25 February 1998

Date: Wed, 25 Feb 1998 13:40:27 -0500
To: cypherpunks@cyberpass.net
From: Declan McCullagh <declan@well.com>
Subject: CWD--Shadow Cryptocrats

CyberWire Dispatch // Copyright (c) 1998 //

Jacking in from the "Recurring Nightmare" Port:

Shadow Cryptocrats
by Declan McCullagh
Special to CyberWire Dispatch

WASHINGTON, DC, 2/24/98 -- What happens when the irresistible force of
American business collides with the immovable object of the U.S. federal
government? (a) A committee is formed; (b) corporations find out they're
not so irresistible after all; (c) all of the above.

Answer: (c). A new presidential advisory panel met yesterday for the first
time to wrestle with Washington's most intractable problem: encryption. The
20-person Export Council Encryption Subcommittee represents banks and
credit card companies, technology firms, police associations, and nonprofit
groups. All members have received security clearances, and some future
meetings will be closed to the public.

This must seem like a recurring nightmare to privacy advocates, who
previously have mustered favorable reports on crypto-regulation. First,
back in 1994, USACM published a study called "Codes, Keys, and Conflicts."
Two years later, the National Research Council released the "CRISIS"
report, commissioned by Congress. Last year a phalanx of cryptographers
published their findings on "key recovery" encryption backdoors. Just about
everyone pointed out problems with the Clinton-Gore administration's
current restrictions on overseas shipments of crypto-not to mention the
FBI's itch to ban unapproved encryption software at home. So why do we need
yet another commission-especially one the government estimates will cost
taxpayers at least $35,000 a year?

One explanation seems obvious: government cryptocrats want the subcommittee
to justify existing restrictions on encryption.  That accounts for the
presence of the police in the group: the University of Texas' top cop, the
chief of the Michigan State Police, the president of the National Sheriffs'
Association. If you've been playing without a scorecard, remember the
Sheriffs' Association wants not just export controls, but domestic controls
too. Last September they urged a House committee to require crypto products
to permit "immediate access" to "the plaintext of communications or
electronic information encrypted by such product without the knowledge or
cooperation of the person using such product." (That particular committee
rejected the plan, but the full House has yet to vote.)

Some of the firms selected also endorse restrictions. Trusted Information
Systems recently circulated a policy paper calling for "sensible"
legislation to "make the export of 56-bit current interim DES controls
permanent and permit the export of stronger encryption when it is combined
with a key recovery system." (Which, coincidentally, TIS is happy to sell

A letter that Commerce Department undersecretary William Reinsch sent to
subcommittee members on February 13 and obtained by Dispatch says: "We look
to the experience and knowledge of the subcommittee members in helping us
develop ways to maintain efficient and effective export controls in an
ever-changing global marketplace."

"Maintain export controls?" Ouch. No wonder most of the businesses on the
subcommittee seemed a bit skittish during its kickoff meeting yesterday.
What were they getting themselves into? Some members told Dispatch
privately they'd consider resigning in protest if the group veered too far
in the wrong direction.

Much of the meeting was procedural. Boring stuff, like deciding how often
the subcommittee would meet. Setting up a mailing list for members.
Organizing a teleconference or two.

No Political Will

Maybe nobody wanted to seem antagonistic. Maybe nobody wanted to get kicked
off the subcommittee. Maybe the companies had visions of the Commerce folks
surreptitiously putting their export licenses on hold. Whatever the reason,
everyone danced a nimble flamenco around the real issue: current
restrictions on export of encryption products really fuck over businesses.
Not only does it cost a bundle to add key recovery features, but other
countries generally don't have such rules. The silence on this point was

The only time sparks flew was when Citibank wondered where the White House
stood. "Mandatory key escrow is not the administration's policy,"
Commerce's Reinsch harrumphed.  Stephen Katz, Citibank's chief information
security officer, responded by saying you can see the FBI's Louis Freeh
demanding just that from Congress when you "turn on C-SPAN." Reinsch shot
back: "You believe everything you see on television?"

