Text File | 1994-02-22 | 11KB | 164 lines
"The Data Security Furor"
*Information Week* Magazine Feb. 14, 1994
BUSINESS FIGHTS THE CLINTON ADMINISTRATION'S PROPOSED DATA
ENCRYPTION POLICY
Big Brother is watching but he's not satisfied with the view. The
Clinton administration, in a move that has infuriated everyone from Wall
Street information system executives to Internet cyberpunks, is attempting
to set a new data encryption standard for the United States.
The standard is to be based on the "Clipper chip," a microprocessor
that when linked to a telephone or data terminal can scramble a
conversation or document so it can be deciphered only by the intended
recipient -- and the government. That's because the Clipper chip
contains a "back door" that permits federal agents to unscramble
coded messages.
And that has everyone from Congress to Silicon Valley up in arms.
Sen. Patrick Leahy (D-Vt.) is planning hearings on the matter, and at least
three other members of Congress are preparing legislation to overturn
aspects of the Clinton encryption policy. Some 10,000 Internet users
have already signed an online petition opposing Clipper, and about 1,000
signatures a day are being added. Meanwhile, officials from eight top
software companies have sent the administration a letter opposing key
aspects of its data security program.
Federal officials say that by requiring law enforcement officers to
present a court order to two separate agencies to get permission to decode
Clipper-encrypted transmissions, they will prevent security breaches and
maintain current legal protections against unlawful wiretapping.
SECRET LISTENING POSTS
But, according to National Security Agency expert James Bamford,
U.S. businesses have reason to worry, particularly if they have offices in
other countries. The NSA operates under a law that protects U.S.
citizens and U.S. corporations from surveillance unless there is a
connection with a foreign entity.
"To target a U.S. company, the NSA needs a warrant from a secret
court, the Foreign Intelligence Surveillance Court," Bamford says.
"This court has been in existence for 20 years and has issued only
one public document. In its entire history, this little-known court
has never turned down a request. It is very easy to present a case
that impresses these judges, and very hard for the government to lose."
Although the agency refuses to comment publicly on such matters,
Bamford and others say the NSA already operates secret listening posts
across the country, including one in Sugar Grove, VA., where international
telephone signals are intercepted and then shipped by cable or microwave
to NSA headquarters in Fort Meade, MD.
But it's not just the possibility of government interference that has
the business community angry. It's also that business doesn't want to
trust a technology it didn't develop and can't test. "We're not sure
how secure it is," says Brian Moir, an attorney who represents telecom
users opposed to the policy.
The Clinton administration counters that the new encryption standard
is voluntary for the private sector. But that's ridiculous, respond
opponents, who point to the U.S. government's enormous buying power. That,
they say, combined with an export ban on most encryption devices, will
dictate which encryption technology is available to everyone.
Law enforcement and security officials claim that the Clipper standard
and the export controls are necessary to maintain law enforcement and
national security standards. The Clinton administration, citing national
security concerns, feels confident that it has struck a balance. "Our
policy is designed to provide better encryption to individuals and
businesses while insuring that the needs of law enforcement and national
security are met," declares Vice President Al Gore.
But few outside the administration are convinced. In public
comments, only a handful of corporate and legal representatives favored
the policy, while more than 300 were vehemently opposed. Almost 40
security and privacy experts signed a letter of opposition addressed
directly to President Clinton. And the CEOs of Microsoft, Lotus,
Novell, and Apple pleaded with Gore to lift the export ban on encryption.
The restrictions cost the software industry some $9 billion in annual
sales, says the Business Software Alliance.
The financial services industry, the largest commercial user of
encryption technology, is concerned that government efforts to force a
new encryption standard could hurt its ability to compete abroad.
"The banking industry has deep concern about the feasibility of this
standard for our worldwide customer base," says Michael Packer, managing
director of financial services technology at Bankers Trust New York Corp.,
the nation's seventh-largest bank. "You can't use a different standard
just inside the U.S.," adds Steve Katz, former chairman of the American
Bankers Association's Data Security Committee. Both Katz and Packer also
believe that it could be very difficult and costly to adopt the Clipper
standard.
