Click here to jump to a specific page:
[Page 709][Page 712]
Without the ability to keep secrets, individuals lose the capacity to distinguish themselves from others, to maintain independent lives, to be complete and autonomous persons. . . . This does not mean that a person actually has to keep secrets to be autonomous, just that she must possess the ability to do so. The ability to keep secrets implies the ability to disclose secrets selectively, and so the capacity for selective disclosure at one's own discretion is important to individual autonomy as well.{1}Secrecy is a form of power.{2} The ability to protect a secret, to preserve one's privacy, is a form of power.{3} The ability to penetrate secrets, to learn them, to use them, is also a form of power. Secrecy empowers, secrecy protects, secrecy hurts. The ability to learn a person's secrets without her knowledge to pierce a person's privacy in secret is a greater power still.
People keep secrets for good reasons and for evil ones. Learning either type of secret gives an intruder power over another. Depending on the people compromised and the secrets learned, this power may be deployed for good (preventing a planned harm) or ill (blackmail, intimidation).
This Article is about the clash between two types of power:
the individual's power to keep a secret from the state and
others, and the state's power to penetrate that secret.{4} It focuses on new[Page
713]conflicts between the perennial desire of law
enforcement and intelligence agencies to have the capability to
penetrate secrets at will, and private citizens who are acquiring
the ability to frustrate these desires. This is an article about
the Constitution and the arcana of secret-keeping:
cryptography.{5}
This is also a long article. It is long because it addresses three complex issues. First, it outlines some of the promises and dangers of encryption. Second, it analyzes the constitutional implications of a major government proposal premised on the theory that it is reasonable for the government to request (and perhaps some day to require) private persons to communicate in a manner that makes governmental interception practical and preferably easy. Third, it speculates as to how the legal vacuum regarding encryption in cyberspace shortly will be, or should be, filled.
What fills that vacuum will have important consequences. The resolution of the law's encounter with cryptography has implications far beyond whether the government adopts the Clipper Chip or whether a particular cipher may be licensed for export. The resolution of this debate will shape the legal regulation of cyberspace and in so doing shape its social structures and social ethics.
Cryptologists{6} use a few terms that
may not be familiar to lawyers, and it is useful to define them
at the outset of any discussion relating to encryption.
Cryptography is the art of creating and using methods of
disguising messages, using codes, ciphers, and other methods, so
that only certain people can see the real message. Codes and
ciphers are not the same. A code is a system of
communication that relies on a pre-arranged mapping of meanings
such as those found in a code book. A cipher is a method
of encrypting any text regardless of its content.{7} Paul Revere's "[o]ne,
if by land, and two, if by sea" was a code.{8} If the British had landed
by parachute,[Page 714]no
quantity of lanterns would have sufficed to communicate the
message. The modern cryptographic systems discussed in this
Article are all ciphers, although some are also known as
electronic code books.
Those who are supposed to be able to read the message disguised by the code or cipher are called recipients. "The original message is called a plaintext. The disguised message is called a ciphertext. Encryption means any procedure to convert plaintext into ciphertext. Decryption means any procedure to convert ciphertext into plaintext."{9} An algorithm is A more formal name for a cipher. An algorithm is a mathematical function used to encrypt and decrypt a message. Modern algorithms use a key to encrypt and decrypt messages.{10} A single-key system is one in which both sender and receiver use the same key to encrypt and decrypt messages. Until recently, all ciphers were single- key systems. One of the most important advances in cryptography is the recent invention of public-key systems, which are algorithms that encrypt messages with a key that permits decryption only by a different key.{11} The legal and social implications of this discovery figure prominently in this Article.
Cryptanalysis is the art of breaking the methods of
disguise invented with cryptography. Lawyers will recognize the
cryptographers' terms for cryptanalysts who seek to read messages
intended only for recipients: enemies, opponents,
interlopers, eavesdroppers, and third
parties.{12} In this
Article, however, cryptanalysts who work for U.S. law enforcement
or intelligence organizations such as the FBI or the National
Security Agency (NSA) will be called public servants.
Key escrow refers to the practice of duplicating and
holding the key to a cipher or the means of recreating or
accessing the key to a cipher so that some third party (the
escrow agent) can decrypt messages using that cipher. As used in
the Clipper Chip debates, the term "escrow" is
something of a misnomer because the escrow is[Page 715]primarily for the benefit
of the government rather than the owner of the key.
Part I of this Article describes advances
in encryption technology that are increasing personal privacy,
particularly electronic privacy, but reducing the U.S.
government's ability to wiretap telephones, read e-mail
surreptitiously, and decrypt computer disks and other encrypted
information. To ensure the continuation of the wiretapping and
electronic espionage capabilities that it has enjoyed since soon
after the invention of the telegraph and the telephone,{13} the government has devised an Escrowed
Encryption Standard (EES),{14} to be implemented
in the Clipper Chip{15} and other similar
devices.{16} In Clipper and related
products the government[Page
716]proposes a simple bargain: In exchange for
providing the private sector with an encryption technology
certified as unbreakable for years to come by the NSA,{17} the government plans to
keep a copy of the keys{18}--the codes
belonging to each chip which, the government hopes, will allow it
to retain the ability to intercept messages sent by the chip's
user. The government's proposal includes procedures designed to
reduce the risk that the keys would be released to law
enforcement agencies without legally sufficient justification,
although the likely effectiveness of these
procedures is debatable. Most U.S. residents remain free,
however, to reject the government's offer, use alternatives to
Clipper (so long as the software or hardware remains in the
U.S.),{19} and withhold their keys
from the government.{20} With ever more
secure methods of [Page
717]encryption becoming easier to use, U.S. residents
can protect their electronic communications and records so well
that they are able to frustrate interception attempts by even the
most sophisticated government agencies.{21}
Part II examines the legal justifications and constitutional implications of the EES proposal. It argues that the EES proposal violates the spirit, although not the letter, of the Administrative Procedures Act and represents an abuse of the technical standard-setting process. The involvement of the NSA may violate the Computer Security Act, but the absence of public information as to its role makes a firm judgment impossible. Part II also discusses Clipper's inherent policy and technical weaknesses and the inconsistencies between the Administration's policy objectives to the extent they are unclassified and the Clipper proposal itself. It concludes, however, that a purely voluntary Clipper program violates no statutory or constitutional provisions, and that even if it does, there is no one with standing to challenge such a violation. Part II also concludes that an optional Clipper will probably make only a modest contribution to the government's stated goal of maintaining its wiretap and electronic espionage capability.
