It Came From Planet Clipper: The Battle Over Cryptographic Key "Escrow"

Published at page 15 of the 1996 Law of Cyberspace issue of the University of Chicago Legal Forum. Cite as: 1996 U. Chi. L. Forum 15.

© A. Michael Froomkin, 1996. All rights reserved. Send comments to froomkin@law.miami.edu.
Links to author's official homepage and unofficial homepage.

A. Michael Froomkin^{1}

Introduction

The emergence of cryptography as an integral part of modern communications and data storage creates dilemmas for government policy makers. The national interest is clearly well served when citizens have access to secure telecommunications and data storage.^{2} The increased use of computers and computer-aided communications such as local area networks ("LANs") and the Internet means that digitized data plays an increasing role in modern life. This digitized data--which can be anything from business's most valuable trade secrets to copyrighted music to intensely personal information--is particularly vulnerable data: it is easy to copy, and often relatively easy to access also. Routine use of encryption means that businesses are better protected against industrial espionage by competitors and foreign governments.^{3} It reduces information theft and attacks by "hackers" or saboteurs that could theoretically disrupt banking and finance, utilities including telecommunications and the power grid, and even components of the national defense.^{4} Encryption also enhances the ability of citizens to protect their privacy against intrusions ranging from illegal government investigations to nosy relatives.

The greatest dilemma arises from the fact that techniques that protect against illicit eavesdropping and data theft also threaten to prevent licit access to communications and data by law enforcement and intelligence agencies.^{5} The policy dilemma is especially acute in the United States because widespread encryption imposes a particularly severe cost on U.S. intelligence-gathering capabilities. (I use "capability" throughout this Article to mean physical ability, not legal ability. Thus, for example, anyone with a gun who can get within range has the capability of shooting me. That doesn't mean they legally can, morally should, or likely will.) U.S. electronic- intelligence capabilities are presumed to be the best in the world; if so, the U.S. has the most to lose from a move towards a world in which communications traffic is routinely protected with encryption so strong that it cannot be decrypted easily, and perhaps not at all. Widespread high-quality encryption not only lessens the U.S. government's ability to eavesdrop on foreign communications, but threatens to make it difficult, perhaps impossible, to conduct traffic analysis. Where once an encrypted message stood out, suggesting that the sender had something important to hide, now these critical messages risk being camouflaged in a sea of encrypted data.

Encryption policy also involves a subtle interrelationship between domestic and foreign policy. Although there are no legal controls on the production or use of strong cryptographic products by U.S. citizens or residents within the U.S., these products cannot be exported or sold to foreigners. Export control likely retards the spread of cryptography in the U.S.^{6} Conversely, efforts to preserve the domestic wiretapping and data-search capabilities of law enforcement by technical means such as the Clipper chip would risk hampering the sales of U.S. products if comparable local products that are not wiretap-ready are available abroad.

At its deepest level, the encryption dilemma implicates profound questions about the relationships among citizens, and between the citizen and the state. The fundamental issues revolve around trust: whether citizens should be asked to trust the state with the means of acquiring the citizens' secrets, and whether the community and the state^{7} feel they can afford to allow citizens, as well as foreign citizens and foreign states, access to technologies that enhance secret-keeping to the point that police or intelligence agencies might find it impossible to monitor communications or search a computer's hard drive.

This Introduction will briefly sketch the export-control regime as it applies to cryptography, and discuss the evolving goals of U.S. cryptography policy. The three main sections of this paper are each devoted to a phase of the U.S. government's recent attempts to keep the cryptography genie in the bottle in the face of increasing commercial and political pressure to loosen or abolish cryptographic export control. Part I offers a quick summary of the late, unlamented Clipper chip initiative.^{8} Part II describes the Clinton Administration's proposal for software-based key "escrow." Part III, the longest part, begins in section A by discussing recent technical and political changes that make the current export control policy increasingly difficult to maintain. Section B examines the Administration's cryptographic "White Paper" which proposes legislation to require that the national information infrastructure be designed to ensure that any communication, and any transaction, that it facilitates is exposed to possible government monitoring. Section C briefly surveys international initiatives, at least welcomed and perhaps orchestrated by the United States government, that might result in transnational controls on the use of strong cryptography by both citizens and enterprises. Part IV, the conclusion, returns to the subject of trust and discusses Congress's role in the formation of a national cryptography policy. A postscript added shortly before this Article went to press offers a preliminary anlysis of some features of the Clinton Administration's October 1996 encryption proposal.

Overall, this Article aims to describe the issues in a rapidly changing and complex legal and technical debate. It also identifies significant legal and technical issues that current government proposals do not resolve. Rather than attempt to prescribe the content of a solution, however, the prescriptive portion concentrates on policy-formation procedures likely to be conducive to a resolution of the debate.

A. Goals and Challenges for U.S. Crypto Policy

For the past two decades or more, a major goal of U.S. cryptography policy--to the extent that the U.S. has had one^{9} --has been to prevent strong mass- market cryptography from becoming widely available abroad, with export controls being the primary tool used to achieve this end. Primary responsibility for determining export-control policy fell to the National Security Agency, which determined policy in part in consultation with other participants in the Coordinating Committee for Multilateral Export Controls ("COCOM") group.^{10} At home, the government has pursued a more schizophrenic policy, seemingly torn between embracing the benefits of cryptography for domestic security and the national economy,^{11} while simultaneously being unwilling to accept that the natural consequence of this policy is a reduction in the wiretapping and electronic investigatory powers of the law enforcement and intelligence agencies. These conflicting goals culminated in an unsuccessful attempt to convince the public to accept the Clipper chip, a device that offered the user superior encryption capabilities at the price of ensuring continued government access to encrypted communications.^{12}

Although the Clipper chip failed to catch on, the long-term policy of which it is a part seems to have accomplished at least its objective of playing for time. Export control rules have had an effect on the domestic market for products with cryptographic capabilities such as e-mail, operating systems, and word processors. Largely because of the ban on export of strong cryptography, there is today no strong mass-market standard cryptographic product within the U.S. even though a considerable mathematical and programming base is fully capable of creating one. Windows 95, for example, does not come with cryptographic capabilities.

There are many cryptographers and computer hardware and software vendors outside the U.S., but U.S. companies such as Microsoft have large and often dominant market shares in important world markets; notably operating systems, word processors, e-mail systems, spreadsheets, and groupware.^{13} A policy that affects the U.S. software industry thus has world-wide consequences which are felt at home as well as abroad. Export controls are ostensibly aimed only at foreigners. There are no legal restrictions on the domestic purchase or use of strong cryptography by U.S. citizens and permanent residents.^{14} But by preventing the export of strong cryptography, the government slows its domestic use because many U.S. software vendors are reluctant to produce different domestic and export versions of their products.^{15} Most manufacturers profess to believe that foreign customers will resent, and perhaps reject, a "crippled" export version of a product and say they therefore choose to have one standard version for all countries.^{16} Software makers wish to minimize the number of versions of their products so as to make maintenance and upgrading as simple as possible. As a result of these commercial and practical constraints, the U.S. mass market has ended up with the same relatively weak cryptography that the U.S. government permits to be exported.

Cryptographic algorithms ordinarily use a key to encrypt a message. Standard, single-key, ciphers use the same key to encrypt and decrypt a message. Some modern public-key ciphers use two keys, each of which encrypts messages that can only be decrypted by the other. All other things being equal,^{17} the strength of a secure cryptographic algorithm is proportional to the length of the key used to encrypt messages, a figure that is usually expressed in bits. Data Encryption Standard ("DES"), the official U.S. encryption standard, which is not freely exportable but has for some time been the de facto international standard also, uses fifty-six-bit keys, although there is reason to doubt that DES is sufficiently strong to prevent a reasonably determined attacker with a fast computer from decrypting a DES message in minutes.^{18} The domestic versions of Netscape World Wide Web browsers use one hundred twenty-eight-bit keys when in secure mode. In contrast, the export versions of Netscape use relatively weak, forty-bit encryption because longer keys would require an export license.^{19}

B. Export Control: The ITAR

The export of strong cryptographic tools from the US is governed by the International Traffic in Arms Regulations ("ITAR").^{20} The ITAR control the export of items listed on the U.S. Munitions List (USML), and are administered by the Office of Defense Trade Controls in the Department of State. The Commerce Department administers the Export Administration Regulations ("EAR"), which regulate the export of so-called "dual-use" items listed on the Commerce Control List (CCL).^{21} Products offering data authentication, password protection, and access control are usually listed on the CCL. As an initial matter, products capable of encrypting a message are listed on the USML unless the product is restricted to financial uses such as ATMs. However, the State Department has the authority to transfer jurisdiction over export applications for any encryption product to the Commerce Department, and sometimes does so in a Commodity Jurisdiction (CJ) determination, if it determines that the product no longer needs case-by-case review. Products that fall under the EAR can be exported under a general license; products that fall under the ITAR need a separate license application and review which ordinarily involves a referral to the Defense Department and the National Security Agency. The State Department routinely transfers jurisdiction over cryptographic products that use keys of forty bits or less to the Commerce department "after a one-time review to ensure that the algorithm is implemented properly."^{22} Exactly why the threshold is set at forty bits is unclear. "Most likely, it was the result of a set of compromises that were politically driven by all of the parties involved."^{23}

Under the current ITAR regime, applications to export cryptographic software designed to encrypt messages with keys stronger than forty bits are generally denied, although authentication products that cannot be adapted for encryption, or which are designed for specific favored applications such as banking, tend to receive official export clearance.^{24} Applications to export DES,^{25} which uses fifty-six-bit encryption, are also often denied.^{26} Applications for stronger products are considered to have little chance of approval. In theory, export controls are intended to prevent foreigners from acquiring cryptographic systems that are strong enough to create a serious barrier to traffic analysis, or that are difficult to crack.^{27} In practice, although the ITAR have failed to prevent the spread of strong cryptography--algorithms and software created in the United States routinely and quickly find their way abroad, and foreigners create their own--the ITAR are widely considered to have prevented the emergence of a mass- market, international standard, cryptographic product.^{28}

Indeed, uncertainty as to whether a given cryptosystem would be approved for export discourages software manufacturers from including strong cryptography.^{29} The conventional wisdom in the highly competitive software industry holds that any delay may be fatal to a new product's marketability.^{30} Routine export applications are approved quickly, but an ambitious application can meander though the administrative appeals process.^{31} Since the government's objection to the export of products using keys in excess of forty bits, for other than specified exceptions such as banking or data authentication, is well known in the industry, many firms do not bother even to apply, and simply produce products they know can be exported.^{32} U.S. producers of cryptographic software have become so cynical about the government's export policy that many declined to respond to a government survey designed to measure the extent of their concern about export control "because they were skeptical of efforts by the Government to accomplish anything of value related to encryption."^{33}

The ITAR are controversial, and suits to have them declared unconstitutional as applied to the export of cryptographic source code have been filed in district courts in California and Washington, D.C. The California court held that an algorithm expressed in source code is protected speech,^{34} a ruling that seems to lead inexorably to a decision that the ITAR are unconstitutional. The D.C. court dismissed a similar claim on political question grounds, and the decision is currently being appealed to the D.C. Circuit.^{35}

While challenges to the ITAR wend their way towards the Supreme Court, technical and political developments are conspiring to make current U.S. export-control policy obsolete. The ever-increasing speed and number of computers make it increasingly cheap and easy to use brute-force methods to decipher messages encrypted with any given key length. Longer and longer keys are thus needed to achieve consistent levels of security, making the forty-bit limit on freely exportable cryptography increasingly obsolete. The accelerating digitization of the world increases the importance of information security. Meanwhile, U.S. dominance of the supply of strong cryptographic hardware and software may be about to disappear.

Against this background, the Clinton Administration has labored mightily to preserve what it can of the data acquisition capabilities of law enforcement and intelligence agencies.

I. The Clipper Chip: Technical and Bureaucratic Innovation

With the Clipper chip the United States government hoped it had solved the encryption policy dilemma. The government introduced Clipper with an inventive strategy to manipulate information-processing standards, circumvent both Congress and the Administrative Procedure Act ("APA"), and rig the market for encryption devices. Despite this, the strategy failed when the public refused to buy or use the product. A companion product, the Capstone Chip implemented in the Fortezza card,^{36} has fared somewhat better, but is far from market dominance.

In an effort to ensure the continuation of its law- enforcement-related searching and wiretapping abilities and its espionage-related electronic eavesdropping capabilities, the government devised the Clipper chip^{37} for secure telephones and the Capstone Chip- based Fortezza PCM-CIA card^{38} for secure e-mail and file encryption. Use of the chips was and is voluntary: U.S. citizens remain free to use any cipher they wish, so long as the software or hardware remains in the U.S. In February 1996, about two years after the Administration originally promised to promulgate a personal use exception, it became legal to take strong cryptographic programs abroad, on a laptop computer for example, for personal use.^{39} It continues to be illegal to give or sell strong cryptography to foreigners without first obtaining an export license, which can be difficult or impossible to obtain.^{40} However, U.S. law currently imposes no restriction on sending encrypted messages abroad, regardless of the strength of the encryption. The ITAR prohibit the export of the means to encrypt messages, not the messages themselves.

In both Clipper and Capstone, the government offered the public a carrot and a catch. The carrot was that both chips use SKIPJACK, a classified symmetric-key^{41} encryption algorithm^{42} with an eighty-bit key. SKIPJACK is certified as reliable by the NSA and is probably stronger than any alternative using a comparable key length; given its longer key length, SKIPJACK is certainly much stronger than the most widely used symmetric-key cipher, fifty-six-bit DES.^{43} Market pressure for a substitute for DES is building because the cipher is now widely believed to be too weak for high-security applications due to advances in computer processing power,^{44} although DES remains appropriate when very top- quality security is not required.

The catch in Clipper/Capstone was that the government would keep a copy of the keys--the unique codes belonging to each chip- -thus allowing it to retain the ability to intercept every message sent using the chip. The government set out relatively elaborate procedures that it said would reduce the risk that the keys would be released to law enforcement agencies without legally sufficient justification, such as a valid wiretap authorization,^{45} but the long-term efficacy of these procedures was debated. Whatever their technical merits, the government's proposals for safeguarding the keys remained vulnerable to a change in administration policy. The procedures were not based on any specific legislative authorization. The agencies that issued the relevant rules described them as procedural rules, not substantive rules, and issued them without APA notice and comment. As a result, the government retained the absolute right to change the rules at any time, perhaps without public notice.^{46}

The Clipper/Capstone proposal was notable for both technical and bureaucratic innovations. The two most important technical innovations, other than SKIPJACK itself, were the reliance on "tamperproof"^{47} hardware to make it difficult to reverse engineer a chip and construct rogue Clipper telephones or Fortezza PCM-CIA cards,^{48} and the construction of "escrow" protocols for the Clipper and Capstone chips. The bureaucratic innovations were at least as significant. In the process of bringing forward the Clipper proposal the federal government defined a federal information processing standard that didn't describe a standard, circumvented both Congress and the Administrative Procedure Act, and attempted to use government market power to create a de facto standard because no statute gave it the authority to create a mandatory standard.

A. Key "Escrow" in Clipper

The Clipper chip makes it possible for the government to decrypt a telephone call encrypted with a Clipper telephone by putting essential information into "escrow." The use of the term escrow is a misnomer, since the "escrow" is for the benefit of law enforcement, not the parties to the communication, but the term has achieved wide currency, and we seem to be stuck with it.^{49}

Escrow in Clipper works as follows.^{50} Every Clipper chip bears a unique serial number and has a unique encryption key (the "chip-unique key") that is burnt in by the manufacturer under secure conditions.^{51} The chip-unique keys are split into two pieces with each half held by an "escrow agent." Currently the two escrow agents are NIST, in the Department of Commerce, and the Treasury Department's Automated Systems Division.^{52}

When Alice initiates a secure Clipper communication with Bob, the two Clipper chips first agree on a one-time session key^{53} for the communication. They then exchange Law Enforcement Access Fields ("LEAFs"), a stream of bits that carries the data law enforcement would need to get access to the session key for that telephone call. To prevent "rogue" encryption, Clipper chips will not communicate with each other until they exchange valid LEAFs.^{54}

Clipper would be worthless if unauthorized users could use the LEAF to defeat the Clipper chip. To prevent this, the session-key data in the LEAF is itself buried under two layers of encryption. First, the chip encrypts the session key with the chip-unique key. Then the chip appends its unique serial number and a checksum, and re-encrypts the entire data set with the family key, a key common to all Clipper chips, but--in theory-- known only to authorized law enforcement personnel.

Suppose that Louis, an FBI agent, has a Title III^{55} judicial wiretap authorization^{56} to monitor Alice's telephone calls. After recording the call and determining it to be Clipperized, Louis must obtain a special decrypt processor that has the family key. Louis can then use the processor to recover Alice's Clipper chip's serial number and the encrypted session key. Armed with the serial number and the appropriate legal authorization,^{57} Louis can request that the two escrow agents give her the halves of Alice's chip-unique key; by putting these keys together, Louis is finally able to decrypt the session key and then decrypt the conversation.