For industry, the cost of creating different systems for different
marketplaces "gets confusing," says Bob Bales, executive director of the
National Computer Security Association in Carlisle, PA. "There are a lot
of hidden expenses in coming up with a U.S. version, an exportable
version, and a multinational version of an [encryption] system."
VENDORS TAKE A BEATING OVERSEAS
Lotus, for example, already includes one of today's de facto
encryption standards -- RSA -- in Notes. Because of the export ban,
however, Lotus must make a separate version of Notes for overseas markets.
Other vendors have simply lost business. Digital Equipment says it lost
as much as $70 million in systems integration contracts one year because
of export restrictions.
The effects of the export ban could be long-term. While
administration officials say they have no plans to outlaw other encryption
standards such as RSA, many think that will eventually happen. "The
government will put Clipper in place voluntarily for maybe five years,"
says David Sobol, counsel for the Computer Professionals for Social
Responsibility (CPSR). "Then they'll argue that no citizen should
have any problem with outlawing non-Clipper devices."
And there are doubts over how much security Clipper affords. For one
thing, in order to implement the plan, the government must build and
maintain two sprawling databases. "There have been too many cases where
someone's paid a government employee 50 bucks," to breach security,
says David Banisar, a policy analyst with the CPSR.
There are also questions about just how badly security and law
enforcement agents need new access to tap into voice and data
transmissions. For instance, according to documents obtained by the CPSR
under the Freedom of Information Act, no FBI field office has ever
reported any difficulties tapping digital telephone networks. "It's not
like we're talking about secret nuclear weapon command systems," Sobol
says. "It's the public telephone network."
-Mary E. Thyfault with John P. McPartlin and Clint Wilder
=========================================================================
SIDE BAR BY JOHN P. MCPARTLIN
=========================================================================
A Pretty Good Argument for Privacy
If the government wants to make Clipper an encryption standard, does
that mean other encryption alternatives may soon be outlawed? Phillip
Zimmerman certainly thinks so.
Zimmerman, president of Boulder Systems Corp. and developer of the PGP
(Pretty Good Privacy) electronic-mail encryption program, was visited last
February by two U.S. Customs Agents, who inquired in depth about PGP and
how it came to be published on the Internet. The agents had heard reports
that the program had been accessed over the network and copied by Internet
users in other countries. To the agents, this meant the program had been
exported. And because encryption technology is classified as munitions by
the government, the posting of the program on the Internet could be
construed as illegal.
According to Zimmerman, the government wants to limit the availability
of other encryption options, particularly robust ones, to promote the
Clipper standard. "If the government tries to outlaw encryption in the
U.S., that would be controversial," he says. "But the government regards
the export of encryption as less controversial. And since software
manufacturers don't like to make software they can't export, they won't
put heavy-duty encryption into their software and encryption development
will therefore be stalled."
Zimmerman says he created PGP in 1991 as freeware, when the government
was considering a mandate that all electronic devices be equipped with the
"back doors" for law enforcement access. He maintains that the creation of
a government-designed information infrastructure and the simultaneous
imposition of the Clipper chip standard could be a lethal combination
against civil rights. "We are at a crossroads now," he points out, "and
we have to decide if we are going to build an infrastructure that would
facilitate a police state."
Zimmerman, who has been lobbying in Washington in support of
pro-encryption bills, says he is amazed at how the Clipper chip has united
people from across the computer spectrum, from leftist cyberpunks to
Wall Street MIS executives. "What other political issue has that
broad an appeal?" he asks.
Zimmerman had no comment on the status of the Customs
investigation, and the agency itself could not be reached for comment
at press time.
For now, the latest version of Zimmerman's PGP for DOS, PGP23A,
is still accessible over the Internet and has quickly become a de facto
E-mail encryption standard. It is available via anonymous FTP at numerous
sites, including soda.berkeley.edu, in the /puiblic/cyberpunks/pgp
directory.
=========================================================================
=========================================================================