interesting-people message



Subject: FYI: _Guardian_ Clipper article


Date: Fri, 25 Mar 94 23:35:19 GMT
From: Mike Holderness <mikeh@gn.apc.org>




_Guardian_ Clipper piece


This piece on the Clipper controversy appeared in the London, UK
_Guardian_ on 3 March 1994. My apologies for the delay in circulating
this to all of you who helped with advice and comments or expressed
an interest; and to a couple people whose attributions got cut for space.


Some Netizens may find the piece a bit wishy-washy. Better that than
the _Independent_'s coverage, which was full of unsubstantiated claims --
if they _know_ the NSA has a back-door, I wish they'd publish
the evidence...


I _know_ the description of the technology ended up inexact. Anyone
who can give an exact description in fewer words gets a bottle of
champagne next time you're in London...




BEGIN ARTICLE


If you re-distribute this, please do so in its entirety and un-cut.
Contact me to discuss terms before you publish it on paper: I have
a freelance living to earn and a landlord to feed.


mikeh@gn.apc.org
London, UK

---


HED: Are these men a threat to freedom?
PIC: (4-column): Gore & Clinton


YOUR COMPANY is, at last, connected to the Internet. You can swap memos
with branch offices around the world within minutes. But you naturally
don't want your competitors, or their governments, siphoning the details
of your bid for that dam contract in the Philippines out of the net.
What do you do?


 On the other hand, when you receive an electronic message announcing a
call for tenders, how do you know it's genuine? You've heard that it's
possible to fake electronic mail, and you're worried about all the
possibilities for creative industrial espionage which this opens up.


 Then again, you might be a Cabinet minister, setting up a meeting with
your boyfriend on the mobile phone. Wouldn't it be good to know that
no-one could tap the message?


 The answer to all these problems lies in encryption technology. The
solution the US government proposed earlier this month, however, has
generated a furious row in the "on-line community" about the government
interfering in citizens' right to communicate in private. The disturbing
implications for people outside the US have gone largely unremarked.


 Computer programs that can do practically unbreakable encryption are
available to the public in the US and elsewhere. One, named PGP for
Pretty Good Privacy, is increasingly being used to authenticate
electronic messages (Computer Guardian, Nov ?? 1993). It can encrypt the
whole message, or send the main text "in clear", followed by an
encrypted block containing a mathematical "fingerprint" of the message
and the sender's name and address. The program can thus verify whether a
signature belongs to the purported sender and whether the message
arrives as it left.


 Encryption has long worried law-enforcement agencies. What if drug-dealers
and terrorists start using unbreakable encryption? The US government's
Key Escrow Encryption system -- commonly known by its working title,
Clipper -- is its answer.


 Clipper uses an encryption chip suitable for building into a mobile
phone or a modem. Its method of encryption, developed by the US National
Security Agency (NSA), depends on "keys". These are codes which are used
mathematically to mangle the text or speech. The receiver can only get
the original back out if they have the key and can use it to un-mangle
-- decrypt -- the message.


 PGP depends on a "public-key" system. Users sending signed messages
encrypt the signature with keys known only to them. They also issue
public keys. These are mathematically derived from the private key, and
allow anyone to verify the signature. If someone sends them a message
encrypted with their public key, only the private key will extract it.
By contrast, each Clipper chip will have an encryption key built in.
When the chip is manufactured, two parts of the key will be lodged with
two separate US government agencies. (In legal jargon, this is like
"holding the keys in escrow".) A secret "super-key" allows law
enforcement agencies to retrieve the serial number of the chip used on
the link they're tapping.


 Under US guidelines released on February 4, if a law enforcement agency
wants to eavesdrop on encrypted communications, it should send details
of a search warrant to the agencies holding the key components.


 This is a red rag to the inhabitants of Internet discussion forums,
"the world's largest functioning anarchy". There, discussions of the
right (under the First Amendment to the Constitution) to unrestricted
free speech can and do slip effortlessly into the belief that, as one
participant put it, "The People must be allowed to discuss anything,
including revolution."


 According to Brian Yoder, president of California company Networxx,
"The US Constitution doesn't grant the government the power to maintain
this kind of surveillance capability over the population. Period. The
assumption is that anything that enhances the ability of the police to
catch criminals is OK, but that is not what the Constitution says, and
that's not the kind of country I want to live in."


 Cryptology specialist Dr Dorothy Denning at Georgetown University in
Washington DC, who was part of a team reviewing the NSA's design
process, points out that Clipper "will not make it any easier to tap
phones, let alone computer networks. All it will do is make it
technically possible to decrypt communications that are encrypted with
the standard, assuming the communications are not super-encrypted with
something else. Law enforcers still need to get a court order."


 But who trusts the NSA? The Clipper design is secret. Many assume that
the Agency has built in a "trap-door" allowing it to break encryption
without the keys.


 No-one has proposed making non-Clipper encryption illegal, but the US
government clearly hopes to establish it as an industry standard. For
example, while it's usually illegal to export any form of encryption
technology from the US, it will be legal to export Clipper.


 Non-US companies using it to protect their communications will have to
live with the uneasy knowledge that the NSA could be listening in -- and
the NSA, like its UK sibling organisation GCHQ in Cheltenham, has a long
history of intercepting foreign commercial messages for the benefit of
home companies. (GCHQ declined to say whether it had been involved in
any discussions over Clipper.)


 The protests have started. A petition organised by Computer
Professionals for Social Responsibility against Clipper, and in favour
of a Bill to permit export of competing encryption systems, gathered
more than 20,000 electronic signatures in its first two weeks. Wired
magazine has proclaimed that "This is a pivotal moment in history",
accusing "the Clinton-Gore administration" of "attempting a stealth
strike on our rights". It has asked readers to sign the CPSR petition
against Clipper and to "call or write your Congressional
representatives and let them know how you feel".


 Encryption and authentication are important for much more than the
privacy of the frequently obscure or banal discussions on the Net.
Medical and financial records are now commonly held on computers, and a
growing proportion of business transactions take place on line.
Cyberspace is where your money is.


 For private communications, Emma Nicholson MP takes a relaxed view: "In
communicating, we should start from a belief that everyone listens to
everything. Gossip is what makes the world go round. I have very few
secrets. I would be deeply concerned if a device were marketed that
could stop interception -- I would support the FBI completely."


 Computer-law barrister Alistair Kelman, however, believes that any
attempt to enforce the Clipper chip as a worldwide standard would meet
stiff opposition. The European Commission could be expected to object
that it fell foul of Treaty of Rome provisions against misuse of a
dominant position. "If you want to have a world standard for encryption,
fine," Kelman said, but the EC could respond: "let's all get together
and settle on something that meets our requirements as well."


<ufpoints>


Wired articles on Clipper can be obtained via the Internet by putting
the following three lines into the body of an electronic mail message
addressed to infobot@wired.com:
   send clipper/privacy.meeks
   send clipper/privacy.barlow
   end




--ends--


