No Subject
I'm happy to say that there were 225 letters offering comments on the
proposed key escrow system sent to the [email protected] address. They were
printed out and delivered today.
Many thanks to all who responded to the call for action. I've gotten
really positive responses to the post and our electronic mail mechanism.
If you think that this sort of notice helped you to be informed and
participate in policy, please drop me a note at [email protected]. Let me
know if you think that this is an important service that EFF can provide
for the online community.
Below is the text of the comments that EFF filed with NIST today.
================================
September 27, 1993
National Institute for Standards and Technology
ATTN: Proposed FIPS for Escrowed Encryption Standard
Technology Building, Room B-154
Gaithersburg, MD 20899
To The Director:
The Electronic Frontier Foundation (EFF) writes in strong
opposition to the Proposed Federal Information Processing Standard (FIPS)
for an Escrowed Encryption Standard, docket # 930659-3159. We believe that
NIST's guidance in setting technical standards for security and privacy
protection is a critical part of the growth of the National Information
Infrastructure, but any action on the proposed escrow technical standards
must await the resolution of several fundamental policy issues. Thus, at
this time, we oppose the proposed FIPS in all of its parts. Well over 200
EFF members are also critical of the Proposed FIPS. We believe this
demonstrates the depth of public concern about the implementation of key
escrow systems.
EFF is a nonprofit, public interest organization whose public
policy mission is to ensure that the new electronic highways emerging from
the convergence of telephone, cable, broadcast, and other communications
technologies enhance free speech and privacy rights and are open and
accessible to all segments of society.
Introduction
Widespread, affordable cryptography is vital for the protection of
individual privacy in the Information Age. As more and more personal
information flows around electronic networks, we all need strong encryption
to safeguard information from unwanted intrusion. Personal information,
such as health care records, private communications among friends and
families, and personal financial transactions, will also travel over this
information infrastructure. The business community can only make full use
of the infrastructure if it is assured that the data it transmits is secure
from unauthorized interception. In short, if communications in the new
infrastructure are vulnerable, all of our lives and businesses would be
subject to both damaging and costly privacy and security losses.
Resolve Policy Issues and Objectives Before Promulgating Technical Standards
EFF has been in ongoing dialogue with NIST, the White House, and
Congress regarding the very complex public policy choices raised by
cryptography policy. We are hopeful that this dialogue will result in a
positive, comprehensive set of cryptography and privacy policies. But
until these issues are resolved, we believe any approval of technical
standards is premature. Among the public policy issues to be resolved are
the following:
1. Guaranteed Continued Legal Use of All Forms of Encryption
When the Clinton Administration announced the Clipper Chip, it
assured the public that this would be a purely voluntary system. We must
have legal guarantees that Clipper is not the first step toward prohibition
against un-escrowed encryption. Yet the Administration has not offered any
such guarantees, either in the form of proposed legislation or even agency
rules.
2. Identity of Escrow Agents
When Clipper was first proposed, some in the Administration
suggested that one of the two escrow agents would be a government agency
and the other a private, non-governmental organization. Now it appears
that plans for a private escrow agent have been dropped in favor of NIST
and the Department of Treasury, though there is still no final designation
of agents. We are unable to comment on the security or reliability of
escrow procedures proposed here when we do not know who will be
administering the escrow databases. We also note that there is active
consideration of having more than two escrow agents. This option should be
explored from a policy perspective before a technical standard is adopted.
3. Legal Rights of Escrow Users
If individuals do choose to deposit their keys with the government,
or any other escrow agent, they must have some legal recourse in the event
that those keys are improperly released. However, the most recent draft of
escrow procedures specifically states:
"These procedures do not create, and are not intended to create, any
substantive rights for individuals intercepted through electronic
surveillance, and noncompliance with these procedures shall not provide the
basis for any motion to suppress or other objection to the introduction of
electronic surveillance evidence lawfully acquired."