Four aspects of this escrow procedure are particularly notable. First, both escrow agents must cooperate in order for Louis to be able to decrypt Alice's telephone call with Bob. So far as we know,^{58} possession of the family key and half of the chip-unique key^{59} is of no value in decrypting Alice's message. Second, once Louis has Alice's chip-unique key, she can use it to decrypt all of Alice's subsequent Clipperized telephone calls, overhearing both parties,^{60} regardless of who Alice is talking to or which party initiated the conversation. Third, although the security of Alice's Clipperized telephone calls is permanently^{61} compromised, Bob's communication security is unaffected, except when he talks to Alice, because Louis does not at any time have access to Bob's chip-unique key. Fourth, the federal escrow agents respond only to requests from authorized state or federal law enforcement or intelligence agencies. Even Alice herself cannot get access to her key if she needs it for some reason.^{62}

B. Key "Escrow" in the Fortezza Card and the "Pile of Keys" Problem

The mechanics of key escrow in Fortezza have received considerably less attention than have the mechanics of Clipper. This is a pity because while Clipper has been reduced to a curiosity,^{63} the Capstone-based Fortezza card has been adopted as the standard of the Defense Messaging System, giving it a projected installed base of two million users.^{64} Capstone-based PCM-CIA cards are in production and available for purchase by U.S. residents.

Fortezza and Clipper are similar in that both have a device- unique key that is used to generate a LEAF containing an encrypted version of the session key. This chip-unique key can be recovered from escrow by authorized government agents. But Fortezza has significant differences from Clipper because the Capstone Chip is designed to do different things from Clipper. While Clipper is exclusively for real-time encryption in telephones, a Fortezza PCM-CIA card inserted into a computer can generate pseudo-random numbers, encrypt e-mail, and produce digital signatures.^{65} In addition to the symmetric chip-unique key used by SKIPJACK to generate the LEAF, Fortezza also has other public/private keys that can be used for e-mail or for transmitting a SKIPJACK key to a correspondent. These public/private keypairs are not escrowed with the government but may be escrowed with a private company.^{66}

The similarities between Fortezza and Clipper mask a substantial difference. If Louis, an FBI agent, has a Title III judicial wiretap authorization to monitor Alice's e-mail, she goes through steps identical to a Clipper request^{67} to get access to Alice's outgoing e- mail. This procedure is of no value, however, if Louis wants access to Alice's incoming e-mail as well. The reason for this is a little complex, but it is important. When two Clipper chips want to communicate in real time, they agree on a session key,^{68} which they both use for that telephone call. The LEAF-generation scheme used in Clipper relies on both chips knowing the session key, and on having both chips exchanging different LEAFs, each containing the session key. Thus, if Louis has a warrant allowing her to hear Alice's phone calls, Louis can recover the session key from either LEAF. Because the two Clipper chips work in synch, Alice's chip- unique key suffices to hear both sides of the conversation. E- mail doesn't work like that. When Bob sends an e-mail to Alice, his Capstone chip is not in direct communication with Alice, and his chip must therefore select the encryption key on its own.^{69} As a result, although Bob's chip may send out a valid LEAF, it is not synchronized with Alice's chip, and Louis cannot be certain of making Alice's chip emit a LEAF containing the session key when she reads Bob's e-mail. It follows that unless Louis can somehow get access to Alice's private key the only way that she can read Bob's message is to also get the escrow agents to give her Bob's chip-unique key. If Alice gets lots of e-mail, Louis may end up compromising a large number of Capstone chips' security, leading to the "pile of keys" problem.^{70}

In summary, as in the Clipper chip case, both escrow agents must cooperate in order for Louis to be able to decrypt Alice's Capstone-encrypted e-mail. Also like Clipper, the federal escrow agents respond only to requests from authorized state or federal law enforcement or intelligence agencies. Unlike Clipper, Louis's possession of Alice's chip-unique key allows Louis to decrypt Alice's outgoing mail only, although it also gives Louis the ability to decrypt any messages Alice may have sent before the effective date of the intercept authorization if Louis can find copies of them. Unlike Clipper, in which both sides of the conversation could be heard, none of Alice's incoming mail is automatically affected. Unless Louis can get Alice's private key, which is not escrowed in the Fortezza scheme, the only way Louis can read Bob's encrypted e-mail to Alice is to get the escrow agents to give her Bob's chip-unique key. As a result, if Bob sends just one e-mail to Alice while she is the target of an investigation, Louis may be able to acquire his chip-unique key if the legal system allows her to get it from the escrow agents, which then gives Louis access to all of Bob's e- mail.^{71} As with Clipper, Alice herself cannot get access to her key if she loses or damages her Fortezza card. Since e-mail is sometimes stored for long periods of time, this could be a more serious problem for Alice than was the exclusion of user access in Clipper.

C. Bureaucratic Innovation in the Clipper Plan

The Clipper chip affair produced a number of significant bureaucratic innovations. Each of these innovations appears to have derived from a common source: the absence of Congressional authorization for Clipper combined with a reluctance on the part of the executive branch to involve Congress in the cryptographic policy-making process.

Wielding market power to make policy. A stroke of bureaucratic genius lay at the heart of the Clipper strategy. Congress had not, and to this date has not, given the executive branch the power to control the private use of encryption. Congress has not even given the executive the power to set up an escrow system for keys. In the absence of any formal authority to prevent the adoption of unescrowed cryptography, Clipper's proponents hit upon the idea of using the government's power as a major consumer of cryptographic products to rig the market. If the government could not prevent the public from using nonconforming products, perhaps it could set the standard by purchasing and deploying large numbers of escrowed products. People who wanted to interoperate with the government's machines would naturally buy the same equipment. The existence of a large functioning user base would create further incentives for others to buy the same equipment, as would the existence of the federal government's imprimatur in a Federal Information Processing Standard ("FIPS").^{72} Furthermore, bulk purchases by the government might drive down unit costs to the point that nonescrowed products might find it hard to compete.

Strange FIPS. Clipper was announced by means of a Federal Information Processing Standard, FIPS 185. FIPSs are standards and guidelines that are ordinarily intended to improve the federal government's use and management of computers and information technology, and to standardize procurement of those goods.^{73} Formally, FIPSs apply only to the federal government and some contractors. A FIPS normally describes the device it covers in sufficient detail for the informed reader to distinguish a conforming device from a nonconforming device; indeed, FIPSs exist to provide that guidance. FIPS 185 was unusual in that rather than describing the essential, classified parts of the SKIPJACK encryption system or the LEAF creation method, FIPS 185 stated that conforming devices would be certified by the NSA.^{74}

APA avoidance. Notice of a proposed FIPS is usually published in the Federal Register, with a request for public comments. The final version is also published in the Federal Register. FIPS 185 was no exception. Notice and publication are not, however, required by statute.^{75} The government argues that a FIPS is not with the class of rules to which the notice and comment procedure of section 553 of the APA^{76} applies, and that was particularly true of FIPS 185 since it was, by its own terms, completely voluntary, even for federal agencies.^{77} The formally voluntary nature of the standard was also used to justify the government's decision to refuse to address the concerns of commentators who understood that FIPS 185 was an attempt to coerce the public through market means.

It was a clever strategy. Nevertheless, the Clipper plan was unpopular from its inception and soon withered in the face of public opposition. Capstone on the other hand has had at least some success, albeit not enough to achieve the FBI's goal of ensuring that cryptography imposes no obstacle to law enforcement's legal efforts to acquire the content of electronic communications and stored data.

II. Software Key Escrow

Even as Clipper was being unveiled in 1994, Vice President Gore suggested that the proposal might be modified to allow the export of cryptosystems in which keys were deposited with certified private escrow agents rather than directly with the government.^{78} As it became increasingly clear that the Clipper plan would fail, the administration began to consult industry and other groups about a new proposal linking limited relaxation of export control with modified key escrow. The government called this revised plan "software key escrow,"^{79} or sometimes "commercial key escrow" ("CKE"),^{80} but opponents dubbed it "Son of Clipper" or "Clipper II." Unlike Clipper, which relied on SKIPJACK, the software key escrow plan did not specify any particular encryption algorithm. Instead, the plan contained performance criteria designed to limit applications to at best medium-quality ciphers and to ensure that keys would be accessible when the government presented a lawful request. By mid-1996, however, several technical and political developments cast serious doubt on the viability of the proposal.

The software key escrow proposal combined the functions of key archiving, in which the owner of a key has emergency access to a backup copy of a lost key, with key "escrow," in which the government ensures that someone other than the keyholder has a copy of the key. If Bob has a copy of Alice's key, the government can serve a subpoena on Bob without tipping off Alice that she is the target of an investigation. Ensuring that the key is available from Bob means that the government has a way to decrypt Alice's data that is much easier than subjecting it to a "brute-force" decryption.^{81}

One might ask why a foreign customer would be interested in a cryptographic product designed to be vulnerable to eavesdropping by the U.S. government. The government's proposal suggested that if suitable agreements could be negotiated with foreign governments, the escrow agents could be located abroad, under the control of a foreign government.^{82} Although the proposal itself was silent on the likely content of foreign rules, it was possible to imagine circumstances in which a foreign government would favor escrowed encryption products, or even ban unescrowed encryption, in order to retain its eavesdropping capabilities. Customers in such countries might have no choice but to buy an escrowed product if they wanted relatively strong, legal encryption.

In any event, nothing in the proposal would have allowed the export of products strong enough to defeat brute force decryption by a determined government. The proposal contemplated allowing the export of products using ciphers with a key length of sixty- four bits or less, and only if the product also complied with other onerous criteria designed to prevent users from tampering with it to use unapproved algorithms. Each of these policies imposed significant burdens on the potential marketability of any product in addition to the fundamental problem that users would know they were buying a product designed to allow government access to their secrets. In particular, software makers desiring export clearance for products using encryption between forty and sixty-four bits would be required to:

(1) Refuse to publish their source code. This requirement is a significant obstacle to the sale of a security product because it means that outside experts are unable to verify the implementation of the algorithm. The proposal would have allowed firms to publish their algorithm and to publish input-output tables allowing users to check that the product really used the advertised algorithm, but these concessions were far from sufficient. There is much more to evaluating the security of an encryption system than merely proving that it uses DES instead of a simple letter substitution routine. For example, Netscape browsers were recently found to have a bug in their random number generators that resulted in predictable patterns in the numbers used to encrypt communications.^{83} No test using an input-output table could detect this kind of error, but it is no less fatal.

(2) Build in tamper-resistance. The software would have to be designed to fail to run if users changed it in any way. This might have made upgrades more difficult.

(3) Design a means of preventing multiple encryption. The rationale for this requirement was to prevent a DES system from being used to produce 3-DES. In 3-DES a message is encrypted with DES using one key, decrypted with DES using a different key, and then re-encrypted using either the original key or a third key. 3-DES is considered much stronger than ordinary DES and is gradually replacing DES as a de facto international standard for high security civilian encryption.^{84}

(4) Ensure that the product refuses to communicate with unescrowed systems. This feature alone would probably be enough to make the product uncompetitive unless unescrowed systems were very rare or unreliable.

Despite these enormous obstacles to commercial viability, the software key escrow plan was founded on the accurate observation that if businesses began to encrypt their data with strong ciphers, they would need some means to access that data in emergencies. Security professionals call this "key management," but they mean something that is not identical to key escrow. Wise key management involves ensuring access to copies of keys used in the course of business.^{85} For a corporation encrypting its information, fail-safe access to critical data is essential. However, not all keys are equal. Access to the keys that safeguard corporate records might be more important than access to an employee's e- mail, although one could imagine circumstances, such as litigation, in which access to e-mail was necessary to reconstruct a transaction. Keys encrypting telephone conversations might be less important still, although even they might be useful if the firm imagines that it, or the police, might need to eavesdrop on employees in the course of an investigation of fraud or theft.

The software key escrow proposal extended to all keys used in communications, including telephones, but it did not involve the "escrow" of keys used in digital signatures. Indeed, escrow of digital-signature keys would be a very bad idea. For one thing, businesses would have little need to ensure emergency access to keys that give employees the power to do something because a well-designed key management system allows the appropriate authorities to revoke and create individuals' authorizations at will. For example, a corporation might issue digitally signed certificates authorizing the holder of a digital-signature key to sign things in the corporate name or to transact up to a defined dollar limit.^{86} Each digital-signature key is unique, and identifies the persons involved in the transaction just as much as it authenticates them as legitimate corporate representatives. A supplier presented with an employee's digital signature would ordinarily check to ensure that the certificate backing up that signature was valid before relying on it. This authentication usually requires a real-time check on the continuing validity of the corporate certificate.^{87} If the employee's authorization lapsed for any reason, the corporation could easily revoke the certificate, making continuing authentication of the employee's digital signature impossible. As a result, a business using certificated digital signatures in its transactions would never need to forge an employee's digital signature, and would not want to create this capability for anyone else. The company retains control over delegated powers without needing to be able to pretend to be the employee.

Worse, "escrow" of a digital-signature key would tend to undermine one of the most important and useful features of a digital-signature system. So long as the user keeps control of her key, a message digitally signed by the user's key demonstrates beyond almost any doubt that the message was actually sent by that person and that it has not been altered in any way since it was signed. Admitting any challenge to the uniqueness of the signature would introduce a destructive element of doubt to this assurance, and would elevate the claim that a digital signature had been forged from the incredible to the conceivable. To its credit, the Administration recognized this and sought to exclude digital-signature keys from its key escrow proposal.^{88}

Overall, the software key escrow plan sought to expand users' evident need for some sort of key archive in two directions that were less obviously in tune with users' interests. First the plan would have applied to encrypted communications, such as telephone conversations, as well as to stored data, although it was far from obvious that many would have chosen to archive keys used for communication rather than storage. Some companies might reasonably feel that they benefit from having the ability to eavesdrop on their employees. Some companies might reasonably conclude that they are better off if the government can easily investigate employees suspected of misdeeds. For these corporations, fraud prevention might be more important than employee and corporate privacy. Other companies might feel differently. Whatever the corporate view, individuals derive no direct personal benefit from making it possible for the government to tap their telephones, although society as a whole might gain some benefit from the increased effectiveness of law enforcement.

A. Who Holds the Keys

Because the person holding the "escrowed" key is capable of undermining the very security that a cryptographic security system is designed to create, the identity and duties of that keyholder are of paramount importance to anyone whose key is being held in this manner.

As originally formulated, the software key escrow plan appeared to assume that keys would be "escrowed" with an outside party.^{89} Because one of the public objections to the Clipper proposal had been that the government would hold the keys, software key escrow contemplated that someone other than the government--a private escrow agent or the designer of the software--would be allowed to select a private "escrow agent." The plan was silent on critical questions, however, including:

 what security precautions commercial archives or commercial escrow agents would be required to offer;

 the liability of "escrow agents" in the event of

 the loss of a key;

 the compromise of a key, such as where the escrow agent's database is hacked or an employee is discovered to have sold key data;

 the good faith compliance with a facially valid but actually invalid warrant;

 under what circumstances a user could serve as his own escrow agent.

The liability issues were particularly difficult to deduce from the software key escrow proposal because it was unclear to what extent a user's participation in key escrow was truly voluntary. The more that the participation appeared coerced, the further the user-"escrow agent" relationship moved away from simple contract towards state action, and the murkier the liability questions became.

Indeed, the earlier Clipper proposal was notoriously silent on the duties and liabilities of the government escrow agents, leading all too easily to the conclusion that they would be difficult if not impossible to sue in the case of key compromise, and might effectively be accountable to no one. The Attorney General's escrow procedures for Clipper and Capstone state that they "do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance."^{90} In effect, the government disclaimed any reliance interest that a user of a Clipper telephone might have in the government's promise to keep the key secret.^{91} A victim of an illegal wiretap would have a cause of action under Title III against the wiretapper,^{92} but, it seemed, no remedy against the escrow agents, even if the escrow agents acted negligently or failed to follow their own procedures. If nothing else, this precedent suggested that liability rules should be of concern to potential users of key escrow.

Some of the concern over liability might have been alleviated by having private escrow agents take on contractual responsibilities; other answers might have resided in tort law, and still others might have emerged if the courts had considered the escrow agent to be a bailee or a trustee for the key's owner. In the absence of many functioning escrow agents, and in the complete absence of case law, there was at least considerable uncertainty as to what law governed an escrow agent. Worse, from the point of view of a business contemplating the use of an escrowed product, there was no reason to believe that an escrow agent would have sufficient assets to compensate the victim of unauthorized key disclosure for the potentially enormous damage that could be caused by the release of jealously guarded trade secrets and other corporate data.

Some businesses, especially smaller ones without their own security professionals, would likely have felt that they had less risk of unauthorized disclosure if they entrusted their backup keys to outside professionals. Other firms, especially large multinationals with their own security staffs, might have made a different calculation and preferred to hold their own keys; they made this clear to the government when it published its first software key escrow proposal and asked for comments.

