The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 60

Wednesday 1 July 1992

Contents

o Houston Chronicle Crypto Article
Joe Abernathy
o The NSA Papers
Joe Abernathy
o Info on RISKS (comp.risks)

Houston Chronicle Crypto Article

Joe Abernathy <Joe.Abernathy@houston.chron.com>
Wed, 24 Jun 92 18:02:18 CDT
This cryptography article appeared Sunday, June 21. It is being forwarded to
RISKS as a way of giving back something to the many thoughtful participants
here who helped give shape to the questions and the article.

In a companion submission [see RISKS-13.61], I include the scanned text of the
NSA's 13-page response to my interview request, which appears to be the most
substantial response they've provided to date. I would like to invite feedback
and discussion on the article and the NSA document.  Please send comments to
edtjda@chron.com

               Promising technology alarms government --
  Use of super-secret codes would block legal phone taps in FBI's crime work
          By JOE ABERNATHY, Copyright 1992, Houston Chronicle

   Government police and spy agencies are trying to thwart new technology that
allows conversations the feds can't tap.  A form of cryptography -- the science
of writing and deciphering codes -- this technology holds the promise of
guaranteeing true privacy for transactions and communications.  But an array
of Federal agencies is seeking to either outlaw or severely restrict its use,
pointing out the potency of truly secret communications as a criminal tool.

   ``Cryptography offers or appears to offer something that is unprecedented,''
said Whitfield Diffie, who with a Stanford University colleague devised ``public
key cryptography,'' an easily used cryptography that is at the center of the
fight.  ``It looks as though an individual might be able to protect information
in such a way that the concerted efforts of society are not going to be able to
get at it.  ``No safe you can procure has that property; the strongest safes
won't stand an hour against oxygen lances. But cryptography may be different. I
kind of understand why the police don't like it.''

   The National Security Agency, whose mission is to conduct espionage against
foreign governments and diplomats, sets policy for the government on matters
regarding cryptography.  But the FBI is taking the most visible role. It is
backing legislation that would address police fears by simply outlawing any use
of secure cryptography in electronic communications.  The ban would apply to
cellular phones, computer networks, and the newer standard telephone equipment
-- already in place in parts of Houston's phone system and expected to gain
wider use nationwide.

   ``Law enforcement needs to keep up with technology,'' said Steve Markardt, a
spokesman for the FBI in Washington.  ``Basically what we're trying to do is
just keep the status quo. We're not asking for anything more intrusive than we
already have.''  He said the FBI uses electronic eavesdropping only on complex
investigations involving counterterrorism, foreign intelligence, organized
crime, and drugs.  ``In many of those,'' he said, ``we would not be able to
succeed without the ability to lawfully intercept.''

   The State and Commerce departments are limiting cryptography's spread
through the use of export reviews, although many of these reviews actually are
conducted by the NSA. The National Institute of Standards and Technology,
meanwhile, is attempting to impose a government cryptographic standard that
critics charge is flawed, although the NSA defends the standard as adequate
for its intended, limited use.

   ``It's clear that the government is unilaterally trying to implement a
policy that it's developed,'' said Jim Bidzos, president of RSA Data Security,
which holds a key cryptography patent.  ``Whose policy is it, and whose
interest does it serve? Don't we have a right to know what policy they're
pursuing?''  Bidzos and a growing industry action group charge that the policy
is crippling American business at a critical moment.

   The White House, Commerce Department, and NIST refused to comment.

   The NSA, however, agreed to answer questions posed in writing by the Houston
Chronicle. Its purpose in granting the rare, if limited, access, a spokesman
said, was ``to give a true reflection'' of the policy being implemented by the
agency.  ``Our feeling is that cryptography is like nitroglycerin: Use it
sparingly then put it back under trusted care,'' the spokesman said.

   Companies ranging from telephone service providers to computer manufacturers
and bankers are poised to introduce new services and products including
cryptography.  Users of electronic mail and computer networks can expect to see
cryptography-based privacy enhancements later this year.

   The technology could allow electronic voting, electronic cash transactions,
and a range of geographically separated -- but secure -- business and social
interactions. Not since the days before the telephone could the individual
claim such a level of privacy.

   But law enforcement and intelligence interests fear a world in which it
would be impossible to execute a wiretap or conduct espionage.

   ``Secure cryptography widely available outside the United States clearly
has an impact on national security,'' said the NSA in its 13-page response to
the Chronicle.  ``Secure cryptography within the United States may impact law
enforcement interests.''

   Although Congress is now evaluating the dispute, a call by a congressional
advisory panel for an open public policy debate has not yet been heeded, or
even acknowledged, by the administration.

   The FBI nearly won the fight before anyone knew that war had been declared.
Its proposal to outlaw electronic cryptography was slipped into another bill as
an amendment and nearly became law by default last year before civil liberties
watchdogs exposed the move.

    ``It's kind of scary really, the FBI proposal being considered as an
amendment by just a few people in the Commerce Committee without really
understanding the basis for it,'' said a congressional source, who requested
anonymity.  ``For them, I'm sure it seemed innocuous, but what it represented
was a fairly profound public policy position giving the government rights to
basically spy on anybody and prevent people from stopping privacy
infringements.''

