John Armitage on Sat, 18 Sep 1999 05:17:06 +0200 (CEST)



<nettime> FW: Decoding the Crypto Policy Change


-----Original Message-----
From: Cyber Society [mailto:CyberSociety-owner@listbot.com] 
Sent: Friday, September 17, 1999 2:42 PM
To: Cyber Society
Subject: Decoding the Crypto Policy Change


Cyber Society - http://www.unn.ac.uk/cybersociety

Decoding the Crypto Policy Change
by Declan McCullagh 

3:00 a.m.  17.Sep.99.PDT
Why did the Clinton administration cave on crypto? What caused the
nation's top generals and cops to back down this week after spending the
better part of a decade warning Congress of the dangers of
privacy-protecting encryption products? 

Why would attorney general Janet Reno inexplicably change her mind and
embrace overseas sales of encryption when as recently as July she warned
Congress of the "rising threat from the criminal community of commercially
available encryption?" 

It can't simply be that tech firms were pressing forward this fall with a
House floor vote to relax export rules. National security and law
enforcement backers in the Senate could easily filibuster the measure.
Besides, Clinton had threatened to veto it. 

It could be the presidential ambitions of Vice President Gore, who just
happened to be in Silicon Valley around the time of the White House press
conference Thursday. Still, while tech CEOs can get angry over the
antediluvian crypto regulations Gore has supported, they regard Y2K
liability and Internet taxation as more important issues. 

Another answer might lie in a little-noticed section of the legislation
the White House has sent to Congress. It says that during civil cases or
criminal prosecutions, the Feds can use decrypted evidence in court
without revealing how they descrambled it. 

"The court shall enter such orders and take such other action as may be
necessary and appropriate to preserve the confidentiality of the technique
used by the governmental entity," Section 2716 of the proposed Cyberspace
Electronic Security Act says. 

There are a few explanations. The most obvious one goes as follows:
Encryption programs, like other software, can be buggy. The US National
Security Agency and other supersecret federal codebreakers have the
billion-dollar budgets and hyper-smart analysts needed to unearth the bugs
lurking in commercial products. (As recent events have shown,
Microsoft Windows and Hotmail have as many security holes as a sieve after
an encounter with a 12-gauge shotgun.) 

If the Clinton crypto proposal became law, the codebreakers' knowledge
could be used to decipher communications or introduce decrypted messages
during a trial. 

"Most crypto products are insecure. They have bugs. They have them all the
time. The NSA and the FBI will be working even harder to find them," says
John Gilmore, a veteran programmer and board member of the Electronic
Frontier Foundation. 

Providing additional evidence for that view are Reno's comments on
Thursday. When asked why she signed onto a deal that didn't seem to
provide many obvious benefits to law enforcement, she had a ready
response. 

"[The bill covers] the protection of methods used so that ... we will not
have to reveal them in one matter and be prevented, therefore, from using
them in the next matter that comes along," the attorney general said. 

Funding for codebreaking and uncovering security holes also gets a boost.
The White House has recommended US$80 million be allocated to an FBI
technical center that it says will let police respond "to the increasing
use of encryption by criminals." 

Another reason for the sea change on crypto is decidedly more
conspiratorial. But it has backers among civil libertarians and a former
NSA analyst who told Wired News the explanation was "likely." 

It says that since the feds will continue to have control of legal
encryption exports, and since they can stall a license application for
years and cost a company millions in lost sales, the US government has a
sizeable amount of leverage. The Commerce Department and NSA could simply
pressure a firm to insert flaws into its encryption products with a back
door for someone who knows how to pick the lock. 

Under the current and proposed new regulations, the NSA conducts a
technical analysis of the product a company wishes to export. According to
cryptographers who have experienced the process, it usually takes a few
months and involves face-to-face meetings with NSA officials. 

"This may be a recipe for government-industry collusion, to build back
doors into encryption products," says David Sobel, general counsel for the
Electronic Privacy Information Center and a veteran litigator. 

Sobel points to another part of the proposed law to bolster his claim: It
says any such information that a company whispers to the Feds will remain
secret. 

That section "generally prohibits the government from disclosing trade
secrets disclosed to it [by a company] to assist it in obtaining access to
information protected by encryption," according to a summary prepared by
the administration. 

Is there precedent? You bet. Just this month, a debate flared over whether
or not Microsoft put a back door in Windows granting the NSA secret access
to computers that run the operating system. 

While that widespread speculation has not been confirmed, other NSA back
doors have been. 

In the 1982 book The Puzzle Palace, author James Bamford showed how the
agency's predecessor in 1945 coerced Western Union, RCA, and ITT
Communications to turn over telegraph traffic to the feds. 

"Cooperation may be expected for the complete intercept coverage of this
material," an internal agency memo said. ITT and RCA gave the government
full access, while Western Union limited the number of messages it handed
over. The arrangement, according to Bamford, lasted at least two decades. 

In 1995, The Baltimore Sun reported that for decades NSA had rigged the
encryption products of Crypto AG, a Swiss firm, so US eavesdroppers could
easily break their codes. 

The six-part story, based on interviews with former employees and company
documents, said Crypto AG sold its security products to some 120
countries, including prime US intelligence targets such as Iran, Iraq,
Libya, and Yugoslavia. Crypto AG disputed the allegation. 

"It's a popular practice. It has long historical roots," says EFF's
Gilmore. "There's a very long history of [the NSA] going quietly to some
ex-military guy who happens to run the company and say, 'You could do your
country a big favor if...'" 

Could the security flaw be detected? Probably not, said Gilmore, who
during a previous job paid a programmer to spend months disassembling
parts of Adobe's PostScript interpreter. "Reverse engineering is real
work. The average company would rather pay an engineer to build a product
rather than tear apart a competitor's." 

Source: Wired News.



#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net