Re: NSA's Baker to debate key escrow live on AOL, May 26
Date: Thu, 19 May 1994 03:03:31 -0700
From: Phil Karn <[email protected]>
In article <[email protected]>, you write:
|> I've heard Baker. He's not particularly articulate, especially when
|> confronted by another lawyer (viz Karl Auerbach at Interop). He tends
I missed that session, opting to head for the airport before the rush.
What exactly did Auerbach say? Sorry I missed the fun.
I missed it too, so I bought the tapes. This is transcribed from the
tape of the Networld+Interop "The Clipper Chip Controversy" debate
between Baker of the NSA and Weitzman of the EFF. Karl Auerbach was
the first questioner:
Auerbach: Okay, well, my name is Karl Auerbach, and first a
calibration tone. I grew up reading the cases of Sacco and Vanzetti,
and Julius and Ethel Rosenberg, and I remember Kent State, and things
like that. So, do I trust my government? No.
Certain things. First, a technical question. You said that you sent
the chip off to the national labs for reverse engineering. Did anyone
send it to Taiwan? <audience chuckles> Next thing.
Baker: Are these all going to be hypothetical?
A: Did you really try giving it to the experts? I mean, is it really
reasonable to expect that someone isn't going to try to reverse
engineer this thing?
B: I think it's quite reasonable to buy devices with the chip in it
and send it to whomever you'd like. I don't necessarily believe that
I share your belief that you know who has the best technology for
doing this because the people at the national labs get to practice against
someone besides Intel and Motorola. <audience chuckles> Just a response,
A: I'd like to see them have a try. Anyway, getting more to the legal
matters, if I have a clipper phone, it's used by lots of people. And,
does that increase the expectation of privacy which is recognized by
the Supreme Court and what happens to other people -- are we going to
enact parallel legislation that restricts the further use of just
ancillary conversations on the phone by a third party. To make this
work, we're going to have to enact legislation that prohibits the use
of superencryption like PGP. Are we going to do that? And also
A: And also, are we going to allow PGP then? And we're going to
superencrypt it. So that means that your total system is dead.
B: <splutter> I have to ask myself, what is the value to you of
A: So you can't read it!
B: Yeah, that's right <audience laughs, applauds> Of course, but
A: If you want to do police work, get the police to find the key that
the pedophile used to encrypt his file. Get your warrant to look for
that key. He kept it somewhere. It was just sloppy police work that
didn't get the key he's got somewhere <audience applauds>. And I
don't know what piece of information you had that led you to know that
that encrypted file had what you thought was in it. Can you point,
can you specifically articulate reasons that would give you probable
cause to think that that information was in those files? And I might
remind you, the Supreme Court requires that. <audience murmurs,
B: I'm trying to figure out which of your points to address first.
Let me start with the suggestion that superencryption somehow makes
this pointless. I agree that if the government said that the only
kind of encryption you can use is clipper, that superencryption would
be a way of evading some kind of enforcement mechanism designed to
ensure that only clipper encryption was on the system.
A: So if I use PGP then you'll have probable cause to get a warrant?
B: No. First, there's no suggestion, hasn't been a suggestion, you've
got denials left and right, that this is going to be a required
system. If it's not a required system, what's the point of adding PGP
to clipper? You can encrypt with PGP if you want to, and you get
whatever strength PGP gives you. You add to that clipper and the
government has probable cause to decrypt your clipper conversations,
what you have is a single PGP-encrypted conversation, which is as good
as not having bothered going through the clipper encryption at all.
A: No, what I was expecting was that you're going to make the argument
that if we've got clipper, and we find that someone is using PGP in
addition to clipper, that therefore they've got something to hide, and
we'd better go after them.
B: Yeah, I think that's a paranoid suggestion.
A: Well, I'm paranoid, but the government... <Baker chuckles> And the
other thing is, we saw an earlier slide that says that this will only
be available to the federal government. Now, if my statistics memory
is right, most criminals are investigated by state governments. So is
this somehow, what's going to happen with the states? Are they going
to have access to this, or are we going to create more magistrates?
Are we going to deputize all the local police as federal agents?
B: About 37 states have wiretap authority. If they encounter
A: So the first slide lied.
B: I don't think so.
A: So those state police are now federal employees. So this is more
than federal wiretapping, this is state wiretapping as well then? And
I bet there's far more, how many state wiretaps are there per year?
B: I think the 900 includes that. And the wiretapping proceeds in
this country pursuant to federal law. It's regulated by federal law
even when it's done by state authorities. That, probably, is the
answer to the other point you had suggested, which is that we need
some special law to protect third parties who might have conversations
with people. In fact, there are already requirements on the books
that, after all, if you're conducting a wiretap, of John Gotti, you're
always going to get two people in those conversations. There's not
much point in wiretapping him when he's not talking to somebody.
Consequently, if he calls somebody to order pizza, or if his daughter
orders pizza, or talks to her friends, there are already legal
requirements that you cease the recording of those conversations when
they're plainly not related to the crime.
A: And finally in respect to the escrows, since this is personally
identifiable information, I assume that under the privacy act, I have
access to it.
<someone else>: Karl, it's not personally identifiable in the sense
that what the escrow agents maintain is a chip id and an encryption
key and there is not a mapping maintained in the system in general, at
any point, of who bought which device with chip id, so if that's what
you were referring to, I don't think it qualifies as you described it.
<someone else yet>: Let me just add that unfortunately there's a law
enforcement exception to the privacy act, so I think it's an
interesting question whether it is personally identifiable or not, but
either way, there is an exception for an ongoing investigation.
I heard somebody made a good crack to Baker about how he must have
worked for the tobacco companies. Was that Auerbach?
No, that was the person who spoke after him. It was "Mr. Baker, I
just have a very simple question about your position on all this. Do
you ever feel like a cigarette industry executive?" <audience
B: Let me turn that around a little, and I'll ask that about the EFF.
I wonder whether they don't ever feel like the NRA, because in fact,
<audience laughs> the analysis we hear of this issue, and the stuff,
you've all heard it, "they'll get my crypto key when they pry it from
my dead, cold fingers". All that stuff is a deliberate invocation of
the same kind of analysis that gave us the gun policy that we have in
this country. And so I guess if you like the gun policy that the NRA
gave us, I think you're going to love the privacy consequences of the
policies that the EFF is urging on us.
<other>: Isn't that what the United States Constitution says, though?
B: <splutter> I don't think the constitution requires either of these
-russ <[email protected]> ftp.msen.com:pub/vendor/crynwr/crynwr.wav
Crynwr Software | Crynwr Software sells packet driver support | ask4 PGP key
11 Grant St. | +1 315 268 1925 (9201 FAX) | Quakers do it in the light
Potsdam, NY 13676 | LPF member - ask me about the harm software patents do.