Leaving users with no recourse will discourage use of the system and
provides little disincentive against unscrupulous government behavior.
In the Proposed FIPS, NIST also suggests an unusual and, we
believe, incorrect notion of what an escrow agent is. The Proposed FIPS
adopts the incomplete definition of an escrow system found in Webster's
Dictionary. The Proposed FIPS states:
To escrow something (e.g., a document, an encryption key) means that it is
"delivered to a third person to be given to the grantee only upon the
fulfillment of a condition." (Webster's Seventh New Collegiate
Dictionary).
This definition omits the very basic notion that an escrow agent has
responsibilities to those who deposit things of value in the escrow
account. Black's Law Dictionary, which we believe may be a more
appropriate source of information about escrow relationships, states that
an escrow contract is an:
Agreement between buyer, seller, and escrow holder setting forth rights and
responsibilities of each.
It is the general legal rule that one who deposits value with an escrow
agent is entitled to recover damages from the escrow agent in the event of
a breach of the agent's duty of care:
Depositor is entitled to recover damages sustained because of escrow
agent's unwarranted act, and where grantee participates in wrongful
delivery he also may be liable, but recovery is limited to damages actually
attributable to wrongful delivery. Collier v Smith (Mo App) 308 SW2d 779.
(See ANNOTATION: Who must bear loss resulting from defaults or peculations
of escrow holder. 15 A.L.R.2d 870.)
The notion of an escrow agent who is insulated from all liability to the
depositor is wholly alien to American law and custom. The government may,
of course, seek to establish escrow agents free of legal liability, but
this is fundamentally a policy choice, not a matter of technical standards.
Until there is some agreement on the real responsibilities of the escrow
agents, NIST is not in a position to set technical and operating standards.
4. Open, Trusted Standards
A key goal of the Clipper Proposal is to promote widespread
encryption in the marketplace. Yet people will not use encryption unless
they trust it. Secret standards such as Clipper cannot be evaluated by
independent experts and do not deserve the public trust. Other parties,
including Whitfield Diffie of Sun Microsystems, have commented extensively
on this issue. EFF fully subscribes to those remarks.
Insufficient Technical and Operating Information Available for Comments
Even aside from the major policy issues left unanswered, the
Proposed FIPS itself lacks the detail necessary to allow full public
comment. First, the full operating procedures for the escrow agents have
yet to be issued. Public comment must be sought on the complete
procedures, not just the outline presented in the draft FIPS. Even the
government-selected algorithm review group has declared that it needs more
information on the escrow process. Second, asking for comments on an
algorithm that is classified makes a mockery of citizen participation in
government decision-making.
Action on the Proposed FIPS Must Be Delayed to Allow Completion of
Public-Private Consultation Mandated by Presidential Decision Directive
President Clinton's announcement of the Clipper initiative made
very clear that there should be "early and frequent consultations with
affected industries, the Congress and groups that advocate the privacy
rights of individuals as policy options are developed" (April 16, 1993
Press Statement). EFF and other organizations have invested significant
effort in dialogue and policy review with the Administration. We have made
some progress, but many issues remain unresolved. EFF believes that for
NIST to rush forward with a FIPS in advance of resolving the fundamental
policy issues cited above would prematurely curtail the dialogue that the
President ordered.
Finally, NIST will be involved in making many critical decisions
regarding the National Information Infrastructure. The next time NIST
solicits public comments, it should be ready to accept reply by electronic
mail in addition to paper-based media. Over 200 of EFF's members e-mailed
comments to our offices, which we then printed and hand-delivered to NIST.
We hope that in the near future, NIST and other federal agencies will be
prepared to accept comments directly via the Internet.
Respectfully Submitted,
Jerry J. Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel
******************************
Sarah L. Simpson
Membership Coordinator
Electronic Frontier Foundation
1001 G Street, NW
Suite 950 East
Washington, DC 20001
202/347-5400 tel
202/393-5509 fax