The government's response to these comments, unveiled in December 1995, was to clarify its objectives regarding the selection and certification of escrow agents. While agreeing that it would be "beneficial" to criminalize the "abuse of the escrowed key by the escrow agents or others,"^{93} the proposal concentrated on the primary government objectives of "assuring the availability of escrowed keys for properly authorized government officials" in a reliable and timely manner that would not tip off the subject of the investigation.^{94} Recognizing that some organizations or people would want to be their own escrow agents, the proposal required that agents undertake to hold keys securely, and set out general requirements for the secure storage and transmittal of keys. More controversially, the proposal required that each escrow agent:

 employ one or more persons with a "SECRET" clearance;^{95}

 provide a Dun & Bradstreet/TRW number or equivalent credit report pointer and authorization;^{96}

 carry an errors & omissions insurance policy^{97}

 be primarily owned by U.S. citizens if located in the U.S.^{98}

The draft candidly admitted that "[w]e have not yet addressed conditions under which users can be the sole repository of the keys for their system,"^{99} although government speakers at the December NIST meeting indicated that they intended to allow suitable organizations able to comply with all the escrow-agent criteria to hold their own keys. In addition, although the government held out the possibility of foreign escrow agents, at least for foreign users, this possibility was contingent on negotiating appropriate agreements with each foreign government involved.

The requirement that escrow agents employ someone with a SECRET clearance--which had not been stated in the original software key escrow proposal--quickly engendered the greatest controversy, although taken as a group the other requirements were sufficiently burdensome to make it unlikely that any but a good-sized corporation could be its own escrow agent. Critics attacked the SECRET clearance requirement as a device the government could use to manipulate who it would allow to be an escrow agent. Others worried that the requirement could become a means by which the government could control agents' behavior, since agents could be threatened with a loss of their clearance if they did not do what the government wanted.

From the government's viewpoint, however, the SECRET clearance requirement was a necessary element of the key escrow strategy once it became clear that some escrow agents would be outside the government. Under federal regulations, wiretap and other orders issued by the FISA court are classified.^{100} Thus, for example, federal law requires that telephone companies have someone on their staff with a SECRET clearance to receive and comply with FISA court-ordered wiretaps.^{101}

B. Un-Commercial Key Escrow?

By late 1995, the software key escrow proposal had evolved to differ from Clipper in three important respects. First, the plan would allow the export of strong software encryption products, which made it broader and more acceptable to industry than the original Clipper proposal, which had been limited to hardware. Second, rather than allowing the export of the classified SKIPJACK algorithm provided for Clipper, which had an eighty-bit key, software key escrow products would be limited to sixty-four bit products.^{102} The choice of algorithm was welcome, but the sixty-four-bit limitation made the proposal considerably less popular than it might otherwise have been. Third, the government would no longer demand that it hold the keys itself; instead, it offered to certify others to serve as private escrow agents in its stead. As we have seen, however, this offer soon proved to be less open-ended than it first appeared.

As with Clipper, the carrot held out to the software industry, and to users, was that the government might relax export controls. This was a powerful inducement since the ITAR regime imposed a de facto ban on the rapid export of encryption with more than forty-bit keys, and an all but impermeable ban on the export of ciphers stronger than fifty-six-bit DES. The stick was that the government demanded a computationally trivial, if not necessarily legally or procedurally trivial, means of gaining access to information encrypted by an exportable cipher by requiring that decryption keys, or the key fragments needed to reconstruct a key, be deposited with approved escrow agents.

Viewed from a charitable perspective, the software key escrow proposals floated in 1995 were simply cautious. Key escrow would guarantee the government access to encrypted information when it had a lawful order authorizing that access. As the government could get a copy of any escrowed key, it should have been indifferent to the key length. Despite the elaborate system designed to provide the government with the key, it continued to limit exportable cryptosystems to sixty-four bits. When asked why, government representatives would say only that they wanted to proceed with care, since they were not certain that parts of their proposed system, notably the attempt to design tamperproof software, would necessarily work in practice.

Viewed from a less charitable perspective, the conditions in the software key escrow proposal were onerous and uncommercial. The idea of escrow itself was loathed in some quarters. The sixty-four-bit limit was felt to be restrictive, especially when compared to 3-DES^{103} and to IDEA, an increasingly popular 128-bit Swiss cipher. The requirement that escrow agents have a SECRET clearance was not perhaps as restrictive as it appeared, since these clearances are relatively easy to obtain, but the requirement tended to solidify the opposition of those suspicious of the escrow concept to begin with. Most, albeit not all, of the attendees at the NIST meeting in December 1995 who represented businesses wishing to export security products stated that they did not think the rules would allow them to export a commercially viable product.^{104}

III. The Undeath of Key Escrow

Undaunted by the failure of Clipper and the rocky reception accorded software key escrow, the U.S. government returned to its strategy of looking for a lever with which to encourage or force the use of escrowed encryption. Using government market power to set a Clipper standard had failed. Using the carrot of relaxed export control to get software escrow did not seem to be taking the market by storm. Formally, both strategies remain in place, but neither seems likely to resolve the encryption dilemma. The new strategies for key escrow are, if anything, more subtle. On the one hand, the U.S. government now proposes to build escrow into the sinews of emerging networks of electronic commerce; on the other hand, the U.S. government is actively engaged with--or, some say, leading--foreign governments to set up international agreements that promote or require escrow as a condition of allowing transnational use of strong cryptography. The distinction between encouraging escrow and forcing escrow is significant, but the current policy is both evolving and opaque, making it unclear whether encouraging or forcing is the better word to describe the Administration's policy.

A. Evolution of the Key Escrow Debate

Four of the arguments frequently used by supporters of cryptographic export control were weakened, perhaps refuted, in the debates sparked by Clipper and software key escrow. The argument that existing rules allow the export of adequately strong cryptography was undermined by a report by a group of respected cryptographers. The argument that cryptographic export control imposes at most a minor burden on U.S. industry was challenged by a Department of Commerce study. The same study undermined the validity of the assumption that there are no serious foreign competitors for U.S. cryptographic products, as did the announcement of several new foreign sources of brand-name cryptography. Perhaps most importantly, the argument that there are good reasons, known only to those with access to highly classified information, why cryptography needs to be controlled, was decisively repudiated by the National Research Council's cryptography study.

1. Key length

As computers become more powerful, longer and longer keys are needed to provide a consistent level of protection against brute-force attacks. This fact, more than any other, has created pressure to relax the ITAR. A recent report signed by seven leading cryptographers,^{105} Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security, estimated that the forty-bit keys allowed by the ITAR "offer virtually no protection" today, that fifty-six-bit DES "is increasingly inadequate," and that "adequate protection" against "serious threats" requires at least seventy-five-bit keys.^{106} The cryptographers calculated that a standard $10,000 computer could break forty-bit keys in an average of twelve minutes; a standard $10 million machine could do it in an average of less than a second; and optimized single-purpose machines could do the same job even faster and cheaper.^{107}

Whether or not the Minimal Key Lengths conclusions are exactly right,^{108} they are likely to be widely believed. As a result, the Minimal Key Lengths study is likely to shape the perceived security needs of commercial buyers of security products. These users will not be satisfied with fifty-six-bit DES for long, if at all, and are likely to demand key lengths in the seventy-five-bit range suggested by the report in the near future. As a result, the government's willingness to relax the forty-bit limit to sixty-four-bits-plus-escrow in the software key escrow plan is likely to appear quite ungenerous.

2. Effect on Commerce

Encryption is becoming big business, with worldwide sales of encryption products estimated at $1.8 billion for this year. U.S. sales alone are estimated at just under $1 billion. Since a good fraction of this number is sales of hardware products, the software component represents only a small, but rapidly growing, part of the $77 billion world market for packaged software products.^{109}

The Commerce/NSA study confirmed that foreign suppliers of encryption products are selling products advertised to use stronger algorithms, e.g. DES, than can be freely exported from the U.S.^{110} Although the details were not released in the unclassified version of the report, the study suggested that these foreign implementations of DES were "not as secure as some U.S. products." Even so, the report stated, their existence "can have an effect on U.S. industry's competitiveness. . . . Some foreign encryption vendors reportedly use the existence of U.S. export controls on strong encryption to differentiate their products and capture markets from U.S. firms."^{111}

While the foreign demand for encryption is still small, it is growing. The Commerce/NSA study demonstrated that U.S. firms were badly positioned to exploit this market despite dominance in the software industry, in large part because of export control or their self-censoring reaction to the controls. The conclusion that U.S. export controls can give foreign firms a competitive advantage was hardly surprising, but it added weight to the political case for relaxation of export control being mounted by the software industry.

3. Foreign Sources of Encryption Technology

As we have seen, the de facto dominance of the U.S. computer industry has served as a critical component of the twin export- control and escrow advocacy policies of the U.S. government. Although foreign cryptographic products exist, none has been incorporated into a U.S.-made mass-market product. Furthermore, some of the best-known cryptographic products, such as the RSA encryption algorithm,^{112} are themselves produced in the U.S. The absence of familiar brand names abroad has no doubt contributed to the slow spread of strong cryptography.

The cozy assumption that marketable cryptography does not breed outside the U.S. is suddenly less credible than it appeared to be even a year ago. First, reputable non-U.S. manufacturers such as Nippon Telephone and Telegraph have announced that they intend to produce strong cryptographic devices.^{113} Second, U.S.-based companies have announced that they plan to import foreign cryptosystems and sell them under their own label.^{114} Once in the U.S., strong foreign cryptography is no more exportable than the home-grown variety, but some U.S. companies apparently believe that they can structure their production so that non-U.S. clients would be served from offshore production sites and the goods would never fall within U.S. jurisdiction. Third, U.S. companies such as RSA are forming alliances with foreign cryptographers in which the U.S. tradename will be licensed to the foreign supplier.^{115} The foreign product can be either indigenous or an indigenous implementation of a algorithm published in the U.S. since, at least at the moment, it is not an export-control violation to send encryption algorithms abroad in the form of equations printed on paper.^{116}

4. The CRISIS Report

On May 30, 1996, the National Research Council released a prepublication draft of Cryptography's Role in Securing the Information Society ("CRISIS"), emphasizing the cost to the United States of not having strong, widely deployed cryptography in an age of large information-security vulnerabilities that could affect important civilian applications. The Committee that authored the report was drawn from leaders in national security, law, foreign relations, communications, and computer science. The Report is unusually thorough, containing a wealth of information on cryptography and cryptography policy, and its conclusions are likely to shape the cryptography debate.

Indeed, the Report's most important achievement may be that its existence legitimates debate. One argument sometimes heard in defense of key escrow and other controls on cryptographic technology is that "if you knew what we knew, you would agree with us."^{117} The CRISIS Report decisively neutralizes that argument when it states that "the cleared members of the [National Research Council's Committee to Study National Cryptography Policy] (13 of its 16 members) concluded that the debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis."^{118}

The Committee's first recommendation is that "No law should bar the manufacture, sale, or use of any form of encryption within the United States."^{119} As the committee noted, this recommendation conforms to current Administration policy, although this is an area where no administration can bind its successors.

On the question of whether the gains to national security from secure communications and data storage outweigh the losses to law enforcement and national security, the Report concludes that, "on balance, the advantages of more widespread use of cryptography outweigh the disadvantages."^{120} The Report does not, however, recommend that the application of the ITAR to cryptography be discontinued. Instead, it recommends that export controls on cryptography "should be progressively relaxed but not eliminated,"^{121} with most export control on fifty-six-bit DES being removed immediately so long as the products cannot be used to generate 3-DES.^{122}

The decision to draw the line at DES has all the earmarks of a political compromise. The report lists six advantages of DES:

 DES offers a higher level of confidentiality than common forty-bit ciphers, one "adequate to promote broader uses of cryptography."

 DES is certified as secure by the U.S. government. The U.S. government's certification is due to expire in 1997,^{123} and the Report notes that "future certification cannot be assured."^{124}

 DES has been subjected to public scrutiny for more than twenty years and no one has found significant weaknesses in the algorithm.

 DES is in the public domain.

 DES has "high name recognition."^{125}

 U.S. exporters need DES to be on a level playing field with foreign suppliers.

Notably absent from this list is any assertion that DES represents the user's optimal tradeoff between security on the one hand and financial and computer processing cost on the other. Instead, the Committee says DES is "`good enough' for most information security applications and is likely to be good enough for the next decade, because only the most highly motivated and well-funded organizations will be capable of sustaining brute- force attacks on DES during that time."^{126}

In short, fifty-six-bit DES is a lot better than the forty- bit ciphers freely exportable today and was, in the Committee's judgment, the most that one could get. The Report forthrightly admits that "a replacement for DES will eventually be needed," but balances this with the statement that a move to widespread use of DES "may have a negative impact on the collection of signals intelligence"^{127} albeit one that "has well-known and well- understood characteristics."^{128} What this suggests about the U.S. government's ability to do brute-force decryption of DES messages is left to the reader's imagination.

As for encryption products stronger than DES, the CRISIS Report says that they should be allowed to approved end-users, but only when the end-user is willing to "provide access to decrypted information upon legally authorized request."^{129} The recommendation leaves it open to the end- user to determine how to do this, although it notes that "many of them may well choose to use escrowed encryption products."^{130}

The CRISIS Report also proposes that the U.S. government explore using escrowed encryption for internal purposes to "better understand how escrowed encryption might operate,"^{131} and that the U.S. government should "work with other nations" in order to "address the critical international dimensions of escrowed communications."^{132} Despite recommending that the U.S. government work out international escrow agreements and itself serve as an escrow testbed, the NRC committee concluded that "aggressive promotion" of escrowed encryption to the private sector "is not appropriate at this time."^{133} It gave four reasons: First, too little is known about how to implement escrowed encryption to rely on it for a large-scale deployment. Second, because it is too easy to circumvent escrowed encryption schemes, it is unclear how valuable it would be. Third, technologies are changing so rapidly that imposing any system on the market would greatly distort progress in these areas. Fourth, it is unclear whether the market would accept escrow.^{134} This conclusion--neither a rejection nor an endorsement of key escrow--has already proved controversial, as it pleased neither the proponents of escrow^{135} nor its opponents.^{136} It also had no effect on the Administration, which is forging ahead with its plans for escrowed systems.^{137}

The CRISIS Report also makes a number of suggestions as to how the U.S. government could "assist law enforcement and national security to adjust to new technical realities of the information age." In particular it proposes that the U.S. government encourage the use of cryptography for user authentication, document authentication (digital signatures), and secure time stamps.^{138} Each of these suggestions should be uncontroversial.

B. "Clipper III": a Proposal for an (Escrowed) Key-Management Infrastructure

At the close of the December 1995 Key Escrow Issues Meeting, NIST predicted that it would issue new guidelines setting out a relaxation in the export rules for software key-escrow products within a few weeks. The guidelines were then to be turned over to the State Department to implement, either as modifications to the ITAR regime or in some other manner.

More than six months later, neither a new FIPS nor a final draft of the interagency guidelines has yet appeared, suggesting that the interagency group directing export policy--which includes representatives from the FBI, NSA, NIST, and the Executive Office of the President--has been unable to agree on a firm policy. Instead, In May 1996, the Interagency Working Group on Cryptography Policy issued yet another trial balloon, in the form of a draft paper, Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure (the "White Paper").^{139} Its critics quickly dubbed it "Clipper III."

The policy sketched in the White Paper represents a significant departure from Clipper and software key escrow, and not only because for the first time the government made it clear that it was prepared to allow "export of products of any bit length" to foreign markets whose governments have legislated escrow requirements that are at least as comprehensive as the ones proposed for the U.S.^{140} The White Paper also promises to allow self-escrow--but only for corporations, not individuals, and only so long as the escrow facility meets rigorous performance standards. The self-escrow standards repeat those proposed earlier for other escrow agents,^{141} with the additional requirement that there be some guarantee that the person who would be replying to a request for keys would be someone other than the likely target of an investigation.

The most significant element of the new plan, however, is that instead of attempting to define standards for key escrow in hardware or software, the White Paper suggests that the government may attempt to require that escrow be built into the information infrastructure needed for secure electronic commerce. To fully appreciate the significance of the White Paper's attempt to use electronic commerce as the lever to promote key escrow requires some familiarity with public-key cryptography^{142} and its use in electronic commerce.^{143} In a public-key cryptosystem, messages encrypted with one key can be decrypted only with a different key, and vice-versa. A strong public-key system is one in which possession of both the encryption algorithm and one key gives no useful information about the other key and thus no clues as to how to decrypt the message.^{144} The system gets its name from the idea that the user will publish one key, but keep the other one secret. The world can use the public key to send messages that only the private-key owner can read; the private key can be used to send messages that could only have been sent by the key owner.

Secure communications are a prerequisite to the exchange of sensitive commercial or financial information. Public-key cryptography allows Alice and Bob to establish a secure line of communication over an insecure medium, such as the Internet. First, Alice and Bob exchange the plaintext of their public keys. Then, Alice and Bob can each encrypt their outgoing messages with the other's public key and decrypt their received messages with their own secret, private key. All Alice and Bob need to communicate securely, therefore, is compatible encryption software and a secure means of consummating the initial exchange of public keys.

Alas, without some source of independent confirmation, Alice has no way of knowing whether an e-mailed key purporting to be from Bob is from Bob or from an imposter. ^{145} (Bob has the same problem regarding Alice.) Thus, if Alice is prudent she will demand some assurance that she is not e-mailing the details of a tender or the PIN to her online bank account to a malicious stranger who might seek to profit at her expense; this need for assurance is one of the largest obstacles to widespread Internet-based electronic commerce.^{146}

One means of providing assurance that a public key labeled as Bob's really belongs to him and no one else is to set up one or more secure registries of public keys, known as Certification Authorities ("CAs").^{147} A CA might, for example, agree to list public keys in its secure registry only if the person supplying the key provides some identification to authenticate her claims about her identity;^{148} otherwise, someone might be tempted to deposit a public key in the name of Bill Gates and then try to purchase something expensive. Once the CA accepts Bob's identification (and, in most scenarios, charges Bob a small fee), the CA undertakes to supply a cryptographically unforgeable electronic certificate^{149} attesting that "Bob's key" is really his.