   This year, the FBI proposal is back in bolder, stand-alone legislation that
has created a battle line with law enforcement on one side and the technology
industry and privacy advocates on the other.  ``It says right on its face that
they want a remote government monitoring facility'' through which agents in
Virginia, for instance, could just flip a switch to tap a conversation in
Houston, said Dave Banisar of the Washington office of Computer Professionals
for Social Responsibility.

   Though the bill would not change existing legal restraints on phone-tapping,
it would significantly decrease the practical difficulty of tapping phones --
an ominous development to those who fear official assaults on personal and
corporate privacy.  And the proposed ban would defuse emerging technical
protection against those assaults.

   CPSR, the point group for many issues addressing the way computers affect
people's lives, is helping lend focus to a cryptographic counterinsurgency that
has slowly grown in recent months to include such heavyweights as AT&T, DEC,
GTE, IBM, Lotus, Microsoft, Southwestern Bell, and other computer and
communications companies.

   The proposed law would ban the use of secure cryptography on any message
handled by a computerized communications network.  It would further force
service providers to build access points into their equipment through which the
FBI -- and conceivably, any police officer at any level -- could eavesdrop on
any conversation without ever leaving the comfort of headquarters.

    ``It's an open-ended and very broad set of provisions that says the FBI can
demand that standards be set that industry has to follow to ensure that (the
FBI) gets access,'' said a congressional source.  ``Those are all code words
for if they can't break in, they're going to make (cryptography) illegal.
``This is one of the biggest domestic policy issues facing the country. If you
make the wrong decisions, it's going to have a profound effect on privacy and
security.''

   The matter is being considered by the House Judiciary Committee, chaired by
Rep. Jack Brooks, D-Texas, who is writing a revision to the Computer Security
Act of 1987, the government's first pass at secure computing.

   The recent hearings on the matter produced a notable irony, when FBI
Director William Sessions was forced to justify his stance against cryptography
after giving opening remarks in which he called for stepped-up action to combat
a rising tide of industrial espionage. Secure cryptography was designed to
address such concerns.

   The emergence of the international marketplace is shaping much of the debate
on cryptography. American firms say they can't compete under current policy,
and that in fact, overseas firms are allowed to sell technology in America that
American firms cannot export.

    ``We have decided to do all further cryptographic development overseas,''
said Fred B. Cohen, a noted computer scientist.  ``This is because if we do it
here, it's against the law to export it, but if we do it there, we can still
import it and sell it here. What this seems to say is that they can have it,
but I can't sell it to them -- or in other words -- they get the money from our
research.''

   A spokeswoman for the Software Publishers Association said that such
export controls will cost $3-$5 billion in direct revenue if left in place over
the next five years. She noted the Commerce Department estimate that each $1
billion in direct revenue supports 20,000 jobs.

   The NSA denied any role in limiting the power of cryptographic schemes used
by the domestic public, and said it approves 90 percent of cryptographic
products referred to NSA by the Department of State for export licenses. The
Commerce Department conducts its own reviews.  But the agency conceded that its
export approval figures refer only to products that use cryptology to
authenticate a communication -- the electronic form of a signed business
document -- rather than to provide privacy.

   The NSA, a Defense Department agency created by order of President Harry
Truman to intercept and decode foreign communications, employs an army of
40,000 code-breakers.  All of its work is done in secret, and it seldom
responds to questions about its activities, so a large reserve of distrust
exists in the technology community.

   NSA funding is drawn from the so-called ``black budget,'' which the Defense
Budget Project, a watchdog group, estimates at $16.3 billion for 1993.

   While the agency has always focused primarily on foreign espionage, its
massive eavesdropping operation often pulls in innocent Americans, according to
James Bamford, author of _The Puzzle Palace_, a book focusing on the NSA's
activities. Significant invasions of privacy occurred in the 1960s and 1970s,
Bamford said.

   Much more recently, several computer network managers have acknowledged
privately to the Chronicle that NSA has been given access to data transmitted
on their networks -- without the knowledge of network users who may view the
communications as private electronic mail.

   Electronic cryptology could block such interceptions of material circulating
on regional networks or on Internet -- the massive international computer link.

   While proponents of the new technology concede the need for effective law
enforcement, some question whether the espionage needs of the post-Cold War
world justify the government's push to limit these electronic safeguards on
privacy.

    ``The real challenge is to get the people who can show harm to our national
security by freeing up this technology to speak up and tell us what this harm
is,'' said John Gilmore, one of the founders of Sun Microsystems.  ``When the
privacy of millions of people who have cellular telephones, when the integrity
of our computer networks and our PCs against viruses are up for grabs here, I
think the battleground is going to be counting up the harm and in the public
policy debate trying to strike a balance.''

   But Vinton Cerf, one of the leading figures of the Internet community, urged
that those criticizing national policy maintain perspective.  ``I want to ask
you all to think a little bit before you totally damn parts of the United
States government,'' he said.  ``Before you decide that some of the policies
that in fact go against our grain and our natural desire for openness, before
you decide those are completely wrong and unacceptable, I hope you'll give a
little thought to the people who go out there and defend us in secret and do so
at great risk.''
