THE METAPHOR IS THE KEY: CRYPTOGRAPHY,
THE CLIPPER CHIP, AND THE CONSTITUTION

A. Michael Froomkin

Notes for Part II, Sections C, D, and E

347. See, e.g., Corn Exch. Bank v. Coler, 280 U.S. 218, 223 (1930) (allowing seizure of absconding husband's property without prior notice); Henry P. Monaghan, Our Perfect Constitution, 56 N.Y.U. L. Rev. 353, 396 (1981) (arguing that, contrary to arguments of "due substance" theorists, the Constitution does not protect some external concept of morality and does not guarantee perfect government). Back to text

348. The legal issues raised by publication of FIPS 185 are discussed above, see supra parts II.A.1-3, and will not be repeated here. Back to text

349. See FIPS 185, supra note 14, at 6004 ("The National Security Agency maintains these classified specifications and approves the manufacture of devices which implement the specifications."). Back to text

350. The only members of the public who have had access to the inner workings of SKIPJACK are a committee of five outside experts who were asked to examine SKIPJACK so that they could opine on its security. See SKIPJACK Interim Report, supra note 187. Back to text

351. See, e.g., Greene v. McElroy, 360 U.S. 474, 508 (1959) (holding that absent explicit authorization from either the President or Congress, an executive agency may not create a security program that deprives a civilian of employment without an opportunity to challenge an adverse determination of security clearance); Adams v. Laird, 420 F.2d 230, 235, 238-39 (D.C. Cir. 1969) (finding no due process violation when an applicant for security clearance is afforded a noncustodial interview and is able to cross-examine witnesses supplying adverse testimony, and when the agency follows clearly enunciated standards and makes adequate findings with respect to such standards), cert. denied, 397 U.S. 1039 (1970). Back to text

352. See, e.g., 18 U.S.C. § 793 (1988) (criminalizing the unauthorized disclosure of cryptographic information). Back to text

353. See, e.g., Reeves, Inc. v. Stake, 447 U.S. 429, 439 n.12 (1980) (describing the government's "`unrestricted power . . . to fix the terms and conditions upon which it will make needed purchases'" (quoting Perkins v. Lukens Steel Co., 310 U.S. 113, 127 (1940))). Back to text

354. Congress thus far has made no such choice in this case. Congress has given the Attorney General discretion to spend monies in the Asset Forfeiture Super Surplus Fund. See supra note 244 and accompanying text (describing the Fund). Conceivably, a court might imply a limit to this delegation and might find that the attempt to determine industrial policy in its use of the Fund exceeded the implicit limit. Because there appears to be no one with standing to sue, this must remain speculation. Back to text

355. See Meese v. Keene, 481 U.S. 465, 479-80 (1987) (holding that government labeling of environmental films as "political propaganda" is permissible government speech); Thomas I. Emerson, The System of Freedom of Expression 699-708 (1970) (stating that government has the same freedom of speech as individuals); [**PAGE 795**] Mark G. Yudof, When Government Speaks: Politics, Law, and Government Expression in America 301 (1983) (stating that courts "create more problems than they solve" when they attempt to limit government expression); Steven Shiffrin, Government Speech, 27 UCLA L. Rev. 565, 622 (1980) (encouraging application of a balancing test when analyzing government subsidies such as election funding and free speech); Mark G. Yudof, When Governments Speak: Toward a Theory of Government Expression and the First Amendment, 57 Tex. L. Rev. 863, 917 (1979) (arguing for legislative rather than judicial control of government speech); cf. Beth Orsoff, Note, Government Speech as Government Censorship, 67 S. Cal. L. Rev. 229, 234 (1993) ("[A]ll government criticism carries with it an implied threat. Thus, the test should be whether the average reasonable person receiving the government criticism would perceive it as a threat, not whether the government official can legitimately execute the threat."). By this standard, cheerleading for Clipper seems to be permissible, although I have qualms about speaking for "the average reasonable person." If, however, the government pressured AT&T into abandoning its plans to manufacture a DES-based secure telephone and to substitute a Clipper telephone instead, then the cheerleading stepped over the line to impermissible coercion. Back to text

