(A Javascript-enabled browser is required to email me.)

Timothy C. May's comments on Grandson of Clipper

May 19, 1996

On 1996-05-18 at 4:09 pm, Will Rodger, Washington Bureau Chief of Inter@ctive Week, posted a note to the Cypherpunks mailing list pointing to an article he had just published, http://www.zdnet.com/intweek/daily/960518y.html. It describes a proposal the White House is preparing in response to Congressional calls to ease restrictions on the export of strong cryptography. The following is a note posted to Cypherpunks in response by Timothy C. May <tcmay@got.net>; it raises a number of questions about the reported key-encryption proposal. The note is copyright © 1996 by Timothy C. May and appears on the TBTF archive by permission. Some clarifications by Will Rodger, in > italics, were posted at 11:40 am on 1996-05-19.

Text in [square brackets] is mine. -- Keith Dawson

Date: Sat, 18 May 1996 23:03:31 -0700
To: rodger@interramp.com (Will Rodger), cypherpunks@toad.com
From: tcmay@got.net (Timothy C. May)
Subject: Re: Interactive Week exclusive - White House to launch "Clipper III"
Sender: owner-cypherpunks@toad.com

Many thanks to Will for passing this on the Cypherpunks list. Our
opposition to Clipper I and Clipper II was strong and, I expect, will
continue with CIII.

A question for Will Rodger: Is this "White Paper" ("The newest proposal is
contained in a 24-page White Paper, a draft of which hit Capitol Hill
earlier this week") related in any way to the one being prepared by Herb
Lin and a bunch of other folks? It was due out about this time, and the
topic seems similar.  A bunch of us gave input to Herb and his panel at the
CFP in '95...if this is the same White Paper, looks like we might just as
well have saved our breath.

  [A later poster clarified that the Herb Lin's report, being prepared under
   the auspices of the National Research Council for release 1996-05-30, is

I read the stuff at the URL,
  [ see <http://www.zdnet.com/
and at first blush it looks to say nothing
about _domestic_ (within the U.S. and Canada) encryption. I'll be anxious
to see what the White Paper says about domestic encryption.

> No restrictions domestically nor in Canada. Even so, these CAs and the
> policy body above it clearly give the govt. more of a role in controlling
> crypto.

(To be clear, there are currently _no_ laws whatsoever about the types of
crypto a citizen (or resident alien, or, for all intents and purposes,
anyone)  may use, nor about the key length, nor about any form of GAK, etc.
  ["governemnt access to keys" or GAK is how many on the Cypherpunks list
  refer to any key-escrow proposal.]
Even Clipper I did not actually mandate allowable forms of crypto, though
many of us thought that this was the desired end-state, down the road. So,
I am tentatively assuming that Clipper III, if passed, will not diretly
impinge on domestic encryption policy, about which the government currently
says nothing.)

However, as with other proposed crypto laws and "trial balloons," there are
several questions which arise:

1. Will there be pressures put on the browser companies (Netscape,
Microsoft, etc.) and the e-mail companies (Qualcomm, Microsoft, Claris,
Lotus, etc.) to produce a "world version" that meets export standards with
a single shrink-wrapped package?

(Recall that last fall some of the various companies stated as their goal
having a single package that could be shipped worldwide. Some of them
claimed having two versions, a domestic U.S. version and an international
version, was too onerous. I am skeptical of this, given that they have
multiple platforms to support, multiple operating systems, etc. But they
claim it is.)

2. Interoperability. How will U.S. users exchange messages with
international users? Will a U.S. user have to register with the Authorities
to get the proper credentials, protocols, etc.? Will the U.S.-sold versions
of Netscape or Explorer, for example, contain the international GAKed
versions for use with international users?

> No indications they would. Idea is each authority could talk to the other
> and request escrowed keys or info. a la interpol. Of course, as today,
> there's no guarantee that agreements will always be in place, nor honored.

3. With products like PGP, there are already international users (lots of
them). Thus, no "export laws" are involved. So, will I be able to
communicate with them using my existing PGP methods?

> Under the White Paper, yes.

(If not, then my right to use an encryption product is in fact being
limited, contrary to the putative wording of what Clipper III is supposed
to be. To make this clear, I'm _already_ communicating with PGP, so no
"export version" is needed.)

And if U.S. users can continue to interoperate with international users as
they are now doing, this puts the lie to claims about how key escrow will
be useful for law enforcement.

> Which makes it look a lot like the old proposal.

4. And of course there is always the issue of _superencryption_. How a
GAKked program can detect that superencryption is being used has never been
adequately explained (to my satisfaction at least). Entropy measures won't
do it, and forbidding any encryption of messages already containing "BEGIN
PGP" will clearly just be a klugey bandaid.

5. What about U.S.-based corporations with offshore offices? Is a company
supposed to replace its entire intranet corporate network with a GAKked
system if even a single user is outside the U.S.-Canada?

> If it's legal now, the paper suggests it should be legal in the future.

(I fear that this is indeed the proposal. The effect will then be to make
all corporations GAKked.)

6. What about U.S. persons travelling abroad?

7. What about packets zinging around the world? Lots of complications if
GAK is insisted upon. And lots of new avenues for "packet laundering."

8. The issue of why other countries would insist that their citizens GAK
their keys when U.S. citizens don't have to!!

("Yes, Herr Glomlutz, we are insisting that all Germans using Netscape 4.0
must deposit their keys mit der Key Authority. No, we are not requiring our
own citizens to do this." I don't think this will fly too well.)

I can't see how other countries will go along with this.

> The paper is quite unclear on this, as well. Presumably other countries
> will have equally spiffy stuff they will require be escrowed for export
> under COCOM. All of this, of course, assumes cooperation from OECD, et al.

And what about the usual problem of "rogue nations" like Iraq, Iran, North
Korea, Israel, and Liberia?

> Same as before.

9. Many other issues. (They never answered the similar questions raised the
last time, so I doubt they will this time.)

Clipper III, if it turns out to be another worthless proposal which is
laughed out of Washington, will be no real threat. If Clipper III actually
outlaws or places limits on domestic use of crypto (as I think it must,
else it can be too easily circumvented completely), then it will be a
rallying cry which will likely see our membership increase still further,
the anti-Washington rhetoric escalate, and likely some new developments in
the war.

In a way, I am hoping that "Clipper III" is proposed, as it will energize
us once again. Historically, the "Cypherpunks antibodies" have had their
most vigorous growth when faced with a government antigen.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

[ TBTF for 1996-05-20 ]