WASHINGTON, DC (CyberWire, July 20) The hardline coalition of federal agencies backing the Clinton Administration's controversial Clipper chip encryption standard has cracked, forcing the Administration to modify its call for a single, government-backed standard for scrambling private communications.
The crack in the "Clipper Coalition" came after the Administration and the agencies most responsible for the Clipper program -- the National Security Agency and the National Institute of Standards and Technology (NIST)--withered under a blistering fire of a nationwide anti-Clipper grassroots campaign waged by the U.S. software companies, Crypto-rebels, privacy and civil liberties groups.
According to Administration sources, more moderate forces within the Administration began to lobby for a less intrusive alternative to Clipper, a program that one Administration official has openly acknowledged is "the Bosnia of telecommunications," months ago when the full hit of the public debate began to weigh on Clinton policy makers.
Moderate forces, pushing for a change in the hard line approach backing Clipper, have had to fight turf battles with the spooks within the super-secret National Security Agency, the agency which impregnated the government's overall encryption policy with the Clipper seed. "The NSA lost a lot of ground and credibility when the news of [AT&T Bell Labs scientist Matt] Blaze's discovered flaw hit the streets," said one Administration source involved in the Clipper policy debate.
The flaw Blaze exposed dealt with a way to confuse a critical part of the Clipper algorithm which allowed law enforcement agents to gain access to serial numbers of each Clipper Chip. Without those serial numbers, Clipper scrambled messages can't be listened to or read, in the case of computer communications.
Having suffered public embarrassment over the "Blaze Flaw," the NSA backed down and was forced to compromise: Clipper would remain the method for scrambling telephone conversations, but when it came to all other encryption methods -- including those embedded in software for export --all efforts would be used to come up with an alternative to Clipper.
That compromise was unveiled late today (Wed.) in a letter from Vice President Al Gore to Rep. Maria Cantwell (D.-Wash.), an opponent of Clipper. Cantwell, who represents the district that's home to Microsoft, has been negotiating with the Clipper Coalition over export legislation. If Clipper remained the government's policy, Cantwell says, it would do grave damage to U.S. exports. If no other encryption schemes but Clipper were allowed to be exported, U.S. industry would suffer the backlash of foreign markets which refused to buy any device or software that came with a built-in snooping capability accessible only by agents of the U.S. government.
That study, Gore promises, will reassess the entire encryption program by entering into a "new phase of cooperation among government, industry representatives and privacy advocates with a goal of trying to develop a key escrow encryption system that will provide strong encryption, be acceptable to computer users worldwide, and address our national needs as well."
Gore acknowledges that Clipper is to be used only for telephones and not for computers or faxes. That's a big move away from what the government had wanted to use, the Tessera Card, which was a credit card sized device that used the same classified encryption program beating within the heart of Clipper. Gore promises that Clipper won't be used "for computer networks and video networks," and that because of this shift "we are working with industry to investigate other technologies for those applications."
NIST is currently heading up the effort to find these alternatives. It's working with several ad hoc groups to find solutions to government controlled key escrow agents, while trying to find a way to allow private encryption schemes to proliferate but not at the expense of national security or law enforcement.
Gore backs this up in his letter: "We welcome the opportunity to work with industry to design a more versatile, less expensive system. Such a key escrow system would be implementable in software, firmware, hardware, or any combination thereof, would not rely upon a classified algorithm, would be voluntary, and would be exportable."
Despite assurances from the Administration, congressional forces are taking no chances. "If this Administration fucked up so bad during the first round of this Clipper fiasco, what proof is there that they won't shoot themselves in the foot again," a congressional staffer said.
Earlier this month, Sen. Patrick Leahy (D-Vt.) took steps to hold the Administration responsible for its Keystone Kop approach to encryption policy. Leahy insisted that language be added to the Justice Dept. Appropriations Committee Report that would force the White House to make a full accounting of Clipper.
According to the Appropriations language, the White House has to provide answers to 9 pointed questions, including "How much fiscal year 1994 and 1995 funding will the Dept. of Justice and Dept. of Commerce spend to develop, implement, and maintain key escrow encryption programs and what outyear funding requirements are anticipated beyond fiscal year 1995?
(Without funding for the key escrow agents, the program dies from starvation... )
Other questions to be answered include:
And probably most important of all, the White House will have to the well and answer this one: "Is it in fact the President's position that no law, regulation, or procedure requires the use of the key escrow technology and the associated Escrowed Encryption Standard?"
In other words, tell us, once and for all, are we going to have a law that bans private encryption--forcing us to become a nation of crypto-outlaws--or is this Administration going to promise to stand by our current freedom to use any encryption technology we choose?
Meeks out...
Brock Meeks files his Dispatch articles from Washington, D.C. When he's not watching over Cyberspace, he's a reporter for Communications Daily.
Copyright © 1994 CyberWire Dispatch. Reprinted by permission.