Thus, Part III considers the
constitutional implications of the more radical proposal that
some commentators find implicit in the policies animating
Clipper: requiring all users of strong encryption to register
their ciphers' keys with the government. After a whirlwind
survey of evolving conceptions of the constitutional right to
privacy as well as more settled First, Fourth, and Fifth
Amendment doctrines, Part III concludes that
although mandatory key escrow would infringe personal privacy,
reduce associational[Page 718]freedoms, potentially chill
speech, constitute a potentially unreasonable search, and might
even require a form of self-incrimination, the constitutionality
of mandatory key escrow legislation remains a distressingly close
question under existing doctrines.
Part IV addresses the cryptography controversy as an example of the law's occasionally awkward response to a new technology. The courts, and to a lesser extent the legislative and executive branches, have yet to come to grips with many cryptographic conundrums. As a result, this part of the legal "landscape" remains relatively barren. As more and more settlers arrive in cyberspace, the nature of this new landscape will depend critically on the legal metaphors that the colonists choose to bring with them.
Finally, the Technical Appendix discusses modern cryptographic systems, including the widely-used DatA Encryption Standard (DES), and how they can (at least theoretically) be broken by attackers armed with large numbers of relatively modest computers. It also provides an introduction to public-key cryptosystems and to digital signatures, which could represent the most important commercial application of modern cryptographic techniques.
I. Modern Cryptography: Private Security, Government
Insecurity
Cryptography contributes to commercial, political, and personal
life in a surprising number of ways. Now that modern
cryptographic techniques have put strong, perhaps uncrackable,
cryptography within the reach of anyone with a computer or even a
telephone, the use of strong cryptography is likely to increase
further. As A result, worried law enforcement and intelligence
agencies have developed the Clipper Chip in order to retain their
capability to eavesdrop on private electronic communications.
A. Who Needs Cryptography?
Many individuals and businesses want or need communications and
data security.{22}
Although these desires clearly have an objec[Page 719]tive basis in many cases,
some of these desires are undoubtedly symbolic and psychological.
Who other than the recipient, after all, is likely to want to
read most private faxes and e-mail?{23} The subjective nature of a desire for
privacy
makes it no less real or worthy of respect.{24} Encryption can play A critical role in
contributing to this communications and datA security.{25}
The government's assurance that a cryptosystem is secure also contributes to this security. Evaluating the strength of a cipher is a black art that requires skills few businesses or individuals possess. The government's endorsement will at least reassure those, such as banks and lawyers, who have a duty to secure their communications and data but lack the technical knowledge to determine what ciphers are reliable.
[Page 720]messages.{27}Banks use encryption to protect ID numbers that customers use at bank automated teller machines (ATMs).{28} In addition, many banks encrypt the customer data on ATM cards in order to protect against forgeries.{29} The banking sector's awareness of its vulnerability to electronic theft of funds has spurred the creation of cryptographic standards for both retail and inter-bank transactions.{30}
As
the economy continues to move away from cash transactions towards
"digital cash," both customers and merchants will need
the authentication provided by unforgeable digital
signatures in order to prevent forgery and transact with
confidence.{31} Forgery
is a perennial problem with electronic mail: copying is easy,
there are no tangible permanent media involved in the
communication, and programmers or system managers can alter e-
mail headers to fake the source of a message. Cryptography can
provide an authenticating function for these electronic
transactions. Cryptographic [Page
721]techniques
can be used to produce a digital signature which, when
properly used, can prove that a cleartext message (such as a buy
or sell order) was really sent by the party from whom the message
appears to originate.{32} In addition, a
digital signature attests to the integrity of the contents of a
message. If the digital signature system is properly
implemented, the signature of every document is uniquely
calculated from the full text of the document, and is uniquely
associated with the sender. There is no way to fake a signature
by copying A signature from one document and attaching it to
another, nor is it possible to alter the signed message in any
way without the recipient immediately detecting the deception.{33} The slightest change in
a signed document will cause the digital signature verification
process to fail. Indeed, a signature verification failure will
be caused by a transmission error affecting a single bit of the
message.{34}
The proposed National
Information Infrastructure, better known as Vice President Al
Gore's information superhighway, envisions
"telebanking" and other electronic transactions.{35} It recognizes, however,
that as these services expand, so too will "public concern
about communications and personal privacy."{36} One important issue
will be the extent to which consumer-oriented digital payment
systems allow for anonymity and privacy; another will be the
extent to which law enforcement and banks will require audit
trails that lead to the consumer.{37}
[Page 722]
Business information need not be scientific or technical to be of enormous value. Sensitive market information such as the amount that a corporation plans to bid at an auction for valuable oil leases or the amount that a construction company plans to offer at tender is of enormous benefit to a competitor.{40} Knowledge of A company's cost and price structure, market research, strategic plans,order and customer lists are of obvious benefit to competitors. For an investor, inside information such as planned merger or acquisition activity, can also reap huge profits. Encryption helps prevent high-tech eavesdropping, while at the same time discourages some low-tech theft: a stolen laptop with an encrypted disk represents a loss of hardware, but not of sensitive information.{41}
The increasing importance of intellectual property makes information security especially valuable to industry; the portability of ideas makes it ever-harder to achieve. The increase in mobile communications also plays a role. As workers rely on networks to tele-commute to the office, or use cellular telephones to communicate with colleagues, or download e-mail onto their laptops while away from the office, they expose their information to eavesdroppers.{42}
[Page 723]The risk to U.S.
corporations of both high- and low-tech industrial espionage is
particularly great because they are not just the target of
domestic and foreign competitors, but also of foreign
intelligence agencies.
Indeed, according to the FBI, foreign governments routinely use
their intelligence services to acquire valuable information about
U.S. corporations.{43} As a result,
without some form of communications and data security, sensitive
technical and market information can be intercepted from faxes,
cellular and microwave telephone calls, satellite
communications, and inadequately protected computer systems.{44} Foreign firms may soon
face a similar threat of industrial espionage by U.S.
intelligence agencies searching for new roles, and continued
appropriations, in the post-cold-war era.{45} [Page
724]
[Page
725]versations may be at risk if the signal travels by
microwave or satellite.{50} Although there are
no cases to date holding that failure to encrypt a cellular
telephone conversation or an electronic mail message, much less A
regular phone call, constitutes professional negligence, the ease
with which these can be overheard or intercepted, combined with
the growing simplicity of encryption software, make it
conceivable that failure to use encryption may be considered a
waiver of privilege at some point in the future (at least for
insecure media such as electronic mail and cellular
telephones).{51}Lawyers are not the only professionals who receive client confidences. Doctors, therapists, and accountants all receive sensitive information which they then have a duty to keep confidential. These duties can arise in tort or contract, or pursuant to state and federal statutes.{52} Some of these duties are reflected in evidentiary privileges,{53} but a privilege is not required to create the duty.{54}
[Page 726]a digitized photograph, and
any other information (for example, health, immigration status,
or prior convictions).{56} Users (who might
include liquor stores, police, banks, employers, or a national
health insurance trust) would have a reader with the government's
public key on it, which they would use to decrypt the card. So
long as the government was able to keep its private key secret,
the ID card would be unforgeable.
