronic highways emerging from the convergence of telephone, cable, broadcast, and other communications technologies enhance free speech and privacy rights, and are open and accessible to all segments of society. In these comments, we will elaborate on questions 1, 2, and 3 listed in the Advisory Board's Notice. We offer these comments primarily to raise additional questions that must be answered during the course of the Administration's policy review. A. WILL PARTICULAR ENCRYPTION TECHNOLOGIES BE MANDATED OR PROSCRIBED?: A THRESHOLD QUESTION Unraveling the current encryption policy tangle must begin with one threshold question: will there come a day when the federal government controls the domestic use of encryption through mandated key escrow schemes or outright prohibitions against the use of particular encryption technologies? Is Clipper the first step in this direction? A mandatory encryption regime raises profound constitutional questions, some of which we will discuss below. So far, the Administration has not declared that use of Clipper will be mandatory, but several factors point in that direction: 1. Secrecy of the algorithm justified by need to ensure key escrow compliance: Many parties have already questioned the need for a secret algorithm, especially given the existence of robust, public-domain encryption techniques. The most common explanation given for use of a secret algorithm is the need to prevent users from by-passing the key escrow system proposed along with the Clipper Chip. If the system is truly voluntary, then why go to such lengths to ensure compliance with the escrow procedure? 2. How does a voluntary system solve law enforcement's problems? The major stated rationale for government intervention in the domestic encryption arena is to ensure that law enforcement has access to criminal communications, even if they are encrypted. Yet, a voluntary scheme seems inadequate to meet this goal. Criminals who seek to avoid interception and decryption of their communications would simply use another system, free from escrow provisions. Unless a government-proposed encryption scheme is mandatory, it would fail to achieve its primary law enforcement purpose. In a voluntary regime, only the law-abiding would use the escrow system. B. POLICY CONCERNS ABOUT GOVERNMENT-RUN KEY ESCROW SYSTEM Even if government-proposed encryption standards remain voluntary, the use of key escrow systems still raises serious concerns: 1. Is it wise to rely on government agencies, or government-selected private institutions to protect the communications privacy of all who would someday use a system such as Clipper? 2. Will the public ever trust a secret algorithm with an escrow system enough to make such a standard widely used? C. CONSTITUTIONAL IMPLICATIONS OF GOVERNMENT CONTROLS ON USE OF ENCRYPTION Beyond the present voluntary system is the possibility that specific government controls on domestic encryption could be enacted. Any attempt to mandate a particular cryptographic standard for private communications, a requirement that an escrow system be used, or a prohibition against the use of specific encryption algorithms, would raise fundamental constitutional questions. In order to appreciate the importance of the concerns raised, we must recognize that we are entering an era in which most of society will rely on encryption to protect the privacy of their electronic communications. The following questions arise: 1. Does a key escrow system force a mass waiver of all users' Fifth Amendment right against self-incrimination? The Fifth Amendment protects individuals facing criminal charges from having to reveal information which might incriminate them at trial. So far, no court has determined whether or not the Fifth Amendment allows a defendant to refuse to disclose his or her cryptographic key. As society and technology have changed, courts and legislatures have gradually adapted fundamental constitutional rights to new circumstances. The age of digital communications brings many such challenges to be resolved. Such decisions require careful, deliberate action. But the existence of a key escrow system would have the effect of waiving this right for every person who used the system in a single step. We believe that this question certainly deserves more discussion. 2. Does a mandatory key escrow system violate the Fourth Amendment prohibition against "unreasonable search and seizure"? In the era where people work for "virtual corporations" and conduct personal and political lives in cyberspace, the distinction between communication of information and storage of information is increasingly vague. The organization in which one works or lives may constitute a single virtual space, but be physically dispersed. So, the papers and files of the organization or individual may be moved within the organization by means of telecommunications technology. Until now, the law of search and seizure has made a sharp distinction between, on the one hand, seizures of papers and other items in a person's physical possession, and on the other hand, wiretapping of communications. Seizure of papers or personal effects must be conducted with the owner's knowledge, upon presentation of a search warrant. Only in the exceptional case of wiretapping, may a person's privacy be invaded by law enforcement without simultaneously informing the target. Instantaneous access to encryption keys, without prior notice to the communicating parties, may well constitute a secret search, if the target is a virtual organization or an individual whose "papers" are physically dispersed. Under the Fourth Amendment, secret searches are unconstitutional. 