Katz shut up. He shouldn't have. After all, FBI directors are rarely joking
when they demand legislation from Congress. Freeh spent much of last year
demanding a ban on programs like PGP.  He told Congress in September that
the Feds must "have an immediate lawful decryption of the communications in
transit or the stored data. That could be done in a mandatory manner. It
could be done in an involuntary manner. But the key is that we have the
ability." FBI Deputy Director Bob Bryant echoed him last month, and the
bureau has offered even more ominous warnings behind closed doors.

Soon the export subcommittee members will enjoy their very own clandestine
sessions. A "regulations and procedures" memo sent to members says that
"you will also receive a security briefing." It warns not to "reveal
classified information imparted to you... you should not make written notes
of classified discussions. You should report any attempt to obtain
classified information from you."

One bit of information the government didn't mind releasing in public came
from Bruce McConnell, a longtime cryptocrat from the Office of Management
and Budget. He explained to the subcommittee how federal agencies are
testing out "key recovery" and "key escrow" pilot projects. "We asked them
if you have business applications" and "would you like to participate?"
McConnell said.

One of the agencies that signed up was the Customs Service. It wants to
speed the processing of trucks driving across the border. "Once the truck
leaves Canada, the manifest is transmitted to Customs in encrypted form,"
McConnell said.  Other agencies dipping a toe in the key recovery waters
include the Patent and Trademark Office, the Social Security
Administration, and the Small Business Administration.

Now, keep in mind why the government needs to launch these so-called
pilots... Imagine, hypothetically, that the FBI wants Americans to buy,
say, pens that transmit everything written to the Feds. The FBI claims this
will reduce terrorism, and promises agents will follow lawful procedure
when they want to read what you're writing.

Problem is, nobody buys the pens. A nettled FBI resorts to coercing federal
agencies to purchase them. The government also requires that anyone
submitting forms to the government (and a lot of people are required to
submit forms to the government) write with 'em. The goal, then, is twofold:
to work the bugs out of the system, and to get people buying the "key
recovery pens"-whether anyone really wants to or not.

Add the Commerce Department, of all places, to the list of agencies that
really would rather not deal with key recovery.  (Yes, this is the same
agency that has been ramming it down the throats of software companies.)
Recently it found out firsthand the headaches involved in setting it up. In
an email message rich with irony, Bureau of Export Administration webmaster
Bill Sargent pleaded with the Net for help with key recovery:

"I am working on a project to provide for the internet submission of Export
License Applications for the Bureau of Export Administration here at the
Department of Commerce. I am trying to gather as much knowledge as possible
in the area of key recoverable encryption...  we want to make our system
easy and as transparent as possible for the user while also safeguarding
the business proprietary information being provided and making sure that we
meet the Administration's desire to have the encrypted information be key
recoverable by Federal law enforcement agencies."

I asked Sargent why he needed to use a complicated key recovery system when
he could just keep a copy of the Commerce Department's private key in a
safe instead. He replied, "The administration policy is that encryption
should be key recoverable. BXA is one of the administration's spokesmen in
that regard. Therefore we would be hard pressed to tell industry to 'Do as
we say not as we do!'"

Just so. Another person chatting with industry groups is John Podesta,
deputy chief of staff and former Clinton privacy and telecom aide. He took
time out from dealing with subpoenas from Ken Starr and dropped by the
subcommittee meeting yesterday. "We've been meeting over the last couple
months to reenergize our effort to have a real dialogue" with "all the
industry segments," Podesta said.

For their part, "industry segments" have been busily organizing the
Alliance for Computer Privacy, which they hope will muster enough support
on Capitol Hill to lift export controls. Next steps happen when Congress
revisits crypto. This could take place as soon as next month in the Senate.

Stay tuned. It's your lock, but the Feds have a jones for your key...

Declan McCullagh (declan@well.com) is the Washington correspondent for
TIME's The Netly News (http://netlynews.com/).  Read more of his reports on
encryption at (http://www.well.com/~declan/politech/)