National ID cards raise a host of problems outside the scope of
this Article, many of which could be exacerbated by the use of
cryptography. Chief among these difficulties is the danger that
the government might encrypt additional information on cards that
would be invisible to the holder but might be accessible to law
enforcement, or even some employers. Examples of such secret
information include criminal record, military discharge status,
or health information.{57} Less ominously,
digital signatures provide a means of
authenticating all electronic data. In a world in which bank,
tax, and medical records, and the contents of the digital library
are all at risk of accidental or malicious alteration,
authentication of data becomes critical. By providing a reliable
guarantee that data with a proper signature is authentic, digital
signatures provide a certain means of detecting changes when
someone tries to rewrite history. [Page
727]
Cryptologists have worked out protocols for untraceable, anonymous, electronic cash ("E$") that also resist illicit duplication. These permit customers to acquire E$ from A digital bank without disclosing their identity to the bank. Using high-level cryptographic techniques, the E$ is unforgeably certified as valid, but can be spent only once.{60}
Unfortunately, although cryptography allows the creation of privacy-enhancing E$ and helps ensure that an Orwellian surveillance state remains in the realm of fiction, its advantages come at a price. The same features that might make uncrackable encryption attractive to groups seeking to change the social order by lawful but unpopular means, and that protect those working towards unpopular causes from retribution, also provide security to lawbreakers. Untraceable E$ may help make untraceable "perfect crimes" possible.{61}
[Page
728]Undoubtedly, criminals and conspirators will find
a use for encryption,{62} but so too will
many others. Not every diarist records crimes in his daybook,
but for many people there will be a certain satisfaction in
knowing that their most private thoughts are safe from anyone's
prying eyes, be they major governments or younger siblings.{63}
[Page 729] Encryption
also protects against the consequences of misdialing a telephone
number and reaching the wrong fax machine an
increasingly common problem as the number of dedicated fax lines
grows.
d. E-mail
The exponential growth in the Internet's popularity has fueled
the private demand for encryption.{72} Military-grade cryptography, or something
close to it, is easily available free to any user of the Internet
who knows how to download a file.{73}
[Page 730]
e. Personal Records
Many people have things they want to hide from their colleagues
or family members. The secret can be as trivial as a planned
surprise party, as personal as a love letter or sexual
orientation, or as unsavory as a planned theft or past misdeed.
It can be A private diary or the plans for a bomb. These records
may be on paper or stored on a computer disk. Some people derive
a sense of security from the knowledge that their communications
and data are safe from unauthorized snooping by their friends,
family, or anonymous computer hackers. Others seek an even
greater sense of security by attempting to encrypt their
communications and records in a manner that cannot be decrypted
even by authorized law enforcement.{74}
7. Dissidents and Others
Most, if not all, of the readers of this Article probably
experience life in the United States as one of political freedom.
For some of these readers, a desire for communications and
electronic records security, particularly security from possible
or suspected government surveillance or intrusion, may appear to
be an excess of libertarian paranoia. The existence of low-water
marks in civil liberties (such as the 1798 Alien and Sedition
Act,{75} the 1920s'[Page 731]"Palmer raids,"{76} the Japanese internment during World War
II,{77} and COINTELPRO{78}) may be seen by some readers as well-
documented and anomalous departures from American ideals; other
readers may see them as symptoms of A more general tendency of
those in authority, approaching the "iron law of
oligarchy."{79}
Organized government intrusion into personal communications and data privacy is less visible than an order to round up thousands of civilians. It is also far more frequent. When given the duty and authority to identify threats to national security,{80} public servants have shown a tendency to adopt a "vacuum cleaner[]" approach to private information.{81} Indeed, the Senate committee charged with investigating domestic surveillance noted "the tendency of intelligence activities to expand beyond their initial scope" and stated that government officials "have violated or ignored the law over long periods of time and have advocated and defended their right to break the law."{82}
[Page 732]It is harder to view fears
of government surveillance as aberrational when one learns that
in the 1950s the FBI identified 26,000
"potentially dangerous" persons who should be rounded
up in the event of a "national emergency," and that it
maintained this list for many years.{83} During the 1970s, even sympathizers
dismissed as fantastical the claims by Black Panthers and other
dissident groups that they were being wiretapped and bugged by
the FBI. These allegations proved to be correct.{84} Indeed, the U.S. government has an
unfortunate recent history of intrusion into private matters.
During the 1970s, the FBI kept information in its files covering
the beliefs and activities of more than one in four hundred
Americans;{85} during the 1960s, the U.S. Army
created files on about 100,000 civilians.{86} Between 1953 and 1973, the CIA opened and
photographed almost 250,000 first class letters within the U.S.