Because the CA's certificate is digitally signed with the CA's private key, but is delivered by e-mail or via a World Wide Web page, Alice will need a reliable copy of the CA's public key to authenticate the certificate that certifies to the authenticity of Bob's public key. In effect, the problem of relying on Bob's key is transformed into the comparable problem of relying on the CA's key. This problem, however, is easier to solve because a CA, as a repeat player, will have a much greater interest than Bob in providing an out-of-channel means of authenticating its key. The CA might publish the text of its public key in the newspaper,^{150} or the CA might arrange to have its public key delivered by a trusted intermediary. A list of public keys authenticated by the telephone company might, for example, be inserted into every telephone bill.

Another way for a CA to give Alice the confidence she needs is to have an identifying certificate from a second CA, certifying the first CA's key. CAs that certify other CAs are said to participate in a certificate chain, with a root certificate at the bottom of the tree.^{151} Unfortunately, this just shifts the problem again, onto the validity of the root certificate. Unless a source can be found for the root certificate that gets its trust from outside the insecure network, it is turtles all the way down.^{152}

The White Paper's escrow proposal contemplates the federal government issuing the root certificate for a national Public-Key Infrastructure ("PKI"). CAs that meet licensing requirements would be rewarded with government certification of their keys. These CAs in turn would issue certificates to other CAs, and so on.^{153} That the government might issue the root certificate is not especially controversial,^{154} although it may or may not be of enormous practical significance unless backed by legislation if users prefer flatter certification hierarchies. Many certificates in the private sector might be self-signed or supported by at most one outside organization. The smaller the number of CAs involved in checking the validity of a certificate, the less effort required to confirm the validity of a certificate.^{155} Of course, if participants in the government- certificate hierarchy receive valuable benefits, for example reduced exposure to liability for erroneous certificates,^{156} every CA may want to have its key in a certification chain with the government at its root whatever the increased overhead costs. If federal legislation required that CAs be licensed and that a CA be in the government-backed certificate chain to be eligible for a license, then the government's prediction that users will choose a multilevel hierarchy would become a self-fulfilling prophecy.

Some analysts suggest that as much as 15 percent of all consumer purchases may be electronic by the turn of the century,^{157} but this is unlikely without an information infrastructure that enables secure communication and transactions.^{158} Thus, the Interagency Working Group's suggestion that access to the PKI might be denied to users of unescrowed cryptography is of critical significance. In its starkest form, this proposal could amount to saying that any U.S. resident who refuses to submit to key escrow will be cut out of the emerging electronic market.

Whether the government intends such a stark result is uncertain, both because the White Paper is only a draft and because the report itself is unclear at key points. The White Paper offers principles that it asserts "need to be accepted by government, industry, and other users."^{159} Some of these proposed principles are vague; others are certain to be controversial.

The White Paper proposes that the government promote the development of a PKI, but it makes key escrow the price of admission:

To participate in the network a user needs a public key certificate signed by a CA which "binds" the user's identity to their public key. One condition of obtaining a certificate is that sufficient information (e.g., private keys or other information as appropriate) has been escrowed with a certified escrow authority to allow access to a user's data or communications. ^{160}

The italicized portion of this assertion is unique to the White Paper. No other proposal for a public-key infrastructure currently being discussed in the U.S. requires that all users divulge their private keys to a CA or anyone else.^{161} On the contrary, while other proposals anticipate that users seeking an identifying certificate will have to give the CA evidence of their identity so that the CA can issue the certificate in good faith, they also make it clear that the user has a duty to safeguard the secrecy of her private key.^{162} The White Paper blurs the difference between showing a CA a passport or a corporate resolution granting signature authority to an individual, and giving an outside authority the ability to intercept all of one's communication.

The White Paper qualifies its general assertion that private keys must be divulged to the CA or an escrow agent with a footnote stating that it "applies only to keys used for confidentiality purposes and not keys used for signing purposes."^{163} Indeed, no legitimate law enforcement or intelligence purpose could be served by giving the government or anyone else access to the digital signature private keys belonging to either citizens or corporations.^{164} A digital signature is appended to the cleartext of a message and uniquely identifies the author while unforgeably authenticating the text to anyone who possesses the corresponding public key. Giving Bob or Uncle Sam access to Alice's digital-signature key would allow them to impersonate Alice. As digital signatures become integrated into electronic commerce, a possessor of Alice's private digital-signature key will be able to empty her bank account, sign her name to contracts, and affix a signature she will be hard-put to disclaim to the most detailed "confession" of horrible crimes.^{165}

The Interagency Working Group ("IWG") should be commended for recognizing that, whatever one thinks of the needs of law enforcement and others for access to the contents of encrypted communications, giving anyone a means of access to digital signature keys would undermine confidence in the uniqueness of the digital signature. Oddly, the IWG does not seem to have recognized that this essential caveat creates a technical problem that threatens to undermine the idea of an escrowed PKI. While it is true that some digital signature keys can be used only to sign documents, other algorithms including the RSA algorithm,^{166} which is the de facto industry standard, use keys that are equally effective for signing or encrypting documents.^{167} The Interagency Working Group is left with a Hobson's choice. Either it plans to require escrow of every certificate-backed long, strong, key that can be used either for signing or encryption--and in so doing plans to reduce confidence in the uniqueness of signatures with RSA, one of the most widely used encryption algorithms--or it will allow the PKI to host nonescrowed digital-signature keys that can easily be used to subvert the escrow procedure.

A similar uncertainty as to the Interagency Working Group's actual goals emerges from the principle in its report that should be the least controversial: "Participation in the [key management infrastructure] will be voluntary."^{168} Unfortunately, in the context of the entire White Paper it is difficult to understand whether the Interagency Working Group means anything more than the truism that no one will be forced to use public-key cryptography. It is particularly unclear whether the Interagency Working Group contemplates allowing alternate certificate hierarchies using strong cryptography to exist, and what burdens it hopes to place on any alternatives that survive.

The Interagency Working Group seems to believe that the nongovernmental, escrow-free certificate hierarchies currently being deployed by various private firms should not be allowed to exist beyond a transition period in which "legacy equipments which do not support key recovery"--that is, key escrow--"can be used to communicate with users" of the escrowed PKI.^{169} Apparently, although the report never says so in so many words, the Interagency Working Group believes that after the transition period is over nonescrowed keys will be excluded from the PKI, and the PKI will be designed so that cryptographic products that do not require escrow are prevented from communicating with it.

Exactly how this might be achieved is not explained. One possibility is that the Administration might seek legislation imposing licensing requirements for CAs that require key escrow. The Interagency Working Group states that "Certificate authorities will operate within performance standards set by law"^{170} and that "CAs must meet minimum standards for security, performance, and liability. A Policy Approving Authority (PAA) certifies CAs for operation. The PAA sets rules and responsibilities for . . . setting CA performance criteria to meet law enforcement needs."^{171} This statement could mean that escrow- equipped CAs will have to demonstrate they are ready, willing, and able to provide keys or key fragments, when required to do so. Or, it might mean something more, for example that the PAA will not certify CAs that refuse to escrow their subscribers' private keys and that these CAs will be ineligible for whatever liability safe harbor the rules offer. A third possibility is that CAs that refuse to escrow keys will not be allowed to operate at all. This last version sits oddly with the idea of voluntary participation in the PKI. Even if the PAA is benign, its ability to prescribe policies, and the consequences for CAs of noncompliance, would give the PAA the ability to implement restrictive requirements if a new administration were to decide upon a more restrictive policy.^{172}

The most perplexing statement in the White Paper may be that "Products that operate with an escrowed [public key- management infrastructure] need to be developed with industry taking the lead."^{173} Industry is already "taking the lead" in developing a national key management infrastructure without key escrow.^{174} The Interagency Working Group apparently hopes that it can change this behavior by allowing escrowed products with strong encryption to be exported; if that fails, the threat in reserve is that the national PKI will not communicate with products that do not escrow keys. Neither of these inducements appears sufficiently powerful to produce much of a groundswell for escrow in the face of customer resistance. Export controls matter less to the utility of a PKI than to cryptosystems in general, since the certificates can be freely exported even if the software that produces them cannot. Admittedly, foreign users will not be able to check the validity of a certificate unless they are able to secure a foreign supply of compatible encryption software or hardware. This possibility, however, seems increasingly likely, and means that even foreign users will be able to use U.S. certificates (or that U.S. users will end up buying a foreign product). The domestic market may in any case become large enough to support a large, unescrowed PKI. Similarly, the absence of a government root certificate may be of only marginal consequence so long as nonmembers of the escrowed PKI are otherwise able to compete on a level playing field with CAs that escrow. The domestic market appears capable of growing its own public-key infrastructure--indeed, several competing ones--without a government-approved authority to supply a root certificate. Netscape, for example, includes a certificate option in version 3.0 of its browser software and allows the user to select which of several types of certificates she wishes to accept.^{175} So long as the government does not require them to conform to its policies, private CAs may not care whether they are excluded from the official PKI. On the other hand, if only licensed, escrow-compliant CAs benefit from safe harbors from liability, noncompliant CAs may face significant competitive disadvantages.

The White Paper contemplates a federal role in designing a national public-key infrastructure. Several states, including Utah, Washington, Florida, and California, have already passed digital signature legislation of varying degrees of precision, and other states are considering following suit.^{176} The Utah and Washington acts provide safe harbors from liability for CAs that comply with relatively strict rules regarding bonding, auditing, and performance; CAs that do not comply are left to the tender mercies of the common law.^{177} The Interagency Working Group proposes national legislation "establishing liability protection for certificate authorities who exercise due prudence in the fulfillment of their performance obligations",^{178} but its report does not address the federalism issue. If, however, it becomes federal policy to disadvantage CAs that are insufficiently attentive towards the federal interest in key escrow, the federal law may need to preempt existing and anticipated state efforts to create a hospitable legal climate for CAs. Whether or not it preempts state law, national legislation might encourage standardization among CAs' policies, which could tend to have a healthy effect on electronic commerce.^{179}

Any PKI-based escrow scheme would require federal legislation to determine a number of issues, including:

 the extent of a Title III exemption for escrow agents;

 liability rules for escrow agents; and

 the establishment of the PAA as a federal agency.

Indeed, the Interagency Working Group acknowledges that legislation may be needed to ensure that if an organization acts as its own escrow agent, the person holding the keys is prohibited from tipping off a target that it is the subject of an investigation.^{180} The draft report also notes that legislation should criminalize the unauthorized disclosure or use of an escrowed key and create a civil remedy for an aggrieved keyholder.

C. Possible Moves Towards Global Escrow

International efforts to restrict unescrowed cryptography may be growing just as the domestic pressure increases to relax export control. Indeed, the phenomena may be related in either of two ways. The combination of the ITAR with the U.S. dominance of the mass-market software industry allowed foreign governments to avoid the cryptography issue. In effect, US export control also functioned as import control for foreign governments. Other countries had less need for an explicit ban on strong consumer cryptography because US firms' dominance of the market for operating systems and other potential applications of cryptography tended to stifle the growth of indigenous competitors.^{181} As it becomes increasingly likely that the ITAR will be relaxed, or possibly even eliminated,^{182} foreign governments may feel increased pressure to grapple with the cryptography issue.^{183} Alternately, the increased interest of some foreign governments in sponsoring international controls on strong cryptography might be the result of a U.S. government effort to jumpstart domestic escrow policy by orchestrating an international clamor for a domestic policy that otherwise would be more difficult to sell.

Foreign governments have expressed interest in controlling the use of strong cryptography within their borders. France "has the most comprehensive cryptologic control and use regime in Europe, and possibly worldwide,"^{184} although these laws are generally not enforced.^{185} France recently passed legislation to relax its currently strict control on the domestic use of encryption products--but only if a key to the product is escrowed in France with one of a small number of escrow agents certified by the French government.^{186} Russia has not yet embraced escrow, but Russian President Boris Yeltsin issued a decree banning unauthorized encryption.^{187} The edict bans the development, import, sale, and use of unlicensed encryption devices, as well as "protected technological means of storage, processing and transmission of information."^{188}

In contrast, the current UK policy statement begins with the promise that it "is not the intention of the Government to regulate the private use of encryption"^{189} although it goes on to describe a system of licensing and regulation for trusted third parties so as to "engender trust" in them while balancing "the commercial requirement for robust encryption services," the need to protect users, and the need of "intelligence and law enforcement authorities to retain the effectiveness of warranted interception."^{190} Japanese policy appears to be moving even further in the direction of decontrol. Former NSA General Counsel Stewart Baker describes a market-driven "emerging Japanese consensus" that encryption is a major technology essential to "Japan's penetration of the Global Information Infrastructure" and warns that unless Japanese policy alters as a result of participation in international policy discussions it "could pose a major challenge" to U.S. escrow policy.^{191}

At the international level, the European Community ("EC") has proposed a project to establish a European network of trusted third parties under the control of member nations that seems to resemble the UK proposal. In the EC scheme users may choose to deposit their keys with trusted third parties, in which case the keys are subject to subpoena, but the EC proposal does not suggest that escrow should be mandatory.^{192} In 1995 the Council of Europe resolved that member nations' criminal procedure laws should be "reviewed with a view to making possible the interception of telecommunications and the collection of traffic data in the investigation of serious offenses against the confidentiality, integrity and availability of telecommunications or computer systems."^{193} The same resolution also advised that "[m]easures should be considered to minimise the negative effects of the use of cryptography on the investigation of criminal offenses, without affecting its legitimate use more than is strictly necessary."^{194} Where the line should be drawn, and whether governments should do more than "consider" the measures, the resolution does not say.

The Organization for Economic Cooperation and Development ("OECD") intends to negotiate multilateral cryptography guidelines by the end of 1996.^{195} OECD deliberations are not open to the public, and there appears to be no public information about the likely shape of the guidelines. The OECD did, however, hold public meetings with outside experts in Canberra, Paris, and Washington, D.C. Some participants in those meetings report that the OECD seems to be considering an escrow-based system,^{196} but another says that the governments did not appear to be in agreement: Scandinavian countries were "prominent among the doubters," and "Japan also showed little interest in controlling encryption."^{197} The official U.S. government position is that "We are encouraged . . . by recent discussions we have had at the Organization for Economic Cooperation and Development (OECD) that are leading to international cryptography management principles which support [key escrow]."^{198}

Whatever it decides, the OECD resolution is likely to be influential. If the OECD member nations were to unite in favor of escrow, it would greatly aid the U.S. government's attempt to make key escrow the norm. The lack of reliable information about the OECD proceedings highlights a key point about the OECD as a forum for deciding social policy. It is not a democratic organization. The executive branch of the U.S. government selects the U.S. delegation; the U.S. delegation will presumably reflect existing U.S. policy. The executive branch is committed to escrow, although there is little evidence that Congress has a considered view of the issue. Nor is there much evidence that the issue has popular salience, although the U.S. escrow policy has a small and, it seems, growing band of opponents drawn from the software industry and the civil liberties lobby. As a result, the executive branch is selling, and helping to shape, an international policy that does not have wide support at home.

The OECD has no legislative power of its own. Any OECD resolution would need to be implemented by appropriate U.S. legislation or regulation. The ITAR (to the extent that they are constitutional) derive from valid statutes, but neither Clipper, software key escrow, nor the White Paper approach have been approved or authorized by Congress. It is unlikely to have escaped U.S. policy makers that one way to sell escrow to a potentially skeptical Congress is to present it as the considered fruit of an international consensus against a common threat of lawlessness or terrorism. Those who believe the escrow policy is right are likely to call this statecraft; those who disagree would probably use a different term.

IV. The Trust Deficit

The struggle over encryption policy is bound up in hopes and fears. The government warns of projected crime waves and feared losses to intelligence gathering. Neither, so far as one can tell, has yet to come to pass. Nevertheless the Administration apparently considers the risk sufficiently great to justify complex maneuvers to shape the development of a nascent industry. Meanwhile, would-be producers and exporters of cryptographic products forecast immense sales, and suggest that cryptography will be built in to any important commercial or social activity that involves a computer. To date, however, the dollar value of cryptographic sales remains fairly low. For their part, cyber- savvy civil libertarians suggest that encryption is a tool that, deployed sufficiently widely, can protect citizens against unwarranted government and corporate intrusions into personal lives. So far, however, a sufficiently large critical mass of users has yet to appear. Thus, each of these perspectives involves an extrapolation. Each vision projects a future in which different hopes or fears predominate. Each vision, however, shares a common supposition that cryptography's importance to society will increase dramatically.

