EFFector Online Volume 6 No. 1


September 17 1993
A Publication of the Electronic Frontier Foundation
editors@eff.org
ISSN 1062-9424






Subject: Clipper Escrow Agents Chosen

In the next several days, the Administration will announce it has chosen at least one escrow agency and has developed procedures for accessing escrow keys pursuant to warrant. Here is an account of an Administration hill staff briefing on September 16, 1993, and the draft procedures for law enforcement, foreign intelligence, and state and local law enforcement wiretapping. We are looking for comments and analysis. Please circulate widely.

Jerry Berman, EFF.

RE: Clipper Escrow Agent Briefing for Congressional Staff

Yesterday, September 15, 1993, a briefing was held for congressional staff regarding the status of the Clipper project. The lead briefers for the Administration were Mark Richard, Deputy Assistant Attorney General, Criminal Division, DOJ; Jim Kallstrom, FBI; Geoff Greiveldinger, Special Counsel, Narcotic and Dangerous Drug Section, DOJ; and John Podesta. Also present were Mary Lawton, Counsel for Intelligence Policy and Review, DOJ; Mike Waguespack, NSC; and Dwight Price, National District Attorneys Association.

The Administration has tentatively settled on NIST and a yet to be determined non-law enforcement component of the Department of the Treasury as the "escrow agents." The Administration will finalize the choices in the next few days, according to John Podesta. The Attorney General will make an announcement, in what form has not been determined, but it will probably not be a Federal Register notice. The Attorney General will announce that she has adopted, and the escrows have agreed to follow, the attached procedures.

The system will work as follows:

(1) A black box (actually a PC) in the possession of a law enforcement agency will be able to read the Law Enforcement Access Field in a Clipper encrypted data stream and extract the identification number specific to the Clipper chip being used by the intercept target. Cost of the black box yet undetermined. How many will be purchased by law enforcement yet undetermined, although if use of Clipper becomes common, the black boxes will be in great demand, by federal as well as state and local agencies. They will be available only to law enforcement, with yet to be specified controls on their sale. Each black box will have a unique identifier.

(2) The law enforcement agency will fax the device ID number to each of the escrow agents, along with a certification that the agency has authority to conduct the intercept, the ID number of the intercepting agency's black box, and the time period for which the intercept is authorized (in the case of Title III's, up to thirty days, with extensions).

(3) The escrow agents will transmit the key components by encrypted link directly into the black box of the requesting law enforcement agency. The key components will only work with that particular black box, and will only work for the stated duration of the intercept. If the intercept is extended, the law enforcement agency will have to send a new request to the escrow agents to extend the life of the key components. The escrow agents will maintain logs of the requests. Greiveldinger stressed that the system is "replete with recordation of the transactions that will occur." The escrow agents also have a responsibility for maintaining the integrity of the chip manufacturing process.
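The three-step release flow above, modeled as an added example that is not part of the original briefing account or of any real Clipper implementation. Assumptions not stated on the page: the unit key is 80 bits and is split as K = K1 XOR K2, each agent shares a per-device link key with each black box, HMAC-SHA256 stands in for the encrypted link, and all names and IDs are hypothetical; time is counted in days.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

KEY_LEN = 10  # assumption: 80-bit unit key, split as K = K1 XOR K2

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def ctx(chip_id, box_id, expires):
    # Everything a release is bound to: chip, decrypt device, end of intercept.
    return f"{chip_id}|{box_id}|{expires}".encode()

@dataclass
class Grant:
    chip_id: str
    box_id: str
    expires: int
    blob: bytes   # key component, masked for one black box
    tag: bytes    # integrity tag over the binding and the blob

@dataclass
class EscrowAgent:
    components: dict                     # chip_id -> this agent's key component
    box_keys: dict                       # box_id -> link key shared with that box
    log: list = field(default_factory=list)

    def release(self, chip_id, box_id, expires, certified, now):
        ok = (certified and chip_id in self.components
              and box_id in self.box_keys and expires > now)
        # Every request is logged, whether it is granted or refused.
        self.log.append((now, chip_id, box_id, expires, "released" if ok else "refused"))
        if not ok:
            return None
        c, key = ctx(chip_id, box_id, expires), self.box_keys[box_id]
        blob = xor(self.components[chip_id], mac(key, b"pad|", c)[:KEY_LEN])
        return Grant(chip_id, box_id, expires, blob, mac(key, b"tag|", c + blob))

@dataclass
class BlackBox:
    box_id: str
    link_keys: list                      # one link key per escrow agent, in order

    def unit_key(self, grants, now):
        if (len(grants) != len(self.link_keys) or None in grants
                or len({g.chip_id for g in grants}) != 1):
            return None                  # one agent's component alone is useless
        unit = bytes(KEY_LEN)
        for g, key in zip(grants, self.link_keys):
            c = ctx(g.chip_id, g.box_id, g.expires)
            if g.box_id != self.box_id or now >= g.expires:
                return None              # wrong device, or intercept period over
            if not hmac.compare_digest(g.tag, mac(key, b"tag|", c + g.blob)):
                return None              # altered binding or wrong link key
            unit = xor(unit, xor(g.blob, mac(key, b"pad|", c)[:KEY_LEN]))
        return unit

def demo():
    # Constructed sample data: one chip, two escrow agents, two black boxes.
    unit, k1 = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    k2 = xor(unit, k1)
    links = {b: [secrets.token_bytes(32), secrets.token_bytes(32)] for b in ("BOX-A", "BOX-B")}
    agents = [EscrowAgent({"CHIP-1": k}, {b: links[b][i] for b in links})
              for i, k in enumerate((k1, k2))]
    box_a, box_b = BlackBox("BOX-A", links["BOX-A"]), BlackBox("BOX-B", links["BOX-B"])
    grants = [a.release("CHIP-1", "BOX-A", expires=30, certified=True, now=0) for a in agents]
    refused = agents[0].release("CHIP-1", "BOX-A", expires=30, certified=False, now=1)
    return {
        "in_period": box_a.unit_key(grants, now=10) == unit,
        "after_expiry": box_a.unit_key(grants, now=30), "refused": refused,
        "other_box": box_b.unit_key(grants, now=10),
        "one_agent": box_a.unit_key([grants[0], None], now=10),
        "log_agent0": [entry[-1] for entry in agents[0].log],
    }
```

In this model the expiry is enforced only by the black box's own logic and clock, so the time limit is only as trustworthy as the device.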

In opening remarks describing the need for the Clipper escrow system, Kallstrom had stressed that the AT&T product posed a unique threat in terms of voice quality, affordability, portability and strength of the encryption. The Administration rejects the argument that voice encryption is readily available. The AT&T product, which isn't available yet, is unique, and competing products, the Administration argues, are yet further in the future.

The next voice encryption product in the pipeline is Motorola's, and Motorola has expressed interest in using Clipper in its product. The Administration argued that the need for compatibility would drive a significant share of the market to Clipper or Capstone-based products. Escrow coverage will not be complete, but the bad guys are careless and are expected to use Clipper products.

The key criterion used in selecting the escrow agents was whether the agency had experience in and an infrastructure for handling sensitive information. The Administration did not want to use a law enforcement or national security component, for credibility reasons. It did not want to use private entities based on concerns about longevity and not wanting security to be governed by the need to make a profit. The briefers admitted that the proposed system is not really an escrow. The agencies holding the key components will not have any duties or responsibilities to the Clipper users. The escrows' obligation will be to the government, and they will be liable to Clipper users only under the Bivens doctrine, where any failure must be shown to be wilful.

Both John Podesta and Mark Richard stated that there is no plan on or over the horizon to outlaw non-escrowed encryption.

John and Mark said that the international aspects of the escrow/encryption issue are the thorniest to deal with, and there are no answers yet. Clipper products would be exportable with a license, although other countries may try to keep them out. (Nobody asked questions about changes in the rules governing export of non-Clipper encryption.) Other nations would not participate in the escrow system, nor, presumably, would they be allowed to buy the black boxes. E.G., if the British intercepted an IRA communication that appeared to be encrypted with Clipper, and came to the FBI for help, the anticipated escrow system would not allow the FBI to get the key from the escrow agents.

PROPOSED PROCEDURES

AUTHORIZATION PROCEDURES FOR RELEASE OF ENCRYPTION KEY COMPONENTS IN CONJUNCTION WITH INTERCEPTS PURSUANT TO TITLE III

The following are the procedures for the release of escrowed key components in conjunction with lawfully authorized interception of communications encrypted with a key-escrow encryption method. These procedures cover all electronic surveillance conducted pursuant to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended (Title III), Title 18, United States Code, Section 2510 et seq.

  • 1) In each case there shall be a legal authorization for the interception of wire and/or electronic communications.

  • 2) All electronic surveillance court orders under Title III shall contain provisions authorizing after-the-fact minimization, pursuant to 18 U.S.C. 2518(5), permitting the interception and retention of coded communications, including encrypted communications.

  • 3) In the event that federal law enforcement agents discover during the course of any lawfully authorized interception that communications encrypted with a key escrow encryption method are being utilized, they may obtain a certification from the investigative agency conducting the investigation, or the Attorney General of the United States or designee thereof. Such certification shall

    (a) identify the law enforcement agency or other authority conducting the interception and the person providing the certification;
    (b) certify that necessary legal authorization has been obtained to conduct electronic surveillance regarding these communications;
    (c) specify the termination date of the period for which interception has been authorized;
    (d) identify by docket number or other suitable method of specification the source of the authorization;
    (e) certify that communications covered by that authorization are being encrypted with a key-escrow encryption method;
    (f) specify the identifier (ID) number of the key escrow encryption chip providing such encryption; and
    (g) specify the serial (ID) number of the key-escrow decryption device that will be used by the law enforcement agency or other authority for decryption of the intercepted communications.

  • 4) The agency conducting the interception shall submit this certification to each of the designated key component escrow agents. If the certification has been provided by an investigative agency, as soon thereafter as practicable, an attorney associated with the United States Attorney's Office supervising the investigation shall provide each of the key component escrow agents with written confirmation of the certification.

  • 5) Upon receiving the certification from the requesting investigative agency, each key component escrow agent shall release the necessary key component to the requesting agency. The key components shall be provided in a manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance for which they were requested.

  • 6) Each of the key component escrow agents shall retain a copy of the certification of the requesting agency, as well as the subsequent confirmation of the United States Attorney's office. In addition, the requesting agency shall retain a copy of the certification and provide copies to the following:

    (a) the United States Attorney's office supervising the investigation, and
    (b) the Department of Justice, Office of Enforcement Operations.

  • 7) Upon, or prior to, completion of the electronic surveillance phase of the investigation, the ability of the requesting agency to decrypt intercepted communications shall terminate, and the requesting agency may not retain the key components.

    These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired.

    AUTHORIZATION PROCEDURES FOR RELEASE OF ENCRYPTION KEY COMPONENTS IN CONJUNCTION WITH INTERCEPTS PURSUANT TO FISA

    The following are the procedures for the release of escrowed key components in conjunction with lawfully authorized interception of communications encrypted with a key-escrow encryption method. These procedures cover all electronic surveillance conducted pursuant to the Foreign Intelligence Surveillance Act (FISA), Pub. L. 95-511, which appears at Title 50, U.S. Code, Section 1801 et seq.

  • 1) In each case there shall be a legal authorization for the interception of wire and/or electronic communications.

  • 2) In the event that federal authorities discover during the course of any lawfully authorized interception that communications encrypted with a key-escrow encryption method are being utilized, they may obtain a certification from an agency authorized to participate in the conduct of the interception, or from the Attorney General of the United States or designee thereof. Such certification shall

    (a) identify the agency participating in the conduct of the interception and the person providing the certification;
    (b) certify that necessary legal authorization has been obtained to conduct electronic surveillance regarding these communications;
    (c) specify the termination date of the period for which interception has been authorized;
    (d) identify by docket number or other suitable method of specification the source of the authorization;
    (e) certify that communications covered by that authorization are being encrypted with a key-escrow encryption method;
    (f) specify the identifier (ID) number of the key escrow encryption chip providing such encryption; and
    (g) specify the serial (ID) number of the key-escrow decryption device that will be used by the agency participating in the conduct of the interception for decryption of the intercepted communications.

  • 4) This certification shall be submitted to each of the designated key component escrow agents. If the certification has been provided by an agency authorized to participate in the conduct of the interception, as soon thereafter as practicable, an attorney associated with the Department of Justice, Office of Intelligence Policy and Review, shall provide each of the key component escrow agents with written confirmation of the certification.

  • 5) Upon receiving the certification, each key component escrow agent shall release the necessary key component to the agency participating in the conduct of the interception. The key components shall be provided in a manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance for which they were requested.

  • 6) Each of the key component escrow agents shall retain a copy of the certification, as well as the subsequent written confirmation of the Department of Justice, Office of Intelligence Policy and Review.

  • 7) Upon, or prior to, completion of the electronic surveillance phase of the investigation, the ability of the agency participating in the conduct of the interception to decrypt intercepted communications shall terminate, and such agency may not retain the key components.

    These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired.

    AUTHORIZATION PROCEDURES FOR RELEASE OF ENCRYPTION KEY COMPONENTS IN CONJUNCTION WITH INTERCEPTS PURSUANT TO STATE STATUTES

    Key component escrow agents may only release escrowed key components to law enforcement or prosecutorial authorities for use in conjunction with lawfully authorized interception of communications encrypted with a key escrow encryption method. These procedures apply to the release of key components to State and local law enforcement or prosecutorial authorities for use in conjunction with interceptions conducted pursuant to relevant State statutes authorizing electronic surveillance, and Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended, Title 18, United States Code, Section 2510 et seq.

  • 1) The State or local law enforcement or prosecutorial authority must be conducting an interception of wire and/or electronic communications pursuant to lawful authorization.

  • 2) Requests for release of escrowed key components must be submitted to the key component escrow agents by the principal prosecuting attorney of the State, or of a political subdivision thereof, responsible for the lawfully authorized electronic surveillance.

  • 3) The principal prosecuting attorney of such State or political subdivision of such State shall submit with the request for escrowed key components a certification that shall

    (a) identify the law enforcement agency or other authority conducting the interception and the prosecuting attorney responsible therefor;
    (b) certify that necessary legal authorization for interception has been obtained to conduct electronic surveillance regarding these communications;
    (c) specify the termination date of the period for which interception has been authorized;
    (d) identify by docket number or other suitable method of specification the source of the authorization;
    (e) certify that communications covered by that authorization are being encrypted with a key-escrow encryption method;
    (f) specify the identifier (ID) number of the key escrow chip providing such encryption; and
    (g) specify the serial (ID) number of the key-escrow decryption device that will be used by the law enforcement agency or other authority for decryption of the intercepted communications.

  • 4) Such certification must be submitted by the principal prosecuting attorney of that State or political subdivision to each of the designated key component escrow agents.

  • 5) Upon receiving the certification from the principal prosecuting attorney of the State or political subdivision, each key component escrow agent shall release the necessary key component to the intercepting State or local law enforcement agency or other authority. The key components shall be provided in a manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance for which they were requested.

  • 6) Each of the key component escrow agents shall retain a copy of the certification of the principal prosecuting attorney of the State or political subdivision. In addition, such prosecuting attorney shall provide a copy of the certification to the Department of Justice.

  • 7) The U.S. Department of Justice may, to assure conformance with these procedures, make inquiry of the certifying prosecuting attorney regarding, inter alia, the genuineness of the certification and confirmation of the existence of lawful authorization to conduct the relevant electronic surveillance. The inquiry of the U.S. Department of Justice will not involve intrusion into matters that must, under relevant statute, be kept from public disclosure.

  • 8) Upon, or prior to, completion of the electronic surveillance phase of the investigation, the ability of the intercepting law enforcement agency or other authority to decrypt intercepted communications shall terminate, and the intercepting law enforcement agency or other authority may not retain the key components.

    These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired.




    Subject: Crypto Conference in Austin

    EFF / EFF-Austin Cryptography Conference
    September 22, 1993 - Ramada Inn North, Austin
    9220 N. IH-35 at Rundberg

    Introductory Remarks: 1 to 1:30 p.m.
    Steve Jackson - Welcome.
    Bruce Sterling - Keynote Address.

    Panel #1: 1:45 to 3:00. POLICY.
    Mitch Kapor
    Jerry Berman
    Dave Farber

    Panel #2: 3:15 to 4:30. LAW ENFORCEMENT.
    Esther Dyson
    Mike Godwin
    FBI Representative (invited but not confirmed)
    (Possibly others tba)

    Panel #3: 4:45 to 6:00. CYPHERPUNKS.
    John Perry Barlow
    Eric Hughes
    John Gilmore
    (Possibly others tba)

    Dinner Break: 6 to 8 p.m. Everyone is on their own. The hotel restaurant will offer a buffet, or you can order from the menu, or there is other good dining nearby.

    Reception: 8-10 p.m. - cash bar, everyone is invited.




    Subject: Virginians Against Censorship

    P.O. BOX 64608 - VIRGINIA BEACH, VA 23467 (804) 499-3303

    In a revolution as significant as that of the printing press, computers are changing the way we communicate and store knowledge. Gutenberg's invention led to our Constitutional protection of Freedom of the Press. Will this protection be extended to speech in the form of electrons?

    In order to give citizens an opportunity to examine the issues, Virginians Against Censorship will hold a free informational program, The First Amendment in Cyberspace, on Thursday, September 30, 1993, at 7:00pm in meeting room B of the Virginia Beach Central Library, 4100 Virginia Beach Blvd.

    Everyone is invited to hear Shari Steele, Director of Legal Services for the Electronic Frontier Foundation describe threats to civil liberties in cyberspace: seizure of a publishing company's computers because an employee was suspected of hacking; seizure and erasure of email messages from and to people who were suspected of nothing at all; arrest and trial of a teenage electronic magazine publisher because information in an article had originally been hacked; refusal of the government to permit development of encryption software that would allow individual citizens to protect their privacy. Law enforcement excesses don't mean there's no need for law on the electronic frontier, but that law must be created and monitored by informed citizens.

    To register for this program, call 804/431-3071 between 9:00am and 5:00pm.

    For more information, call Carolyn Caywood at 804/460-7518, or email a request to ccaywood@wyvern.wyvern.com




    Administrivia

    -------- 8< ------- cut here ------- 8< --------

    ================================================

    MEMBERSHIP IN THE ELECTRONIC FRONTIER FOUNDATION

    ================================================

    Print out and mail to:
    Membership Coordinator
    Electronic Frontier Foundation
    1001 G Street, NW, Suite 950 East, Washington, DC 20001

    I wish to become a member of the Electronic Frontier Foundation. I enclose:
    $__________ Regular membership -- $40
    $__________ Student membership -- $20

    Special Contribution

    I wish to make an additional tax-deductible donation in the amount of $__________ to further support the activities of EFF and to broaden participation in the organization.

    PAYMENT METHOD:

    ___ Enclosed is a check payable to the Electronic Frontier Foundation.

    ___ Please charge my:
    ___ MasterCard ___ Visa ___ American Express

    Card Number: ___________________________________________

    Expiration Date: _________________________________________

    Signature: ______________________________________________

    NOTE: We do not recommend sending credit card information via the Internet!

    YOUR CONTACT INFORMATION:

    Name: _________________________________________________

    Organization: ____________________________________________

    Address: ________________________________________________

    ___________________________________________________

    Phone: (____) _______________ FAX: (____) _______________ (optional)

    E-mail address: __________________________________________

    PREFERRED CONTACT

    ___ Electronic: Please contact me via the Internet address listed above.
    I would like to receive the following at that address:

    ___ EFFector Online - EFF's biweekly electronic newsletter (back issues available from ftp.eff.org/pub/EFF/Newsletters/EFFector).

    ___ Online Bulletins - bulletins on key developments affecting online communications.

    NOTE: Traffic may be high. You may wish to browse these publications in the Usenet newsgroup comp.org.eff.news (also available in FidoNet, as EFF-NEWS).

    ___ Paper: Please contact me through the U.S. Mail at the street address listed above.

    PRIVACY POLICY

    EFF occasionally shares our mailing list with other organizations promoting similar goals. However, we respect an individual's right to privacy and will not distribute your name without explicit permission.

    ___ I grant permission for the EFF to distribute my name and contact information to organizations sharing similar goals.

    This form came from EFFector Online (please leave this line on the form!)

    -------- 8< ------- cut here ------- 8< --------

    EFFector Online is published by:


    The Electronic Frontier Foundation
    1667 K St. NW, Suite 801
    Washington DC 20006-1605 USA
    +1 202 861 7700 (voice)
    +1 202 861 1258 (fax)
    +1 202 861 1223 (BBS - 16.8k ZyXEL)
    +1 202 861 1224 (BBS - 14.4k V.32bis)
    Membership & donations: membership@eff.org
    Legal services: ssteele@eff.org
    Hardcopy publications: pubs@eff.org
    General EFF, legal, policy or online resources queries: ask@eff.org


    Editor: Stanton McCandlish, Online Services Mgr./Activist/Archivist (mech@eff.org)
    This newsletter printed on 100% recycled electrons.

    Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the views of EFF. To reproduce signed articles individually, please contact the authors for their express permission. Press releases and EFF announcements may be reproduced individually at will.

    To subscribe to EFFector via email, send message body of "subscribe effector-online" (without the "quotes") to listserv@eff.org, which will add you to a subscription list for EFFector.

    Back issues are available at:


    ftp.eff.org,/pub/EFF/Newsletters/EFFector/
    gopher.eff.org,1/EFF/Newsletters/EFFector/
    http://www.eff.org/pub/EFF/Newsletters/EFFector/
    To get the latest issue, send any message to effector-reflector@eff.org (or er@eff.org), and it will be mailed to you automagically. You can also get the file "current" from the EFFector directory at the above sites at any time for a copy of the current issue.

    HTML editions available at:


    http://www.eff.org/pub/EFF/Newsletters/EFFector/HTML/ at EFFweb.

  • Effector Online HTML work by EFF Volunteer Steve Gilmore