356. See, e.g., 15 U.S.C. § 272(c)(22) (1988) (catchall provision for authorized NIST activities). Back to text

357. See FIPS 185, supra note 14, at 6000. Back to text

358. The Justice Department has available the Asset Super Surplus Forfeiture Fund. See supra note 244 and accompanying text (describing the Fund). NIST has a cost recovery fund and a working capital fund. See 15 U.S.C. § 278b (1988). Back to text

359. See supra text accompanying note 165 (discussing the prohibition of the export of cryptographic software and hardware). Back to text

360. Preencrypting a message with an ordinary, non-escrowed cipher, then feeding the result to an EES-compliant device, lets the user make the traffic appear to comply with EES while in fact partially subverting it. A casual inspection of the message will reveal a valid LEAF, and decrypting the LEAF with the family key will reveal a valid chip serial number. Decrypting the message with the session key obtained from the escrow agents, however, will reveal nothing more than a second ciphertext. Eavesdroppers remain able to do traffic analysis by logging the serial numbers of chips as they communicate, but they cannot hear or read the message [**PAGE 796**] without cracking the additional cipher.

FIPS 185 prohibits postencryption of an EES message. Because FIPS 185 is only a nonbinding standard, it remains legal to postencrypt the output of a Clipper or Capstone chip, making the LEAF unintelligible even to a public servant armed with the family key. Although legal, it is also fairly pointless: if you are going to run another cipher on top of Clipper/Capstone, why bother using the latter at all? Moreover, a compliant device verifies the LEAF before it will decrypt, and a LEAF that has itself been encrypted under a key the device does not hold will not verify; an EES-compliant receiver will therefore refuse to decrypt a postencrypted message, which makes postencryption of limited utility. Back to text

361. See supra text following note 139; supra text accompanying note 152. Back to text

362. See supra text accompanying note 141. Back to text

363. See supra text accompanying notes 242, 246. Back to text

364. Although forceful, this argument ignores the difference between illicit government surveillance that requires an intrusion into the home or office, and illicit surveillance that does not. If the White House "plumbers" who committed the Watergate burglary had been able to wiretap the Democratic National Committee from the outside, there would never have been a "third-rate burglary" detected by an alert security guard, and President Nixon would have completed his second term. Back to text

365. See supra text accompanying note 143. Back to text

366. "You shouldn't over estimate the I.Q. of crooks." Stewart A. Baker, Data Encryption: Who Holds the Keys?, Address Before the Fourth Conference on Computers, Freedom and Privacy 8 (Mar. 24, 1994) (transcript on file with author) [hereinafter Baker Talk]. Indeed, criminals often use ordinary telephones, which can be wiretapped. Back to text

367. As Stewart Baker, then the General Counsel of the National Security Agency, put it:

The concern is not so much what happens today when people go in and buy voice scramblers; it is the prospect that in five years or eight years or ten years every phone you buy that costs $75 or more will have an encrypt button on it that will interoperate with every other phone in the country and suddenly we will discover that our entire communications network, sophisticated as it is, is being used in ways that are profoundly anti-social. That's the real concern, I think, that Clipper addresses. If we are going to have a standardized form of encryption that is going to change the world we should think seriously about what we are going to do when it is misused.
Id. at 9. Back to text

368. See Denning, supra note 206, at 322. Back to text

369. See supra note 73 and accompanying text (describing how to get military-grade cryptography on the Internet). Back to text

370. A program called AquaFone (so named because the imperfect voice quality makes it sound as if the user is speaking under water) is now available from Cogon Electronics of Culpeper, Virginia. The program uses RSA encryption under license from RSA Data Security, Inc., and sells for $129. The hardware requirements are minimal, as the two parties to the conversation need only a personal computer, a sound card, and a modem. The company markets a demonstration disk via its 800 number.