from which it compiled a database of almost 1.5 million names.{87} Similarly, the FBI opened tens of
thousands of domestic letters, while the NSA obtained millions of
private telegrams sent from, to, or through the United States.{88}
Although the Constitution guarantees a
high degree of political freedom and autonomy, "[t]he
Government has often undertaken the secret surveillance of
citizens on the basis of their political beliefs, even when those
beliefs posed no threat of violence or illegal acts on behalf of
a hostile foreign power."{89}
Certainly, neither
statutory nor constitutional prohibitions have proved
consistently effective in preventing civil liberties abuses. For
example, U.S. Census data is supposed to be private, and that
privacy is
guaranteed by law. Nevertheless, during World War II the
government used census data to identify and locate 112,000 [Page 733]Americans of Japanese
ancestry who were then transported to internment camps.{90} Similarly, the CIA repeatedly violated the
prohibition on domestic intelligence contained in its charter.{91}
One need not believe that such excesses are routine to sympathize with those who fear that another such excess is foreseeable. Indeed, whether one considers these operations to have been justified, to have resulted from a type of a bureaucratic rationality that rewards results regardless of legal niceties,{92} or to have been a form of security paranoia, this history could cause a reasonable person to fear she might someday be swept up in an investigation.{93} The passage of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Title III),{94} designed to define standards for the use of wiretaps, appears to have reduced greatly the amount of illegal wiretapping by police. Nonetheless, illegal wiretapping by police has not been completely eliminated.{95}
Not all governmentintrusion into privacy is centrally organized, but that hardly makes it less intrusive. During the past five years the IRS has caught hundreds of its employees snooping into the tax records "of friends, neighbors, enemies, potential in-laws, stockbrokers, celebrities and former spouses."{96} Authorized users of the FBI's National Crime Information Center have used its databases to check up on friends and neighbors and to check backgrounds for political purposes.{97} It is an article of faith for many Americans that postal workers read the postcards they process and not without reason when postal workers are heard to say that they "pass the really good ones around the office."{98}
A reasonable person may also be concerned about surveillance by nongovernmental actors. For instance, political campaigns are notorious for dirty tricks, including the bugging of opponents;{99} the yellow pages in any major city contain numerous advertisements for detective agencies and investigators;{100} and eavesdropping and bugging devices are readily available in stores.{101}
In light of this history of public
and private intrusion into personal privacy and the growing
interconnection of computers and communications envisioned by the
National Information
Infrastructure, it is impossible to dismiss the desire for
personal communica[Page
735]tions and records security as pure paranoia. It
may, in fact, be very sensible.
B. The U.S. Data Encryption Standard (DES) Is
Increasingly Vulnerable
While the need for communications security grows, the
officially sanctioned tools for providing that security are
beginning to look dated and vulnerable.
[Page
736]In 1977, after several years of acrimonious public
debate among professional cryptologists, the NBS selected an
algorithm developed by IBM that the NSA had certified as
"free of any statistical or
mathematical weaknesses."{105} It is
now known as the Data Encryption Standard (DES).{106} DES is a single-key cipher: the sender
and the receiver use the same key to encrypt and decrypt the
message. DES keys are fifty-six bits (about eight ASCII
characters) long.{107} This means that
there are seventy-two quadrillion (actually
72,057,594,037,927,936) different possible keys.{108} DES is approved for use by the government
for its sensitive
information, but
not for classified information.{109}
The
designation of DES as the U.S. standard was controversial,
foreshadowing the current controversy over Clipper. An earlier
version of the IBM project used a key with well over one hundred
bits.{110} The key
shrank to fifty-six bits by the time it became the U.S. standard.
Critics charged that the shortened key was designed to be long
enough to frustrate corporate eavesdroppers, but short enough to
be broken by the NSA.{111} Some critics
also feared there might be a "back door,"{112} an implanted weakness
in a key[Page 737]part of the
encryption algorithm known as S-boxes, that would allow the
agency to use computational shortcuts to break the code.{113}
The problem was exacerbated by the unwillingness of DES's creators to explain why they had chosen the particular, seemingly arbitrary, method of mixing up bits that they had selected. Cryptology is a field for the truly devious, and many cryptologists were concerned that there might be a mathematical vulnerability intentionally inserted by the cryptographers who designed the DES cipher. The search for such back doors in government-sponsored ciphers such as DES has been a popular pastime among suspicious cryptologists since the NBS proposed DES, yet no back door has been reported. Recently, however, academic cryptologists determined that DES's unusual algorithm is peculiarly resistant to a newly discovered mathematical attack called "differential cryptanalysis"a technique which had not been discovered, at least in unclassified form, at the time DES became the U.S. standard. DES's inventors have since stated that they were aware in 1974 of DES's resistance to differential cryptanalysis, but kept quiet to protect national security.{114}
Export of DES is controlled by the State Department as if it were a weapon like a tank or fighter plane.{115} Financial institutions and the foreign offices of U.S.-controlled corporations routinely receive clearance to export DES if they show a need, but the State Department presumably acting under the advice of the NSA usually refuses to allow others to export it.
Although U.S. law ordinarily prevents Americans from selling
DES-equipped encryption products to foreigners, DES is found
around the world and freely sold by foreign corporations in many
countries. It may be "the most widely used cryptosystem in
the [Page 738]world."{116} A full specification
of DES is available in books sold in the United States,{117} the export of which
is not controlled,{118} presumably on
First Amendment grounds.{119}
Given that computer processors become cheaper every day, brute-force searches for DES keys are now well within the reach of relatively affordable, massively parallel machines.{121} A recent paper describes a brute-force attack on DES as "alarmingly economical," estimating that for $1 million one could build an optimized machine that would try fifty million keys per second and would crack a DES key in an average of 3.5 hours.{122} An investment of $10 million would produce a machine that would be expected to crack A DES key every twenty-one minutes.{123} DES-cracking remains beyond the means of the casual snooper, but is now within the means of many corporations and every government.
[Page 739]The security
problem is compounded by the probabilistic nature of a brute-
force key search. The strength of an algorithm is expressed in
the amount of time it would take to be certain of finding
the key by trying every possibility. The expected (average)
amount of time per key is only half that amount. If, however, an
attacker is engaged in a routine program of successively trying
to break keys, and knows how often they are changed, the attacker
will inevitably get lucky. This can be a serious threat in
situations where one piece of luck will garner the attacker a
large return.
Suppose, for example, that a bank which becomes concerned about the vulnerability of its DES keys decides to change the key used for interbank financial transactions every day. Does this give it security? If an attacker has a machine that is certain to break A key in a year, then the attacker has over a 0.01% chance of breaking the new key in an hour, and a 0.27% chance of breaking it in a day.{124} In plain English, the attacker has just better than a one in ten thousand chance of breaking each key in the first hour; she has a chance of about one in 370 of breaking each key before it is changed. The attacker thus can hope for a large electronic funds transfer to her bank account about once a year.{125}
Worse, the attacker does not need
special computers so long as she has several of them. An
attacker armed with only one 100Mhz Pentium computer would have a
minuscule daily chance of success. If she links a group of 500
Pentium computers on a university network, however, her chance of
cracking DES in a day rises to just above one in 40,000.{126} These are not bad odds for a lottery in
which
the payoff can be in the millions, and the cost of a ticket idle
[Page 740]time on computers
in A university network may be zero to the user.
