Jerry J. Berman, Executive Director Electronic Frontier Foundation
Committee on Science, Space and Technology
Subcommittee on Technology, Environment and Aviation
U.S. House of Representatives
Communications and Computer Surveillance, Privacy and Security
May 3, 1994

Mr. Chairman and Members of the Committee:

I want to thank you for the opportunity to testify today on communications and computer surveillance, privacy, and security policy. The Electronic Frontier Foundation (EFF) is a public interest membership organization dedicated to achieving the democratic potential of new communications and computer technology and works to protect civil liberties in new digital environments. EFF also coordinates the Digital Privacy and Security Working Group (DPSWG), a coalition of more than 50 computer, communications, and public interest organizations and associations working on communications privacy issues. The Working Group has strongly opposed the Administration's clipper chip and digital telephony proposals. EFF is especially pleased that this subcommittee has taken an interest in these issues. It is our belief that Administration policy developed in this area threatens individual privacy rights, will thwart the development of the information infrastructure, and does not even meet the stated needs of law enforcement and national security agencies. A fresh and comprehensive look at these issues is needed.
I. Background on digital privacy and security policy

From the beginning of the 1992 Presidential campaign, President Clinton and Vice President Gore committed themselves to support the development of the National Information Infrastructure. They recognize that the "development of the NII can unleash an information revolution that will change forever the way people live, work, and interact with each other." They also know that the information infrastructure can only realize its potential if users feel confident about the security measures available. If allowed to reach its potential, this information infrastructure will carry vital personal information, such as health care records, private communications among friends and families, and personal financial transactions. The business community will transmit valuable information such as plans for new products, proprietary financial data, and other strategic communications. If communications in the new infrastructure are vulnerable, all of our lives and businesses would be subject to both damaging and costly invasion. In launching its Information Infrastructure Task Force (IITF) the Clinton Administration recognized this when it declared that:
The trustworthiness and security of communications channels and networks are essential to the success of the NII.... Electronic information systems can create new vulnerabilities. For example, electronic files can be broken into and copied from remote locations, and cellular phone conversations can be monitored easily. Yet these same systems, if properly designed, can offer greater security than less advanced communications channels. [Agenda for Action, 9]

Cryptography -- technology which allows encoding and decoding of messages -- is an absolutely essential part of the solution to information security and privacy needs in the Information Age. Without strong cryptography, no one will have the confidence to use networks to conduct business, to engage in commercial transactions electronically, or to transmit sensitive personal information. As the Administration foresees, we need
network standards and transmission codes that facilitate interconnection and interoperation between networks, and ensure the privacy of persons and the security of information carried.... [Agenda for Action, 6]

While articulating these security and privacy needs, the Administration has also emphasized that the availability of strong encryption poses challenges to law enforcement and national security efforts. Though the vast majority of those who benefit from encryption will be law abiding citizens, some criminals will find ways to hide behind new technologies.
II. Current cryptography policy fails to meet the needs of the growing information infrastructure

As a solution to the conflict between the need for user privacy and the desire to ensure law enforcement access, the Administration has proposed that individuals and organizations who use encryption deposit a copy of their private key -- the means to decode any communications they send -- with the federal government. In our view, this is not a balanced solution but one that undermines the need for security and privacy without resolving important law enforcement concerns. It is up to the Congress to send the Administration back to the drawing board.
A. Current Export Controls and New Clipper Proposal Stifle Innovation

Two factors are currently keeping strong encryption out of the reach of United States citizens and corporations. First, there is general uncertainty about what forms of cryptography will and will not be legal to produce in the future. Second, export controls make it economically impossible for US manufacturers that build products for the global marketplace to incorporate strong encryption for either the domestic or foreign markets. Despite this negative impact on the US market, export controls are decreasingly successful at limiting the foreign availability of strong encryption. A recent survey shows that of the more than 260 foreign encryption products now available globally, over 80 offer encryption which is stronger than what US companies are allowed to export. Export controls do constrain the US market, but the international market appears to be meeting its security needs without help from US industry. The introduction of Clipper fails to address the general uncertainty in the cryptography market. Announcement of a key escrow policy alone is not sufficient to get the stalled US cryptography market back on track.
B. The secrecy of the Clipper/Skipjack algorithm reduces public trust and casts doubt on the voluntariness of the whole system

Many parties have already questioned the need for a secret algorithm, especially given the existence of robust, public-domain encryption techniques. The most common explanation given for use of a secret algorithm is the need to prevent users from bypassing the key escrow system proposed along with the Clipper Chip. Clipper has always been presented by the Administration as a voluntary option. But if the system is truly voluntary, why go to such lengths to ensure compliance with the escrow procedure?
C. Current plans for escrow system offer inadequate technical security and insufficient legal protections for users

The implementation of a nationwide key escrow system is clearly a complex task. But preliminary plans available already indicate several areas of serious concern:
1. No legal rights for escrow users: As currently written, the escrow procedures insulate the government escrow agents from any legal liability for unauthorized or negligent release of an individual's key. This is contrary to the very notion of an escrow system, which ordinarily would provide a legal remedy for the depositor whose deposit is released without authorization. If anything, escrow agents should be subject to strict liability for unauthorized disclosure of keys.
2. No stability in escrow rules: The Administration has specifically declared that it will not seek to have the escrow procedures incorporated into legislation or official regulations. Without formalization of rules, users have no guaranty that subsequent administrations will follow the same rules or offer the users the same degree of protection. This will greatly reduce the trust in the system.
3. Fixed Key: A cardinal rule of computer security is that encryption keys must be changed often. Since the Clipper keys are locked permanently into the chips, the keys can never be changed. This is a major technical weakness of the current proposal.
4. Less intrusive, more secure escrow alternatives are available: The Clipper proposal represents only one of many possible kinds of key escrow systems. More security could be provided by having more than two escrow agents. And, in order to increase public trust, some or all of these agents could be non-governmental agencies, with the traditional fiduciary duties of an escrow agent.
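As an added illustration of item 4 above (this is example code written for this page, not part of the testimony and not the Clipper design itself), the following Python shows one way a key can be escrowed with more than two agents: the key is split with Shamir secret sharing so that any k of n agents together can recover it, any k-1 agents learn nothing that pins it down, and the loss of up to n-k agents does not lose the key. The prime field, the sample key, and the k-of-5 agent arrangement are assumptions chosen for the example.

```python
"""Toy k-of-n key escrow with Shamir secret sharing (added example).

Assumptions, none of which come from the testimony: arithmetic is done in
the prime field GF(2**61 - 1), the key is a field element (e.g. a 56-bit
session key), and each escrow agent holds one (x, share) pair.
"""
import secrets
from itertools import combinations

PRIME = 2**61 - 1  # Mersenne prime; large enough for a short demo key


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x via Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key, k, n):
    """Split `key` into n shares such that any k of them reconstruct it.

    The key is the constant term of a random degree-(k-1) polynomial;
    agent i receives the point (i, f(i)).
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= key < PRIME:
        raise ValueError("key must be a field element")
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares):
    """Lagrange-interpolate the shares' polynomial at x = 0.

    With k or more genuine shares this returns the key; with fewer it
    returns some other field element (every candidate key is equally
    consistent with k-1 shares).
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den != 0 because share x-coordinates are distinct
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def escrow_report(key, k, n):
    """Check, for a fresh split, which groups of agents can recover `key`."""
    shares = split_key(key, k, n)
    return {
        "every_k_subset_recovers": all(
            recover_key(list(c)) == key for c in combinations(shares, k)
        ),
        "some_k_minus_1_subset_recovers": any(
            recover_key(list(c)) == key for c in combinations(shares, k - 1)
        ),
        # the first n-k agents are assumed lost; the remaining k suffice
        "survives_loss_of_n_minus_k_agents": recover_key(shares[n - k:]) == key,
    }


if __name__ == "__main__":
    demo_key = 0x0123456789AB  # constructed sample key, not a real one
    for field, value in escrow_report(demo_key, k=3, n=5).items():
        print(f"{field}: {value}")
```

Run as a script, the report shows that three of five agents always recover the key, two never do (except by a chance of one in the field size), and two agents can be lost without losing the key. Raising k raises the number of agents who must collude or be compelled before a key is released; raising n above k keeps the key available when an agent is unavailable.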
D. Escrow Systems Threaten Fundamental Constitutional Values

The Administration, Congress, and the public ought to have the opportunity to consider the implications of limitations on cryptography from a constitutional perspective. A delicate balance between constitutional privacy rights and the needs of law enforcement has been crafted over the history of this country. We must act carefully as we face the constitutional challenges posed by new communication technologies. Unraveling the current encryption policy tangle must begin with one threshold question: will there come a day when the federal government controls the domestic use of encryption through mandated key escrow schemes or outright prohibitions against the use of particular encryption technologies? Is Clipper the first step in this direction?

A mandatory encryption regime raises profound constitutional questions. In the era where people work for "virtual corporations" and conduct personal and political lives in "cyberspace," the distinction between communication of information and storage of information is increasingly vague. The organization in which one works may constitute a single virtual space, but be physically dispersed. So, the papers and files of the organization or individual may be moved within the organization by means of telecommunications technology. Instantaneous access to encryption keys, without prior notice to the communicating parties, may well constitute a secret search, if the target is a virtual corporation or an individual whose "papers" are physically dispersed. Wiretapping and other electronic surveillance have always been recognized as an exception to the fundamental Fourth Amendment prohibition against secret searches. Even with a valid search warrant, law enforcement agents must "knock and announce" their intent to search a premises before proceeding. Failure to do so violates the Fourth Amendment.
Until now, the law of search and seizure has made a sharp distinction between, on the one hand, seizures of papers and other items in a person's physical possession, and on the other hand, wiretapping of communications. Seizure of papers or personal effects must be conducted with the owner's knowledge, upon presentation of a search warrant. Only in the exceptional case of wiretapping, may a person's privacy be invaded by law enforcement without simultaneously informing that person. Proposals to regulate the use of cryptography for the sake of law enforcement efficiency should be viewed carefully in the centuries old tradition of privacy protection.
E. Voluntary escrow system will not meet law enforcement needs

Finally, despite all of the troubling aspects of the Clipper proposal, it is by no means clear that it will even solve the problems that law enforcement has identified. The major stated rationale for government intervention in the domestic encryption arena is to ensure that law enforcement has access to criminal communications, even if they are encrypted. Yet, a voluntary scheme seems inadequate to meet this goal. Criminals who seek to avoid interception and decryption of their communications would simply use another system, free from escrow provisions. Unless a government-proposed encryption scheme is mandatory, it would fail to achieve its primary law enforcement purpose. In a voluntary regime, only the law-abiding would use the escrow system.
* Delayed Cryptography Policy Report

The policy analysis called for along with the April 16, 1993 Presidential Decision Directive has not been released, though it was promised to have been completed by early fall of 1993. We had hoped that this report would be the basis for public dialogue on the important privacy, competitiveness, and law enforcement issues raised by cryptography policy. To date, none of the Administration's policy rationale has been revealed to the public, despite the fact that agencies in the Executive Branch are proceeding with their own plan.
* Escrowed Encryption Federal Information Processing Standard (FIPS) approved against overwhelming weight of public comments

The Presidential Decision Directive also called for consideration of a Federal Information Processing Standard (FIPS) for key-escrow encryption systems. This process was to have been one of several forums whereby those concerned about the proposed key-escrow system could voice opinions. EFF, as well as over 225 of our individual members, raised a number of serious concerns about the draft FIPS in September of 1993. EFF expressed its opposition to government implementation of key-escrow systems as proposed. We continue to oppose the deployment of Skipjack family escrow encryption systems both because they violate fundamental First, Fourth, and Fifth amendment principles, and because they fail to offer users adequate security and flexibility.

Despite overwhelming opposition from over 300 commenters, the Department of Commerce recently approved FIPS 185.
* Large-Scale Skipjack Deployment Announced

At the December 9, 1993 meeting of the Computer Systems Security and Privacy Advisory Board, an NSA official announced plans to deploy from 10,000 to 70,000 Skipjack devices in the Defense Messaging System in the near future. The exact size of the order was said to be dependent only on budget constraints. The Administration is on record in the national press promising that no large-scale Skipjack deployment would occur until a final report of the Administration Task Force was complete. Ten thousand units was set as the upper limit of initial deployment. Skipjack deployment at the level planned in the Defense Messaging System circumvents both the FIPS notice and comment process, which has been left in a state of limbo, as well as the Administration's promise of a comprehensive policy framework.

* New FBI Digital Telephony Legislation Proposed

The FBI recently proposed a new "Digital Telephony" bill. After initial analysis, we strongly oppose the bill, which would require all common carriers to construct their networks to deliver to law enforcement agencies, in real time, both the contents of all communications on their networks and the "signaling" or transactional information.
In short, the bill lays the groundwork for turning the National Information Infrastructure into a nation-wide surveillance system, to be used by law enforcement with few technical or legal safeguards. This image is not hyperbole, but a real assessment of the power of the technology and inadequacy of current legal and technical privacy protections for users of communications networks.
Although the FBI suggests that the bill is primarily designed to maintain status quo wiretap capability in the face of technological changes, in fact, it seeks vast new surveillance and monitoring tools.
Lengthy delays on the promised policy report, along with these unilateral steps toward Clipper/Skipjack deployment, lead us to believe that Administration policy is stalled by the Cold War-era national security concerns that have characterized cryptography policy for the last several decades. EFF believes that it would be a disastrous error to allow national information policy -- now a critical component of domestic policy -- to be dictated solely by backward-looking national-security priorities and unsubstantiated law-enforcement claims. The directions set by this Administration will have a major impact on privacy, information security, and the fundamental relationship between the government and individual autonomy. This is why the Administration must take action--and do so before the aforementioned agencies proceed further--to ensure that cryptography policy is restructured to serve the interests of privacy and security in the National Information Infrastructure. We still believe the Administration can play the leadership role it was meant to play in shaping this policy. If it does not, the potential of the NII, and of fundamental civil liberties in the information age, will be threatened.
All participants in this debate recognize that the need for privacy and security is real, and that new technologies pose real challenges for law enforcement and national security operations. However, the solutions now on the table cripple the NII, pose grave threats to privacy, and fail to even meet law enforcement objectives. In our judgment, the Administration has failed, thus far, to articulate a comprehensive set of policies which will advance the goals upon which we all agree. Congress must act now to ensure that cryptography policy is developed in the context of the broader goal of promoting the development of an advanced, interoperable, secure, information infrastructure. In order to meet the privacy and security needs of the growing infrastructure, Congress should seek a set of public policies which promote the widespread availability of cryptographic systems according to the following criteria:
* Use Voluntary Standards to Promote Innovation and Meet Diverse Needs: The National Information Infrastructure stretches to encompass devices as diverse as super computers, handheld personal digital assistants and other wireless communications devices, and plain old telephones. Communication will be carried over copper wires, fiber optic cables, and satellite links. The users of the infrastructure will range from elementary school children to federal agencies. Encryption standards must be allowed to develop flexibly to meet the wide-ranging needs of all components of the NII. In its IITF Report, the Administration finds that
standards also must be compatible with the large installed base of communications technologies, and flexible and adaptable enough to meet user needs at affordable costs. [AA, 9]

The diverse uses of the NII require that any standard which the government seeks to promote as a broadly deployed solution should be implementable in software as well as hardware and based on widely available algorithms.
* Develop Trusted Algorithms and End-to-End Security: Assuring current and future users of the NII that their communications are secure and their privacy is protected is a critical task. This means that the underlying algorithms adopted must have a high level of public trust and the overall systems put in place must be secure.
* Encourage National and International Interoperability: The promise of the NII is seamless national and international communications of all types. Any cryptographic standard offered for widespread use must allow US corporations and individuals to function as part of the global economy and global communications infrastructure.
* Seek Reasonable Cooperation with Law Enforcement and National Security Needs: New technologies pose new challenges to law enforcement and national security surveillance activities. American industry is committed to working with law enforcement to help meet its legitimate surveillance needs, but the development of the NII should not be stalled on this account.
* Promote Constitutional Rights of Privacy and Adhere to Traditional Fourth Amendment Search and Seizure Rules: New technology can either be a threat or an aid to protection of fundamental privacy rights. Government policy should promote technologies which enable individuals to protect their privacy and be sure that those technologies are governed by laws which respect the long history of constitutional search and seizure restraints.
* Maintain Civilian Control over Public Computer and Communications Security: In accordance with the Computer Security Act of 1987, development of security and privacy standards should be directed by the civilian
V. Conclusion

Among the most important roles that the federal government has in NII deployment are setting standards and guaranteeing privacy and security. Without adequate security and privacy, the NII will never realize its economic or social potential. Cryptography policy must, of course, take into account the needs of law enforcement and national security agencies, but cannot be driven by these concerns alone. The Working Group, along with other industry and public interest organizations, is committed to working with the Administration to solve the privacy and security questions raised by the growing NII. This must be done based on the principles of voluntary standards, promotion of innovation, concern for law enforcement needs, and protection of constitutional rights of privacy.

* * * * *