Phil Zimmermann, the creator of the popular shareware encryption program PGP, and a development team are currently working on a voice version of the PGP encryption program, nicknamed "Voice-PGP." The program will be released early in 1995, although the actual name has not yet been selected. See Telephone Interview with Philip Zimmermann (Dec. 6, 1994) (notes on file with author). Back to text

371. The classic line, now almost a battle cry, is John Barlow's proclamation, "[Y]ou won't pry my fingers from its private key until you pull it from my cold dead hands." Steven Levy, Crypto Rebels (June 1994), available online URL http://wwn.cggnus.com/~gnu/crypto.rebels. html. Back to text

372. The Vigenère cipher, which was well-known by the 17th century, was still considered unbreakable at the time of the American Revolution. See Kahn, supra [**PAGE 799**] note 6, at 214-21. Indeed, Scientific American wrongly described the cipher as uncrackable as late as 1917. See id. at 148. For a fascinating discussion of Thomas Jefferson's creation of a cryptosystem still good enough to be used by the U.S. Navy in 1967, see id. at 192-95. Back to text

373. See Nelson, supra note 138, at 1139-42 (describing preliminary draft of digital telephony legislation, requiring the alteration of electronic communications equipment to enable the government to maintain its current wiretapping capabilities). Back to text

374. The individual's right to remain silent harms the prosecution; England recently abridged the right for that reason. See Criminal Justice and Public Order Act, 1994, ch. 33, §§ 34-37 (Eng.) (providing that courts may draw adverse inferences from the silence of suspects). As a result of this legislation, the warning to be given to suspects upon arrest has been tentatively redrafted to read:

You do not have to say anything. But if you do not mention now something which you later use in your defence the court may decide that your failure to mention it now strengthens the case against you. A record will be made of anything you say and it may be given in evidence if you are brought to trial.
Jason Bennetto, New Police Caution Alarms Legal Experts, Independent (London), Aug. 20, 1994, at 4 (quoting the draft text of the revised caution to suspects). Whether this change will ever take effect--or survive judicial review if it does--is open to question because the European Court of Human Rights recently ruled that the right to remain silent is guaranteed under the European Convention on Human Rights (formally titled the Convention for the Protection of Human Rights and Fundamental Freedoms), Nov. 4, 1950, art. 6(1), 213 U.N.T.S. 221. See Funke v. France, 256 Eur. Ct. H.R. (ser. A) at 8 (1993) (holding that Article 6(1) of the European Convention on Human Rights guarantees the right against self-incrimination); Ying H. Tan, Use of DTI Interviews Unfair, Independent (London), Sept. 30, 1994, at 30 (reporting the decision of the European Commission of Human Rights in Saunders v. United Kingdom). Back to text

375. The important difference between the 18th and 20th centuries is that rapid communication is possible over much greater distances. Back to text

376. See, e.g., PGP(TM) User's Guide, supra note 73 (maintaining that the encryption habit increases the supply of privacy, a public good, to everyone). Back to text

377. "It is very important to change keys frequently to minimize" the problem of key compromise. Schneier, supra note 12, at 27. In a software-based cryptographic system, changing the key is as easy as pressing a button. The Clinton Administration has repeatedly said that it would be pleased to consider software-based escrow systems if they could be designed in a way that prevented users from using non-escrowed keys. Back to text

378. See 18 U.S.C. § 2518(8)(d) (1988) (requiring that "[w]ithin a reasonable time but not later than ninety days after" the termination of a wiretap, the persons named in the wiretap order and "such other parties to intercepted communications as the judge may determine in his discretion that is in the interest of justice," must be given notice of the wiretap and of the fact that communications were intercepted; and providing that upon the filing of a motion, the judge has discretion to allow access to such portions of the intercepted communications for inspection as the judge believes to be warranted by the interests of justice).