The idea of networks of computers harnessed together to crack A DES password may sound like science fiction, but something similar is already happening. A group of computer scientists and mathematicians recently used the Internet to harness computer time donated by 600 volunteers. Using a total of about 5000 MIPS-years{127} of processing time to make 100 quadrillion calculations over an eight month period, the group solved a problem equal in complexity to breaking a 129-digit RSA key.{128} RSA is a commercial public-key cryptosystem{129} and its keys are not precisely comparable to DES keys, but even so the problem was far harder than breaking DES's 56-bit key.{130}
[Page
741]compatible with regular DES.{131} The advantage of using triple-DES rather
than a single 56-bit encryption is that messages remain more
compatible with existing equipment; the disadvantages are a loss
in speed, a need to revise existing software and hardware,
inelegance, and some lingering uncertainty as to its safety.{132} NIST has been silent on the security (or
lack
thereof) of triple-DES. The NSA has not disclosed whether it
considers triple-DES insecure, too secure, or neither.{133} It may be that the
NSA has been silent on triple-DES in the hopes that it will be
elbowed out of the market by "escrowed" encryption
products such as Clipper. Triple-DES is probably very hard to
break; breaking through Clipper's protections will involve no
(computational) effort for authorized persons because the
government will keep a copy of the keys.{134} [Page
742]A second solution, applicable only to time-
sensitive information, is to change DES keys very frequently. If
a new DES key is used for every message, by the time the attacker
figures out the old key, it is too late. Of course, this
solution does not work for things that need to be kept secret for
long periods of time. It also requires that parties to
communication have some way to agree on a continuing supply of
new keys which, by definition, they cannot do on the insecure
channel which requires the encryption in the first place.{135}
A third solution is to abandon DES,
in whole or in part, and try something new. The U.S. government
has selected a replacement for DES that involves escrowed
encryption using a new algorithm called SKIPJACK. The government
has indicated that it hopes U.S. users of cryptography will adopt
this option.
C. The Escrowed Encryption Standard (EES)
The industrialized world is in the opening stages of an
"ongoing telecommunications revolution with still undefined
potential to affect the way we communicate and develop our
intellectual resources."{136} These
changes can be liberating, and they can
be painful; some have distributional consequences affecting
relative power as well as access to information.
The increases in personal privacy and communications security
promised by cryptography come at the expense of those who benefit
from insecure communications. If every telephone call is
routinely encrypted, domestic law enforcement agencies, such as
the FBI and local police forces, will find wiretapping harder or
even
impossible. If information on computers is routinely encrypted
police may find evidence inaccessible or incomprehensible. When
sophisticated encryption technologies are used abroad,
intelligence agencies such as the NSA, which routinely seek to
penetrate the communications of foreign powers, find their
missions complicated. To the extent [Page 743]that American citizens are
better off because wiretaps help catch and convict criminals, and
to the extent that communications
intelligence protects the national interest from foreign threats,
developments that impede legitimate wiretaps may make us all
worse off.
The fear of losing electronic surveillance capabilities because
of advances in encryption technology has produced a three-pronged
reaction from the law enforcement and intelligence communities.
First, their spokespersons have begun a public relations
offensive designed to explain why these capabilities matter.{137} Second, they have
sought legislation requiring that telephone networks and other
similar communications channels be designed in a manner that
facilitates wiretapping.{138} Third, they
have designed and supported EES,
best known in its most famous implementation, the Clipper Chip,
which enables the government to keep a copy of the key needed to
decrypt all communications using EES. These activities share the
premise that it is reasonable for the government to request, and
in some cases require, that private persons communicate in a
manner that makes interception by the government at least
practical and preferably easy.
The Administration{140} makes two types
of arguments in favor of EES.
In its hard sell, the Administration, primarily through the [Page 744]FBI, paints a lurid
picture of law enforcement stripped of an essential crime-
detection and evidentiary tool wiretapping while pornographers,
drug dealers, terrorists, and child molesters conspire via
unbreakable ciphers, storing their records and child pornography
in computers that become virtual cryptographic fortresses.
Meanwhile, the
intelligence agencies, primarily the NSA, quietly murmur that
existing policies have proved ineffective in preventing the
increasing use of unescrowed encryption, and suggest that their
proposals should be adopted to prevent developments that might
(or might not, they won't say) undermine the nation's
communications intelligence capabilities.
In its soft sell, the government argues that if the NSA has
designed a cryptographic system that it is willing to certify as
secure and make available to the American public, the government
has an obligation to take steps to prevent that cipher from being
used against it by criminals and foreign governments. In fact,
the current national standard cipher, DES, is strong enough that
the U.S. government has sought to prevent its export and may
indeed regret having let the algorithm become publicly
available.{141} EES, the argument
goes, just maintains the status quo. Even if everyone used A
Clipper-equipped telephone, telephone conversations would be no
less secure against legitimate government wiretapping than they
are today, while being more secure against illicit
eavesdropping.{142}
a. Domestic Law Enforcement
According to FBI Director Louis Freeh, electronic intelligence,
especially wiretapping, is crucial to effective law enforcement:
if the FBI and local police were to lose the ability to tap
telephones because of the widespread use of strong cryptography,
the "country [would] be unable to protect itself against
terrorism, violent crime, foreign threats, drug trafficking,
espionage, kidnapping, and other crimes."{143}
From the statistics available, it is
difficult to determine how [Page
745]much difference wiretaps actually make.{144} The FBI estimates that wiretaps play a
role in an average of 2200 convictions per year,{145} but it is unclear how
many of these convictions could have been obtained without
wiretaps. Despite an almost 50% increase since 1983, court-
ordered wiretaps are still relatively rare: only 919 were
authorized in 1992 for all federal, state, and local police
forces.{146} Of these, only 141
wiretap orders covered electronic devices such as faxes, digital
display pagers, voice pagers, cellular phones, or electronic
mail. In 1993, the 976 active court-ordered wiretaps allowed
police to hear approximately 1.7 million conversations involving
nearly 94,000 persons. The listeners described about 20% of the
conversations as incriminating.{147} The law
enforcement community suggests that wiretaps make the biggest
difference in the largest cases because wiretaps have been used
to gather evidence in 90% of the terrorism cases brought to
trial.{148} The average cost of a
wiretap was $57,256 in
1993,{149} so it may be
that the biggest cases are the only ones in which the expense of
monitoring a telephone line seems justified.{150}
Statistics aside, it seems only
logical that the spread of strong, user-friendly cryptography
would increase the risk that evil people will be able to
frustrate law enforcement attempts to crack their computers or
bug their telephones. Whether the risk has yet [Page 746]manifested itself is less
clear. For all its predications of disaster in the making,
"the FBI has not been able to point to a single instance to
date [(September 1994)] where encryption has hampered [its]
investigation of a case."{151}
Nevertheless, the fear that rogue cryptography might allow
"terrorists, drug dealers, and other criminals"{152} to evade law enforcement seems to supply a
large part of the motivation for the Administration's support for
EES. One can only sympathize with officials who were, no doubt,
asked whether they wished to go down in history as the
individuals responsible for letting loose A technology that might
someday hamper the investigation of A terrorist threat to a large
population center.{153} Faced with the
FBI's
Manichaean vision of, on the one hand, a world of rampant
cryptography in which the bad guys remain impregnable behind
cryptological walls and, on the other hand, an ambitious plan to
return to the status quo ante in which the police remain able to
intercept and understand most if not all electronic
communication, it is not surprising that the Clinton
Administration opted for what must have appeared to be the safer
course.
