
CPSR "explains" why Cantwell bill doesn't matter much - a rebuttal



I'm finding myself, unfortunately, needing to respond to a widely
distributed article of sorts from the 3.05 issue of CPSR Alert.
The article was unsigned, so I can't address it to anyone by name.

The article states:

>Some people have been given the impression that the Cantwell bill is a
>response to the Administration's Clipper initiative and that passage of
>the legislation would effectively put the Clipper issue to rest.
>Because of the confusion surrounding this proposed legislation, we
>think it's important to provide some clarifying information.

Avoiding the passive verb structures, this can better be rephrased as
"Some people have assumed that..."  People are not given impressions, they
_form_ impressions themselves.

It is indeed important to clarify information.  However the attempt to do
so that I see here does not in fact clarify.

To wit:

>Indeed, there is no provision in H.R. 3627 that would in any way
>rescind the Administration's recent decision to adopt key-escrow
>Clipper technology as the government encryption standard. The
>legislation would do precisely what Rep. Cantwell said it would do --
>relax restrictions on the export of strong encryption products outside
>of the United States.

To my knowledge, no one in the know has suggested that the purpose of the
Cantwell bill is to "rescind" the Clipper EES.  It is plain from a
reading of EFF's material on the subject, Cantwell's own commentary on the
bill, and, of course, the bill itself, that HR 3627 is not intended to
directly challenge Clipper (unlike Senator Leahy's proposed hearings, also
supported by EFF), but is intended to liberalize export restrictions,
pulling an important rug out from under Clipper/Skipjack's metaphoric feet.

If one cares to read the mass of Feb. 4 documents issued by the White
House, Dept. of State, and other agencies, it is abundantly clear that
clamping down export restrictions on all cryptographic products, except
those supporting the Administration's EES, is a major part of the proposed
Clipper deployment plan.  It's been more than adequately debated over the
last several months that such a clampdown is necessary if Clipper is
to be a so-called success.  The measure is aimed at making it difficult
for any non-EES crypto application to compete with Clipper, thereby
establishing Clipper as a de facto standard.

Given this, _any_ attempt to reduce export restrictions is a positive move
for privacy-advocates to support, and serves as a strong, though indirect,
countermeasure against Clipper.

>Some have suggested that passage of the Cantwell bill would create an
>environment in which it is less likely that Clipper will become the de
>facto encryption standard within the United States. This view was
>expressed by the Electronic Frontier Foundation (EFF) and several large
>corporations in a letter to the President last December which expressed
>"tentative" support for Clipper on a "voluntary" basis. 

The writer of the message I am replying to here is well aware that this
entire matter has been thoroughly dealt with and fully explained.  I've
done this so many times, I am hesitant to do so again, but these recurring
misinterpretations leave me little choice but to clarify one more time:

From EFF's Dec. 8 Cryptography and Policy Statement:

>>[There] was a misunderstanding of what the DPSWG offered the
>>administration in this proposal [the letter referred to above], leading to
>>the belief that both the DPSWG (a coalition of over 50 computer,
>>communications, and privacy organizations and associations) and its
>>principal coordinating organization, the Electronic Frontier Foundation,
>>have offered to ease their opposition to Clipper.
>>
>>We see it as a pragmatic effort to get the government to wiggle on
>>these issues: one step in the right direction, with many more to
>>follow.  This step is that we insist that use of Clipper and key
>>escrow must be completely voluntary.  It's not voluntary if users of
>>the Skipjack algorithm are forced to use key escrow.  It's not
>>voluntary if users who do choose escrow are forced to use the
>>government's choice of escrow agents.  It's not voluntary if
>>manufacturers such as AT&T are pressured into withdrawing competing
>>products.  It's not voluntary when competing products can't be sold in
>>a worldwide market.  It's not voluntary if the public can't see the
>>algorithm they are "volunteering" to use.  It's not voluntary if the
>>government will require anyone to use Skipjack or escrow, even when
>>communicating with the government.
>>...
>>But NSA is digging in, and a legislative fight looks more likely.
>>If diplomacy fails, EFF must fight for our rights.  Thus, we are
>>going to need all the allies we can find, from IBM, Apple, Lotus,
>>and Sun, to cryptographers, cypherpunks, and folks on the net.
>>
>>EFF wants the public and the Administration to know (as we have
>>frequently stated to them face to face) that the Electronic Frontier
>>Foundation would fight to the end any attempt by the Administration to
>>do any more than let companies use Clipper if they want and to let people
>>buy it if they want -- and only in a market which has other strong
>>encryption schemes available because export controls have been lifted.

If one actually reads this, one finds that our definition of "voluntary",
which has been made _very_ clear to the Administration in repeated
face-to-face meetings, stipulates:
  1) no forced key escrow, and no forcing of governmental-only escrow for
     even those that _want_ key escrow
  2) no governmental pressure on the marketplace
  3) no export restrictions
  4) no classified algorithm 
  5) no FIPS standard, and no forcing _anyone_, even govt. agencies, to 
     use it.

