Please note that I have written a sequel article called It Came From Planet Clipper: The Battle Over Cryptographic Key "Escrow" which takes the story up through October 1996.


[Page 709]

THE METAPHOR IS THE KEY: CRYPTOGRAPHY,
THE CLIPPER CHIP, AND THE CONSTITUTION

A. Michael Froomkin*


Published at 143 U. Penn. L. Rev. 709 (1995).
All rights, including electronic republication are reserved. Permission is hereby granted to make one (1) printed copy of this document for private use only.
[Page n] references relate to the pagination of the printed version.


Introduction

Without the ability to keep secrets, individuals lose the capacity to distinguish themselves from others, to maintain independent lives, to be complete and autonomous persons. . . . This does not mean that a person actually has to keep secrets to be autonomous, just that she must possess the ability to do so. The ability to keep secrets implies the ability to disclose secrets selectively, and so the capacity for selective disclosure at one's own discretion is important to individual autonomy as well.{1}
Secrecy is a form of power.{2} The ability to protect a secret, to preserve one's privacy, is a form of power.{3} The ability to penetrate secrets, to learn them, to use them, is also a form of power. Secrecy empowers, secrecy protects, secrecy hurts. The ability to learn a person's secrets without her knowledge, to pierce a person's privacy in secret, is a greater power still.

People keep secrets for good reasons and for evil ones. Learning either type of secret gives an intruder power over another. Depending on the people compromised and the secrets learned, this power may be deployed for good (preventing a planned harm) or ill (blackmail, intimidation).

This Article is about the clash between two types of power: the individual's power to keep a secret from the state and others, and the state's power to penetrate that secret.{4} It focuses on new [Page 713] conflicts between the perennial desire of law enforcement and intelligence agencies to have the capability to penetrate secrets at will, and private citizens who are acquiring the ability to frustrate these desires. This is an article about the Constitution and the arcana of secret-keeping: cryptography.{5}

This is also a long article. It is long because it addresses three complex issues. First, it outlines some of the promises and dangers of encryption. Second, it analyzes the constitutional implications of a major government proposal premised on the theory that it is reasonable for the government to request (and perhaps some day to require) private persons to communicate in a manner that makes governmental interception practical and preferably easy. Third, it speculates as to how the legal vacuum regarding encryption in cyberspace shortly will be, or should be, filled.

What fills that vacuum will have important consequences. The resolution of the law's encounter with cryptography has implications far beyond whether the government adopts the Clipper Chip or whether a particular cipher may be licensed for export. The resolution of this debate will shape the legal regulation of cyberspace and in so doing shape its social structures and social ethics.

Cryptologists{6} use a few terms that may not be familiar to lawyers, and it is useful to define them at the outset of any discussion relating to encryption. Cryptography is the art of creating and using methods of disguising messages, using codes, ciphers, and other methods, so that only certain people can see the real message. Codes and ciphers are not the same. A code is a system of communication that relies on a pre-arranged mapping of meanings such as those found in a code book. A cipher is a method of encrypting any text regardless of its content.{7} Paul Revere's "[o]ne, if by land, and two, if by sea" was a code.{8} If the British had landed by parachute, [Page 714] no quantity of lanterns would have sufficed to communicate the message. The modern cryptographic systems discussed in this Article are all ciphers, although some are also known as electronic code books.

Those who are supposed to be able to read the message disguised by the code or cipher are called recipients. "The original message is called a plaintext. The disguised message is called a ciphertext. Encryption means any procedure to convert plaintext into ciphertext. Decryption means any procedure to convert ciphertext into plaintext."{9} An algorithm is a more formal name for a cipher: a mathematical function used to encrypt and decrypt a message. Modern algorithms use a key to encrypt and decrypt messages.{10} A single-key system is one in which both sender and receiver use the same key to encrypt and decrypt messages. Until recently, all ciphers were single-key systems. One of the most important advances in cryptography is the recent invention of public-key systems, which are algorithms that encrypt messages with a key that permits decryption only by a different key.{11} Because the encrypting key need not be kept secret, it can be published, while its owner keeps the matching decrypting key private. The legal and social implications of this discovery figure prominently in this Article.

Cryptanalysis is the art of breaking the methods of disguise invented with cryptography. Lawyers will recognize the cryptographers' terms for cryptanalysts who seek to read messages intended only for recipients: enemies, opponents, interlopers, eavesdroppers, and third parties.{12} In this Article, however, cryptanalysts who work for U.S. law enforcement or intelligence organizations such as the FBI or the National Security Agency (NSA) will be called public servants. Key escrow refers to the practice of duplicating and holding the key to a cipher or the means of recreating or accessing the key to a cipher so that some third party (the escrow agent) can decrypt messages using that cipher. As used in the Clipper Chip debates, the term "escrow" is something of a misnomer because the escrow is [Page 715] primarily for the benefit of the government rather than the owner of the key.

Part I of this Article describes advances in encryption technology that are increasing personal privacy, particularly electronic privacy, but reducing the U.S. government's ability to wiretap telephones, read e-mail surreptitiously, and decrypt computer disks and other encrypted information. To ensure the continuation of the wiretapping and electronic espionage capabilities that it has enjoyed since soon after the invention of the telegraph and the telephone,{13} the government has devised an Escrowed Encryption Standard (EES),{14} to be implemented in the Clipper Chip{15} and other similar devices.{16} In Clipper and related products the government [Page 716] proposes a simple bargain: In exchange for providing the private sector with an encryption technology certified as unbreakable for years to come by the NSA,{17} the government plans to keep a copy of the keys{18}--the codes belonging to each chip which, the government hopes, will allow it to retain the ability to intercept messages sent by the chip's user. The government's proposal includes procedures designed to reduce the risk that the keys would be released to law enforcement agencies without legally sufficient justification, although the likely effectiveness of these procedures is debatable. Most U.S. residents remain free, however, to reject the government's offer, use alternatives to Clipper (so long as the software or hardware remains in the U.S.),{19} and withhold their keys from the government.{20} With ever more secure methods of [Page 717] encryption becoming easier to use, U.S. residents can protect their electronic communications and records so well that they are able to frustrate interception attempts by even the most sophisticated government agencies.{21}

Part II examines the legal justifications and constitutional implications of the EES proposal. It argues that the EES proposal violates the spirit, although not the letter, of the Administrative Procedures Act and represents an abuse of the technical standard-setting process. The involvement of the NSA may violate the Computer Security Act, but the absence of public information as to its role makes a firm judgment impossible. Part II also discusses Clipper's inherent policy and technical weaknesses and the inconsistencies between the Administration's policy objectives to the extent they are unclassified and the Clipper proposal itself. It concludes, however, that a purely voluntary Clipper program violates no statutory or constitutional provisions, and that even if it does, there is no one with standing to challenge such a violation. Part II also concludes that an optional Clipper will probably make only a modest contribution to the government's stated goal of maintaining its wiretap and electronic espionage capability.

Thus, Part III considers the constitutional implications of the more radical proposal that some commentators find implicit in the policies animating Clipper: requiring all users of strong encryption to register their ciphers' keys with the government. After a whirlwind survey of evolving conceptions of the constitutional right to privacy as well as more settled First, Fourth, and Fifth Amendment doctrines, Part III concludes that although mandatory key escrow would infringe personal privacy, reduce associational [Page 718] freedoms, potentially chill speech, constitute a potentially unreasonable search, and might even require a form of self-incrimination, the constitutionality of mandatory key escrow legislation remains a distressingly close question under existing doctrines.

Part IV addresses the cryptography controversy as an example of the law's occasionally awkward response to a new technology. The courts, and to a lesser extent the legislative and executive branches, have yet to come to grips with many cryptographic conundrums. As a result, this part of the legal "landscape" remains relatively barren. As more and more settlers arrive in cyberspace, the nature of this new landscape will depend critically on the legal metaphors that the colonists choose to bring with them.

Finally, the Technical Appendix discusses modern cryptographic systems, including the widely-used Data Encryption Standard (DES), and how they can (at least theoretically) be broken by attackers armed with large numbers of relatively modest computers. It also provides an introduction to public-key cryptosystems and to digital signatures, which could represent the most important commercial application of modern cryptographic techniques.

I. Modern Cryptography: Private Security, Government Insecurity

Cryptography contributes to commercial, political, and personal life in a surprising number of ways. Now that modern cryptographic techniques have put strong, perhaps uncrackable, cryptography within the reach of anyone with a computer or even a telephone, the use of strong cryptography is likely to increase further. As a result, worried law enforcement and intelligence agencies have developed the Clipper Chip in order to retain their capability to eavesdrop on private electronic communications.

A. Who Needs Cryptography?

Many individuals and businesses want or need communications and data security.{22} Although these desires clearly have an objective [Page 719] basis in many cases, some of these desires are undoubtedly symbolic and psychological. Who other than the recipient, after all, is likely to want to read most private faxes and e-mail?{23} The subjective nature of a desire for privacy makes it no less real or worthy of respect.{24} Encryption can play a critical role in contributing to this communications and data security.{25}

The government's assurance that a cryptosystem is secure also contributes to this security. Evaluating the strength of a cipher is a black art that requires skills few businesses or individuals possess. The government's endorsement will at least reassure those, such as banks and lawyers, who have a duty to secure their communications and data but lack the technical knowledge to determine what ciphers are reliable.

1. Banks, ATM-Users, Electronic Transactors

Encryption is heavily used in banking, both in the United States and abroad. Fedwire and the Clearing House Interbank Payment System process a daily total of more than 350,000 messages with an estimated value of between $1 and $2 trillion. These transactions rely on U.S. government-approved encryption to protect against unauthorized modification and forgery.{26} The U.S. Department of the Treasury requires encryption of all U.S. electronic funds transfer [Page 720] messages.{27}

Banks use encryption to protect ID numbers that customers use at bank automated teller machines (ATMs).{28} In addition, many banks encrypt the customer data on ATM cards in order to protect against forgeries.{29} The banking sector's awareness of its vulnerability to electronic theft of funds has spurred the creation of cryptographic standards for both retail and inter-bank transactions.{30}

As the economy continues to move away from cash transactions towards "digital cash," both customers and merchants will need the authentication provided by unforgeable digital signatures in order to prevent forgery and transact with confidence.{31} Forgery is a perennial problem with electronic mail: copying is easy, there are no tangible permanent media involved in the communication, and programmers or system managers can alter e-mail headers to fake the source of a message. Cryptography can provide an authenticating function for these electronic transactions. Cryptographic [Page 721] techniques can be used to produce a digital signature which, when properly used, can prove that a cleartext message (such as a buy or sell order) was really sent by the party from whom the message appears to originate.{32} In addition, a digital signature attests to the integrity of the contents of a message. If the digital signature system is properly implemented, the signature of every document is uniquely calculated from the full text of the document, and is uniquely associated with the sender. There is no way to fake a signature by copying a signature from one document and attaching it to another, nor is it possible to alter the signed message in any way without the recipient immediately detecting the deception.{33} The slightest change in a signed document will cause the digital signature verification process to fail. Indeed, a signature verification failure will be caused by a transmission error affecting a single bit of the message.{34}

The proposed National Information Infrastructure, better known as Vice President Al Gore's information superhighway, envisions "telebanking" and other electronic transactions.{35} It recognizes, however, that as these services expand, so too will "public concern about communications and personal privacy."{36} One important issue will be the extent to which consumer-oriented digital payment systems allow for anonymity and privacy; another will be the extent to which law enforcement and banks will require audit trails that lead to the consumer.{37} [Page 722]

2. Businesses with Commercial and Trade Secrets

Stealing a secret is often much cheaper than discovering, or even rediscovering, it oneself. The United States annually invests more than $130 billion in nongovernmental research and development.{38} The fruits of this investment present a tempting target for industrial espionage, from both foreign and domestic competitors.{39}

Business information need not be scientific or technical to be of enormous value. Sensitive market information such as the amount that a corporation plans to bid at an auction for valuable oil leases or the amount that a construction company plans to offer at tender is of enormous benefit to a competitor.{40} Knowledge of a company's cost and price structure, market research, strategic plans, and order and customer lists is of obvious benefit to competitors. For an investor, inside information such as planned merger or acquisition activity can also reap huge profits. Encryption helps prevent high-tech eavesdropping, while at the same time discouraging some low-tech theft: a stolen laptop with an encrypted disk represents a loss of hardware, but not of sensitive information.{41}

The increasing importance of intellectual property makes information security especially valuable to industry; the portability of ideas makes it ever-harder to achieve. The increase in mobile communications also plays a role. As workers rely on networks to tele-commute to the office, or use cellular telephones to communicate with colleagues, or download e-mail onto their laptops while away from the office, they expose their information to eavesdroppers.{42}

[Page 723]The risk to U.S. corporations of both high- and low-tech industrial espionage is particularly great because they are not just the target of domestic and foreign competitors, but also of foreign intelligence agencies. Indeed, according to the FBI, foreign governments routinely use their intelligence services to acquire valuable information about U.S. corporations.{43} As a result, without some form of communications and data security, sensitive technical and market information can be intercepted from faxes, cellular and microwave telephone calls, satellite communications, and inadequately protected computer systems.{44} Foreign firms may soon face a similar threat of industrial espionage by U.S. intelligence agencies searching for new roles, and continued appropriations, in the post-cold-war era.{45} [Page 724]

3. Professionals

Lawyers have long relied on ordinary telephones to communicate with clients and are increasingly using cellular telephones and electronic mail.{46} Every lawyer knows that she should never discuss client confidences in a crowded restaurant. If such a confidence is overheard by a third party, even unintentionally, waiver of the attorney-client privilege may be imputed.{47} Anyone with the right sort of receiver can overhear cellular telephone conversations. Unfortunately, the ease with which electronic mail messages can be intercepted by third parties means that communicating by public electronic mail systems, like the Internet, is becoming almost as insecure as talking in a crowded restaurant.{48} Similarly, the ease with which intruders can gain access to unprotected computers that can be accessed via the Internet means that unencrypted data on such machines is at risk.{49} Even ordinary telephone conversations [Page 725] may be at risk if the signal travels by microwave or satellite.{50} Although there are no cases to date holding that failure to encrypt a cellular telephone conversation or an electronic mail message, much less a regular phone call, constitutes professional negligence, the ease with which these can be overheard or intercepted, combined with the growing simplicity of encryption software, makes it conceivable that failure to use encryption may be considered a waiver of privilege at some point in the future (at least for insecure media such as electronic mail and cellular telephones).{51}

Lawyers are not the only professionals who receive client confidences. Doctors, therapists, and accountants all receive sensitive information which they then have a duty to keep confidential. These duties can arise in tort or contract, or pursuant to state and federal statutes.{52} Some of these duties are reflected in evidentiary privileges,{53} but a privilege is not required to create the duty.{54}

4. National ID Cards and Data Authentication

Because strong cryptography can be used to authenticate data,{55} it makes nearly unforgeable national ID cards possible. The cards could have the owner's date of birth, social security number, [Page 726] a digitized photograph, and any other information (for example, health, immigration status, or prior convictions).{56} Users (who might include liquor stores, police, banks, employers, or a national health insurance trust) would have a reader with the government's public key on it, which they would use to check (in effect, to decrypt) the government's digital signature on the card's contents. So long as the government was able to keep its private key secret, the ID card would be unforgeable: a card whose contents had been altered, or which had been made up from scratch, would fail the signature check.

National ID cards raise a host of problems outside the scope of this Article, many of which could be exacerbated by the use of cryptography. Chief among these difficulties is the danger that the government might encrypt additional information on cards that would be invisible to the holder but might be accessible to law enforcement, or even some employers. Examples of such secret information include criminal record, military discharge status, or health information.{57} Less ominously, digital signatures provide a means of authenticating all electronic data. In a world in which bank, tax, and medical records, and the contents of the digital library are all at risk of accidental or malicious alteration, authentication of data becomes critical. By providing a reliable guarantee that data with a proper signature is authentic, digital signatures provide a certain means of detecting changes when someone tries to rewrite history. [Page 727]

5. Criminals

Cryptography not only allows individuals to keep their communications and records secret, it also allows them to keep their identities secret. We are accustomed to more anonymity in our commercial life than we realize, although this form of privacy is shrinking. Purchasing a newspaper for a few coins from a vending machine or a store leaves no audit trail: ordinary cash is anonymous.{58} Although the use of credit cards continues to increase, there are some transactions that people prefer to keep untraceable.{59} It seems safe to suppose that some cash transactions, while legal, might not occur if the only payment option were something that leaves a record.

Cryptologists have worked out protocols for untraceable, anonymous, electronic cash ("E$") that also resist illicit duplication. These permit customers to acquire E$ from a digital bank without disclosing their identity to the bank. Using high-level cryptographic techniques, the E$ is unforgeably certified as valid, but can be spent only once.{60}

Unfortunately, although cryptography allows the creation of privacy-enhancing E$ and helps ensure that an Orwellian surveillance state remains in the realm of fiction, its advantages come at a price. The same features that might make uncrackable encryption attractive to groups seeking to change the social order by lawful but unpopular means, and that protect those working towards unpopular causes from retribution, also provide security to lawbreakers. Untraceable E$ may help make untraceable "perfect crimes" possible.{61}

[Page 728]Undoubtedly, criminals and conspirators will find a use for encryption,{62} but so too will many others. Not every diarist records crimes in his daybook, but for many people there will be a certain satisfaction in knowing that their most private thoughts are safe from anyone's prying eyes, be they major governments or younger siblings.{63}

6. Users of Telephones, Electronic Mail, Faxes, or Computers

a. Cellular Telephones

There are at least twelve million cellular telephone subscribers in the United States.{64} Few of these telephones use encryption. Most of the cellular telephones that use some form of encryption use a very simple masking algorithm which is easy to defeat with parts available in any Radio Shack. Although cellular telephone eavesdropping is illegal,{65} it is easy.{66} [Page 729]

b. Standard Telephones

Currently, only the U.S. government has a large network of secure telephones, and they are expensive.{67} Although AT&T has developed secure telephones based on the Clipper Chip that will provide encrypted communications so long as both parties have a Clipper-equipped telephone, most telephone conversations remain vulnerable to legal and illegal wiretapping and, if the signal travels by microwave or satellite, to other forms of interception as well.{68}

c. Faxes

Faxes are as vulnerable to interception as any other telephone call, yet few fax transmissions are encrypted.{69} Fax interception equipment is "relatively inexpensive" and in some countries is routinely used by telephone companies or the government to monitor fax traffic.{70} Consequently, software vendors are now adding encryption options to common operating systems such as Microsoft's Windows.{71}

Encryption also protects against the consequences of misdialing a telephone number and reaching the wrong fax machine, an increasingly common problem as the number of dedicated fax lines grows.

d. E-mail

The exponential growth in the Internet's popularity has fueled the private demand for encryption.{72} Military-grade cryptography, or something close to it, is easily available free to any user of the Internet who knows how to download a file.{73} [Page 730]

e. Personal Records

Many people have things they want to hide from their colleagues or family members. The secret can be as trivial as a planned surprise party, as personal as a love letter or sexual orientation, or as unsavory as a planned theft or past misdeed. It can be a private diary or the plans for a bomb. These records may be on paper or stored on a computer disk. Some people derive a sense of security from the knowledge that their communications and data are safe from unauthorized snooping by their friends, family, or anonymous computer hackers. Others seek an even greater sense of security by attempting to encrypt their communications and records in a manner that cannot be decrypted even by authorized law enforcement.{74}

7. Dissidents and Others

Most, if not all, of the readers of this Article probably experience life in the United States as one of political freedom. For some of these readers, a desire for communications and electronic records security, particularly security from possible or suspected government surveillance or intrusion, may appear to be an excess of libertarian paranoia. The existence of low-water marks in civil liberties (such as the 1798 Alien and Sedition Act,{75} the 1920s' [Page 731] "Palmer raids,"{76} the Japanese internment during World War II,{77} and COINTELPRO{78}) may be seen by some readers as well-documented and anomalous departures from American ideals; other readers may see them as symptoms of a more general tendency of those in authority, approaching the "iron law of oligarchy."{79}

Organized government intrusion into personal communications and data privacy is less visible than an order to round up thousands of civilians. It is also far more frequent. When given the duty and authority to identify threats to national security,{80} public servants have shown a tendency to adopt a "vacuum cleaner[]" approach to private information.{81} Indeed, the Senate committee charged with investigating domestic surveillance noted "the tendency of intelligence activities to expand beyond their initial scope" and stated that government officials "have violated or ignored the law over long periods of time and have advocated and defended their right to break the law."{82}

[Page 732]It is harder to view fears of government surveillance as aberrational when one learns that in the 1950s the FBI identified 26,000 "potentially dangerous" persons who should be rounded up in the event of a "national emergency," and that it maintained this list for many years.{83} During the 1970s, even sympathizers dismissed as fantastical the claims by Black Panthers and other dissident groups that they were being wiretapped and bugged by the FBI. These allegations proved to be correct.{84} Indeed, the U.S. government has an unfortunate recent history of intrusion into private matters. During the 1970s, the FBI kept information in its files covering the beliefs and activities of more than one in four hundred Americans;{85} during the 1960s, the U.S. Army created files on about 100,000 civilians.{86} Between 1953 and 1973, the CIA opened and photographed almost 250,000 first class letters within the U.S. from which it compiled a database of almost 1.5 million names.{87} Similarly, the FBI opened tens of thousands of domestic letters, while the NSA obtained millions of private telegrams sent from, to, or through the United States.{88}

Although the Constitution guarantees a high degree of political freedom and autonomy, "[t]he Government has often undertaken the secret surveillance of citizens on the basis of their political beliefs, even when those beliefs posed no threat of violence or illegal acts on behalf of a hostile foreign power."{89} Certainly, neither statutory nor constitutional prohibitions have proved consistently effective in preventing civil liberties abuses. For example, U.S. Census data is supposed to be private, and that privacy is guaranteed by law. Nevertheless, during World War II the government used census data to identify and locate 112,000 [Page 733] Americans of Japanese ancestry who were then transported to internment camps.{90} Similarly, the CIA repeatedly violated the prohibition on domestic intelligence contained in its charter.{91}

One need not believe that such excesses are routine to sympathize with those who fear that another such excess is foreseeable. Indeed, whether one considers these operations to have been justified, to have resulted from a type of a bureaucratic rationality that rewards results regardless of legal niceties,{92} or to have been a form of security paranoia, this history could cause a reasonable person to fear she might someday be swept up in an investigation.{93} The passage of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Title III),{94} designed to define standards for the use of wiretaps, appears to have reduced greatly the amount of illegal wiretapping by police. Nonetheless, illegal wiretapping by police has not been completely eliminated.{95}

Not all government intrusion into privacy is centrally organized, but that hardly makes it less intrusive. During the past five years the IRS has caught hundreds of its employees snooping into the tax records "of friends, neighbors, enemies, potential in-laws, stockbrokers, celebrities and former spouses."{96} Authorized users of the FBI's National Crime Information Center have used its databases to check up on friends and neighbors and to check backgrounds for political purposes.{97} It is an article of faith for many Americans that postal workers read the postcards they process, and not without reason, when postal workers are heard to say that they "pass the really good ones around the office."{98}

A reasonable person may also be concerned about surveillance by nongovernmental actors. For instance, political campaigns are notorious for dirty tricks, including the bugging of opponents;{99} the yellow pages in any major city contain numerous advertisements for detective agencies and investigators;{100} and eavesdropping and bugging devices are readily available in stores.{101}

In light of this history of public and private intrusion into personal privacy and the growing interconnection of computers and communications envisioned by the National Information Infrastructure, it is impossible to dismiss the desire for personal communications [Page 735] and records security as pure paranoia. It may, in fact, be very sensible.

B. The U.S. Data Encryption Standard (DES) Is Increasingly Vulnerable

While the need for communications security grows, the officially sanctioned tools for providing that security are beginning to look dated and vulnerable.

1. How DES Became a Standard

In the early 1970s, the National Bureau of Standards (NBS), since renamed the National Institute of Standards and Technology (NIST), decided to define a national standard cryptographic algorithm.{102} The absence of a government standard, the NBS determined, caused people to use competing cryptographic products that were unable to communicate with each other.{103} The lack of interoperability among commercial cryptographic products deterred firms from using encryption when it would have been of value. Similarly, the absence of a standard kept the costs of products high and reduced the incentive to improve them. In selecting a standard cryptographic system, the NBS proposed to certify the strength of its algorithm, and thus reassure potential users that the system was strong enough to resist attack, something that most users would be unable to determine for themselves. The NBS determined that the algorithm it selected should be easy to use, strong, suitable for use in electronic devices, and yet sufficiently weak to be exportable without running afoul of export control regulations which control cryptography.{104}

[Page 736]In 1977, after several years of acrimonious public debate among professional cryptologists, the NBS selected an algorithm developed by IBM that the NSA had certified as "free of any statistical or mathematical weaknesses."{105} It is now known as the Data Encryption Standard (DES).{106} DES is a single-key cipher: the sender and the receiver use the same key to encrypt and decrypt the message. DES keys are fifty-six bits (about eight ASCII characters) long.{107} This means that there are seventy-two quadrillion (actually 72,057,594,037,927,936) different possible keys.{108} DES is approved for use by the government for its sensitive information, but not for classified information.{109}

The designation of DES as the U.S. standard was controversial, foreshadowing the current controversy over Clipper. An earlier version of the IBM project used a key with well over one hundred bits.{110} The key shrank to fifty-six bits by the time it became the U.S. standard. Critics charged that the shortened key was designed to be long enough to frustrate corporate eavesdroppers, but short enough to be broken by the NSA.{111} Some critics also feared there might be a "back door,"{112} an implanted weakness in a key[Page 737]part of the encryption algorithm known as S-boxes, that would allow the agency to use computational shortcuts to break the code.{113}

The problem was exacerbated by the unwillingness of DES's creators to explain why they had chosen the particular, seemingly arbitrary, method of mixing up bits that they had selected. Cryptology is a field for the truly devious, and many cryptologists were concerned that there might be a mathematical vulnerability intentionally inserted by the cryptographers who designed the DES cipher. The search for such back doors in government-sponsored ciphers such as DES has been a popular pastime among suspicious cryptologists since the NBS proposed DES, yet no back door has been reported. Recently, however, academic cryptologists determined that DES's unusual algorithm is peculiarly resistant to a newly discovered mathematical attack called "differential cryptanalysis," a technique which had not been discovered, at least in unclassified form, at the time DES became the U.S. standard. DES's inventors have since stated that they were aware in 1974 of DES's resistance to differential cryptanalysis, but kept quiet to protect national security.{114}

Export of DES is controlled by the State Department as if it were a weapon like a tank or fighter plane.{115} Financial institutions and the foreign offices of U.S.-controlled corporations routinely receive clearance to export DES if they show a need, but the State Department, presumably acting on the advice of the NSA, usually refuses to allow others to export it.

Although U.S. law ordinarily prevents Americans from selling DES-equipped encryption products to foreigners, DES is found around the world and freely sold by foreign corporations in many countries. It may be "the most widely used cryptosystem in the [Page 738]world."{116} A full specification of DES is available in books sold in the United States,{117} the export of which is not controlled,{118} presumably on First Amendment grounds.{119}

2. DES Is Vulnerable to Attack

In a world where computing speed almost doubles every year, DES looks as if it has been a standard for a very long time. Its 56-bit keys look more vulnerable to attack than ever before. DES is thus approaching the end of its useful life, at least for high security information. NIST recertified DES in 1993 but suggested that its days as an official standard are numbered.{120}

Given that computer processors become cheaper every day, brute-force searches for DES keys are now well within the reach of relatively affordable, massively parallel machines.{121} A recent paper describes a brute-force attack on DES as "alarmingly economical," estimating that for $1 million one could build an optimized machine, assembled from custom chips each trying fifty million keys per second, that would crack a DES key in an average of 3.5 hours.{122} (A single device trying fifty million keys per second would need more than forty-five years to exhaust all seventy-two quadrillion keys; the 3.5-hour figure comes from running tens of thousands of such chips in parallel.) An investment of $10 million would produce a machine that would be expected to crack a DES key every twenty-one minutes.{123} DES-cracking remains beyond the means of the casual snooper, but is now within the means of many corporations and every government.

[Page 739]The security problem is compounded by the probabilistic nature of a brute-force key search. The strength of an algorithm is expressed in the amount of time it would take to be certain of finding the key by trying every possibility. The expected (average) amount of time per key is only half that amount. If, however, an attacker is engaged in a routine program of successively trying to break keys, and knows how often they are changed, the attacker will inevitably get lucky. This can be a serious threat in situations where one piece of luck will garner the attacker a large return.

Suppose, for example, that a bank which becomes concerned about the vulnerability of its DES keys decides to change the key used for interbank financial transactions every day. Does this give it security? If an attacker has a machine that is certain to break a key in a year, then the attacker has over a 0.01% chance of breaking the new key in an hour, and a 0.27% chance of breaking it in a day.{124} In plain English, the attacker has just better than a one in ten thousand chance of breaking each key in the first hour; she has a chance of about one in 370 of breaking each key before it is changed. The attacker thus can hope for a large electronic funds transfer to her bank account about once a year.{125}

Worse, the attacker does not need special computers so long as she has several of them. An attacker armed with only one 100 MHz Pentium computer would have a minuscule daily chance of success. If she links a group of 500 Pentium computers on a university network, however, her chance of cracking DES in a day rises to just above one in 40,000.{126} These are not bad odds for a lottery in which the payoff can be in the millions, and the cost of a ticket (idle [Page 740]time on computers in a university network) may be zero to the user.

The idea of networks of computers harnessed together to crack a DES key may sound like science fiction, but something similar is already happening. A group of computer scientists and mathematicians recently used the Internet to harness computer time donated by 600 volunteers. Using a total of about 5000 MIPS-years{127} of processing time to make 100 quadrillion calculations over an eight month period, the group solved a problem equal in complexity to breaking a 129-digit RSA key.{128} RSA is a commercial public-key cryptosystem{129} and its keys are not precisely comparable to DES keys, but even so the problem was far harder than breaking DES's 56-bit key.{130}

3. How to Achieve Better Security

One solution to the aging DES problem may be to switch to "triple-DES." As the name suggests, in triple-DES a message is processed with DES three times, although the middle step is a decryption (with a different key) in order to make the final product [Page 741]compatible with regular DES.{131} The advantage of using triple-DES rather than a single 56-bit encryption is that messages remain more compatible with existing equipment; the disadvantages are a loss in speed, a need to revise existing software and hardware, inelegance, and some lingering uncertainty as to its safety.{132} NIST has been silent on the security (or lack thereof) of triple-DES. The NSA has not disclosed whether it considers triple-DES insecure, too secure, or neither.{133} It may be that the NSA has been silent on triple-DES in the hopes that it will be elbowed out of the market by "escrowed" encryption products such as Clipper. Triple-DES is probably very hard to break; breaking through Clipper's protections will involve no (computational) effort for authorized persons because the government will keep a copy of the keys.{134}
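To make concrete why the middle step of triple-DES is a decryption, here is an added example in Python; it is not code from the article or from any DES implementation. It uses a small four-round Feistel cipher with a 56-bit key as a stand-in for DES, because the point is structural rather than cryptographic: the encrypt-decrypt-encrypt (EDE) sequence with all three keys equal collapses to a single encryption, so a triple-DES device keyed that way interoperates with single-DES equipment. The toy cipher, its round function, the function names and the key values are constructed for illustration and have no security value.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 4


def _f(right: int, subkey: int) -> int:
    """Toy round function (constructed, not DES's): mix a 32-bit half-block with a subkey."""
    v = ((right ^ subkey) * 0x9E3779B1) & MASK32
    return ((v << 13) | (v >> 19)) & MASK32


def _subkeys(key: int):
    """Split a 56-bit key into four 14-bit round subkeys (DES uses 16 rounds of 48 bits)."""
    if not 0 <= key < (1 << 56):
        raise ValueError("key must be a 56-bit integer")
    return [(key >> (14 * i)) & 0x3FFF for i in range(ROUNDS)]


def _feistel(block: int, subkeys) -> int:
    """Generic Feistel network on a 64-bit block; decryption runs the subkeys backwards."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ _f(right, k)
    return (right << 32) | left  # undo the final swap


def encrypt(key: int, block: int) -> int:
    return _feistel(block & MASK64, _subkeys(key))


def decrypt(key: int, block: int) -> int:
    return _feistel(block & MASK64, _subkeys(key)[::-1])


def triple_encrypt(k1: int, k2: int, k3: int, block: int) -> int:
    """EDE: encrypt under k1, decrypt under k2, encrypt under k3."""
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))


def triple_decrypt(k1: int, k2: int, k3: int, block: int) -> int:
    """DED: the inverse of EDE, applied with the keys in reverse order."""
    return decrypt(k1, encrypt(k2, decrypt(k3, block)))


def single_des_compatible(key: int, block: int) -> bool:
    """With k1 == k2 == k3 the middle decryption cancels the first encryption."""
    return triple_encrypt(key, key, key, block) == encrypt(key, block)
```

Running triple_encrypt with k1 = k2 = k3 reproduces encrypt(k1, block) exactly, which is the compatibility property the text describes; with distinct keys the result differs and must be undone with triple_decrypt, which applies the three operations in the opposite order. Had the middle step been a second encryption, no choice of keys would have reduced the construction to a single DES operation.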

[Page 742]A second solution, applicable only to time-sensitive information, is to change DES keys very frequently. If a new DES key is used for every message, by the time the attacker figures out the old key, it is too late. Of course, this solution does not work for things that need to be kept secret for long periods of time. It also requires that parties to communication have some way to agree on a continuing supply of new keys which, by definition, they cannot do on the insecure channel which requires the encryption in the first place.{135}

A third solution is to abandon DES, in whole or in part, and try something new. The U.S. government has selected a replacement for DES that involves escrowed encryption using a new algorithm called SKIPJACK. The government has indicated that it hopes U.S. users of cryptography will adopt this option.

C. The Escrowed Encryption Standard (EES)

The industrialized world is in the opening stages of an "ongoing telecommunications revolution with still undefined potential to affect the way we communicate and develop our intellectual resources."{136} These changes can be liberating, and they can be painful; some have distributional consequences affecting relative power as well as access to information.

The increases in personal privacy and communications security promised by cryptography come at the expense of those who benefit from insecure communications. If every telephone call is routinely encrypted, domestic law enforcement agencies, such as the FBI and local police forces, will find wiretapping harder or even impossible. If information on computers is routinely encrypted police may find evidence inaccessible or incomprehensible. When sophisticated encryption technologies are used abroad, intelligence agencies such as the NSA, which routinely seek to penetrate the communications of foreign powers, find their missions complicated. To the extent [Page 743]that American citizens are better off because wiretaps help catch and convict criminals, and to the extent that communications intelligence protects the national interest from foreign threats, developments that impede legitimate wiretaps may make us all worse off.

The fear of losing electronic surveillance capabilities because of advances in encryption technology has produced a three-pronged reaction from the law enforcement and intelligence communities. First, their spokespersons have begun a public relations offensive designed to explain why these capabilities matter.{137} Second, they have sought legislation requiring that telephone networks and other similar communications channels be designed in a manner that facilitates wiretapping.{138} Third, they have designed and supported EES, best known in its most famous implementation, the Clipper Chip, which enables the government to keep a copy of the key needed to decrypt all communications using EES. These activities share the premise that it is reasonable for the government to request, and in some cases require, that private persons communicate in a manner that makes interception by the government at least practical and preferably easy.

1. Why the Government Wants EES to Replace DES

"What! fear not, man, but yield me up the keys."{139}

The Administration{140} makes two types of arguments in favor of EES. In its hard sell, the Administration, primarily through the [Page 744]FBI, paints a lurid picture of law enforcement stripped of an essential crime-detection and evidentiary tool, wiretapping, while pornographers, drug dealers, terrorists, and child molesters conspire via unbreakable ciphers, storing their records and child pornography in computers that become virtual cryptographic fortresses. Meanwhile, the intelligence agencies, primarily the NSA, quietly murmur that existing policies have proved ineffective in preventing the increasing use of unescrowed encryption, and suggest that their proposals should be adopted to prevent developments that might (or might not; they won't say) undermine the nation's communications intelligence capabilities.

In its soft sell, the government argues that if the NSA has designed a cryptographic system that it is willing to certify as secure and make available to the American public, the government has an obligation to take steps to prevent that cipher from being used against it by criminals and foreign governments. In fact, the current national standard cipher, DES, is strong enough that the U.S. government has sought to prevent its export and may indeed regret having let the algorithm become publicly available.{141} EES, the argument goes, just maintains the status quo. Even if everyone used a Clipper-equipped telephone, telephone conversations would be no less secure against legitimate government wiretapping than they are today, while being more secure against illicit eavesdropping.{142}

a. Domestic Law Enforcement

According to FBI Director Louis Freeh, electronic intelligence, especially wiretapping, is crucial to effective law enforcement: if the FBI and local police were to lose the ability to tap telephones because of the widespread use of strong cryptography, the "country [would] be unable to protect itself against terrorism, violent crime, foreign threats, drug trafficking, espionage, kidnapping, and other crimes."{143}

From the statistics available, it is difficult to determine how [Page 745]much difference wiretaps actually make.{144} The FBI estimates that wiretaps play a role in an average of 2200 convictions per year,{145} but it is unclear how many of these convictions could have been obtained without wiretaps. Despite an almost 50% increase since 1983, court-ordered wiretaps are still relatively rare: only 919 were authorized in 1992 for all federal, state, and local police forces.{146} Of these, only 141 wiretap orders covered electronic devices such as faxes, digital display pagers, voice pagers, cellular phones, or electronic mail. In 1993, the 976 active court-ordered wiretaps allowed police to hear approximately 1.7 million conversations involving nearly 94,000 persons. The listeners described about 20% of the conversations as incriminating.{147} The law enforcement community suggests that wiretaps make the biggest difference in the largest cases because wiretaps have been used to gather evidence in 90% of the terrorism cases brought to trial.{148} The average cost of a wiretap was $57,256 in 1993,{149} so it may be that the biggest cases are the only ones in which the expense of monitoring a telephone line seems justified.{150}

Statistics aside, it seems only logical that the spread of strong, user-friendly cryptography would increase the risk that evil people will be able to frustrate law enforcement attempts to crack their computers or bug their telephones. Whether the risk has yet [Page 746]manifested itself is less clear. For all its predictions of disaster in the making, "the FBI has not been able to point to a single instance to date [(September 1994)] where encryption has hampered [its] investigation of a case."{151}

Nevertheless, the fear that rogue cryptography might allow "terrorists, drug dealers, and other criminals"{152} to evade law enforcement seems to supply a large part of the motivation for the Administration's support for EES. One can only sympathize with officials who were, no doubt, asked whether they wished to go down in history as the individuals responsible for letting loose a technology that might someday hamper the investigation of a terrorist threat to a large population center.{153} Faced with the FBI's Manichaean vision of, on the one hand, a world of rampant cryptography in which the bad guys remain impregnable behind cryptological walls and, on the other hand, an ambitious plan to return to the status quo ante in which the police remain able to intercept and understand most if not all electronic communication, it is not surprising that the Clinton Administration opted for what must have appeared to be the safer course.
[Page 747]

b. Intelligence-Gathering

The communications intelligence capabilities of the United States are a subject "characterized by secrecy even greater than that surrounding nuclear weapons."{154} Unclassified discussion of the effect of strong private cryptography on the capabilities of intelligence agencies quickly becomes conjecture. We do know, however, that two of the most important functions of the NSA are to acquire and decrypt foreign communications, and to conduct traffic analysis of foreign and international communications.

The two functions are related, but different. Acquisition and decryption of foreign communications are the stuff of headlines: listening to the Soviet President's telephone calls made from his limousine or breaking German codes during World War II. Traffic analysis is more subtle, but no less important. It is the study of the sources and recipients of messages, including messages that the eavesdropper cannot understand. In wartime, traffic analysis allows intelligence agencies to deduce lines of command. Changes in the volume and direction of traffic can signal the imminence of operations.{155}

Widespread foreign access to even medium-grade cryptography makes it more difficult for U.S. communications intelligence to select the messages that are worth decrypting, or even worth reading.{156} Worse, it makes traffic analysis much more difficult. So long as most electronic communications are unencrypted, intelligence agencies are able to sort messages in real time, and identify those of interest, or those which warrant further attention.{157} [Page 748]Furthermore, if most traffic is plaintext, then ciphertext cries out for attention: here is someone with something to hide. Even if the message cannot be decrypted quickly, the source can be flagged for traffic analysis, which enables the intelligence agency to build up a picture of the persons with whom the source communicates. If everyone is using strong cryptography, then the most secret messages no longer stand out.

c. Failure of Laws Designed to Prevent the Spread of Strong Cryptography

The United States has several long-standing laws and policies designed to prevent strong cryptography from spreading abroad, and even from being widely used at home. Although these may have served to slow the spread of strong cryptography, ultimately they have failed to stop it. The following is only a brief summary of two exemplary policies and their effects.{158}
i. Export Control: The ITAR
U.S. export control is designed to prevent foreigners from acquiring cryptographic systems that are strong enough to create a serious barrier to traffic analysis, or that are difficult to crack.{159} Two sets of regulations govern the export of encryption software: the Export Administration Regulations (EAR) govern "dual use" technologies{160} and the International Traffic in Arms Regulations (ITAR) apply to items that the government considers inherently military in nature.{161} The EAR are generally less demanding, but the ITAR take precedence.{162} Under the ITAR regime, applica[Page 749]tions to export cryptographic software as strong as (or stronger than) DES are routinely denied.{163} Only strong products that lack [Page 750]the capability of being adapted for encryption, or which are designed for specific banking applications, receive official export clearance.{164}

The ITAR have failed to prevent the spread of strong cryptography. The ITAR prohibit export of cryptographic software,{165} yet software created in the United States routinely and quickly finds its way abroad. For example, when version 2.6 of PGP, a popular military-grade cryptography program, was released in the United States by graduate students at MIT as freeware,{166} a researcher at the Virus Test Center at the University of Hamburg, in Germany, received a copy within days from an anonymous remailer.{167} He then placed it on his internationally known Internet distribution site.{168} As would-be sellers of cryptographic products have frequently testified to Congress, the major effect of the ITAR is to prevent U.S. companies from competing with those foreign companies that sell sophisticated cryptographic software abroad.{169}

[Page 751]Meanwhile, enforcement of the ITAR has produced absurd results. The State Department has refused to license the export of a floppy disk containing the exact text of several cryptographic routines identical to those previously published in book form.{170} The refusal was all the more bizarre because the book itself was approved for export.{171} The only reasons given by the State Department for its refusal were that "[e]ach source code listing has been partitioned into its own file and has the capability of being compiled into an executable subroutine,"{172} and that the source code is "of such a strategic level as to warrant" continued control.{173} The State Department also concluded that the "public domain" exception to the ITAR{174} did not apply and, most bizarrely of all, that its decision was consistent with the First Amendment.{175}

ii. "Classified at Birth"
The Inventions Secrecy Act{176} gives the Commissioner of Patents the authority to issue patent secrecy orders. Even if the government has no ownership interest in the invention, the orders block the issuance of a patent and place the application under seal. If the Nuclear Regulatory Commission or the Department of Defense states that publicizing the invention would be detrimental to the national security, the patent will be withheld "for such period as the national interest requires."{177} Willful disclosure of an invention covered by a secrecy order is a criminal offense.{178} [Page 752] While the application of the Inventions Secrecy Act to privately created cryptographic devices has sometimes occasioned publicity,{179} most devices covered by secrecy orders are invented at government expense.{180}

The existence of a number of high-level cryptographic algorithms in public circulation, some patented,{181} some not, suggests that the Inventions Secrecy Act has been far from successful at preventing the spread of strong cryptography.{182}

2. How Clipper Works

"Here, here, here be my keys; ascend my chambers;
search, seek, find out."{183}
The Escrowed Encryption Standard is designed to provide users with communications that are secure against decryption by all third parties except authorized agents of the U.S. government. Before a Clipper Chip is installed in a telephone,{184} the government will permanently inscribe it with a unique serial number and a unique encryption key. The government will keep both of these numbers on file. In order to reduce the danger that the file might be stolen or otherwise compromised, the chip's unique encryption key will be split into two pieces, each held by a different "escrow agent." The escrow agents will be required to guard the segments and release them only to persons who can demonstrate they will be used for authorized intercepts. Reuniting the pieces of a chip's unique key gives the government the capability to decrypt any Clipper conversations. [Page 753]

a. A Tale of Three Keys

From the user's point of view, the Clipper Chip is a black box: pick up your Clipper-equipped telephone, dial another Clipperphone, push a red button to initiate the security feature, wait a few seconds for the two chips to synchronize, read off the character string displayed on the telephone to the other party to confirm the security of the conversation,{185} and start the conversation.{186} The conversation is scrambled with a classified algorithm called SKIPJACK, which took the NSA ten years to develop, and which the government certifies as secure for the foreseeable future.{187} What [Page 754]happens during those few seconds before the conversation begins, and why, are the essence of EES and the source of controversy.

From the government's point of view, EES relies on three keys: the session key,{188} the chip key, and the family key. The session key is what SKIPJACK uses to encrypt and decrypt the conversation. Every conversation has a new session key, and any third party seeking to eavesdrop on the conversation would need to have the session key to decrypt the conversation. Oddly, the Clipper Chip does not select the session key; indeed, the Clipper Chips do not care how the telephones do this.

Suppose Alice wants to have a secure conversation with Bob. Alice calls Bob, then pushes the red button. At this point, the two Clipperphones have to agree to a session key according to a method selected by the manufacturer. The maker of the Clipperphone is free to use as secure a method as she likes. The two Clipperphones might, for example, use a supersecure method of agreeing on the session key which is so safe that two strangers who have never met before can agree on a session key in public while being overheard, and yet anyone who overhears what they say will still be unable to work out what the key is.{189} Assume that Alice and Bob use telephones that have this supersecure selection method built in. Once the two telephones agree on the session key, each phone feeds the key to its Clipper Chip.{190} As soon as the Clipper Chips are [Page 755]told the session key, they begin the Clipper telephone session. The first step in a Clipper telephone session is to undermine the eavesdropper-proof creation of the session key by transmitting the session key in encrypted form for the benefit of any public servants who may be listening.
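The "supersecure method" just described is Diffie-Hellman key agreement. The following is an added example in Python, not part of the article and not the code of any Clipperphone; it shows the exchange Alice's and Bob's telephones would perform and exactly what someone listening on the line sees. The safe prime p = 10007, the generator 4, the SHA-256 derivation of an 80-bit session key and the function names are constructed for illustration. Because p is tiny, the eavesdropper function can recover the key by brute-forcing the discrete logarithm; with a modulus of 2048 bits or more the same loop would never finish, and that gap is the whole source of the security.

```python
import hashlib
import secrets

# Constructed toy group: a safe prime p = 2q + 1 with q prime.  Real deployments
# use a prime of 2048 bits or more; nothing else in the protocol changes.
P = 10007
Q = (P - 1) // 2          # 5003, also prime
G = 4                     # a square mod P, so it generates the subgroup of prime order Q


def keypair():
    """Secret exponent in [1, Q-1] and the public value g^x mod p that is sent in the clear."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def shared_key(my_secret: int, their_public: int) -> bytes:
    """Derive the 80-bit session key from their_public^my_secret = g^(ab) mod p."""
    # Reject 1, p-1 and anything outside the prime-order subgroup before using it.
    if not 1 < their_public < P or pow(their_public, Q, P) != 1:
        raise ValueError("public value is not in the expected subgroup")
    secret = pow(their_public, my_secret, P)
    width = (P.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()[:10]


def exchange() -> dict:
    """One call setup: what travels over the line, and what each phone derives from it."""
    a, A = keypair()          # Alice's phone keeps a, sends A
    b, B = keypair()          # Bob's phone keeps b, sends B
    return {"transcript": (P, G, A, B), "alice": shared_key(a, B), "bob": shared_key(b, A)}


def eavesdropper(transcript) -> bytes:
    """Recover the session key from the public transcript alone by solving g^x = A for x.
    This brute-force discrete logarithm finishes only because P is tiny."""
    p, g, A, B = transcript
    x, power = 1, g
    while power != A:
        power = power * g % p
        x += 1
    return shared_key(x, B)
```

exchange() returns identical keys for both phones even though only p, g, A and B crossed the line. The subgroup check in shared_key is the detail most often omitted in toy code: without it a man-in-the-middle can substitute a value of small order and force both sides onto a key drawn from a handful of possibilities.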

At the start of every Clipper session, a Clipper Chip sends a stream of data called a Law Enforcement Access Field (LEAF).{191} Unless Bob's Clipper Chip receives a valid LEAF from Alice's chip, Bob's chip will not talk with it.{192} As can be seen from the Figure on page 756, the LEAF is built in layers. At the center lies the session key. The chip encrypts the session key with the unique chip key. It then appends the sending chip's serial number and a checksum, then reencrypts the data with the family key, which is a master key held by the government.{193} [Page 756]

In short, eavesdroppers seeking access to the session key must use two keys to decrypt the LEAF: the family key (which is common to all chips) and the chip key (which is different for every chip). Assuming that the family key will be in fairly wide circulation,{194} the security of the Clipper Chip stands or falls on the security of the master list of chip keys. This list, or the two lists of key segments, would be of enormous value to any attacker, such as a foreign government bent on industrial espionage. The way in which the keys are created, and the method by which they are held and released, are critical elements of the user's security.

When a public servant engaged in a lawful wiretap first comes across a Clipper session, she records it, including the LEAF. The public servant must now acquire the family key if she does not already possess it. According to NIST, the family keys will not be transmitted to law enforcement personnel, but will instead be stored [Page 757]in special circuit boards capable of being installed in ordinary PCs.{195} Once decrypted with the family key, the LEAF reveals the serial number of the Clipper Chip and also reveals the encrypted session key. The public servant must then contact the two escrow agencies, giving them the chip's serial number and a legally valid reason for the wiretap, usually in the form of a warrant from a state court, a federal court, or the special Foreign Intelligence Surveillance Act (FISA) court.{196} The requestor must "certify that [the] necessary legal authorization for interception has been obtained to conduct electronic surveillance regarding these communications."{197} How this certification operates when the legal basis [Page 758]is "exigent circumstances" (which is determined by the same officer who would be requesting the key segment), is not explained,{198} perhaps because warrantless wiretaps based on exigent circumstances are relatively rare.{199} There remains some doubt as to how the NSA and other agencies in the national security community will obtain keys. It is notable that in a recent meeting involving the FBI, the NSA, and AT&T's Bell Labs, "the NSA did not answer a question as to whether the national security community would obtain keys from the same escrow mechanism for their (legally authorized) intelligence gathering or whether some other mechanism would exist for them to get the keys."{200}

The escrow agents have no duty to make any independent inquiries as to the adequacy of the certification before releasing the key segments.{201} Once satisfied that the wiretap request appears legitimate (in that it comes from someone authorized to make a request and contains her certification that adequate legal authority exists), the escrow agents are required to disclose the key segments for the key for which the serial number was submitted. The public servant requesting the key fragments puts them together and uses [Page 759]the reconstituted chip key to decrypt the session key. Armed with the decrypted session key, the public servant can at last decrypt the conversation. Because the presence of the Clipper Chip has no effect on the applicable constitutional and statutory rules, the public servant remains obligated to minimize the intrusion.{202}

In summary, a public servant might decrypt an EES message as follows:

Public servant
(1) intercepts the message, including the LEAF (128-bit LEAF encrypted with the family key);
(2) decrypts the LEAF with the family key (32-bit chip ID, 80-bit session key encrypted with chip key, 16-bit checksum);
(3) contacts her escrow agents, reports the chip ID, and avers existence of the legal authority for the wiretap;
(4) receives two 80-bit key segments;
(5) XORs{203} the key segments to produce an 80-bit chip key;
(6) decrypts the encrypted session key with the chip key;
(7) decrypts the entire message with her decrypted session key.
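The layered LEAF, the two-agent key split and the seven steps above can be modeled end to end. What follows is an added example in Python, not code from the article or from any EES product. SKIPJACK is classified, so encryption under the chip key and the family key is simulated with an HMAC-SHA256 keystream; the page gives only the checksum's width, so a truncated SHA-256 over the chip ID and the wrapped session key stands in for it; the family key, chip ID, warrant text, the EscrowAgent class and every function name are constructed assumptions. The field widths follow the page: a 32-bit chip ID, an 80-bit session key encrypted under the 80-bit chip key, a 16-bit checksum, a 128-bit LEAF, and two 80-bit key segments that XOR to the chip key.

```python
import hashlib
import hmac
import secrets

FAMILY_KEY = bytes.fromhex("00112233445566778899")  # constructed 80-bit family key


def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the classified SKIPJACK cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stream encryption; applying it again with the same key decrypts."""
    return _xor(data, _keystream(key, label, len(data)))


def checksum16(data: bytes) -> bytes:
    """16-bit checksum (algorithm assumed; the page states only its width)."""
    return hashlib.sha256(data).digest()[:2]


def build_leaf(chip_id: int, chip_key: bytes, session_key: bytes) -> bytes:
    """LEAF = E_family( chip_id(32) || E_chip(session_key)(80) || checksum(16) ) = 128 bits."""
    if len(session_key) != 10 or len(chip_key) != 10:
        raise ValueError("session key and chip key are 80 bits")
    body = chip_id.to_bytes(4, "big") + encrypt(chip_key, b"session", session_key)
    body += checksum16(body)
    return encrypt(FAMILY_KEY, b"leaf", body)


def open_leaf(leaf: bytes, family_key: bytes):
    """The family-key layer only, as the receiving chip and a wiretapper see it.
    Returns (chip_id, wrapped_session_key), or None when the checksum fails."""
    body = encrypt(family_key, b"leaf", leaf)
    if len(body) != 16 or checksum16(body[:14]) != body[14:]:
        return None
    return int.from_bytes(body[:4], "big"), body[4:14]


def split_chip_key(chip_key: bytes):
    """XOR split into two 80-bit segments; either one alone is a uniformly random string."""
    seg1 = secrets.token_bytes(len(chip_key))
    return seg1, _xor(chip_key, seg1)


class EscrowAgent:
    """Holds one segment per chip ID; releases it only against a certification, and logs the release."""

    def __init__(self, name: str):
        self.name, self.segments, self.log = name, {}, []

    def deposit(self, chip_id: int, segment: bytes) -> None:
        self.segments[chip_id] = segment

    def release(self, chip_id: int, requester: str, certification: str) -> bytes:
        if not certification:  # the agent checks that a certification exists, not that it is valid
            raise PermissionError("no certification of legal authority")
        self.log.append((chip_id, requester, certification))  # the paper trail
        return self.segments[chip_id]


def law_enforcement_decrypt(leaf, family_key, agents, requester, certification, ciphertext):
    """Steps (1)-(7): open the LEAF, obtain both segments, rebuild the chip key,
    unwrap the session key, then decrypt the recorded conversation."""
    opened = open_leaf(leaf, family_key)
    if opened is None:
        raise ValueError("LEAF checksum failed")
    chip_id, wrapped = opened
    seg1, seg2 = [a.release(chip_id, requester, certification) for a in agents]
    session_key = encrypt(_xor(seg1, seg2), b"session", wrapped)
    return session_key, encrypt(session_key, b"voice", ciphertext)


def demo() -> dict:
    """End-to-end run with constructed values; returns what each party ends up holding."""
    chip_id, chip_key = 0x0001A2B3, secrets.token_bytes(10)
    nist, treasury = EscrowAgent("NIST"), EscrowAgent("Treasury")
    for agent, seg in zip((nist, treasury), split_chip_key(chip_key)):
        agent.deposit(chip_id, seg)
    session_key = secrets.token_bytes(10)  # agreed by the two phones, e.g. via Diffie-Hellman
    plaintext = b"constructed sample of call audio"
    leaf = build_leaf(chip_id, chip_key, session_key)
    ciphertext = encrypt(session_key, b"voice", plaintext)
    recovered_key, recovered_text = law_enforcement_decrypt(
        leaf, FAMILY_KEY, (nist, treasury), "Agent Smith", "warrant 94-0001 (constructed)", ciphertext)
    damaged = leaf[:15] + bytes([leaf[15] ^ 0x01])  # flip a bit in the checksum field
    return {
        "session_key": session_key,
        "recovered_key": recovered_key,
        "recovered_text": recovered_text,
        "family_key_view": open_leaf(leaf, FAMILY_KEY),
        "damaged_accepted": open_leaf(damaged, FAMILY_KEY) is not None,
        "paper_trail": nist.log + treasury.log,
    }
```

demo() runs the whole sequence and returns what each party holds. Two points the code makes visible: the family key alone yields the chip's serial number and a still-encrypted session key, so the list of chip keys (or the two lists of segments) is what actually guards the conversation; and a damaged LEAF is refused by the receiving chip, but a 16-bit checksum distinguishes only 65,536 values, so that check establishes that the LEAF is well-formed and nothing more. The escrow agent, as the text says, verifies that a certification was supplied, not that it is true.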

b. The Escrow Agents' Critical Role

The Department of Commerce's NIST and the Treasury Department's Automated Systems Division will be the two escrow agents who will create and hold the key segments.{204} Both escrow agencies will participate in the creation of each Clipper Chip's unique chip key. After raw Clipper Chips emerge from the factory [Page 760]they will be taken to a secure, compartmented information facility,{205} which is the vault-like room that the government uses when handling classified documents. Each of the escrow agents will provide a list of random numbers which, when combined, will provide the numbers from which the keys will be generated.{206}

After the keys are generated, the escrow agents will be given a disk containing lists of chip serial numbers and an associated 80-bit number which represents half the information needed to recreate a chip's key. Both key segments must be combined to retrieve the chip key, and neither segment alone provides the holder with any information as to the chip key's contents.{207}

Although the escrow agents do not check the bona fides of any requests for key fragments, they do require a substantial amount of paperwork before releasing a key. The escrow agents are also required to keep detailed records of key segment requests and releases. The existence of this paper trail should provide a significant disincentive to rogue wiretapping requests by agents in the field. Similarly, NIST has announced an elaborate system of safeguards to protect each Clipper Chip's unique key. The scheme [Page 761]involves complex rationing of information and mutual monitoring by the escrow agents from the moment the Clipper Chip is created. Further security attends the inscription of the key upon a Clipper Chip, its subsequent division into two key segments, and ultimate safeguarding by the two escrow agents.{208}

The security precautions introduced by NIST in late 1994 are complex. To the nonspecialist they appear sufficient to prevent security breaches at the time the keys are "burned in" and to prevent surreptitious copying or theft of the key list from the escrow agents. But no amount of technical ingenuity will suffice to protect the key fragments from a change in the legal rules governing the escrow agents. Thus, even if the technical procedures are sound, the President could direct the Attorney General to change her rules regarding the escrow procedures. Because these rules were issued without notice or comment, affect no private rights, and (like all procedural rules) can therefore be amended or rescinded at any time without public notice, there is no legal obstacle to a secret amendment or supplement to the existing rules permitting or requiring that the keys be released to whomever, or according to whatever, the President directs. Because the President's order would be lawful, none of the security precautions outlined by NIST would protect the users of the EES system from disclosure of the key segments by the escrow agents. Nothing in the EES proposal explicitly states that the NSA will not keep a set of keys; indeed, the only way to acquire a set of EES- compliant chips is to have the device that incorporates them tested and approved by the NSA. Similarly, although the specifications for the decrypt processor call for it to delete keys when a warrant expires and to automatically send a confirmation message to the key escrow agents, the interim model (there is only one) in use by law enforcement organizations relies on manual deletion.{209} [Page 762]

c. Limited Recourse for Improper Key Disclosure

The escrow system lacks legal guarantees for the people whose keys are generated by the government and held by the escrow agents. Indeed, the Attorney General's escrow procedures state that they "do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance."{210} In short, the government disclaims in advance any reliance interest that a user of an EES-equipped device might have in the government's promise to keep the key secret.{211} A victim of an illegal wiretap would have a cause of action under Title III against the wiretapper,{212} but, it appears, no remedy against the escrow agents, even if the escrow agents acted negligently or failed to follow their own procedures.{213} The Attorney General's proce[Page 763]dures themselves are merely directives. They are not even legislative rules, which might be subject to notice and comment restrictions before being rescinded. A future administration could, if it wanted, secretly{214} instruct the escrow agents to deliver copies of the keys to an intelligence or law enforcement agency, or even White House "plumbers," thereby violating no law or regulation (the plumbers, though, would violate Title III when they used the information).{215} Because the chip-unique keys were voluntarily disclosed to the government, the chip's owner might lack a "legitimate" (that is, enforceable) expectation of privacy in the information.{216}

If the intercepted communication were an e-mail or a file transfer, rather than a telephone call, the chip owner subject to an illegal or inadvertent disclosure by the escrow agents may be in a particularly weak position if the information ever makes its way to court: many Title III protections granted to voice communications do not apply to transfers of digitized data.{217}

Shortly before the 103d Congress adjourned, Congressman George Brown introduced the Encryption Standards and Procedures Act of 1994,{218} which would have waived the sovereign immunity of the United States for "willful" but unauthorized disclosures of key fragments by its officials and excluded liability in all other circumstances.{219} In the absence of similar legislation, however, there [Page 764]may currently be no monetary remedy even for a "willful" disclosure.

II. The Escrowed Encryption Proposal--Legal, Policy and Technical Problems

The Clinton Administration introduced EES through a procedural back door that relies on market power to prevent a substantial increase in the communications privacy of Americans, an outcome not authorized by any statute. EES used a standard-setting procedure but failed to set an intelligible standard. The procedure violates the spirit, although not the letter, of the Administrative Procedures Act (APA).

The Administration is spending large sums of money on a controversial project in the absence of congressional authorization. This policy cuts out the legislature, and indeed the public, from the decision to proceed with EES.{220} Only Congress can intervene, because, as things currently stand, no one has standing to sue. The Administration's use of a standard-setting procedure to make substantive policy sets an alarming precedent of rule making with highly attenuated accountability.

A. EES: The Un-Rule Rule

1. FIPS 185: A Strange Standard

An appreciation of both the novelty and the danger of the Administration's regulatory approach requires some understanding of the regulatory device that NIST used to introduce EES. The Constitution gives Congress the power to "fix the Standard of Weights and Measures."{221} NIST (formerly the Bureau of Standards) is the agency charged with this responsibility. Federal [Page 765]Information Processing Standards (FIPS) are standards and guidelines intended to improve the federal government's use and management of computers and information technology, and to standardize procurement of those goods.{222} FIPS are also used to announce national norms in areas of changing technology where NIST believes industry would benefit from the existence of a standard. Officially, the only bodies required to conform to FIPS are agencies within the federal government (and in some cases government contractors), although in practice they are often adopted as de facto national standards by industry and the public.{223} The private sector finds FIPS attractive because they allow [Page 766]conformity with, and sales to, the government, and because the standards themselves often have technical merit, or at least reflect a technical consensus of the many public and private interests that NIST routinely consults before it promulgates a FIPS.{224} EES is FIPS 185.{225}

One of the more serious complaints about FIPS 185 is that it fails to set a standard. One member of the NIST Computer Privacy and Security Advisory Board went so far as to submit a comment calling the FIPS "content-free."{226} Most FIPS describe a conforming device or procedure in sufficient detail for the reader to understand what it is; FIPS 185 does not. Instead, it states, "Implementations which are tested and validated by NIST will be considered as complying with this standard."{227} FIPS 185 requires the use of the SKIPJACK encryption algorithm and a LEAF creation method.{228} But the standard does not define those terms because the specifications for both are classified. Instead, FIPS 185 unhelpfully notes:

Organizations holding an appropriate security clearance and entering into a Memorandum of Agreement with the National Security Agency regarding implementation of the standard will be provided access to the classified specifications. Inquiries may be made regarding the Technical Reports and this program to Director, National Security Agency, Fort George G. Meade . . . .{229}
[Page 767]Nor does the standard explain what sorts of devices it covers. It merely states that "[v]arious devices implementing this standard are anticipated. The implementation may vary with the application. The specific electric, physical and logical interface will vary with the implementation."{230} Admittedly, FIPS 185 at least has the good grace to acknowledge that it is "not an interoperability standard. It does not provide sufficient information to design and implement a security device or equipment. Other specifications and standards will be required to assure interoperability of EES devices in various applications."{231} In sum, FIPS 185 says something to this effect: "Various electronic devices will contain classified components that will provide escrowed encryption using a classified algorithm. If you ask nicely, we may let you use one in your design, and we will tell you whether we approve of your device and whether we will let you produce it." This is a strange sort of standard.

2. An End-Run Around Accountability

Such an unorthodox standard is the result of an even more unorthodox procedure. FIPS 185 is not just a standardless standard; it is an un-rule rule which seeks to coerce the public by wielding federal market power to generate a de facto standard without providing any real administrative accountability. Despite conforming to the notice and comment procedure of § 553 of the APA,{232} and being duly published in the Federal Register,{233} FIPS 185 is not a legislative rule because it does not seek, at least on its face, to bind the public.{234} Nor, despite being on its face an [Page 768]announcement, is FIPS 185 a nonlegislative rule as the term is usually understood.{235} Familiar types of nonlegislative rules include interpretative rules, statements of policy and "publication rulemaking." FIPS 185 fits into none of these categories.{236} Interpretative rules set forth an agency's understanding of a statutory provision, a judicial or administrative decision, or another rule,{237} and FIPS 185 clearly does not provide any of these. Nor is FIPS 185 an example of what Peter Strauss has called "publication rulemaking"{238} in which agency staff, acting pursuant to APA [Page 769]§ 552(a)(1)-(2), publish technical guidelines, staff manuals, or standards (such as IRS Revenue Rulings) that inform the public of the agency's likely position in future enforcement, application-and-approval, or benefit/reimbursement cases.{239} Nor is FIPS 185 a statement of policy.{240} Nothing within the four corners of FIPS 185 establishes or explicates a policy, unless giving federal agencies the option to purchase certain devices constitutes a policy.{241}

On its face, FIPS 185 is a minor internal housekeeping regulation. Whether anyone, inside or outside of the government, chooses to comply with it is entirely up to her, although FIPS 185 states that use of EES by nonfederal government organizations "is encouraged."{242} In form, EES is a description of something, as well as a grant of permission for agencies to use that something instead of other things they are currently using. Yet despite explicitly disclaiming any intention of legally binding the public, FIPS 185 is part of a strategy to coerce the public by use of the government's market power to create a de facto national standard. At the same time that the Department of Commerce promulgated EES, the Department of Justice announced that it was buying 9000 Clipper-equipped telephones, using money from its Asset Forfeiture Super Surplus Fund,{243} a fund comprised of profits from RICO, [Page 770]drug, and other asset forfeitures.{244} Expenditures from the Asset Forfeiture Super Surplus Fund require no congressional appropriations. The effect is to cut Congress out of the decision-making process on an issue which may eventually affect the privacy rights of most Americans. One need not be an opponent of EES to believe that a decision with significant potential effects on communication privacy should have been left to the legislature.

The Department of Defense, too, is considering buying millions of EES-compliant devices,{245} although this purchase may require congressional approval. The government's market power as a bulk purchaser suggests that, all other things being equal, producer economies of scale will allow EES-compliant devices to be the lowest-cost hardware-based civilian cryptography products available. In addition, EES products will have the significant advantage of being able to communicate with the government's telephones, something that any competing technology will lack.{246}

The Clinton Administration also announced that it will exempt EES products from the export ban in the ITAR.{247} If the ITAR [Page 771]are revised in this manner, EES products will become the only U.S.-made exportable products offering strong encryption, disadvantaging U.S.-based competitors further.{248} These efforts have already had an effect: the day that the Administration announced its plans for Clipper, AT&T announced that its new secure telephone, the 3600, would not use a DES device as originally announced, but would use Clipper instead.{249}

The current Administration makes no secret of its hope that the combination of federal standard-setting, federal purchasing power, and fine-tuning of export control will allow it to impose a de facto standard on the public, even though there is no statutory authority for the standard, and even though Congress has never appropriated a penny to support the standard. In so doing, NIST has pioneered a new type of un-rule. It is a rule that the Administration indeed hopes and intends to have a "practical binding effect,"{250} but not because the rule announces to the public how the agency will act in the future, nor because the agency intends to act in compliance with the rule, nor because the rule describes safe harbors for compliance [Page 772]with existing rules.{251} Rather, by issuing the rule (if a rule it be), the agency hopes to set in motion a train of events that will coerce the public's compliance.

NIST's use of a FIPS in this manner is an interesting reversal of the usual circumstance of a nonlegislative rule that an agency intends to be binding.{252} In the ordinary situation, an agency has chosen not to use the notice and comment procedure that characterizes informal rule making under APA § 553, and has simply issued the rule, perhaps labeling it "interpretative" or "policy guidance." A party seeking to challenge the rule attempts to demonstrate that the rule is actually legislative and thus invalid without notice and comment. The aggrieved party argues that it was entitled to be consulted on the rule and that the agency may not deprive the party of its right to make comments. Once the comments are duly docketed, the agency has a duty to take them seriously and may not reject them without giving nonarbitrary reasons.{253} In the classic case, the agency responds by denying the substantive import of its rule and arguing that, because the rule breaks no new ground, notice and comment are not necessary.

With FIPS 185, NIST has turned this process on its head. A proposed version of FIPS 185 was published in the Federal Register, and NIST solicited comments.{254} It received hundreds.{255} NIST accepted a few, but rejected many others on the disingenuous grounds that because the standard was entirely voluntary, it could cause no harm.{256} NIST thus invoked the formally voluntary [Page 773]nature of the FIPS as justification for dismissing the concerns of commentators who saw FIPS 185 for what it was, and what NIST itself surely understood it to be: an attempt to coerce the public through market means. NIST simply failed to address the merits of many important complaints, including those challenging the security, necessity, or wisdom of its proposal, with the result of significantly devaluing the opportunity to comment.{257} Yet, unlike most agencies that fail to address the merits of comments received on a proposed rule, NIST likely has little to fear from judicial review of its decision because there appears to be no one with standing to challenge its actions.

Even a competing product manufacturer would be unlikely to have standing to protest a procurement order for products conforming to FIPS 185.{258} As a plaintiff, such a competitor might be able to argue that had it not been for the permission to purchase the items granted in FIPS 185, the procuring agency might have purchased the plaintiff's devices instead. Such a claim would, however, be risky at best. The plaintiff would have to mount a convincing case regarding causation, somehow demonstrating that but for FIPS 185, the plaintiff's products would have conformed with the agency's requirements;{259} the plaintiff would also need to [Page 774]show that the agency would have been unable to obtain a waiver from the preexisting requirement that it use a DES product to protect sensitive information.{260} Without an extraordinarily good factual basis, this barrier is probably insurmountable, leaving the would-be plaintiff without the direct personal stake in the case necessary for standing.

One other possible strategy for the plaintiff would be to claim "reputational" injury to its product or firm on the grounds that the FIPS would cause customers other than the government to reject its nonconforming products. Those employing this strategy could then try to invoke Meese v. Keene{261} to overturn the no-standing-to-challenge-a-FIPS rule of Control Data Corp. v. Baldridge.{262}

Otherwise, it is very difficult to imagine who might have standing to sue to overturn FIPS 185. A party seeking relief would have to argue that the FIPS was not as harmless as NIST claimed, and that the replies to comments were therefore defective. Just as NIST was able to ignore critical comments on its draft FIPS by saying that the standard was optional and hence harmless,{263} so too could it argue that because the standard is nonbinding, no one has a legal right to demand that a court review it.{264}

Should the Administration's attempt to combine technical standard-setting authority with market power succeed, however, [Page 775]many parties will be justly aggrieved. Makers of competing products will lose market share, and perhaps may be driven out of their market altogether. Individuals who might have preferred non-escrowed encryption, if it could be obtained at or near the same price as an EES device, may find that option closed to them. Such a policy will establish a new and undesirable process by which the government will likely be able to avoid the APA in a small, but significant, class of cases.{265} Current law does not recognize any of these injuries, save perhaps the claim of lost market share, as legally cognizable.{266} A major decision as to the degree of privacy to be afforded to U.S. citizens will have been made without effective congressional or popular participation.

Placing all FIPS, or all standard-setting relating to high technology, under the APA would be one way of ensuring that the executive branch can never again use standard-setting to manipulate the market for high technology items, at least not without judicial review for reasonableness. Although this change would vaccinate against the disease, it would also have undesirable side-effects. Neither nonbinding national technical standards nor the government's internal procurement standards should be litigated.{267} If a manufacturer is dissatisfied because a national or procurement standard more closely conforms to a competitor's product than its own, the proper place to fight that battle is the marketplace, not a court. EES is a special case because the technology at issue has social implications far beyond the ordinary FIPS, and because the government is seeking to use its purchasing power to coerce the market to achieve an end other than reliability, ease of use, or technical excellence. It would be a pity if prevention of such special cases were to force so disruptive a change on a system which ordinarily seems to work reasonably well.{268}

[Page 776]Trying to find an avenue for judicial review of a coercive but formally voluntary FIPS is probably more trouble than it is worth.{269} The greatest procedural problem with FIPS 185 is not the absence of judicial review but the attempt to evade congressional participation in a decision that may have major social consequences for many years. The solution to this problem is logically, if not politically, simple. If the executive branch did not have funds available with which to purchase thousands of EES-equipped devices, it would have to go to Congress for the money. Congress could then debate the issue and, regardless of what it decided, the process would conform with the values of openness, explanation, and representative democracy which the un-rule rule undermines. To prevent further abuses of the FIPS procedure, either the Justice Department's Asset Forfeiture Fund should be returned to the Treasury, or its terms should be narrowed to make it clear that its proceeds cannot be used to attempt to influence product markets.{270}

3. Did NIST's Cooperation with the NSA over FIPS 185 Violate the Computer Security Act of 1987?

NIST's relationship with the NSA is poorly documented.{271} Clipper's critics argue that NIST's adoption of EES in FIPS 185 violated either the letter or the spirit of the Computer Security Act [Page 777]of 1987{272} (Act), because, even though the Act was designed to ensure civilian control of computer security issues, NIST effectively and illegally ceded its powers to the NSA.{273} NIST and the NSA have refused to make public any information regarding their discussions that would show whether NIST complied with the Act. Consequently, it is currently impossible to make an informed judgment as to NIST's compliance with the Act.{274} All that can be said pending litigation is that NIST has not proved that it complied with the Act.{275}

The claim that NIST violated the Act draws much of its force from the legislative history of the Act and from NIST's subsequent close relationship with the NSA, which arguably violates the spirit of the Act.{276} In 1984 President Ronald Reagan issued National Security Decision Directive (NSDD) 145, which put in motion a train of events leading to the Act. NSDD 145 granted the NSA sweeping powers to make policy and develop standards for the "safeguarding" of both classified and unclassified information in civilian agencies and in the private sector.{277} This transfer to the NSA of authority [Page 778]over civilian and especially private information was the precise evil that the Act was designed to cure.{278} The legislative history states that Congress believed that the NSA's "natural tendency to restrict and even deny access to information" disqualified it from that role,{279} and Congress therefore rejected the NSA's suggestion, made in testimony to a House committee, that the Act should formally place the NSA in charge of all government computer security.{280}

Nevertheless, the Act does not require a watertight separation between NIST and the NSA. Instead, the Act directs NIST to "draw[] on the technical advice and assistance" of the NSA "where appropriate."{281} NIST is also directed to "coordinate closely" with several other agencies, including the NSA, to avoid duplication of effort{282} and to use the NSA's computer security guidelines to the extent that NIST, not the NSA, determines they should apply.{283}

Soon after the Act became law, NIST and the NSA signed a Memorandum of Understanding (MOU) setting out a detailed regime of cooperation regarding computer and telecommunications security issues.{284} With one exception, the MOU appears to be designed to create interagency consultation and to prevent duplication of effort, as required by the Act. That exception, though, is not trivial: NIST agrees to submit "all matters" regarding "techniques to be developed for use in protecting sensitive information" in its purview to review by a Technical Working Group comprised of equal numbers of the NSA and NIST staff in order "to ensure they are consistent with the national security of the United States."{285} If the two agencies are unable to agree, then either agency can refer the matter to both the Secretary of Commerce and [Page 779]the Secretary of Defense, from where it may go to either the National Security Council or the President for an ultimate decision. Meanwhile, "[n]o action shall be taken on such an issue until it is resolved."{286}

It is clear that NIST and the NSA have had extensive contacts regarding EES.{287} Whether these contacts, and in particular the actions of the Technical Working Group, amount to a violation of the Act depends on whether EES was referred to the Technical Working Group, and on how the NIST-NSA relationship worked. The Act clearly requires NIST to make its own decisions;{288} there is no statutory authority for NIST to let the NSA make decisions for it. Just as clearly, the Act requires NIST to consult with the NSA, although it directs NIST to decide when consultation is appropriate.{289}

There is no reason, with or without the Act or the MOU, that NIST could not allow itself to be persuaded by the NSA, so long as NIST were to keep the ultimate power of decision.{290} The MOU [Page 780]between the NSA and NIST does, however, suggest two scenarios that would violate the Act. If the working group deadlocked on some issue, or took votes in which the two NIST members were outvoted four-to-two (or three-to-two), and if NIST changed its policies as a result of either of these votes,{291} then NIST would no longer be in the position of allowing itself to be persuaded by the NSA. Instead, the NSA would be dictating to NIST. This would violate the Act. As the decision to proceed with EES clearly comes from the highest levels of the U.S. government,{292} in the absence of firm information one cannot reject the deadlock scenario out of hand. There is, however, some reason to doubt it.

The deadlock scenario was anticipated in a 1989 codicil to the MOU.{293} After members and staff of the House Committee on Government Operations expressed concern about the apparent grant to the NSA of an effective veto over NIST's decisions, NIST and the NSA explained that although the Technical Working Group had broad jurisdiction as a discussion forum, the appeals process described in the MOU applied only to "proposed research and development projects in new areas."{294} This codicil, signed by representatives of both agencies with the express intent of binding their successors, distinguishes between "promulgation of standards and guidelines" by NIST, which are not subject to appeal,{295} and [Page 781]the "early stage in the standards research and development process--usually years before a standard is promulgated,"{296} from which appeals are permitted.

Neither NIST nor the NSA have made public statements as to the involvement of the Technical Working Group in the decision to promulgate FIPS 185. Whether the agreement required NIST to refer EES to the Technical Working Group before issuing FIPS 185 is unclear. But it appears that under the distinction set out in the 1989 codicil to the MOU, FIPS 185 would have been within the jurisdiction of the Technical Working Group, but outside the appeals procedure. Thus, if the 1989 codicil controlled, the deadlock scenario could only have applied if NIST preferred an alternative to EES but was persuaded to use EES against its better judgment. Alternately, because SKIPJACK was developed by the NSA, it is entirely possible that the entire EES proposal originated in the NSA, and that by the time the NSA disclosed SKIPJACK to NIST, the NSA had decided that neither SKIPJACK nor EES was a "proposed research and development project[] in [a] new area[]" under the terms of the codicil.{297} Both NIST and the NSA assert that the appeals procedure has never been used.{298} The agencies contend that the lack of appeals is evidence of the success of their cooperation.{299} Whatever the facts, NIST owes the public, and Congress, a clearer explanation of its relationship with the intelligence community. Congress is entitled to an explicit reassurance that NIST remains in complete control of security for civilian federal computer systems as required by the Act. The House and Senate committees with oversight over NIST should force it to provide these assurances. If NIST is unable to do so because it has allowed its judgment to be suppressed by the NSA's veto, then Congress will need to revise the Computer Security Act to create stronger incentives for NIST to preserve its jurisdiction--perhaps even instituting penalties for noncompliance.{300}

[Page 782]

4. Who Should Hold the Keys?

The Administration does not intend to give the escrow agencies the sort of permanence or legal authority that derives from legislation, much less the autonomy that attaches to an independent agency or a nongovernmental actor.{301} This decision is very unfortunate given the crucial role that the escrow agents play in generating and safeguarding the keys. As ordinary administrative agencies within the executive branch, the escrow agents fall within the regular civilian chain of command and have no recourse if legally ordered to grant access to the keys to the NSA, the FBI, or future White House "plumbers." The heads of both escrow agencies serve at the pleasure of the President. The absence of any formal regulations that would impose delays, along with the absence of publicity as the rules are changed, prevents even a delaying action of the kind contemplated in Nader v. Bork{302} and United States v. Nixon.{303} Under current rules, the terms under which the escrow agents work can be modified, waived, or amended at any time without public notice, although the public might be able to find out about unclassified changes or waivers after the fact via the Freedom of Information Act.{304}

Ideally, the escrow agents would be as incorruptible as possible, possessed of a clear charter setting out their positive and negative duties, insulated from pressure from the law enforcement and intelligence communities, and outfitted with secure facilities to store the list of key fragments (which may, if EES catches on, become one of the most valuable items of information held by the U.S. govern[Page 783]ment). They must also be trusted by the public, or the public will not participate in the EES scheme. With the exception of the secure facilities, the list of necessary attributes describes a body resembling the federal judiciary. Not surprisingly, some noted cryptologists have suggested that the judiciary hold the keys.{305} No doubt the judiciary could acquire the technical competence and equipment required to generate and secure the keys.

Whether judges could constitutionally hold one or more key fragments is a close question.{306} It is clear that Congress could not hold the keys, nor could any congressional agent.{307} Holding keys is an executive function. It would involve judges in the law enforcement process at a time when there is no case or controversy and, as regards the large majority of the keys, no prospect of one. Because holding keys is an executive function, the judiciary (or an agency such as the Administrative Office of the U.S. Courts, which is responsible only to judges) can constitutionally hold the keys only if the function is "incidental" to its Article III functions.{308} If the task is more than "incidental," then the principle of separation of powers requires that it be undertaken by the executive branch or by private citizens.{309} The court taking [Page 784] custody of the keys would be in a position reminiscent of Hayburn's Case,{310} which has long stood for the proposition that neither the legislative nor executive branches may assign duties to the judiciary "but such as are properly judicial, and to be performed in a judicial manner."{311} Unlike Hayburn's Case, however, the judges would not be asked to decide anything until the government was granted a search warrant. The court would presumably disclose the key fragment(s) along with the ex parte order granting the warrant.

Judges already do a number of things that come close to holding a key fragment, but each is distinguishable. Courts and their adjuncts have for many years exercised a wide variety of ancillary powers such as rule making, and the appointment and supervision of court personnel, which are "reasonably ancillary to the primary, dispute-deciding function of the courts."{312} Courts have also supervised grand juries for many years.{313} More recently, Congress has given the judges and courts additional responsibilities, including membership on the Sentencing Commission,{314} and the selection and supervision of independent counsel.{315} Indeed, the granting of warrants (and the record-keeping which follows) are ex parte proceedings, clearly within the Article III jurisdiction of the courts. Taking custody of a key in advance of any adversary or even any ex parte proceeding, with the knowledge that most keys will never be subject to such a proceeding, goes beyond any of these precedents. Perhaps the closest analogy is the court's marshal who is instructed to keep order even though there is no reason to believe [Page 785]that any particular person will seek to disrupt the court's functioning. Even the marshals are an imperfect parallel, however, because their activities impinge only on persons who come into contact with the court or with court personnel; holding key fragments could affect the privacy of many who have no other contact with the judicial system.

Whether the functions of protecting keys from disclosure and disclosing keys to facilitate wiretaps are sufficiently ancillary to the judicial function of issuing wiretap orders and warrants as to be constitutional is ultimately a matter of taste. The existence of the FISA court,{316} whose sole jurisdiction is to receive and rule on petitions for foreign-intelligence-related surveillance, adds some support to the argument that holding a key fragment would be incidental to Article III functions, because the act of holding the keys is only a little more ancillary to traditional judicial functions than are the FISA court's actions.{317}

As a quick fix, the Secretary of Commerce and the Secretary of the Treasury should each immediately issue separate regulations, published in the Federal Register, defining the role of the escrow agents in their respective agencies and making clear that the escrow agents have a legal duty to protect the keys from all release except as specified in the rules. In the longer term, Congress should pass legislation vesting the escrow function in independent agencies specifically created for that purpose.{318} Although opinions differ as to the degree of tenure in office that the Constitution allows Congress to confer on the heads of independent agencies,{319} there [Page 786]is no debate that independent agency status represents an attempt to shield a function from political manipulation, and that the officers of an independent agency have at least political insulation from dismissal by a President who finds them insubordinate. Alternate structures, in which EES-product users can choose to lodge their keys with any one of a number of private escrow agents, might provide even greater security to users, but at the price of some additional complexity. One can imagine a system in which private escrow agents would apply to the Attorney General for certification as suitably secure and perhaps post bond to ensure that they would deliver up keys when legally ordered to do so. Although this system might satisfy both the user's desire for security and the government's desire for certain access, it introduces practical problems. The government will still need to keep a master list of chip serial numbers in order to know which escrow agent has the key. Furthermore, a private escrow agent would have to charge a fee, to be paid either by the chip user or the taxpayer.
There is also no particular reason to believe private escrow agents would be less corruptible than the Justice Department, although if key fragments were distributed among many different escrow agents, the harm caused by compromise of any given database would be lessened.{320}
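The closing observation, that spreading key fragments across many escrow agents limits the harm from any one compromised database, rests on a property of how the fragments are made. The following Python example is added here to illustrate that property; it is not code from the Article or from the EES program, and the n-of-n XOR split it uses is an assumption chosen for illustration (the Article does not specify how EES fragments are combined). The brute-force check uses constructed one-byte keys so that every possibility can be enumerated.

```python
import secrets
from itertools import product


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("fragments must have the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_agents: int) -> list[bytes]:
    """Split a chip key into n_agents fragments (XOR n-of-n split, assumed for illustration).

    The first n_agents-1 fragments are uniformly random; the last is chosen so that
    the XOR of all fragments equals the key. Every fragment is therefore needed to
    recover the key, and any proper subset is statistically independent of it.
    """
    if n_agents < 2:
        raise ValueError("an escrow split needs at least two agents")
    fragments = [secrets.token_bytes(len(key)) for _ in range(n_agents - 1)]
    last = key
    for frag in fragments:
        last = xor_bytes(last, frag)
    fragments.append(last)
    return fragments


def reconstruct_key(fragments: list[bytes]) -> bytes:
    """Recombine all fragments (the step a court order would authorize)."""
    acc = bytes(len(fragments[0]))
    for frag in fragments:
        acc = xor_bytes(acc, frag)
    return acc


def keys_consistent_with(known: dict[int, bytes], n_agents: int) -> set[bytes]:
    """Model the compromise of some escrow databases.

    `known` maps agent index -> the one-byte fragment that agent held. Every value
    of each missing fragment is tried; the result is the set of keys still consistent
    with what the compromised databases revealed. Constructed for one-byte keys only,
    so the enumeration (256 ** number_missing) stays small.
    """
    missing = [i for i in range(n_agents) if i not in known]
    keys = set()
    for fill in product(range(256), repeat=len(missing)):
        frags = [b""] * n_agents
        for i, frag in known.items():
            frags[i] = frag
        for i, value in zip(missing, fill):
            frags[i] = bytes([value])
        keys.add(reconstruct_key(frags))
    return keys


if __name__ == "__main__":
    # Constructed one-byte chip key, split among three escrow agents.
    chip_key = bytes([0x5A])
    frags = split_key(chip_key, 3)
    print("fragments:", [f.hex() for f in frags])
    print("all agents cooperate:", reconstruct_key(frags) == chip_key)
    # Two of three databases compromised: every one of the 256 keys remains possible.
    print("keys consistent with two fragments:",
          len(keys_consistent_with({0: frags[0], 1: frags[1]}, 3)))
```

With this kind of split, an intruder who obtains the contents of one agent's database (or even all but one) learns nothing about any chip key; the exposure from a single breach is the agents' serial-number index, not the keys themselves. That is the sense in which distributing fragments lessens the harm of any given compromise, and it is also why the master list of serial numbers the Article mentions becomes the sensitive record to protect.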

B. Unresolved Issues

In testimony to the haste with which the Administration launched the EES program, important implementation issues remain unresolved. [Page 787]

1. Requests From Foreign Governments

The National Security Council is currently considering under what circumstances, if any, foreign governme