[Page 747]b.
Intelligence-Gathering
The communications intelligence capabilities of the United
States are a subject "characterized by secrecy even greater
than that surrounding nuclear weapons."{154} Unclassified discussion of the effect of
strong private cryptography on the capabilities of intelligence
agencies quickly becomes conjecture. We do know, however, that
two of the most important functions of the NSA are to acquire and
decrypt foreign communications, and to conduct traffic analysis
of foreign and international communications.
The two functions are related, but different. Acquisition and decryption of foreign communications are the stuff of headlines: listening to the Soviet President's telephone calls made from his limousine or breaking German codes during World War II. Traffic analysis is more subtle, but no less important. It is the study of the sources and recipients of messages, including messages that the eavesdropper cannot understand. In wartime, traffic analysis allows intelligence agencies to deduce lines of command. Changes in the volume and direction of traffic can signal the imminence of operations.{155}
Widespread
foreign access to even medium-grade cryptography makes it more
difficult for U.S. communications intelligence to select the
messages that are worth decrypting, or even worth reading.{156} Worse, it makes
traffic analysis much more difficult. So long as most electronic
communications are unencrypted, intelligence agencies are able to
sort messages in real time, and identify those of interest, or
those which warrant further attention.{157} [Page
748]Furthermore, if most traffic is plaintext, then
ciphertext cries
out for attention here is someone with something to hide. Even
if the message cannot be decrypted quickly, the source can be
flagged for traffic analysis, which enables the intelligence
agency to build up a picture of the persons with whom the source
communicates. If everyone is using strong cryptography, then the
most secret messages no longer stand out.
c. Failure of Laws Designed to Prevent the Spread of
Strong Cryptography
The United States has several long-standing laws and policies
designed to prevent strong cryptography from spreading abroad,
and even from being widely used at home. Although these may have
served to slow the spread of strong cryptography, ultimately they
have failed to stop it. The following is only a brief summary of
two exemplary policies and their effects.{158}
i. Export Control: The ITAR
U.S. export control is designed to prevent foreigners from
acquiring cryptographic systems that are strong enough to create
A serious barrier to traffic analysis, or that are difficult to
crack.{159} Two sets of
regulations govern the export of encryption software: the Export
Administration Regulations (EAR) govern "dual use"
technologies{160} and the
International Traffic in Arms Regulations (ITAR) apply to items
that the government considers inherently military in nature.{161} The EAR are generally less demanding, but
the ITAR take precedence.{162} Under the ITAR
regime, applica[Page
749]tions to export cryptographic software as strong
as (or stronger than) DES are routinely denied.{163} Only strong products that lack [Page 750]the capability of being
adapted for encryption, or which are designed for specific
banking applications, receive official export clearance.{164}
The ITAR have failed to prevent the spread of strong cryptography. The ITAR prohibit export of cryptographic software,{165} nevertheless software created in the United States routinely and quickly finds its way abroad. For example, when version 2.6 of PGP, a popular military-grade cryptography program, was released in the United States by graduate students at MIT as freeware,{166} a researcher at the Virus Test Center at the University of Hamburg, in Germany, received a copy within days from an anonymous remailer.{167} He then placed it on his internationally-known Internet distribution site.{168} As would-be sellers of cryptographic products have frequently testified to Congress, the major effect of the ITAR is to prevent U.S. companies from competing with those foreign companies that sell sophisticated cryptographic software abroad.{169}
[Page 751]Meanwhile,
enforcement of the ITAR has produced absurd results. The State
Department has refused to license the export of a floppy disk
containing the exact text of several cryptographic routines
identical to those previously published in book form.{170} The refusal was all
the more bizarre because the book itself was approved for
export.{171} The only reasons
given by the State Department for its refusal were that
"[e]ach source code listing has been partitioned into its
own file and has the capability of being compiled into an
executable subroutine,"{172} and that
the source code is "of such a strategic level as to
warrant" continued control.{173} The
State Department also concluded that the
"public domain" exception to the ITAR{174} did not apply and most bizarrely of all
that its decision was consistent with the First Amendment.{175}
ii. "Classified at Birth"
The Inventions Secrecy Act{176} gives
the Commissioner of Patents the authority to issue patent secrecy
orders. Even if the government has no ownership interest in the
invention, the orders block the issuance of a patent and place
the application under seal. If the Nuclear Regulatory Commission
or the Department of Defense states that publicizing the
invention would be detrimental to the national security, the
patent will be withheld "for such period as the national
interest requires."{177} Willful
disclosure of an invention covered by
a secrecy order is a criminal offense.{178} [Page
752]
While the application of the Inventions Secrecy Act to privately
created cryptographic devices has sometimes occasioned
publicity,{179} most devices covered
by secrecy orders are invented at government expense.{180}
The existence of a number of high- level cryptographic algorithms in public circulation, some patented,{181} some not, suggests that the Inventions Secrecy Act has been far from successful at preventing the spread of strong cryptography.{182}
"Here, here, here be my keys; ascend my chambers;The Escrow Encryption Standard is designed to provide users with communications that are secure against decryption by all third parties except authorized agents of the U.S. government. Before A Clipper Chip is installed in a telephone,{184} the government will permanently inscribe it with a unique serial number and A unique encryption key. The government will keep both of these numbers on file. In order to reduce the danger that the file might be stolen or otherwise compromised, the chip's unique encryption key will be split into two pieces, each held by a different "escrow agent." The escrow agents will be required to guard the segments and release them only to persons who can demonstrate they will be used for authorized intercepts. Reuniting the pieces of a chip's unique key gives the government the capability to decrypt any Clipper conversations.
search, seek, find out."{183}
[Page 753]
a. A Tale of Three Keys
From the user's point of view, the Clipper Chip is a black box:
pick up your Clipper-equipped telephone, dial another
Clipperphone, push a red button to initiate the security feature,
wait a few seconds for the two chips to synchronize, read off the
character string displayed on the telephone to the other party to
confirm the security of the conversation,{185} and start the conversation.{186} The conversation is
scrambled with a classified algorithm called SKIPJACK, which took
the NSA ten years to develop, and which the government certifies
as secure for the foreseeable future.{187} What [Page
754]happens during those few seconds before the
conversation begins, and why, are the essence of EES and the
source of controversy.