3. Does prohibition against use of certain cryptographic techniques infringe individuals' right to free speech? Any government restriction on or control of speech is to be regarded with the utmost scrutiny. Prohibiting the use of a particular form of cryptography for the express purpose of making communication intelligible to law enforcement is akin to prohibiting anyone from speaking a language not understood by law enforcement. Some may argue that cryptography limitations are controls on the "time, place and manner" of speech, and therefore subject to a more lenient legal standard. However, time, place and manner restrictions that have been upheld by courts include laws which limit the volume of speakers from interfering with surrounding activities, or those which confine demonstrators to certain physical areas. No court has ever upheld an outright ban on the use of a particular language. Moreover, even a time, place and manner restriction must be shown to be the "least restrictive means" of accomplishing the government's goal. It is precisely this question -- the availability of alternatives which could solve law enforcement's actual problems -- that must be explored before a solution such as Clipper is promoted. D. PUBLIC PROCESS FOR CRYPTOGRAPHY POLICY As this Advisory Board is well aware, the Computer Security Act of 1987 clearly established that neither military nor law enforcement agencies are the proper protectors of personal privacy. When considering the law, Congress asked, "whether it is proper for a super-secret agency [the NSA] that operates without public scrutiny to involve itself in domestic activities...?" The answer was a clear "no." Recent Administration announcements regarding the Clipper Chip suggest that the principle established in the 1987 Act has been circumvented. For example, this Advisory Board was not consulted with until after public outcry over the Clipper announcements. Not only does the initial failure to consult eschew the guidance of the 1987 Act, but also it ignored the fact that this Advisory Board was already in the process of conducting a cryptography review. As important as the principle of civilian control was in 1987, it is even more critical today. The more individuals around the country come to depend on secure communications to protect their privacy, the more important it is to conduct privacy and security policy dialogues in public, civilian forums. CONCLUSION The EFF thanks the Advisory Board for the opportunity to comment on these critical public policy issues. In light of the wide range of difficult issues raised in this inquiry, we encourage the Advisory Board to call on the Administration to delay the introduction of Clipper-based products until a thorough, public dialogue on encryption and privacy policy has been completed. Respectfully Submitted, Electronic Frontier Foundation Jerry Berman Executive Director jberman@eff.org Daniel J. Weitzner Senior Staff Counsel djw@eff.org -==--==--==-<>-==--==--==- Computers, Freedom and Privacy '94 Announcement The fourth annual conference, "Computers, Freedom, and Privacy," will be held in Chicago, Il., March 23-26, 1994. This conference will be jointly sponsored by the Association for Computing Machinery (ACM) and The John Marshall Law School. George B. Trubow, professor of law and director of the Center for Informatics Law at John Marshall, is general chairman of the conference. The series began in 1991 with a conference in Los Angeles, and subsequent meetings took place in Washington, D.C., and San Francisco, in successive years. Each conference has addressed a broad range of issues confronting the "information society" in this era of the computer revolution. The advance of computer and communications technologies holds great promise for individuals and society. From conveniences for consumers and efficiencies in commerce to improved public health and safety and increased knowledge of and participation in government and community, these technologies are fundamentally transforming our environment and our lives. At the same time, these technologies present challenges to the idea of a free and open society. Personal privacy is increasingly at risk from invasions by high-tech surveillance and monitoring; a myriad of personal information data bases expose private life to constant scrutiny; new forms of illegal activity may threaten the traditional barriers between citizen and state and present new tests of Constitutional protection; geographic boundaries of state and nation may be recast by information exchange that knows no boundaries as governments and economies are caught up in global data networks. Computers, Freedom, and Privacy '94 will present an assemblage of experts, advocates and interested parties from diverse perspectives and disciplines to consider the effects on freedom and privacy resulting from the rapid technological advances in computer and telecommunication science. Participants come from fields of computer science, communications, law, business and commerce, research, government, education, the media, health, public advocacy and consumer affairs, and a variety of other backgrounds. A series of pre-conference tutorials will be offered on March 23, 1994, with the conference program beginning on Thursday, March 24, and running through Saturday, March 26, 1994. The emphasis in '94 will be on examining the many potential uses of new technology and considering recommendations for dealing with them. "We will be looking for specific suggestions to harness the new technologies so society can enjoy the benefits while avoiding negative implications," said Trubow. "We must manage the technology, or it will manage us," he added. Trubow is putting out a call for papers or program suggestions. "Anyone who is doing a paper relevant to our subject matter, or who has an idea for a program presentation that will demonstrate new computer or communications technology and suggest what can be done with it, is invited to let us know about it." Any proposal must state the title of the paper or program, describe the theme and content in a short paragraph, and set out the credentials and experience of the author or suggested speakers. Conference communications should be sent to: CFP'94 John Marshall Law School 315 S. Plymouth Ct. Chicago, IL 60604 (Voice: 312-987-1419; Fax: 312-427-8307; E-mail: CFP94@jmls.edu) Trubow anticipates that announcement of a student writing competition for CFP'94 will be made soon, together with information regarding the availability of a limited number of student scholarships for the conference. Trubow said, "I expect the organizational structure for CFP'94, including the designation of program committees, to be completed by about the first of August, to allow plenty of time for the development of a stimulating and informative conference." The venerable Palmer House, a Hilton hotel located at the corner of State Street and Washington Ave. in Chicago's "loop," and only about a block from the John Marshall Law School buildings, will be the conference headquarters. Room reservations should be made directly with the hotel, mentioning John Marshall Law School or "CFP'94" to get the special conference