The "widespread [nongovernment] use of cryptography in the United States and abroad is inevitable in the long run."^{199} The Chairman of the National Research Council's cryptography-policy study committee, Kenneth Dam, is surely correct when he describes the response to this reality as being more a policy crisis than a technology crisis.^{200} As the committee stated,

National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law. Only a national discussion of the issues involved in national cryptography policy can result in the broadly acceptable social consensus that is necessary for any policy in this area to succeed. A consensus derived from such deliberations, backed by explicit legislation when necessary, will lead to greater degrees of public acceptance and trust, a more certain planning environment, and better connections between policy makers and the private sector on which the nation's economy and social fabric rest.^{201}

This is a tall assignment. The key-escrow debate is a particularly acute product of a trust deficit that is national in scope and extends far beyond cryptography. Secrets are most appealing when trust is lacking. Rational citizens concerned about state intrusions into their privacy will be more likely to clamor for the type of protection that cryptography offers as their trust in the state decreases. In a democratic society where many citizens' trust in government and other institutions has been badly bruised, if not shattered,^{202} only the most democratic, straightforward, and open process of policy formation could hope to persuade people that the government deserves to have the means to hear every conversation and read every document--even when the government requires legal process to do so. The number of lawful wiretaps is increasing annually,^{203} and one can expect even more rapid increases if computer-aided speech and voiceprint recognition improve to the point that expensive human interventions can be decreased.^{204}

The more that citizens feel they cannot trust the state, the more reason the state may have to fear its citizens. The more that the state fears its citizens, the more citizens may come to believe that they have something to fear from the state. Perceptions can become as important as realities. The state may seek expansive surveillance capabilities because it is sincerely concerned about a foreign threat, or about domestic terrorism. Once citizens engage in "threat analysis" of their government, however, they may see themselves as possible targets of surveillance.

The Administration's hopes of persuading the nation that the government should be trusted with the means of acquiring the people's secrets have been undermined by differences in opinion within the Administration. As a result, the Administration has been unable to speak with one voice. For example, soon after the White House announced that the Administration had no plans to restrict the use of cryptography within the U.S., FBI Director Freeh commented that "[i]f five years from now . . . what we are hearing is all encrypted material that the FBI is unable to decipher, then the policy of relying on voluntary compliance with [escrowed encryption] will have to change."^{205}

The Administration has also been hampered by the inconsistency and lack of clarity that characterize its proposals. First the Administration seeks to manipulate markets to achieve its objects. Then it celebrates the role of "industry taking the lead" in developing escrowed products. Then it proposes a new agency, a PAA,^{206} with a vague mandate to regulate an important segment of industry. Meanwhile, agencies such as NIST and the Interagency Working Group organize elaborate consultation processes, solicit input from affected industries and the public, and then ignore most of what is said.

One can wonder whether any process of policy formation could be equal to the challenge of persuading fin de siècle America to trust the government with its secrets. So far the process has certainly not been up to the job. Instead of being part of a carefully framed national cryptography policy, Clipper, software key escrow, and the White Paper represent hastily designed, if nonetheless technically and bureaucratically elegant, stopgaps in the face of a worldwide cryptographic upheaval. Although the Administration's actions have remained carefully within the letter of the law, its tactics have been too manipulative to have any hope of seeming legitimate. Clipper sought to use government standard-setting and buying power to rig the encryption market. Software key escrow sought to hitch escrow to business's need for data security. Now, the White Paper proposes that escrow be built in to the sinews of electronic commerce.

Clipper was rejected, and software key escrow is unlikely to have a major effect on the market even if it is not abandoned. It is too soon to tell what will happen to the attempt to build escrow into the PKI proposed by the White Paper, but the number of unanswered questions, and the inherent tension between the White Paper's emphasis on control and its emphasis on market solutions, suggest this policy too will either evolve or die (or both). Whether any of these policies would be publicly acceptable is perhaps open to debate; none deserves to win public acceptance without a Congressional imprimatur.

The past few years have seen cryptographic policy being formed in a semiopen manner. Policies have been developed in secrecy and without consultation,^{207} but they have then been announced openly before they went into effect. Public meetings have been held to discuss them--even if afterwards it was often unclear whether the meetings had any significant effect on the results. Information about the government's plans may not have sufficed to cure the trust deficit, but it did allow those opposed to the Administration's proposals to learn what they were and thus to organize their response. In this sense, the move to policy formation at the international level just when the national policy is being contested risks being a retrograde and undemocratic step.

The Administration's concession in the White Paper that legislation will be needed to establish a domestic cryptography-control policy represents a quiet turning point in the U.S. cryptography debate, and may provide the means of defusing the crisis. Until now the Administration has worked hard to keep Congress out of the policy loop. Clipper was designed to be formally voluntary and to work through market manipulation. It could be implemented without any legislation. Software key escrow required at most technical legislation to regularize the rights and duties of private escrow agents. Most of the policy could be implemented administratively, by issuing a FIPS and by modifying the administration of the ITAR. Again, the Congressional role was minimized.

The White Paper proposes policies that cannot be implemented without Congressional approval. It does so at a time when Congress seems, for the first time, to be focussing serious attention on the cryptography policy debate although no consensus has yet emerged. Some legislators have proposed bills that would decontrol cryptography^{208} ; others suggest imposing domestic cryptography controls.^{209} The publication of the National Cryptography Study not only removes an excuse for further Congressional delay, but provides middle-of-the-road proposals around which at least a temporary compromise might be fashioned.^{210}

The entry of Congress into the field of debate is surely a healthy development. Its participation should add democratic legitimacy to whatever policy is decided, a legitimacy that the executive's creations could never attain alone. That said, it is difficult to be sanguine about the chances that Congress will add much to the quality of the policy being formed. Congress's track record in this area is far from stellar, both on substantive and procedural grounds. The Digital Telephony Act, which requires that all telephone switching networks be made wiretap-friendly if the government pays for the modifications, was rushed through both houses of Congress with next to no debate shortly before the end of the 1994 legislative session.^{211} The next Congress, however, balked at appropriating the half a billion or more dollars it would have taken to implement the retrofitting required by the act.

The publication of the National Research Council's report, Cryptography's Role in Securing the Information Society, is the most encouraging development in the cryptography debate. The report emphasizes that national security is enhanced by the widespread use of encryption to secure personal and corporate data and to protect computer-controlled operations, such as electricity generation and power supplies. The report makes clear that these gains deserve to be weighed in the balance. Because widespread cryptography is inevitable, the only loss to U.S. law enforcement and intelligence-gathering capabilities is the short-term, but immediate, loss from abandoning efforts to stem the tide. Given this forecast, the report concludes that the gains from allowing free export of DES outweigh the short term losses suffered above the inevitable long-term losses.^{212}

Reasonable people may differ with some of the National Research Council's recommendations,^{213} but they form a solid starting point for an informed debate. On July 12, 1996, however, the Administration announced that its fundamental commitment to an escrow policy remained unchanged.^{214} The battle over cryptographic key "escrow" is only beginning to heat up.

Postscript: The October 1996 "Initiative"

The White Paper bore its first fruit in the Clinton Administration's October 1996 cryptographic policy initiative. Although no formal actions had been taken at the time this article went to press -- neither executive orders nor proposed or final regulations had been issued -- the Administration let it be known that it planned to implement the new policy by executive order in early 1997.

The October policy initiative had two major parts. First, the Administration proposed to transfer primary jurisdiction over cryptographic control from the U.S. Munitions List (USML) administered by the traditionally more cautious State Department to the Commerce Control List (CCL), administered by the traditionally more export-oriented Commerce Department.^{215} Second, the Administration proposed to allow temporary export of 56-bit encryption products -- i.e. of DES, the de facto global standard commercial encryption product -- but for no more than two years, and only so long as the exporters promised "to build and market future products that support key [escrow]," albeit with an option to have keys held by approved private parties rather than the government.^{216} Grants of export permission would be for six months at a time, and would be contingent on "commitments from exporters to explicit benchmarks and milestones for developing and incorporating key recovery features into their products and services, and for building the supporting infrastructure internationally."^{217} In other words, companies that promise to build key escrow products (for domestic use as well as international?) will be allowed to export DES, but others will not. And all exporters will be on a short leash to ensure continued compliance.

A rigorous analysis of the revised policy is impossible before the implementing regulations are issued, but some initial points stand out. By allowing the virtually unlimited export of DES products via the CCL list, the Administration would effectively concede that additional exports of DES are not, in and of themselves, a serious incremental threat to the national security. In addition, by limiting export permission to firms that prove they are on board and contributing to the Administration's desire for an escrow-enabled infrastructure, the policy also concedes the bankruptcy of the claim that industry spontaneously is "taking the lead"^{218} in developing escrowed products in response to consumer demand.

The proposal to ration export licenses according to the business plans or practices of applicants is especially troubling. Ordinarily (although, as discussed below, not at this moment), the federal authority to control exports arises from two statutes, the Export Administration Act (EAA)^{219} and the Arms Export Control Act (AECA).^{220} Neither of these statutes was intended to give the executive branch the authority to direct the industrial policy of the United States, and neither act has ever been understood by anyone involved in export control as giving the government that power.^{221} The government might argue that national security would in fact be improved by accelerating the development of strong escrowed products. Or, more subtly, the government might even argue that only the acceleration of development can mitigate the harm caused by exports of DES products, on the theory that foreign consumers will migrate to the stronger albeit escrowed products, leaving the unescrowed DES products as a transitional nuisance. Even if one were to embrace these arguments, however, it in no way follows that either the EAA or the AECA gives the government the authority to implement a preferential export policy by which one's right to export one product depends on one's plans to develop another. These are export control statutes, not a blank check to conduct industiral policy.^{222}

A further aspect of the initiative is also disturbing. The EAA expired in August 1994. President Clinton immediately declared a national emergency and issued Executive Order 12,924 extending the EAA "[t]o the extent permitted by law".^{223} The only authorities noted in Executive Order 12,924 are the President's inherent constitutional authority and the International Emergency Economic Powers Act (IEEPA).^{224} Assuming that the President does not have inherent constitutional authority to block exports in peacetime, the authority for this action is IEEPA, which by its own terms applies to "any unusual and extraordinary threat, which has its source in whole or substantial part outside the Untied States ... if the President declares a national emergency with respect to such threat."^{225} While Executive Order 12,924 refers to the danger of "unrestricted access of foreign parties to U.S. goods, technology and technical data," it seems that the real "unusual and extraordinary" threat consists of Congress's failure to renew the EAA. Indeed, the President's most recent renewal of the state of emergency admits that the state of emergency must be extended "[b]ecause the Export Administration Act has not been renewed by the Congress."^{226}

While this is far from the first time that the EAA export control regime has been continued by executive order after a lapse in statutory authority,^{227} there is nevertheless something unsavory about a state of emergency being used for more than a very short time to cover a Congressional refusal to re-enact a statute. An emergency of this sort that lasts more than one Congress is suspect indeed. Others have suggested that IEEPA should be amended to prevent the existence of "perpetual emergencies,"^{228} and as it wears on they may find in this "emergency" more evidence of the need for a reform.

Given, however, that IEEPA provides the current authority for the continuance of the EAA regime, and that the Clinton Administration proposes to move DES, however temporarily, off the USML and onto the CCL, a creation of the EAA,^{229} it seems reasonable to ask to what extent IEEPA authorizes the October Initiative and to what extent parties aggrieved by the new regulations will be able to challenge them. Several challenges seem possible. Indeed, as set out in more detail below, there is a strong argument that IEEPA does not give the government the authority to control the export of cryptographic software once it has been removed from the USML. Since the October Initiative involves moving DES from the USML to the CCL, this may have the unintentional result of allowing unlimited export of DES-based software.

First, while its terms are indeed sweeping, IEEPA is no more a grant of the power to conduct industrial policy than is the EAA. Second, IEEPA lacks the prohibition on judicial review in the EAA. License denials premised on IEEPA can thus be challenged under the APA, even if the IEEPA authority is being used to extend the rules originally developed under the more restrictive review provisions of the EAA.^{230} It might even be possible to argue in the context of an IEEPA challenge that the extension of the EAA licensing regime contemplated in the October Initiative exceeds the powers granted in the EAA -- even though that claim would be difficult, albeit not impossible,^{231} to bring under the EAA itself.

Third, it may be significant that IEEPA imposes in 50 U.S.C. Sec. 1702 a limit on the President's authority designed to protect the free flow of ideas: "The authority granted to the President by [the part of IEEPA that grants sweeping power to control exports during a national emergency] does not include the authority to regulate or prohibit, directly or indirectly... the exportation to any country, whether commercial or otherwise, regardless of format or medium of transmission, of any information or informational materials, including but not limited to microfiche, tapes, compact disks, CD ROMs, artworks and news wire feeds."^{232} In turn, this restriction on the President's sweeping authority to control exports under IEEPA is itself subject to an exception: "The exports exempted from regulation or prohibition by this paragraph do not include those which are otherwise controlled for export under section 5 of the Export Administration Act of 1979[^{233} ], or under section 6 of such Act[^{234} ] to the extent that such controls promote the nonproliferation or antiterrorism policies of the United States..."^{235}

There are two ways one might read this. On the one hand, IEEPA's reference to the EAA could be an incorporation by reference. In this reading, the President's IEEPA powers are unaffected by subsequent changes in the EAA. Indeed, it matters not whether the EAA is amended or expires -- whatever powers were contained in the EAA when the relevant portion of IEEPA was last enacted^{236} remain reserved to the President. This reading is buttressed by the so-called "Lazarus Rule"^{237} under which specific references to a statute survive that statute's repeal.^{238} Any other rule, the Supreme Court explained in Kendall v. United States, would create uncertainty "as to what was the law; and would be adopting prospectively, all changes that might be made in the law."^{239}

Alternately, IEEPA's reference to the EAA could be understood as a Congressional decision that its protection of the free flow of ideas is not intended to disrupt the export controls scheme "otherwise" authorized by the EAA, and that if there is no such scheme then there is no IEEPA exception either. In this reading, if the EAA were amended to increase the government's authority to impose export controls, the President's IEEPA authority would automatically increase as well. On the other hand, if the EAA lapses or is repealed, the President's IEEPA authority shrinks accordingly. While this might seem to lead straight to the evil that the Supreme Court warned against in Kendall it is important to note that the statutes at issue there referred to the laws of foreign jurisdictions. When Congress makes reference to its own laws, the justification for the "Lazarus Rule" is considerably reduced because the danger of prospective adoption of rules of unknown content under the control of other sovereigns is eliminated.^{240} Furthermore, the dangers of uncertainty and unintended consequences seem tenuous indeed when Congress is amending laws which are well cross-indexed.

Both the word "otherwise" and the structure of IEEPA suggest that the purpose of the limitations in Sec. 1702 was to ensure that the President has no power to restrict the exchange of information and ideas, while leaving intact regulations promulgated pursuant to the EAA. Since the EAA has lapsed by its own terms, the legislative intent behind the EAA, and arguably IEEPA also, might best be effectuated by a finding that IEEPA does not allow the government to restrict the export of "information or informational materials," a term that would probably include DES software,^{241} once those come off the USML. There are, however, no cases of which I am aware which address this issue, and it is likely to be the subject of litigation unless and until Congress renews the EAA.

Endnotes

1. © A. Michael Froomkin, 1996. All rights reserved. Associate Professor, University of Miami School of Law. Internet: froomkin@law.miami.edu. Caroline Bradley, Carl Ellison, Tim Philp, Mark Rotenberg, and Willis Ware made helpful comments at the outline stage; Dorothy Denning and Carl Ellison provided helpful technical information; Brooks Fudenburg, Patrick Gudridge, Adam Smith made helpful comments on an earlier draft; none should be assumed to necessarily agree with my analysis or conclusions. Thank you to SueAnn Campbell and Nora de la Garza for library support and to Rosalia Lliraldi for secretarial assistance.

I am grateful to Larry Lessig and the University of Chicago Legal Forum for inviting me to participate in the Law of Cyberspace symposium. I particularly want to acknowledge the editors of the Legal Forum for tolerating my desire to present an up-to-date account of a rapidly changing subject. Thus, although a preliminary draft was delivered in Chicago on Nov. 4, 1995, unless otherwise noted this Article attempts to reflect legal, political, and technical developments as of July 15, 1996.