From the government's point of view, EES relies on three keys: the session key,{188} the chip key, and the family key. The session key is what SKIPJACK uses to encrypt and decrypt the conversation. Every conversation has a new session key, and any third party seeking to eavesdrop on the conversation would need to have the session key to decrypt the conversation. Oddly, the Clipper Chip does not select the session key; indeed, the Clipper Chips do not care how the telephones do this.
Suppose Alice wants to have a
secure conversation with Bob. Alice calls Bob, then pushes the
red button. At this point, the two Clipperphones have to agree
to a session key according to A method selected by the
manufacturer. The maker of the Clipperphone is free to use as
secure a method as she likes. The two
Clipperphones might, for example, use a supersecure method of
agreeing on the session key which is so safe that two strangers
who have never met before can agree on a session key in public
while being overheard, and yet anyone who overhears what they say
will still be unable to work out what the key is.{189} Assume that Alice
and Bob use telephones that have this supersecure selection
method built in. Once the two telephones agree on the session
key, each phone feeds the key to its Clipper Chip.{190} As soon as the Clipper Chips are [Page 755]told the session key, they
begin the Clipper telephone session. The first step in a Clipper
telephone session is to undermine the eavesdropper-proof creation
of the session key by transmitting the session key in encrypted
form for the benefit of any public servants who may be
listening.
At the start of every Clipper session, a Clipper Chip sends A
stream of data called a Law Enforcement Access Field (LEAF).{191} Unless Bob's Clipper
Chip receives a valid LEAF from Alice's chip, Bob's chip will not
talk with it.{192} As can be seen
from the Figure on page 756, the LEAF is built in layers. At the
center lies the session key. The chip encrypts the session key
with the unique chip key. It then appends the sending chip's
serial number and a checksum, then reencrypts the data with the
family key, which is a master key held by the government.{193}
[Page 756]
In short, eavesdroppers seeking access to the session key must
use two keys to decrypt the LEAF: the family key (which is
common to all chips) and the chip key (which is different for
every chip).
Assuming that the family key will be in fairly wide
circulation,{194} the security of
the
Clipper Chip stands or falls on the security of the master list
of chip keys. This list, or the two lists of key segments, would
be of enormous value to any attacker, such as a foreign
government bent on industrial espionage. The way in which the
keys are created, and the method by which they are held and
released, are critical elements of the user's security.
When a public servant engage in a lawful wiretap first comes
across a Clipper session, she records it, including the LEAF.
The public servant must now acquire the family key if she does
not already possess it. According to NIST, the family keys will
not be transmitted to law enforcement personnel, but will instead
be stored [Page 757]in
special circuit boards capable of being installed in ordinary
PCs.{195} Once decrypted with
the family key, the LEAF reveals the serial number of the Clipper
Chip and also reveals the encrypted session key. The public
servant must then contact the two escrow agencies, giving them
the chip's serial number and a legally valid reason for the
wiretap, usually in the form of a warrant from a state court, a
federal court, or the special Foreign Intelligence Surveillance
Act (FISA) court.{196} The requestor
must "certify that [the] necessary legal
authorization for interception has been obtained to conduct
electronic surveillance regarding these communications."{197} How this certification operates when the
legal basis [Page 758]is "exigent
circumstances" (which is determined by the same officer who
would be
requesting the key segment), is not explained,{198} perhaps because
warrantless wiretaps based on exigent circumstances are
relatively rare.{199} There
remains some doubt as to how the NSA and other agencies in the
national security community will obtain keys. It is notable that
in a recent meeting involving the FBI, the NSA, and AT&T's
Bell Labs, "the NSA did not answer a question as to whether
the national security community would obtain keys from the same
escrow mechanism for their (legally authorized) intelligence
gathering or whether some other mechanism would exist for them to
get the keys."{200}
The escrow
agents have no duty to make any independent inquiries as to the
adequacy of the certification before releasing the key
segments.{201} Once
satisfied that the wiretap request appears legitimate (in that it
comes from someone authorized to make a request and contains her
certification that adequate legal authority exists), the escrow
agents are required to disclose the key segments for the key for
which the serial number was submitted. The public servant
requesting the key fragments puts them together and uses [Page 759]the reconstituted chip key
to decrypt the session key. Armed with the decrypted session
key, the public servant can at last decrypt the conversation.
Because the presence of the Clipper Chip has no effect on the
applicable constitutional and statutory rules, the public servant
remains obligated to minimize the intrusion.{202}
In summary, a public servant might decrypt an EES message as follows:
Public servant
(1) intercepts the message, including the LEAF (128-bit LEAF encrypted with the family key);
(2) decrypts the LEAF with the family key (32-bit chip ID, 80- bit session key encrypted with chip key, 16-bit checksum);
(3) contacts her escrow agents, reports the chip ID, and avers existence of the legal authority for the wiretap;
(4) receives two 80-bit key segments;
(5) XORs{203} the key segments to produce an 80-bit chip key;
(6) decrypts the encrypted session key with the chip key;
(7) decrypts the entire message with her decrypted session key.
[Page 760]they will be taken to a
secure, compartmented information facility,{205} which is the vault-like room that the
government uses when handling classified documents. Each of the
escrow
agents will provide a list of random numbers which, when
combined, will provide the numbers from which the keys will be
generated.{206}After the keys are generated, the escrow agents will be given A disk containing lists of chip serial numbers and an associated 80-bit number which represents half the information needed to recreate a chip's key. Both key segments must be combined to retrieve the chip key, and neither segment alone provides the holder with any information as to the chip key's contents.{207}
Although the escrow agents do not
check the bona fides of any requests for key fragments, they do
require a substantial amount of paperwork before releasing a key.
