May 19, 1996
On 1996-05-18 at 4:09 pm, Will Rodger, Washington Bureau Chief of Inter@ctive Week, posted a note to the Cypherpunks mailing list pointing to an article he had just published, http://www.zdnet.com/intweek/daily/960518y.html. It describes a proposal the White House is preparing in response to Congressional calls to ease restrictions on the export of strong cryptography. The following is a note posted to Cypherpunks in response by Timothy C. May <email@example.com>; it raises a number of questions about the reported key-encryption proposal. The note is copyright © 1996 by Timothy C. May and appears on the TBTF archive by permission. Some clarifications by Will Rodger, in > italics, were posted at 11:40 am on 1996-05-19.
Text in [square brackets] is mine. -- Keith Dawson
Date: Sat, 18 May 1996 23:03:31 -0700
To: firstname.lastname@example.org (Will Rodger), email@example.com
From: firstname.lastname@example.org (Timothy C. May)
Subject: Re: Interactive Week exclusive - White House to launch "Clipper III"
Sender: email@example.com

Many thanks to Will for passing this on the Cypherpunks list. Our opposition to Clipper I and Clipper II was strong and, I expect, will continue with CIII.

A question for Will Rodger: Is this "White Paper" ("The newest proposal is contained in a 24-page White Paper, a draft of which hit Capitol Hill earlier this week") related in any way to the one being prepared by Herb Lin and a bunch of other folks? It was due out about this time, and the topic seems similar. A bunch of us gave input to Herb and his panel at the CFP in '95...if this is the same White Paper, looks like we might just as well have saved our breath.

[A later poster clarified that Herb Lin's report, being prepared under the auspices of the National Research Council for release 1996-05-30, is unrelated.]

I read the stuff at the URL, [see <http://www.zdnet.com/intweek/daily/960518y.html>.] and at first blush it looks to say nothing about _domestic_ (within the U.S. and Canada) encryption. I'll be anxious to see what the White Paper says about domestic encryption.

> No restrictions domestically nor in Canada. Even so, these CAs and the
> policy body above it clearly give the govt. more of a role in controlling
> crypto.

(To be clear, there are currently _no_ laws whatsoever about the types of crypto a citizen (or resident alien, or, for all intents and purposes, anyone) may use, nor about the key length, nor about any form of GAK, etc. ["government access to keys" or GAK is how many on the Cypherpunks list refer to any key-escrow proposal.] Even Clipper I did not actually mandate allowable forms of crypto, though many of us thought that this was the desired end-state, down the road. So, I am tentatively assuming that Clipper III, if passed, will not directly impinge on domestic encryption policy, about which the government currently says nothing.)

However, as with other proposed crypto laws and "trial balloons," there are several questions which arise:

1. Will there be pressures put on the browser companies (Netscape, Microsoft, etc.) and the e-mail companies (Qualcomm, Microsoft, Claris, Lotus, etc.) to produce a "world version" that meets export standards with a single shrink-wrapped package?

(Recall that last fall some of the various companies stated as their goal having a single package that could be shipped worldwide. Some of them claimed having two versions, a domestic U.S. version and an international version, was too onerous. I am skeptical of this, given that they have multiple platforms to support, multiple operating systems, etc. But they claim it is.)

2. Interoperability. How will U.S. users exchange messages with international users? Will a U.S. user have to register with the Authorities to get the proper credentials, protocols, etc.? Will the U.S.-sold versions of Netscape or Explorer, for example, contain the international GAKed versions for use with international users?

> No indications they would. Idea is each authority could talk to the other
> and request escrowed keys or info. a la interpol. Of course, as today,
> there's no guarantee that agreements will always be in place, nor honored.

3. With products like PGP, there are already international users (lots of them). Thus, no "export laws" are involved. So, will I be able to communicate with them using my existing PGP methods?

> Under the White Paper, yes.

(If not, then my right to use an encryption product is in fact being limited, contrary to the putative wording of what Clipper III is supposed to be. To make this clear, I'm _already_ communicating with PGP, so no "export version" is needed.)

And if U.S. users can continue to interoperate with international users as they are now doing, this puts the lie to claims about how key escrow will be useful for law enforcement.

> Which makes it look a lot like the old proposal.

4. And of course there is always the issue of _superencryption_. How a GAKked program can detect that superencryption is being used has never been adequately explained (to my satisfaction at least). Entropy measures won't do it, and forbidding any encryption of messages already containing "BEGIN PGP" will clearly just be a klugey bandaid.

5. What about U.S.-based corporations with offshore offices? Is a company supposed to replace its entire intranet corporate network with a GAKked system if even a single user is outside the U.S.-Canada?

> If it's legal now, the paper suggests it should be legal in the future.

(I fear that this is indeed the proposal. The effect will then be to make all corporations GAKked.)

6. What about U.S. persons travelling abroad?

7. What about packets zinging around the world? Lots of complications if GAK is insisted upon. And lots of new avenues for "packet laundering."

8. The issue of why other countries would insist that their citizens GAK their keys when U.S. citizens don't have to!!

("Yes, Herr Glomlutz, we are insisting that all Germans using Netscape 4.0 must deposit their keys mit der Key Authority. No, we are not requiring our own citizens to do this." I don't think this will fly too well.)

I can't see how other countries will go along with this.

> The paper is quite unclear on this, as well. Presumably other countries
> will have equally spiffy stuff they will require be escrowed for export
> under COCOM. All of this, of course, assumes cooperation from OECD, et al.

And what about the usual problem of "rogue nations" like Iraq, Iran, North Korea, Israel, and Liberia?

> Same as before.

9. Many other issues. (They never answered the similar questions raised the last time, so I doubt they will this time.)

Clipper III, if it turns out to be another worthless proposal which is laughed out of Washington, will be no real threat.

If Clipper III actually outlaws or places limits on domestic use of crypto (as I think it must, else it can be too easily circumvented completely), then it will be a rallying cry which will likely see our membership increase still further, the anti-Washington rhetoric escalate, and likely some new developments in the war.

In a way, I am hoping that "Clipper III" is proposed, as it will energize us once again. Historically, the "Cypherpunks antibodies" have had their most vigorous growth when faced with a government antigen.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
firstname.lastname@example.org  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
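
Point 4 above says entropy measures cannot detect superencryption. The following is an added illustration, not part of the original post: it measures byte entropy for several inputs and shows where a threshold test misclassifies them. The cipher `toy_encrypt`, the filter `looks_encrypted`, its 7.5-bit threshold and the sample text are all assumptions made for this example.

```python
import base64, hashlib, math, zlib
from collections import Counter

# Constructed 16-word vocabulary for the sample plaintext (not from the page).
WORDS = (b"key escrow export policy crypto browser message packet "
         b"user network law agency trust channel cipher plain").split()

def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    stream = bytearray()
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def sample_text(n_words: int = 20000) -> bytes:
    """Deterministic English-like text, constructed for this example."""
    picks = (hashlib.sha256(i.to_bytes(4, "big")).digest()[0] % len(WORDS)
             for i in range(n_words))
    return b" ".join(WORDS[p] for p in picks)

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Hypothetical filter: treat high-entropy input as 'already encrypted'."""
    return byte_entropy(data) > threshold

def build_samples() -> dict:
    text = sample_text()
    once = toy_encrypt(b"inner key", text)    # the user's own encryption
    twice = toy_encrypt(b"outer key", once)   # a second layer on top of it
    return {
        "plaintext": text,
        "compressed (zlib)": zlib.compress(text, 9),        # not encrypted, yet flagged
        "encrypted once": once,
        "encrypted twice": twice,                           # same score as one layer
        "encrypted once, base64": base64.b64encode(once),   # encrypted, not flagged
    }

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:24s} {byte_entropy(blob):5.2f} bits/byte  "
              f"flagged={looks_encrypted(blob)}")
```

One and two layers of encryption score the same, compressed data is flagged although it is not encrypted, and base64-armored ciphertext falls below the threshold because its alphabet caps entropy at 6 bits per byte.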