At the request of the National Research Council I reviewed an early draft of its report on cryptography policy, which is discussed in this article, and submitted comments to the Committee. Back to text at note 1

2. See Kenneth Dam and Herb Lin, eds, Cryptography's Role in Securing the Information Society I-3 to I-29 (National Research Council, forthcoming 1996), available online URL http://www2.nas.edu/cstbweb/2646.html (hereinafter "CRISIS" Report). Citations in this article to the CRISIS Report are drawn from the May 30, 1996 prepublication copy which is marked "Subject to Further Editorial Correction." The National Research Council is part of the National Academy of Sciences. Back to text at note 2

3. National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage 15 (1996). According to FBI Director Louis Freeh, the governments of at least 20 nations are "actively engaged in economic espionage." Louis J. Freeh, Address at the Executives' Club of Chicago 8 (Feb 17, 1994) (transcript available at the FBI), excerpts available on line at http://www.hotwired.com/clipper/fbi.quotes.html. Back to text at note 3

4. See CRISIS Report at ES-1 (cited in note 2; U.S. General Accounting Office, Information Security: Computer attacks at Department of Defense Pose Increasing Risks (May 1996) (GAO/AIMD-96- 84). Back to text at note 4

5. Not everyone accepts that the government should have the right to acquire the contents of personal communications and data. Nevertheless, in this article I will assume without argument that surveillance and information acquisition conducted pursuant to the rule of law, such as a valid warrant or other lawful government order, is the legitimate fruit of a legitimate policy choice in a democratic society. From this perspective--which is surely the perspective of policy makers who have the duty of executing those laws--legitimate national policy is frustrated when a wiretap is thwarted because the FBI cannot decode the conversation or a search warrant is unproductive because the police cannot decrypt the suspect's hard drive. Back to text at note 5

6. See part I.B. Back to text at note 6

7. Whether "the state" can usefully be personified, and once so reified can usefully be said to have interests of its own separate from and perhaps even inimical to the community, are problems I must gloss over in this essay. Back to text at note 7

8. For a fuller description of the Clipper chip and a discussion of the constitutional issues raised by any attempt to legislate domestic controls on the use of encryption, see A. Michael Froomkin, The Metaphor Is The Key: Cryptography, The Clipper Chip, And The Constitution, 143 U Penn L Rev 709 (1995). Back to text at note 8

9. The "goals of U.S. cryptography policy have not been explicitly formalized and articulated within the government." CRISIS Report at Part II (cited in note 2); see also id at preface, p xiv (statement by Kenneth Dam noting absence of national policy). Back to text at note 9

10. U.S. Dep't of Commerce & National Security Agency, A Study of the International Market for Computer Software With Encryption at II-2 (1996) (hereinafter "Export Study"). COCOM disbanded in 1994. Back to text at note 10

11. For example, in 1977 the U.S. government adopted the Digital Encryption Standard ("DES") as a cipher certified as sufficiently strong for domestic business use. DES, issued as FIPS 46 in January 1977, was reviewed, slightly revised, reaffirmed for federal government use in 1983 and 1987, and reissued as FIPS 46-1 in January 1988; on September 11, 1992, NIST announced a third review of FIPS 46-1, DES, and reaffirmed it for another five years as FIPS 46-2. See Revision of Federal Information Processing Standard (FIPS) 46-1 Data Encryption Standard (DES), 58 Fed Reg 69,347, 69,347-48 (1993). Export of DES remains controlled under the ITAR to this day, which means that anyone seeking to export a DES product needs permission. Banks and other U.S. corporations seeking export clearance for DES products for internal use routinely receive export permission.

Back to text at note 11

12. See Froomkin at 744 (cited in note 8). Back to text at note 12

13. See Export Study at ES-2 (cited in note 10) (noting that the "overwhelming majority (75%) of general-purpose software programs . . . available on foreign markets today are of U.S. origin"). Back to text at note 13

14. The Arms Export Control Act requires manufacturdqs of "munitions" (which are defined to include cryptography) to register with the State Department. Back to text at note 14

15. See Export Study at V-4 (cited in note 10). Back to text at note 15

16. "[T]he market reality is that a side-by-side comparison of two products identical except for their domestic vs. exportable encryption capabilities always results in a market assessment of the stronger products as providing a `baseline' level of security and the weaker one being inferior, rather than the weaker product providing the baseline and the stronger one being seen as superior." CRISIS Report at 8-18 n 6 (cited in note 2); but see remarks of Ray Ozzie, available online at http://www.lotus.com/notesr4/ ozzie.htm (describing "Differential Workfactor Cryptography" in which export editions of Lotus Notes are shipped with sixty-four- bit encryption enabled, but with twenty-four-bits encrypted in a LEAF-like data tag accessible to the U.S. government; as a result, the government need do no more brute- force work to decrypt the message than would be needed for a message using forty-bit encryption). Back to text at note 16

17. For a discussion of the things assumed away in this magic phrase, see generally Bruce Schneier, Applied Cryptography (2d ed 1996). Back to text at note 17

18. See, for example, Matt Blaze et al, Minimal Key Lengths For Symmetric Ciphers To Provide Adequate Commercial Security, available online at http:// www.bsa.org/bsa/cryptologists.html (stating "U.S. Data Encryption Standard with 56-bit keys is increasingly inadequate") (hereinafter Minimal Key Lengths). Back to text at note 18

19. CRISIS Report at 4-11 n 24 (cited in note 2); For a discussion of the forty-bit limit, and the various demonstrations of the amount of computer power required to brute-force decrypt messages encrypted with forty-bit keys, see The RSA Encryption Page, available online at http://www.library.carleton.edu/studentworkers/dan/ rsa.html. Back to text at note 19

20. See 22 CFR Sec. 121.1 (XIII)(b)(1) (1994). The statutory authority for the ITAR is the Arms Export Control Act, codified as amended at 22 USC Sec. 2778 (1988 & Supp IV 1992). For a thorough survey of the ITAR and associated regulations see Fred Greguras, Regulation Update on U.S. Software Exports, available online at http:// www.graphcomp.com/info/crypt/us_regs.html. Back to text at note 20

21. The statutory authority for the EAR is the Export Administration Act. The statutory authority for the EAR, the Export Administration Act of 1979, 50 U.S.C. app. Sec. 2401-2420 (1988 & Supp. IV 1992), lapsed on August 20, 1994. See 50 U.S.C.A. app. Sec. 2419 (West Supp. 1994). President Clinton issued an executive order requiring that the EAR be kept in force to þthe extent permitted by lawþ under the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. Secs. 1701-1706 (1988 & Supp. IV 1992). See Continuation of Export Control Regulations, Exec. Order No. 12,924, 59 Fed Reg 43,437 (1994). President Clinton recently extended the state of emergency required to activate his authority under IEEPA, see Continuation of Emergency Regarding Export Control Regulations, 61 Fed Reg 42527 (August 15, 1996). Back to text at note 21

22. See Export Study at II-1 to II-2 (cited in note 10). Back to text at note 22

23. See CRISIS Report at 4-4 (cited in note 2). Back to text at note 23

24. See Office of Technology Assessment, Congress of the United States, Information Security and Privacy in Network Environments 154 (1994) (OTA- TCT-606); see also U.S. Gen. Accounting Office, Communications Privacy: Federal Policy and Actions 6-7, 24-28 (1993). Back to text at note 24

25. See Froomkin at part I.B.1 (cited in note 8) (discussing how DES became a standard in the United States). Exports to Canada are not controlled. Back to text at note 25

26. See, for example, Trusted Information Systems, Press Release, TIS Gauntletþ Firewall with 56-bit DES approved for U.S. Export online at http:/www.tis.com/ docs/corporate/press/vpnpr.html (stating that TIS is first company to get U.S. export permision for DES-based firewall product). Back to text at note 26

27. See Susan Landau et al, Association for Computing Machinery, Inc, Codes, Keys and Conflicts: Issues in U.S. Crypto Policy 25 (1994) (hereinafter "ACM Report"). Back to text at note 27

28. See Export Study at III-9 (cited in note 10); CRISIS Report at 4-8 (cited in note 2). Back to text at note 28

29. Export Study at V-4 (cited in note 10); CRISIS Report at ch 8: "mismatch" paragraph (cited in note 2). Back to text at note 29

30. See generally Tracy Kidder, The Soul of a New Machine (1981); Douglas Coupland, MicroSerfs (1995). Back to text at note 30

31. The record in Karn v U.S., 925 F Supp 1 (D DC 1996) (appeal docketed) provides one, perhaps extreme, example. Karn submitted his original export request on Feb 12, 1994 and did not emerge from the appeals process with a final decision until June 13, 1995. Id at 2-3. See also Export Study at V-4 (cited in note 10) (citing two year lead time to produce new products). Back to text at note 31

32. See Export Study at ES-4 (cited in note 10) (noting that companies "avoid [] applying for export licenses); id at V-4. Back to text at note 32

33. Id at V-1 (cited in note 10). Back to text at note 33

34. See Bernstein v. U.S. Dept. of State, 922 F Supp 1426 (D ND Cal 1996). Further information about this case is available online at http:// www.eff.org/pub/Privacy/ITAR_export/Bernstein_case/. Back to text at note 34

35. Karn, 925 F Supp 1 (cited in note 31). For full information, including all unsealed motions, pleadings and evidence, see online at http://www.qualcomm.com/ people/pkarn/export/. Back to text at note 35

36. Originally available only as a PCMCIA card, Fortezza now comes in an ISA variety as well. See Fortezza CryptoSecurity Products, available online at http://www.rnbo.com/PROD/CRYPTO.HTM. A Quicktime Movie of a "virtual Fortezza Card" is offered by Rainbow Technologies, available online at http://www.rnbo.com/FORTVR.HTM. Back to text at note 36

37. The Clipper chip is defined--to the extent it has ever been publicly defined--in the Escrowed Encryption Standard ("EES"). See Approval of Federal Information Processing Standards Publication 185, Escrowed Encryption Standard, 59 Fed Reg 5997 (1994) (hereinafter "FIPS 185"). I discuss the original Clipper chip proposal in Froomkin (cited in note 8). Back to text at note 37

38. See Froomkin at 715 n 16 (cited in note 8). Back to text at note 38

39. See 61 Fed Reg 6111 (Feb 16, 1996) (personal use exception to ITAR). The regulations, however, impose surprisingly extensive record keeping requirements on anyone who takes an encryption program to a foreign country. See id. Back to text at note 39

40. See text accompanying note 26. Back to text at note 40

41. In a symmetric-key system both sender and receiver use the same key to encrypt and decrypt messages. In public-key systems the sender encrypt messages with a key that permits decryption only by a different key. Symmetric-key ciphers tend to work much more quickly than public-key ciphers of equivalent key length, and are thus more suited to real-time applications such as telephones, or for long documents. Symmetric-key systems rely on users safeguarding the key--if an interloper gets hold of the key he can decrypt all the messages encrypted with it. In contrast, public-key systems are more flexible, since one half of the key pair is secret and the other half can be made public. A message encrypted with the public key can only be read by the holder of the private key; if a message is encrypted with the private key, anyone who has access to the public key can read it, but the fact that the public key successfully decrypted the message authenticates it as emanating from the holder of the private key. Back to text at note 41

42. An algorithm is a more formal name for a cipher. An algorithm is a mathematical function used to encrypt and decrypt a message. Modern algorithms use a key to encrypt and decrypt messages. The number of possible values of a key is called the keyspace. Back to text at note 42

43. See Gilles Garon & Richard Outerbridge, DES Watch: An Examination of the Sufficiency of the Data Encryption Standard for Financial Institution Information Security in the 1990s, Cryptologia 177 (July 1991) (stating that since its adoption in 1977, DES þhas become the most widely used cryptographic system in the worldþ). A panel of eminent cryptologists selected by the government concluded that SKIPJACK should remain secure against brute-force attacks, despite continual increases in computing power, for at least thirty years. See Ernest F. Brickell, et al, SKIPJACK Review Interim Report: The SKIPJACK Algorithm 1 (July 28, 1993), available online at http://www.quadralay.com/www/Crypt/ Clipper/skipjackþreview.html (hereinafter "SKIPJACK Interim Report") (þ[T]here is no significant risk that SKIPJACK will be broken by exhaustive search in the next 30-40 years.þ) The panel never issued a final report. Back to text at note 43

44. See, for example, Minimal Key Lengths (cited in note 18). Back to text at note 44

45. The procedures for creating and storing the chip keys in a secure manner are described in Dorothy E. Denning & Miles Smid, Key Escrowing Today, IEEE Comm 58 (Sept 1994), available online at http:// guru.cosc.georgetown.edu/~denning/crypto/clipper/Key-Escrowing- Today.txt.

The three sets of procedures for disclosure of keys for use in authorized federal, state and national security-related wiretaps appear in Office of the Press Secretary, The White House, Key Escrow Encryption: Announcements-February 4, 1994 (Feb 15, 1994) (information packet accompanying press release) (on file with author) (hereinafter "Key Escrow Announce- ments"). Back to text at note 45

46. See Froomkin at 763 (cited in note 8). Back to text at note 46

47. See id at 753 n 187 (discussing tamperproof hardware). Back to text at note 47

48. The dependence of Clipper and other products on "tamper resistant" hardware has spawned a cottage industry of attempts to subvert such schemes. Notable efforts include Yair Frankel, & Moti Yung, Escrow Encryption Systems Visited: Attacks, Analysis and Designs in Advances in Cryptology--CRYPTO '95 Proceedings (1995), in which the authors describe a practical-sounding method of tricking a Clipper chip into using another chip's LEAF. Back to text at note 48

49. For a technical survey of the types of "escrowed" encryption systems developed see Dorothy E. Denning & Dennis K. Branstad, A Taxonomy for Key Escrow Systems, 39 Comm ACM 34, 36 (March 1996) (table entry for Fortezza card); Dorothy E. Denning, available online at http://www.cosc.goergetown.edu/~denning/crypto/appendix.html. Back to text at note 49

50. For a more detailed description of the Clipper chip's workings, see Froomkin at Sec. I.C.2.a (cited in note 8). Back to text at note 50

51. For details, see Denning & Smid (cited in note 45). Back to text at note 51

52. Key Escrow Announcements (cited in note 45). Back to text at note 52

53. A session key is the sequence of bits allowing decryption that will be used for only a single communication, one e-mail, or one telephone call. Each time the parties initiate a new conversation, they generate a new session key, which, though lasting for the entire conversation, is never repeated. See Froomkin at 754-55 (cited in note 8). Back to text at note 53

54. Matt Blaze's "LEAF-blower" exploited a vulnerability in the LEAF-checking algorithm to generate spurious approvals of counterfeit LEAFs. The method is too slow, however, to be of great practical value. See Matt Blaze, Protocol Failure in the Escrowed Encryption Standard, in Building in Big Brother: The Cryptographic Policy Debate 131 (Lance Hoffman ed, 1995). Back to text at note 54

55. Pub L No 90-351, tit III Sec. 802, 82 Stat 197, 211-25, reprinted in 1968 USCCAN 237, 253 (current version at 18 U.S.C. Secs. 2510-2521 (1988 & Supp V 1993) (Electronic Communications Privacy Act of 1986) (hereinafter "Title III"). Back to text at note 55

56. 18 USC Sec. 2516 (1988 & Supp V 1993). Back to text at note 56

57. Technically, Louis needs only to aver the existence of this authorization since the escrow agents have no obligation to make an independent confirmation of Louis's authority. They do, however, have an obligation to keep a record of who asks for what. See State Authorization Procedures at 1 (cited in note 45); Title III Authorization Procedures at 1 (cited in note 45); FISA Authorization Procedures at 1 (cited in note 45). The Department of Justice is required to ascertain, after the fact, that the legal authorization existed for Title III wiretaps and FISA wiretaps. See Title III Authorization Procedures at 2 (stating that the þDepartment of Justice shallþ ascertain the existence of authorizations for electronic surveillance); FISA Authorization Procedures at 2 (same). The Justice Department has no such obligation when the key segment is requested by a state or local police force. See State Authorization Procedures at 2 (stating that the þDepartment of Justice mayþ inquire into the authorization for electronic surveillance). Back to text at note 57

58. Since the SKIPJACK algorithm is classified, one cannot be more certain. Back to text at note 58

59. A half key is not useful information because the two halves are XORed together to produce the actual key. See Froomkin, 143 U Penn L Rev at 759 (cited in note 8). Back to text at note 59

60. Clipper does not work for conference calls. Back to text at note 60

61. The specifications for the decrypt processor call for it to delete keys when a warrant expires and to automatically send a confirmation message to the key escrow agents. The interim model in use by law enforcement organizations in 1994-95 relied on manual deletion, see OTA Information Security at 65 n 5 (Box 2-7) (cited in note 24) (citing presentation by NIST Security Technology Manager Miles Smid in June 1994), that is, it relied on trust. Back to text at note 61

62. Given that the Clipper chip is used only for communications, and not to archive stored information, this is not likely to be a serious problem for Alice; the application of the same rule is potentially significant for Fortezza escrow. Back to text at note 62

63. See, for example, Wall Street Journal A3 (Jan 31, 1995) (noting AT&T abandoning Clipper chip). Back to text at note 63

64. To date the NSA has issued solicitations for more than 750,000 Fortezza cards. Up to two million are expected to be in use by 2005. CRISIS Report at 5-7 (cited in note 2). Back to text at note 64

65. Public-key cryptographic systems allow users to append a digital signature to an unencrypted message. A digital signature encrypted with a private key uniquely identifies the sender and connects the sender to the exact message. Anyone who has the user's public key can then verify the integrity of the signature. Because the signature uses the plaintext as an input to the encryption algorithm, if the message is altered in even the slightest way, the signature will not decrypt properly, showing that the message was altered in transit or that the signature was forged by copying it from a different message. A digital signature copied from one message has an infinitesimal chance of successfully authenticating any other message. See Schneier at 35 (cited in note 17) (noting that a digital signature using a 160-bit checksum has only a one in 2160 chance of misidentification).