The escrow agents are also required to keep detailed records of
key segment requests and releases. The existence of this paper
trail should provide A significant disincentive to rogue
wiretapping requests by agents in the field. Similarly, NIST has
announced an elaborate system of safeguards to protect each
Clipper Chip's unique key. The scheme [Page 761]involves complex rationing
of information and mutual monitoring by the escrow agents from
the moment the Clipper Chip is created. Further security attends
the inscription of the key upon a Clipper Chip, its subsequent
division into two key segments, and ultimate
safeguarding by the two escrow agents.{208}
The security precautions introduced
by NIST in late 1994 are complex. To the nonspecialist they
appear sufficient to prevent security breaches at the time the
keys are "burned in" and to prevent surreptitious
copying or theft of the key list from the escrow agents. But no
amount of technical ingenuity will suffice to protect the key
fragments from a change in the legal rules governing the escrow
agents. Thus, even if the technical procedures are sound, the
President could direct the Attorney General to change her rules
regarding the escrow procedures. Because these rules were issued
without notice or comment, affect no private rights, and (like
all procedural rules) can therefore be amended or rescinded at
any time without public notice, there is no legal obstacle to a
secret amendment or supplement to the existing rules permitting
or requiring that the keys be released to
whomever, or according to whatever, the President directs.
Because the President's order would be lawful, none of the
security precautions outlined by NIST would protect the users of
the EES system from disclosure of the key segments by the escrow
agents. Nothing in the EES proposal explicitly states that the
NSA will not keep a set of keys; indeed, the only way to acquire
a set of EES-compliant chips is to have the device that
incorporates them tested and approved by the NSA. Similarly,
although the specifications for the decrypt processor call for it
to delete keys when a warrant expires and to automatically send a
confirmation message to the key escrow agents, the interim model
(there is only one) in use by law enforcement organizations
relies on manual deletion.{209}
[Page 762]
c. Limited Recourse for Improper Key
Disclosure
The escrow system lacks legal guarantees for the people whose
keys are generated by the government and held by the escrow
agents.
Indeed, the Attorney General's escrow procedures state that they
"do not create, and are not intended to create, any
substantive rights for individuals intercepted through electronic
surveillance."{210} In short, the
government disclaims in advance any reliance interest that a user
of an EES-equipped device might have in the
government's promise to keep the key secret.{211} A victim of an
illegal wiretap would have a cause of action under Title III
against the wiretapper,{212} but, it appears,
no remedy against the escrow
agents, even if the escrow agents acted negligently or failed to
follow their own procedures.{213} The
Attorney General's proce[Page
763]dures themselves are merely directives. They are
not even legislative rules, which might be subject to notice and
comment restrictions before being rescinded. A future
administration could, if it wanted, secretly{214} instruct the escrow
agents to deliver copies of the keys to an intelligence or law
enforcement agency, or even White House "plumbers,"
thereby violating no law or regulation (the plumbers, though,
would violate Title III when they used the information).{215} Because the chip-
unique keys were voluntarily disclosed to the government, the
chip's owner might lack a "legitimate" (that is,
enforceable) expectation of privacy in the information.{216}
If the intercepted communication were an e-mail or a file transfer, rather than a telephone call, the chip owner subject to an illegal or inadvertent disclosure by the escrow agents may be in a particularly weak position if the information ever makes its way to court: many Title III protections granted to voice communications do not apply to transfers of digitized data.{217}
Shortly before the 103d Congress
adjourned, Congressman George Brown introduced the Encryption
Standards and Procedures Act of 1994,{218} which would
have waived the sovereign immunity of the United States for
"willful" but unauthorized disclosures of key fragments
by its officials and excluded liability in all other
circumstances.{219} In the absence
of similar legislation, however, there [Page 764]may currently be no
monetary remedy even for a "willful" disclosure.
II. The Escrowed Encryption Proposal--Legal, Policy and
Technical Problems
The Clinton Administration introduced EES through a procedural
back door that relies on market power to prevent a substantial
increase in the communications privacy of Americans, an outcome
not authorized by any statute. EES used a standard-setting
procedure but failed to set an intelligible standard. The
procedure violates the spirit, although not the letter, of the
Administrative
Procedures Act (APA).
The Administration is spending large sums of money on A
controversial project in the absence of congressional
authorization.
This policy cuts out the legislature, and indeed the public, from
the decision to proceed with EES.{220} Only Congress can intervene, because, as
things currently stand, no one has standing to sue. The
Administration's use of a standard-setting procedure to make
substantive policy sets an alarming precedent of rule making with
highly attenuated accountability.
A. EES: The Un-Rule Rule
[Page
765]Information Processing Standards (FIPS) are
standards and guidelines intended to improve the federal
government's use and management of computers and information
technology, and to standardize procurement of those goods.{222} FIPS are
also used to announce national norms in areas of changing
technology where NIST believes industry would benefit from the
existence of a standard. Officially, the only bodies required to
conform to FIPS are agencies within the federal government (and
in some cases government contractors), although in practice they
are often adopted as de facto national standards by industry and
the public.{223} The
private sector finds FIPS attractive because they allow [Page 766]conformity with, and sales
to, the government, and because the standards themselves often
have technical merit, or at least reflect a technical consensus
of the many public and private interests that NIST routinely
consults before it promulgates a FIPS.{224} EES is FIPS 185.{225}One of the more serious complaints about FIPS 185 is that it fails to set a standard. One member of the NIST Computer Privacy and Security Advisory Board went so far as to submit a comment calling the FIPS "content- free."{226} Most FIPS describe a conforming device or procedure in sufficient detail for the reader to understand what it is; FIPS 185 does not. Instead, it states, "Implementations which are tested and validated by NIST will be considered as complying with this standard."{227} FIPS 185 requires the use of the SKIPJACK encryption algorithm and a LEAF creation method.{228} But the standard does not define those terms because the specifications for both are classified. Instead, FIPS 185 unhelpfully notes:
Organizations holding an appropriate security clearance and entering into a Memorandum of Agreement with the National Security Agency regarding implementation of the standard will be provided access to the classified specifications. Inquiries may be made regarding the Technical Reports and this program to Director, National Security Agency, Fort George G. Meade . . . .{229}
[Page 767]Nor does the
standard explain what sorts of devices it covers. It merely
states that "[v]arious devices implementing this standard
are anticipated.
The implementation may vary with the application. The specific
electric, physical and logical interface will vary with the
implementation."{230} Admittedly, FIPS
185 at least has the good grace to acknowledge that it is
"not an interoperability standard. It does not provide
sufficient information to design and implement a security device
or equipment. Other specifications and standards will be
required to assure interoperability of EES devices in various
applications."{231} In sum, FIPS
185 says something to this effect: "Various electronic
devices will contain classified components that will provide
escrowed encryption using a classified algorithm. If you ask
nicely, we may let you use one in your design, and we will tell
you whether we approve of your device and whether we will let you
produce it." This is a strange sort of standard.