rate of $99.00, plus tax. The Palmer House Hilton 17 E. Monroe., Chicago, Il., 60603 Tel: 312-726-7500; 1-800-HILTONS; Fax 312-263-2556 -==--==--==-<>-==--==--==- Preliminary Report -- Rural Datafication Conference Chicago, May 13 & 14, 1993 Over 200 hundred people from all over the United States and Canada gathered in Chicago last week to participate in _Rural Datafication: achieving the goal of ubiquitous access to the Internet_. The conference was sponsored by CICNet and nine cooperating state communications networks or organizations: NetILLINOIS, INDNet, IREN, MichNet, MRNet, NYSERNet, PREPnet, WiscNet, and WVNET. Two of the represented states (Minnesota and Indiana) took the opportunity to caucus among themselves to further define their own activities. The program began Thursday afternoon with hosted discussion groups intended to discover where we could make improvements in networked information services. Then a panel described current successful projects in British Columbia (Roger Hart), North Dakota (Dan Pullen), Montana (Frank Odasz), Washington, Alaska, and Oregon (Sherrilynne Fuller), Pennsylvania (Art Hussey), and Massachusetts (Miles Fidelman). Questions from the panel and the audience would have kept the room filled far into the night had the moderator not sent everyone out to dinner. The next morning's sessions featured knowledgeable speakers open to interaction with the other conference attendees. Mike Staman set the stage. He was followed by Ross Stapleton who spoke about recognizing that our government is also not well-networked; by Simona Nass who spoke about some of the legal and policy issues of networked communities; by Anthony Riddle who spoke about how the networked information community could build from the experiences of the community access television people; and by George Baldwin who spoke about using networked information to preserve Native American cultures. Rick Gates finished up the morning with a presentation that described his efforts to teach information discovery on the nets using play. The afternoon session featured reports from the hosted discussion groups on agriculture, on health care and health education, on libraries, on post-secondary education, on community and government information, and on K-12 education. Joel Hartman of Bradley University and netILLINOIS moderated. The interaction among the attendees and between and with the speakers and panelists brought the most benefit, according to some attendees. The attendees recognized that we haven't quite figured out how to solve the extensive problems that bar network access to all but they are excited about continuing to identify and work on removing the barriers. A number suggested that the meeting should actually be the first Rural Datafication Conference and offered to host and/or organize the anticipated follow-on meeting next year. Many offered format and speaker suggestions for that meeting and look forward to the anticipated proceedings from the conference which CICNet expects to publish. CICNet is working on a summary of the meeting and working to build a gopher/ftp-archive and printed version of the meeting. We'll announce the availability of those versions as soon as we can. Thanks to all the participants for a successful meeting and to all of you who have expressed interest but couldn't come. ____________________________ Glee Harrah Cady, Manager, Information Services, CICNet 2901 Hubbard, Ann Arbor, MI 48105 +1.313.998.6419 glee@cic.net ============================================================= EFFector Online is published by The Electronic Frontier Foundation 666 Pennsylvania Ave. SE Suite 303 Washington, DC 20003 USA Phone: +1 202 544 9237 FAX: +1 202 547 5481 Internet Address: eff@eff.org Coordination, production and shipping by Cliff Figallo, EFF Online Communications Coordinator (fig@eff.org) Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the view of the EFF. To reproduce signed articles individually, please contact the authors for their express permission. *This newsletter is printed on 100% recycled electrons* ============================================================= MEMBERSHIP IN THE ELECTRONIC FRONTIER FOUNDATION In order to continue the work already begun and to expand our efforts and activities into other realms of the electronic frontier, we need the financial support of individuals and organizations. If you support our goals and our work, you can show that support by becoming a member now. Members receive our bi-weekly electronic newsletter, EFFector Online (if you have an electronic address that can be reached through the Net), and special releases and other notices on our activities. But because we believe that support should be freely given, you can receive these things even if you do not elect to become a member. Your membership/donation is fully tax deductible. Our memberships are $20.00 per year for students and $40.00 per year for regular members. You may, of course, donate more if you wish. Our privacy policy: The Electronic Frontier Foundation will never, under any circumstances, sell any part of its membership list. We will, from time to time, share this list with other non-profit organizations whose work we determine to be in line with our goals. But with us, member privacy is the default. This means that you must actively grant us permission to share your name with other groups. If you do not grant explicit permission, we assume that you do not wish your membership disclosed to any group for any reason. ============================================================= Mail to: Membership Coordinator The Electronic Frontier Foundation 666 Pennsylvania Ave. SE Suite 303 Washington, DC 20003 USA I wish to become a member of the EFF. I enclose: $_______ I wish to renew my membership in the EFF. I enclose: $_______ $20.00 (student or low income membership) $40.00 (regular membership) [ ] I enclose an additional donation of $_______ Name: Organization: Address: City or Town: State: Zip: Phone: ( ) (optional) FAX: ( ) (optional) Email address: I enclose a check [ ]. Please charge my membership in the amount of $ to my Mastercard [ ] Visa [ ] American Express [ ] Number: Expiration date: Signature: ________________________________________________ Date: I hereby grant permission to the EFF to share my name with other non-profit groups from time to time as it deems appropriate [ ]. Initials:___________________________ --