For a discussion of digital signatures and their importance to electronic commerce and electronic authentication see A. Michael Froomkin, The Importance of Trusted Third Parties in Electronic Commerce, 75 Ore L Rev 49 (1996). Back to text at note 65

66. See Denning & Branstad, 39 Comm ACM at 36 (cited in note 49). Back to text at note 66

67. See text accompanying note 53. Back to text at note 67

68. See text at note 53. Back to text at note 68

69. If SKIPJACK is used to encrypt the e-mail, Bob needs a way to give the session key for that symmetric key system to Alice. He would probably use a public-private key system, in which he encrypted the session key with Alice's public key. When Alice receives the message, she will use her private key--which is not escrowed with the government--to decrypt the session key that SKIPJACK will accept as input 22

to the decrypt function. Back to text at note 69

70. Whether the security of an encryption chip is actually compromised by the release of the chip-unique key to authorized law enforcement is a subject that polarizes debates between security professionals and law enforcement. Security professionals presume that security is unacceptably lessened whenever it is theoretically possible for third parties to gain access to keys; law enforcement officials tend to presume that the public should trust them. Back to text at note 70

71. Using this access for anything other than mail to Alice without judicial authorization (or, perhaps, other authorization in the case of national security cases) would violate Title III. Back to text at note 71

72. Mitch Ratcliffe, Security Chips Trigger Alarm: Clipper and Capstone Open Digital Back Door, MacWeek 1 (Apr 26, 1993) (stating that FIPS often become de facto standards because the U.S. government is the largest computer customer in the world). Back to text at note 72

73. See Froomkin, 143 U Penn L Rev at Sec. II.A.1 (cited in note 8). Back to text at note 73

74. FIPS 185 at 6005 (cited in note 37). Back to text at note 74

75. See 40 USC Sec. 759(d)(1) (1988) (requiring publication in the Federal Register only if President disapproves or modifies a FIPS). Back to text at note 75

76. 5 USC Sec. 553(b)-(d) (1988). NIST has traditionally followed a notice and comment procedure for FIPSs while maintaining that no statute actually requires it. But see American College of Neuropsychopharmacology v Weinberger, Food Drug Cosm L Rep (CCH) Sec. 38,025 (D DC July 31, 1975) (holding that publication in the Federal Register combined with the complexity of the rules themselves meant that the rules in question were subject to the notice and comment procedures of section 553 of the APA). Back to text at note 76

77. FIPS 185 at 5998 (cited in note 37). Back to text at note 77

78. See Letter from Vice President Al Gore to Congresswoman Maria Cantwell (July 20, 1994), available online at ftp://ftp.eff.org/pub/EFF/Policy/ Crypto/Clipper/gore_clipper_retreat_cantwell_072094.letter. But see Statement of Patrick Leahy on Vice President Gore's Clipper Chip Letter (July 21, 1994), available online at ftp:// ftp.eff.org/pub/EFF/Policy/Crypto/Clipper/gore_clipper_retreat_ leahy.statement (stating that the Gore letter þrepresents no change in policyþ). Back to text at note 78

79. See Draft Software Key Escrow Encryption Export Criteria, available online at http:/ /csrc.ncsl.nist.gov/keyescrow/criteria.txt; Key Escrow Agent Criteria, available online at http://csrc.ncsl.nist.gov/ keyescrow/agent-criteria.txt. Back to text at note 79

80. See Draft Software Key Escrow Encryption Export Criteria (cited in note 79); Key Escrow Agent Criteria (cited in note 79). The term "commercial key escrow" was something of a misnomer, since the proposal was neither commercial nor escrow as the terms are understood by most lawyers and business people. It was "commercial" only in the sense that the keyholders might be private firms rather than the government. It was not "escrow" in any ordinary sense of the word: usually, something held in escrow is held for the benefit of the owner. In software key escrow, as in Clipper, the "escrow" was for the benefit of the government rather than the owner of the key.

"Commercial Key Escrowþ" (with capital letters) is a trademark of Trusted Information Systems. Back to text at note 80

81. For a discussion of brute- force decryption, which is little more than trying every possible key until you find one that works, see A. Michael Froomkin, The Metaphor Is The Key: Cryptography, The Clipper Chip, And The Constitution, 143 U Penn L Rev 709, 887-89 (1995). Back to text at note 81

82. Key Escrow Agent Criteria at  18 (cited in note 79). Back to text at note 82

83. See John Markoff, Security Flaw is Discovered in Software Used in Shopping, NY Times A1 (Sept 19, 1995); Netscape, Welcome to Netscape Navigator Version 2.01, available online at http:// partner.netscape.com/eng/mozilla/2.01/relnotes/unix- 2.01.html#Security (describing problem with implementation of random number generator and announcing bugfix). Back to text at note 83

84. See Froomkin, 143 U Penn L Rev at 740-41 (cited in note 81). Back to text at note 84

85. Since the person holding the keys can gut the security of the system if she does not hold the keys in a secure fashion, reasonable security may require that key fragments be distributed to two or more parties. In some systems the backup keyholders are not given the actual key to the cipher, but are instead entrusted with the key to a generic "data recovery field" encrypted into each message that contains the information needed to retrieve the key. The Clipper chip's LEAF, see note 53 and accompanying text, is an example of such a field. Back to text at note 85

86. For a definition of a digital signatures, see note 65 and accompanying text. For a discussion of a digital-signature infrastructure and the role of certificates, see generally A. Michael Froomkin, The Importance of Trusted Third Parties in Electronic Commerce, 75 Or L Rev 49 (1996). Back to text at note 86

87. See Froomkin, 75 Or L Rev at 82 (cited in note 86). Back to text at note 87

88. But see note 169 and accompanying text. Back to text at note 88

89. Key Escrow Issues Meeting, September 6-7, 1995, Discussion Paper #4, at Sec. 10, available online at http://csrc.ncsl.nist.gov/keyescrow/ september_issues_mtg/paper4.html. Back to text at note 89

90. Office of the Press Secretary, The White House, Key Escrow Encryption: Announcements-February 4, 1994 (Feb 25, 1994) (on file with the Legal Forum). Back to text at note 90

91. See Froomkin, 143 U Penn L Rev at 762 (cited in note 81). Back to text at note 91

92. See 18 USC Sec. 2520(a) (1994). Back to text at note 92

93. Key Escrow Agent Criteria (cited in note 79). Irritatingly, all the government memoranda distributed at the 1995 NIST meetings on key escrow were handed out without advance notice, on paper with no letterhead. The memos bore no indicia of authorship. Back to text at note 93

94. Id. Back to text at note 94

95. Id at para 7. Back to text at note 95

96. Id at para 13. Back to text at note 96

97. Id at para 14. Back to text at note 97

98. Id at para 18. Back to text at note 98

99. Key Escrow Agent Criteria (cited in note 79). Back to text at note 99

100. See 50 USC Sec. 1802(a)(4)(B) (1994) (authorizing Attorney General to classify fact of FISA order and to require that common carrier served with FISA order keep it secret). Back to text at note 100

101. See id. Back to text at note 101

102. Draft Software Key Escrow Encryption Export Criteria at para 7 (cited in note 79). Back to text at note 102

103. See note 84 and accompanying text. Back to text at note 103

104. A similar sentiment was voiced outside the meeting. See, for example, John Markoff, Industry Group Rebuffs U.S. On Encryption, NY Times D5, (Nov 8, 1995). Back to text at note 104

105. The cryptographers were Matt Blaze, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener. See note 106. Back to text at note 105

106. Matt Blaze et al, Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security (Jan 1996), available online at http://www.bsa.org/bsa/cryptologists.html Back to text at note 106

107. Id at para 3. Back to text at note 107

108. One might quibble with these conclusions on two levels. Some argue that they are "threat estimates" rather than descriptions of actual capabilities today. Despite relatively conservative estimates of the capabilities of various existing hardware devices, the paper made little allowance for some practical difficulties with running a brute-force cracking device. In particular, the cryptographers' estimates begin with the standard assumption of a "known plaintext." This often, but not inevitably, accurate assumption is that at least part of the plaintext message sought to be decrypted is known to the attacker, perhaps because the message follows a standard form (such as a TO and FROM line in a memo). An attacker who lacks a known plaintext must devote extra computing time to deciding whether the text of each possible decryption of the message has an alphanumeric distribution consistent with ordinary language. This does not make brute force decryption impossible, but it does slow it down.

Perhaps more telling, there is no public evidence that either businesses or law enforcement agencies have actually constructed a sophisticated brute force decryption engine, much less employed it routinely. If they had, one might expect the information to leak eventually. Compare US Cryptography Policy: Why We Are Taking the Current Approach, available online at http://csrc.ncsl.nist.gov/keyescrow/policy.txt (July 12, 1996) (suggesting that "operational reality" of government ability to decrypt messages greatly lags behind "mathematical theory").

Of course, anyone purchasing a security system today needs to build in sufficient security not just for the life of the system but, ideally, for the life of the data likely to be encrypted with that system. This requires a considerable margin for safety. Back to text at note 108

109. U.S. Department of Commerce and National Security Agency, A Study of the International Market for Computer Software with Encryption at III-1, III-6 (1996). Back to text at note 109

110. Id at IV-1. Back to text at note 110

111. Id at IV-3 to IV-4. Back to text at note 111

112. See generally RSA's Frequently Asked Questions About Today's Cryptography, available online at http://www.rsa.com/yrsalabs/faq/faq_rsa.html (1993). Back to text at note 112

113. See Testimony of RSA Data Security, Inc. President Jim Bidzos, before the Senate Committee on Commerce, Science & Transportation, Subcommittee on Science, Space & Technology, 1996 WL 10828659 (June 12, 1996) (stating that NT&T is shipping encryption chips with 1024-bit RSA). Back to text at note 113

114. For example, Sun Microsystems plans to import a Russian-built system for this reason. John Battelle, Sun's Codemaking Comrades, Wired 3.11 at 49 (Nov, 1995). Back to text at note 114

115. "RSA, which is based in Redwood City, Calif., plans to fund an effort by Chinese government scientists to develop new encryption software. The Chinese-developed software, based on RSA's general mathematical formula, may be more powerful than versions now permitted for export under U.S. laws, said James Bidzos, RSA's president." Don Clark, China, U.S. Firm Challenge U.S. On Encryption-Software Exports, Wall St J A10 (Feb 8, 1996). For RSA's version of its alliance, see RSA, RSA Data Security, Inc. and People's Republic of China Sign MOU on Encryption Technology and Joint Research, available online at http://www.rsa.com/rsa/ china_rsa.htm (Feb 2, 1996). Back to text at note 115

116. The State Department ruled that exports of the dead tree version of the book Applied Cryptography (1st ed) were not subject to the ITAR. Letter from William B. Robinson, Director, Office of Defense Trade Controls, to Phil Karn, available online at http://www.qualcomm.com/people/ pkarn/export/book-response.html (Mar 2, 1994). However, the US government's brief in Karn v. U.S., 925 F Supp 1 (D DC 1996), appeal docketed, suggested that this ruling might have been a mistake. Defendants' Memorandum of Points and Authorities at Sec. II B2i, available online at http://www.qualcomm.com/ people/pkarn/export/memorandum.html (Nov 15, 1995). Judge Richie's ruling in the Karn case was sufficiently broad as to give comfort to a government official thinking of toughening the policy. Back to text at note 116

117. Kenneth Dam & Herb Lin, eds, Cryptography's Role in Securing the Information Society ("CRISIS Report") xii (National Research Council, forthcoming 1996), available online at http://www2.nas.edu/cstbweb/2646.html. As the Report notes,

Such a position may be true or false, but it clearly does not provide much reassurance for those not privy to those secrets for one very simple reason: those who fear that government is hiding poorly-conceived policies behind a wall of secrecy are not likely to trust the government, yet in the absence of a substantive argument being called for, the government's claim is essentially a plea for trust.

Id. Back to text at note 117

118. Id at 8-5 (emphasis in original). Back to text at note 118

119. Id at 8-9. Back to text at note 119

120. Id at 8-6. Back to text at note 120

121. Id at 8-12. Back to text at note 121

122. CRISIS Report at 8- 16 (cited in note 117). On 3-DES, see note 84. Back to text at note 122

123. See note 10. Back to text at note 123

124. CRISIS Report at 8- 18 (cited in note 117). Back to text at note 124

125. Id at 8-18. Back to text at note 125

126. Id at 8-19. Back to text at note 126

127. Id at 8-19. Back to text at note 127

128. Id at 8-20. Back to text at note 128

129. CRISIS Report at 8- 20 (cited in note 117). Back to text at note 129

130. Id at 8-20. Back to text at note 130

131. Id at 8-28. Back to text at note 131

132. Id at 8-28. Back to text at note 132

133. Id at 8-29. Back to text at note 133

134. CRISIS Report at 8- 29 to 8-30 (cited in note 117). Back to text at note 134

135. See, for example, Dorothy E. Denning, Comments on the NRC Cryptography Report, available online at http://guru.cosc.georgetown.edu/~denning/ crypto/NRC.txt (June 11, 1996). Back to text at note 135

136. See, for example, EFF "Privacy-Crypto-Key Escrow & Govt. Access to Keys" Archive, available online at http://www.eff.org/pub/Privacy/Key_escrow/ ("Unfortunately, the report also calls for key `escrow', and buys into the government's wacky idea of a federally-controlled `Key Infrastructure', among other flaws"). Back to text at note 136

137. See note 141 and accompanying text. Back to text at note 137

138. CRISIS Report at 8- 25 (cited in note 117). Back to text at note 138

139. Bruce W. McConnell & Edward J. Appel, Co-Chairs, Interagency Working Group on Cryptography Policy, Draft Paper: Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure ("White Paper") 23 (May 20, 1996), available from Office of Management and Budget, Executive Office of the President), and available online at http:// www.isse.gmu.edu/~pfarrell/nist/kmi.html.

The Administration reaffirmed its commitment to the policy outlined in the draft White Paper in a statement issued by Vice President Al Gore on June 12, 1996. See Statement of Vice President Al Gore, available online at http://csrc.ncsl.nist.gov/ keyescrow/admin.txt. See also John Markoff, Clinton Proposes Initiatives On the Scrambling of Data, NY Times 34 (July 13, 1996) (noting that administration was rejecting NRC recommendations); US Cryptography Policy (U.S. government policy paper issued July 12, 1996) (cited in note 108). Back to text at note 139

140. See White Paper at 7 (cited in note 139). Back to text at note 140

141. See notes 93-98 and accompanying text. Back to text at note 141

142. Very compressed explanations appear in notes 41 (contrasting public-key cryptography with symmetric-key cryptography) and 65 (describing use of public-key cryptography to create a digital signature). Fuller explanations appear in A. Michael Froomkin, The Metaphor Is The Key: Cryptography, The Clipper Chip, And The Constitution, 143 U Penn L Rev 709, 890-94 (1995), and Bruce Schneir, Applied Cryptography (John Wiley & Sons, Inc., 2nd ed. 1996). Back to text at note 142

143. On the use of cryptography in electronic commerce see generally A. Michael Froomkin, The Importance of Trusted Third Parties in Electronic Commerce, 75 Or L Rev 49 (1996). On electronic commerce and electronic cash, see generally A. Michael Froomkin, Flood Control on the Information Ocean: Living With Anonymity, Digital Cash, and Distributed Databases, 15 Pitt J L & Commerce (1996). Back to text at note 143

144. See Schneier at 284-85, 318-20 (cited in note 142) (stating that security of public-key systems depends on inability to factor large numbers rapidly or on the continuing inability of mathematicians to solve the longstanding problem of calculating discrete logarithms). Back to text at note 144

145. See Schneier at 48- 49 (cited in note 142) (describing "man in the middle" attack on secure communications). Back to text at note 145

146. See Froomkin, 75 Or L Rev 49 (cited in note 143). Back to text at note 146

147. In addition to binding identities to keys, CAs may issue certificates attesting to some fact about a key or a transaction, or timestamps proving that a document was in existence at a time certain. A more extensive treatment of these functions, and of the duties and possible liabilities of CAs appears in Froomkin, 75 Or L Rev 49 (cited in note 143). Back to text at note 147

148. The White Paper includes a misleading statement suggesting that the CA ordinarily would want or need to "escrow" the user's private key or other information that would allow access to the user's data or communications. In fact, none of the other models for a PKI include this feature. See note 163 and accompanying text. Back to text at note 148

149. A certificate is a computer-based record which (1) identifies the CA issuing it, (2) names, identifies, or describes an attribute of the subscriber, (3) contains the subscribers's public key, and (4) is digitally signed by the certification authority issuing it. Warwick Ford, Advances in Public-Key Certificate Standards, 13 SIG Security, Audit & Control Review at 9 (July 1995). See also Utah Digital Signature Act Sec. 103, Utah Code Ann Sec. 46-3-103(3) (1996). Back to text at note 149

150. A printed public key is likely to be a long string of gibberish. To make life easier for the user, the CA probably would publish a short alphanumeric string, sometimes called a "key fingerprint," which could be checked against the electronic form of the full key. See Schneier at 30-31 (cited in note 142). Back to text at note 150

151. Ford, Advances at 9-10 (cited in note 149). Back to text at note 151

152. The canonical law-review version of the turtle story goes as follows:

William James described a classic encounter between scientific truth and a commitment of faith. A prominent scientist had just given a brilliant lecture on the foundations of the universe. During the question period [a person] suggested that there was a problem with the professor's analysis. `What is that?' asked the professor cautiously. `It's all wrong,' [the person] replied, `because the universe actually rests on the back of a giant turtle.' The professor, taken aback, forced a smile and then countered: `If that's the case there is still the question, what is that turtle standing on?' The audience tittered, but [the person], undaunted, replied: `Another, much larger turtle.' `But . . .' objected the professor. `I'm sorry, professor, it's turtles all the way down.'

