"The Data Security Furor"
*Information Week* Magazine, Feb. 14, 1994

BUSINESS FIGHTS THE CLINTON ADMINISTRATION'S PROPOSED DATA ENCRYPTION POLICY

Big Brother is watching, but he's not satisfied with the view. The Clinton administration, in a move that has infuriated everyone from Wall Street information systems executives to Internet cyberpunks, is attempting to set a new data encryption standard for the United States. The standard is to be based on the "Clipper chip," a microprocessor that, when linked to a telephone or data terminal, can scramble a conversation or document so it can be deciphered only by the intended recipient -- and the government. That's because the Clipper chip contains a "back door" that permits federal agents to unscramble coded messages.

And that has everyone from Congress to Silicon Valley up in arms. Sen. Patrick Leahy (D-Vt.) is planning hearings on the matter, and at least three other members of Congress are preparing legislation to overturn aspects of the Clinton encryption policy. Some 10,000 Internet users have already signed an online petition opposing Clipper, and about 1,000 signatures a day are being added. Meanwhile, officials from eight top software companies have sent the administration a letter opposing key aspects of its data security program.

Federal officials say that by requiring law enforcement officers to present a court order to two separate agencies to get permission to decode Clipper-encrypted transmissions, they will prevent security breaches and maintain current legal protections against unlawful wiretapping.

SECRET LISTENING POSTS

But, according to National Security Agency expert James Bamford, U.S. businesses have reason to worry, particularly if they have offices in other countries. The NSA operates under a law that protects U.S. citizens and U.S. corporations from surveillance unless there is a connection with a foreign entity. "To target a U.S.
company, the NSA needs a warrant from a secret court, the Foreign Intelligence Surveillance Court," Bamford says. "This court has been in existence for 20 years and has issued only one public document. In its entire history, this little-known court has never turned down a request. It is very easy to present a case that impresses these judges, and very hard for the government to lose."

Although the agency refuses to comment publicly on such matters, Bamford and others say the NSA already operates secret listening posts across the country, including one in Sugar Grove, VA., where international telephone signals are intercepted and then shipped by cable or microwave to NSA headquarters in Fort Meade, MD.

But it's not just the possibility of government interference that has the business community angry. It's also that business doesn't want to trust a technology it didn't develop and can't test. "We're not sure how secure it is," says Brian Moir, an attorney who represents telecom users opposed to the policy.

The Clinton administration counters that the new encryption standard is voluntary for the private sector. But that's ridiculous, respond opponents, who point to the U.S. government's enormous buying power. That, they say, combined with an export ban on most encryption devices, will dictate which encryption technology is available to everyone.

Law enforcement and security officials claim that the Clipper standard and the export controls are necessary to maintain law enforcement and national security standards. The Clinton administration, citing national security concerns, feels confident that it has struck a balance. "Our policy is designed to provide better encryption to individuals and businesses while insuring that the needs of law enforcement and national security are met," declares Vice President Al Gore. But few outside the administration are convinced.
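The "two separate agencies" arrangement described above is a form of split key escrow: each agency holds only one component of a chip's key, and only the combination of both, each released against a court order, recovers it. The following is an added illustration written for this reprint, not code from the article or from the Clipper program; it models the split with a simple XOR secret split and a toy keystream cipher (the real chip's cipher, its key-escrow data format and the agency names are not reproduced here, and the chip serial and message are constructed sample values).

```python
import hashlib
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the chip's cipher: XOR data with a SHA-256 keystream.
    Illustration only; it is not the cipher the Clipper chip used."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split a key into two escrow components. component_a is uniformly
    random, so either component on its own carries no information about
    the key: both agencies' holdings are required to rebuild it."""
    component_a = os.urandom(len(key))
    component_b = bytes(k ^ a for k, a in zip(key, component_a))
    return component_a, component_b

def recombine(component_a: bytes, component_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(component_a, component_b))

class EscrowAgent:
    """One of the two escrow agencies (hypothetical model). It releases a
    component only against a court order that names the same chip serial."""
    def __init__(self, name: str):
        self.name = name
        self._components: dict[str, bytes] = {}
    def deposit(self, chip_serial: str, component: bytes) -> None:
        self._components[chip_serial] = component
    def release(self, chip_serial: str, court_order: dict) -> bytes:
        if court_order.get("chip_serial") != chip_serial or not court_order.get("signed"):
            raise PermissionError(f"{self.name}: no valid order for chip {chip_serial}")
        return self._components[chip_serial]

def demo() -> tuple[bytes, bytes]:
    """Returns (plaintext recovered with both components, result with one only)."""
    chip_serial = "CHIP-0001"                      # constructed sample value
    unit_key = os.urandom(16)                      # programmed into the chip at manufacture
    comp_a, comp_b = split_key(unit_key)
    agency1, agency2 = EscrowAgent("Agency 1"), EscrowAgent("Agency 2")
    agency1.deposit(chip_serial, comp_a)
    agency2.deposit(chip_serial, comp_b)
    ciphertext = keystream_xor(unit_key, b"wire transfer approved")  # constructed message
    order = {"chip_serial": chip_serial, "signed": True}
    recovered = recombine(agency1.release(chip_serial, order), agency2.release(chip_serial, order))
    # A single leaked component (e.g. from one compromised agency) does not decrypt.
    return keystream_xor(recovered, ciphertext), keystream_xor(comp_a, ciphertext)
```

The second value returned by demo() shows why a breach at one agency alone does not expose traffic, while the court-order check shows where the legal protection is enforced in this model.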
In public comments, only a handful of corporate and legal representatives favored the policy, while more than 300 were vehemently opposed. Almost 40 security and privacy experts signed a letter of opposition addressed directly to President Clinton. And the CEOs of Microsoft, Lotus, Novell, and Apple pleaded with Gore to lift the export ban on encryption. The restrictions cost the software industry some $9 billion in annual sales, says the Business Software Alliance.

The financial services industry, the largest commercial user of encryption technology, is concerned that government efforts to force a new encryption standard could hurt its ability to compete abroad. "The banking industry has deep concern about the feasibility of this standard for our worldwide customer base," says Michael Packer, managing director of financial services technology at Bankers Trust New York Corp., the nation's seventh-largest bank. "You can't use a different standard just inside the U.S.," adds Steve Katz, former chairman of the American Bankers Association's Data Security Committee. Both Katz and Packer also believe that it could be very difficult and costly to adopt the Clipper standard.

For industry, the cost of creating different systems for different marketplaces "gets confusing," says Bob Bales, executive director of the National Computer Security Association in Carlisle, PA. "There are a lot of hidden expenses in coming up with a U.S. version, an exportable version, and a multinational version of an [encryption] system."

VENDORS TAKE A BEATING OVERSEAS

Lotus, for example, already includes one of today's de facto encryption standards -- RSA -- in Notes. Because of the export ban, however, Lotus must make a separate version of Notes for overseas markets. Other vendors have simply lost business. Digital Equipment says it lost as much as $70 million in systems integration contracts one year because of export restrictions. The effects of the export ban could be long-term.
While administration officials say they have no plans to outlaw other encryption standards such as RSA, many think that will eventually happen. "The government will put Clipper in place voluntarily for maybe five years," says David Sobol, counsel for the Computer Professionals for Social Responsibility (CPSR). "Then they'll argue that no citizen should have any problem with outlawing non-Clipper devices."

And there are doubts over how much security Clipper affords. For one thing, in order to implement the plan, the government must build and maintain two sprawling databases. "There have been too many cases where someone's paid a government employee 50 bucks," to breach security, says David Banisar, a policy analyst with the CPSR.

There are also questions about just how badly security and law enforcement agents need new access to tap into voice and data transmissions. For instance, according to documents obtained by the CPSR under the Freedom of Information Act, no FBI field office has ever reported any difficulties tapping digital telephone networks. "It's not like we're talking about secret nuclear weapon command systems," Sobol says. "It's the public telephone network."

-Mary E. Thyfault with John P. McPartlin and Clint Wilder

=========================================================================
SIDE BAR BY JOHN P. MCPARTLIN
=========================================================================

A Pretty Good Argument for Privacy

If the government wants to make Clipper an encryption standard, does that mean other encryption alternatives may soon be outlawed? Phillip Zimmerman certainly thinks so. Zimmerman, president of Boulder Systems Corp. and developer of the PGP (Pretty Good Privacy) electronic-mail encryption program, was visited last February by two U.S. Customs agents, who inquired in depth about PGP and how it came to be published on the Internet.
The agents had heard reports that the program had been accessed over the network and copied by Internet users in other countries. To the agents, this meant the program had been exported. And because encryption technology is classified as munitions by the government, the posting of the program on the Internet could be construed as illegal.

According to Zimmerman, the government wants to limit the availability of other encryption options, particularly robust ones, to promote the Clipper standard. "If the government tries to outlaw encryption in the U.S., that would be controversial," he says. "But the government regards the export of encryption as less controversial. And since software manufacturers don't like to make software they can't export, they won't put heavy-duty encryption into their software, and encryption development will therefore be stalled."

Zimmerman says he created PGP in 1991 as freeware, when the government was considering a mandate that all electronic devices be equipped with "back doors" for law enforcement access. He maintains that the creation of a government-designed information infrastructure and the simultaneous imposition of the Clipper chip standard could be a lethal combination against civil rights. "We are at a crossroads now," he points out, "and we have to decide if we are going to build an infrastructure that would facilitate a police state."

Zimmerman, who has been lobbying in Washington in support of pro-encryption bills, says he is amazed at how the Clipper chip has united people from across the computer spectrum, from leftist cyberpunks to Wall Street MIS executives. "What other political issue has that broad an appeal?" he asks.

Zimmerman had no comment on the status of the Customs investigation, and the agency itself could not be reached for comment at press time. For now, the latest version of Zimmerman's PGP for DOS, PGP23A, is still accessible over the Internet and has quickly become a de facto E-mail encryption standard.
It is available via anonymous FTP at numerous sites, including soda.berkeley.edu, in the /puiblic/cyberpunks/pgp directory.

=========================================================================
=========================================================================