In other words, if the entire Clipper scheme were reworked such that
Clipper was nothing more than the open, _truly_ voluntary, publicly
examinable successor to DES - a quite innocuous govt. crypto standard -
then and only then would EFF and the Digital Privacy and Security
Working Group offer its "tentative" support.

Please keep in mind that, barring secret NSA backdoors, there is nothing
inherently "bad" or "wrong" about the Clipper/Skipjack encryption.  Only
the methodology involved is reprehensible and unAmerican.  

>CPSR dissented from this position in a subsequent letter to the President
>and expressed its opposition to the Clipper proposal under any
>circumstances.

Please note that EFF also signed this letter.  Any opposition to CPSR
being perceived here is 100% illusory.

At any rate, I'd also like to point out that the DPSWG letter and the EFF
'93 crypto-policy statement are at this point old history.  They are no
longer applicable (an example line: "It is December, the escrow system is
still uncertain, and the Administration is still drafting a report which
was due in July" - how timely does this sound?)  Dragging such a dead
horse out for another beating is quite unfathomable to me.  I sincerely
hope this will be the very last time I have to clarify this matter, partly
because I'm tired of repeating myself, but mostly because this sort of
inter-organization baiting is counter-intuitive and counter-productive for
all organizations and individuals involved, and could cost us (by which I
mean those opposing Clipper, in general) a lot of credibility.

To continue with the present matter, however:

>While it is possible that the Cantwell legislation would make it less
>likely that Clipper will become the de facto privacy standard, such a
>result is by no means a certainty. It is, in fact, possible that
>passage of the legislation would provide better U.S. encryption
>products overseas than would be available within the United States --
>particularly if, as many fear, Clipper eventually becomes a mandatory
>standard in this country.

This is false on its face.  Please support the notion that crypto which,
somehow, becomes illegalized in this country would be allowed to be
manufactured for export purposes only.  That's absurd; it's like imagining
a "gun control" law that banned using firearms in the US, but encouraged
everyone to buy guns and ship them to other countries.  

At any rate, EFF intends to help see to it that Clipper does _not_ become
mandatory, nor that non-Clipper crypto is outlawed [pretty much the same in
effect].  No ifs, ands or buts about it.  Even beyond this, this scenario
is completely unrealistic, not least because the best crypto in the world
is _already_ available outside the US.  No amount of lawmaking is going to
stop it, short of destroying every computer, phone line, fax machine and
printing press in the country. Even this will not put the crypto genie back
in the bottle anyway.   Fact is, some of the best crypto in the world
wasn't even made in the US in the first place.  Ever heard of IDEA?

>We believe that the Cantwell bill is a step in the right direction, as
>it would remove current disincentives to the development of strong
>encryption products by U.S. companies. 

On this much I think we can be in complete agreement.

>But the proposed legislation is not a panacea --

Of course it isn't.  Please quote anyone saying that it is.

>it would not address the threat to privacy in the United States created by
>the Clipper initiative. Export controls on cryptography are a related
>issue, but they are not central to the Clipper controversy. The
>Administration's adoption of the key-escrow Clipper standard must be
>opposed and reversed.

Export control reform is indeed central to the issue.  Without export
controls, the major market-leverage crutch of the entire Clipper scheme is
ripped away, revealing the "poor lame beggar" act to be a scam.  Law
enforcement doesn't "need" the "protection from terrorists, drug dealers
and child pornographers" supposedly to be provided by Clipper, any more
than the American people need another hole in their privacy.  But you know
that.  If all you mean to say is that the Cantwell bill is not the only way
to fight Clipper, and will not solve all of the problems, you'd be right.  But
why don't you just say so, instead of taking this as yet another opportunity
for grandstanding?  It's unbecoming of an organization on the same side as
the rest of us.

In closing, I'd just like to say that everyone realizes that Cantwell is
not the be-all and end-all of pro-privacy, anti-Clipper action.  You can
bet I added my signature to _your_ petition, and I hope everyone does,
whether it will work or not.  Better to have tried and failed than never
to have lifted a finger.  With that, I must ask you, have _you_ sent in
your letter of support for the Cantwell bill yet?  If not, it's real easy:
State your reasons for supporting the bill, and send them to
[email protected].  The results, already numbering in the thousands, are
regularly printed out and delivered to Rep. Cantwell personally.

With high regard, but a fair amount of exasperation,
S.McC.

"We must all hang together, or assuredly we shall all hang separately."
 - Benjamin Franklin, at signing of Declaration of Independence; July 4 1776

-- 
Stanton McCandlish * [email protected] * Electronic Frontier Found. OnlineActivist
F O R   M O R E   I N F O,    E - M A I L    T O:     I N F O @ E F F . O R G 
O  P  E  N    P  L  A  T  F  O  R  M     O  N  L  I  N  E    R  I  G  H  T  S
V  I   R   T   U   A   L   C  U   L   T   U   R   E      C  R   Y   P   T   O