Roger C. Cramton, Demystifying Legal Scholarship, 75 Georgetown L J 1, 1-2 (1986). Back to text at note 152

153. White Paper at Appendix I (cited in note 139). Back to text at note 153

154. For example, the Utah Digital Signature Act contemplates that the state government will issue the root certificate for CAs licensed in Utah. See Utah Code Ann Secs. 46-3-201(1) and 46-3-201

(2). Back to text at note 154

155. See Froomkin, 75 Or L Rev 49 (cited in note 143). Back to text at note 155

156. The White Paper proposes legislation ensuring that CAs "who exercise due prudence" receive "liability protection." White Paper at 10 (cited in note 139). In the absence of such legislation the liability of CAs for erroneous certificates is complex, uncertain, and potentially large. See Froomkin, 75 Or L Rev 49 (cited in note 143). Back to text at note 156

157. Where E-Cash Will Take off, Business Week 70 (June 12, 1995). Another estimate suggests more than $200 billion in Internet commerce within five years. See John Kavanagh, Purchases on the Internet Could Potentially Exceed $200bn by Year 2000, Fin Times FT-IT XII (Nov 1, 1995) (quoting wide variety of estimates). Internet purchases in 1994 were estimated at $240 million. Id. See also Edward Mozley Roche, Business Value of Electronic Commerce over Interoperable Networks, Paper Presented at Freedom Forum, July 6-7, 1995, available online at http://www.commerce.net/information/reference/roche.txt (projecting huge increases in internet commerce). Back to text at note 157

158. See generally Froomkin, 75 Or L Rev 49 (cited in note 143). Back to text at note 158

159. White Paper at 3 (cited in note 139). Back to text at note 159

160. Id at 5 (emphasis added). Back to text at note 160

161. Examples include the ABA digital-signature guidelines and the various state digital- signature legislation. See note 176 and accompanying text. Back to text at note 161

162. See id. Back to text at note 162

163. White Paper at 6 n 3 (cited in note 139). Back to text at note 163

164. See notes 86-88 and accompanying text. Back to text at note 164

165. See Froomkin, 75 Or L Rev 49 (cited in note 143) (describing proposals to shift burden of proof so that digital signatures backed by a valid certificate will be presumed to have been affixed by person identified in the certificate). Digital-signature keys "must be controlled solely by the immediate and intended parties to those applications" because "outside access to such keys could undermine the legal basis and threaten the integrity of these practices carried out in the electronic domain." CRISIS Report at 8-27 (cited in note 117). Back to text at note 165

166. See note 112 and accompanying text. Back to text at note 166

167. See CRISIS Report at 6-9 (cited in note 117). Back to text at note 167

168. White Paper at 3 (cited in note 139). Back to text at note 168

169. Id. Back to text at note 169

170. Id at 4. Back to text at note 170

171. Id at 6 (emphasis added). Back to text at note 171

172. See CRISIS Report at 8-29 (cited in note 117) (noting fears of critics of escrow that future administrations may change policy). Back to text at note 172

173. White Paper at 3 (cited in note 139). Back to text at note 173

174. See, for example, Verisign Homepage, available online at http:// www.verisign.com. Back to text at note 174

175. The current list offers users a choice among certificates issued by BNN, the U.S. Postal Service, VeriSign, Keywitness, Thawte Server, MCI Mall, Canada Post Corporation, GTE CyberTrust, AT&T Directory Services, and CommercNET. Back to text at note 175

176. See, for example, Utah Code Ann Sec. 46-3-103 et seq (1996). As of November 1995, no certification authorities had qualified under the Utah Act. See Introductory Commentary, History and Current Status of the Utah Act Sec. 1, available online at http://www.state.ut.- us/ccjj/digsig/dsut-int.htm. The state of California has passed a statute delegating to the Secretary of State powers to make rules regulating the use and verification of digital signatures. See 1995 Cal Legis Serv Ch 594, AB 1577, 1995-96 Reg Sess ch 594, 3584-85 (West). On March 29, 1996, Washington State approved a digital-signatures statute with an effective date of January 1, 1998. See Washington Electronic Authentication Act, 1996 Wash Legis Serv SB 6423, 1996 Reg Sess ch 250 (West). Back to text at note 176

177. See generally Froomkin, 75 Or L Rev 49 (cited in note 143). Back to text at note 177

178. White Paper at 10 (cited in note 139). Back to text at note 178

179. See Froomkin, 75 Or L Rev 49 (cited in note 143). Back to text at note 179

180. White Paper at 9 (cited in note 139). Back to text at note 180

181. Export controls have never been sufficiently well-policed to prevent individuals from carrying out software on disks or computers, or from e-mailing software across borders on the Internet. But, unless one is personally able to check the validity and implementation of an algorithm, one must take cryptographic software on trust. Most firms find it easier to trust something that comes in a box with a famous tradename on it than something illegally exported via the Internet. See Froomkin, 75 Or L Rev at nn 20-21 (cited in note 143). Back to text at note 181

182. See note 34 and accompanying text (discussing Bernstein decision). Back to text at note 182

183. See Stewart A. Baker, Summary Report on the OECD Ad Hoc Meeting of Experts on Cryptography, available online at http://www.us.net/~steptoe/ 276908.htm (1996). A survey of foreign laws relating to encryption can be found at Bert-Jaap Koops, Crypto Law Survey, available online at http://cwis.kub.nl/~frw/people/ koops/lawsurvey.htm (1996). Foreign laws on the exportation of cryptographic software are surveyed in Export Study (cited in note 109). Back to text at note 183

184. Export Study at II- 17 (cited in note 109). Back to text at note 184

185. CRISIS Report at G- 6 (cited in note 117). Back to text at note 185

186. See La loi sur les t‚lecoms met l'Internet en laisse, bulletin lambda 2.08 (June 10, 1996), available online at http://www.freenix.fr/netizen/ 208.html (describing Article 12 of new telecommunications law and noting passage of legislation in the dead of night); Jerome Thorel, As French Hang a Leash on the Net, Military Interests Surface, available online at http://www.tis.com/crypto/cke/ press/french.txt (June 14, 1996); Steptoe & Johnson, Proposed Statutory Trusted Third Party Rules for Encryption, available online at http://www.us.net/~steptoe/france.htm (analyzing proposed version of law). Back to text at note 186

187. Edict of the President of the Russian Federation On Measures to Observe the Law in Development, Production, Sale and Use of Encrypting Information, available online at http://www.us.net/~steptoe/ edict.htm (Apr 3, 1995). Back to text at note 187

188. Steptoe & Johnson, Russian Statutes Restricting Use of Encryption Technologies, available online at http://www.us.net/~steptoe/ cyber.htm (1996) (quoting Edict cited in note ). Back to text at note 188

189. UK Department of Trade and Industry, Paper On Regulatory Intent Concerning Use Of Encryption On Public Networks  8 (June 10, 1996), available online at http://www.coi.gov.uk/coi/depts/GTI/coi9303b.ok. Back to text at note 189

190. Id at  5, 7. Back to text at note 190

191. Stewart A. Baker, Emerging Japanese Encryption Policy, available online at http://www.us.net/~steptoe/276915.htm (1996). Back to text at note 191

192. See Denning (cited in note 135) (describing as-yet-unpublished EU proposals). Back to text at note 192

193. Concerning Problems of Criminal Procedure Law Connected with Information Technology, Council of Europe Recommendation No R (95) 13 at Appendix para 8, available online at http://www.privacy.org/pi/intl_orgs/coe/ info_tech_1995.html (Sept 11, 1995). Back to text at note 193

194. Id at Appendix  14. Back to text at note 194

195. White Paper at 8 (cited in note 139). Back to text at note 195

196. See CRISIS Report at G-15 to G-16 (cited in note 117) (stating that a "number of participants" favored trusted-third-party approach to escrow, although needs of national security "were not mentioned for the most part"). Steve Walker, the founder of Trusted Information Systems, a leading supplier of escrowed encryption systems, reported that,

The consensus of the [December 1995 Paris] meeting was that user-controlled key escrow provides the only workable solution to the long-standing dilemma between the private sector's need for encryption protection and governments' needs to be able to decrypt the communications of criminals, terrorists, and other adversaries. Other meetings will follow, but it appears that most major governments endorse the U.S. government's user- controlled key escrow initiative as the only practical way through the cryptography maze.

TIS--Building in Big Brother for a Better Tomorrow, available online at http://infinity.nus.sg/cypherpunks/dir.archive-96.02.22- 96.02.28/0114.html (e-mail from Steve Walker, Feb 2, 1996, quoted in e-mail from John Young, Feb 22, 1996 to cypherpunks@toad.com. Back to text at note 196

197. Stewart A. Baker, Summary Report on the OECD Ad Hoc Meeting of Experts on Cryptography, available online at http://www.us.net/~steptoe/ 276908.htm (1996). Back to text at note 197

198. US Cryptography Policy: Why We Are Taking the Current Approach (cited in note 108). Back to text at note 198

199. Kenneth Dam & Herb Lin, eds, Cryptography's Role in Securing the Information Society ("CRISIS Report") ES-4, available online at http://www2.nas.edu/cstbweb/2646.html (National Research Council, forthcoming 1996).

Back to text at note 199

200. Id at xiii. Back to text at note 200

201. Id at 8-10. Back to text at note 201

202. See A. Michael Froomkin, The Metaphor Is The Key: Cryptography, The Clipper Chip, and The Constitution, 143 U Penn L Rev 709, 732-34 (discussing abuses by law enforcement and intelligence agencies); Richard Morin & Dan Balz, Americans Losing Trust in Each Other and Institutions; Suspicion of Strangers Breeds Widespread Cynicism, Wash Post A1 (Jan 28, 1996) (describing poll showing that U.S. citizens have profound lack of trust in government and other institutions). Back to text at note 202

203. See Jim McGee, Wiretapping Rises Sharply Under Clinton, Wash Post A1 (July 7, 1996). Back to text at note 203

204. See Froomkin, 143 U Penn L Rev at 806 (cited in note ). Back to text at note 204

205. Louis Freeh, Keynote Luncheon Address at the International Cryptography Institute (Sept 23, 1994) (excerpt on file with the Legal Forum). Back to text at note 205

206. See note 173. Back to text at note 206

207. See CRISIS Report at 5-14 (cited in note ) (noting comments of relevant stackeholders who felt that policies were "sprung" on them). Back to text at note 207

208. See Encrypted Communications Privacy Act of 1996, S 1587, 104th Congress, 2nd Sess (1996); Promotion Of Commerce On-line In The Digital Era (PRO-CODE) Act Of 1996, S 1726 (1996); Security and Freedom Through Encryption (SAFE) Act, H R 3011 (1996). Back to text at note 208

209. Sen. Grassley introduced the Anti-Electronic Racketeering Act (June 27, 1995), which would prohibit distribution of unescrowed computer software "that encodes or encrypts electronic or digital communications to computer networks that the person distributing the software knows or reasonably should know, is [sic] accessible" to foreigners. For a discussion of the highly debatable constitutionality of a domestic ban on un-escrowed cryptography, see Froomkin, 143 U Penn L Rev at 810-43 (cited in note ). Back to text at note 209

210. The Report was attacked in surprisingly gentle terms by both partisans of escrow and partisans of complete decontrol. Compare note 135 and accompanying text with note 136 and accompanying text. Back to text at note 210

211. 47 USC Sec. 1001 et seq (1994). See 140 Cong Rec S14666 (Oct 7, 1994) (reporting the Senate's passage of the bill by voice vote); 140 Cong Rec H10917 (Oct 5, 1994) (reporting the House's passage of the bill by two- thirds vote). Back to text at note 211

212. CRISIS Report (cited in note ). Back to text at note 212

213. Indeed, I cannot resist noting that I strongly disagree with Recommendation 5.4: "Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime." CRISIS Report at 8-31 (cited in note ). Recommendation 5.4 is notably more tentative than any other in the Report, and deservedly so. The goal of discouraging the use of cryptography for illegitimate purposes is laudable, but the proposed statute is a bad idea, badly thought out. There is no evidence that such a statute would deter the use of cryptography in a world in which cryptography is seamlessly included in most e-mail and telecommunications. While it is unclear what the effects of such a statute would be once cryptographic tools become ubiquitous and invisible, the odds are that every federal crime involving a communication would also violate the statute. The two federal crimes would then be predicate RICO offenses, and so on . . . . Back to text at note 213

214. See Administration Statement on Commercial Encryption Policy, available online at http://csrc.ncsl.nist.gov/keyescrow/admin.txt (July 12, 1996). Back to text at note 214

215. On the "subtle but nonetheless significant" effects of this change see Stewart A. Baker & Peter Lichtenbaum, Cutting the Red Tape on Encryption, The Journal of Commerce, Sept. 27, 1996 at P. 9A. For a description of the mechanics of the administration of the two lists, see Ira S. Rubinstein, Export Controls on Encryption Software, in Coping with U.S. Export Controls 1994, at P. 401 (PLI Com. Law & Practice Course Handbook Series No. A-705, 1994). Back to text at note 215

216. White House, Office of the Vice-President, Statement of the Vice President, Oct. 1, 1996, available on line at http://www.cdt.org/crypto/clipper311/ 961001_Gore_stmnt.html. Back to text at note 216

217. Id. Back to text at note 217

218. See text accompanying notes 173 and 206 above. Back to text at note 218

219. See note 21. Back to text at note 219

220. See note 20. Back to text at note 220

221. A would-be exporter denied permission to export a DES-based product would seem to have a fairly strong case that the refusal to grant a licence under the EAA was arbitrary and capricious, and contrary to law. Unfortunately for the would-be exporter, decisions under the EAA are not subject to judicial review under the APA. See EAA, 50 U.S.C. App Sec. 2412(a) (1988 & Supp V 1993). Back to text at note 221

222. Cf. Industrial Union Dept. v. American Petroleum Inst., 448 U.S. 607, 644 (1980) (refusing to find that Congress delegated "unprecedented power over American industry" in the absence of a "clear mandate" in OSHA statute). Back to text at note 222

223. Continuation of Export Control Regulations, Exec. Order No. 12,924, 59 Fed Reg 43,437 (1994). Cf. Continuation of Emergency Regarding Export Control Regulations, 61 Fed Reg 42,527 (August 15, 1996). Back to text at note 223

224. 50 U.S.C. Sec. 1702. Back to text at note 224

225. IEEPA, Sec. 202(a), 50 U.S.C. Sec. 1701. Back to text at note 225

226. 61 Fed Reg 42527 . Back to text at note 226

227. The predecessor version of the EAA expired in September 1990, and was continued in effect by President Bush, see Exec. Order No. 12,730 (1990), 55 Fed Reg 40373 (Sept. 30, 1990). Similarly, President Reagan kept the CCL regulations in force for more than a year, from Executive Order No. 12470 (March 30, 1984), cite, unt il the repassage of the EAA in Pub. Law 99-64 (July 12, 1985). See Executive Order 12,525, 50 Fed Reg 28757 (July 12, 1985). Ex. Ord. No. 12444, Oct. 14, 1983, 48 F.R. 48215, which had provided for the continued effectiveness of the Export Administration Act of 1979 was revoked by Ex. Ord. No. 12451, Dec. 20, 1983, 48 Fed Reg 56563. Back to text at note 227

228. See, e.g., Harold Hongju Koh, The National Security Constitution 197 (1990). Back to text at note 228

229. See text at note 215. Back to text at note 229

230. See John Ellicott, et al, Judicial Review Under Export Laws in Coping with U.S. Export Controls 1994 at P. 353, 371 (Evan R. Berlack & Cecil Hunt, eds. 1994) (PLI Commercial Law and Practice Series A- 705). Back to text at note 230

231. See id. at 362-67; Bozarov v. United States, 974 F.2d 1037 (9th Cir. 1992), cert. den. 507 U.S. 917 (1993); Dart v. United States, 848 F.2d 217 (D.C. Cir. 1998). Back to text at note 231

232. 50 U.S.C. Sec. 1702(b). Back to text at note 232

233. Codified at 50 U.S.C. App. Sec. 2404. Back to text at note 233

234. Codified at 50 U.S.C. App Sec. 2406. Back to text at note 234

235. 50 U.S.C. Sec. 1702(b)(3). Back to text at note 235

236. As it happens, the most recent amendment of 50 U.S.C. Sec. 1702(b)(3) was April 30, 1994. See Pub. L. 03-226, Title V, Part A, Sec. 525(c)(1), 108 Stat. 474. Back to text at note 236

237. See Jeanelle R. Robson, Note, "Lazarus Come Forth. And He that Was Dead Came Forth." An Examination of the Lazarus Rule: Fischer v. City of Grand Island, 26 Creighton L. Rev. 221 (1992). Back to text at note 237

238. See, e.g. Kendall v. United States, 37 U.S. (12 Pet.) 524, 624-25 (1838). See also Robson, cited in note 236, at 228-29 (collecting authorities). Back to text at note 238

239. Kendall v. United States, 37 U.S. (12 Pet.) 524, 624 (1838). Back to text at note 239

240. See generally Robson, cited in note 236 (arguing that legislative intent should usually control). Back to text at note 240

241. Whether a program is "information or informational materials" as opposed to a mere device is debated. One court has held that cryptographic source code is speech, see Bernstein v. United States, 922 F. Supp. 1426 (N.D. Cal. 1996). But see, Karn v. United States, 925 F. Supp. 1 (D.D.C. 1996). The Karn decision is currently under appeal to the D.C. Circuit. Back to text at note 241