There is no comparable notification duty for those wiretaps governed by the Foreign Intelligence Surveillance Act of 1978. See 50 U.S.C. §§ 1801-1811 (1988). The EES proposal requires no additional reporting to the subjects of such wiretaps. Back to text

379. In practice, replacement is likely to require getting a whole new telephone because one of the aims of the EES program is to make it difficult to obtain chips to reverse engineer. Back to text

380. Upon the expiration of the authority for a wiretap, the public servants are supposed to destroy the key information stored in the Decrypt Processor. See Denning & Smid, supra note 194, at 68. Back to text

381. Capstone is the e-mail (data) counterpart of Clipper; the Capstone chip is the cryptographic engine carried on the Tessera/Fortezza PCMCIA card. Capstone provides both encryption and digital signatures. See supra note 16. Back to text

382. See Capstone Chip Technology, supra note 16. Back to text

383. See 18 U.S.C. § 2518(8)(d). Back to text

384. See Letter from Dorothy Denning, Professor and Chair, Computer Sciences Department, Georgetown University, to Michael Froomkin 3 (Sept. 17, 1994) (stating that the Tessera/Fortezza card stores separate keys for signatures) (on file with author). Back to text

385. "[I]t must be presumed that federal officers will adhere to the law . . . ." Sanchez-Espinoza v. Reagan, 770 F.2d 202, 208 n.8 (D.C. Cir. 1985). Back to text

386. Threat analysis is a long-established intelligence approach in which one assumes the worst about everyone and attempts to measure their capabilities for harm without regard to their likely or actual motives. See, e.g., Andrew Cockburn, The Threat: Inside the Soviet Military Machine 6 (1983) (describing American threat assessment of the Soviet Union's military capabilities). Back to text

387. The Federalist No. 51, at 322 (James Madison) (Clinton Rossiter ed., 1961). Back to text

388. See Albert O. Hirschman, The Passions and the Interests: Political Arguments for Capitalism Before Its Triumph 30 (1977) (discussing Federalist No. 51, in which Madison justified the separation of powers as necessary to control the abuses of government). Back to text

389. So too, of course, is the counterbalancing impulse that government is pointless if it is not effective. See, e.g., McCulloch v. Maryland, 17 U.S. (4 Wheat.) 316, 421 (1819) (rejecting a strict construction of the Necessary and Proper Clause in favor of a construction recognizing broad discretion in the means Congress may adopt to achieve its legitimate ends). Back to text

390. Taking the keys out of escrow and using them might constitute a taking under the Fifth Amendment. In addition, if the government promises the public secure communications, and then attempts to go back on its promise, there may be grounds for arguing that the government violated the Due Process Clause of the Fifth Amendment by its bait and switch tactics. Back to text

391. "Key management is the hardest part of cryptography, and often the Achilles heel of an otherwise secure system." Schneier, supra note 12, at xvi. For examples of Cold War NSA security breaches, see Kahn, supra note 6, at 690-97. Back to text

392. See infra note 767 and accompanying text (discussing the cryptological community's mistrust of secret algorithms). Back to text

393. See Key Escrow Initiative Q&A, supra note 134, at 2-3. Back to text

394. The SKIPJACK algorithm was reviewed by a panel of five distinguished outside experts who gave it their interim seal of approval. See SKIPJACK Interim Report, supra note 187, at 1, 7. Back to text

395. See, e.g., Baker Talk, supra note 366, at 6-10 (noting that communications protected by SKIPJACK cannot be intercepted without access to the escrow keys). Back to text

396. See, e.g., Digital Privacy and Security Working Group, supra note 31, at 4. Back to text

397. See Robert García, "Garbage In, Gospel Out": Criminal Discovery, Computer Reliability, and the Constitution, 38 UCLA L. Rev. 1043, 1053 (1991) (noting that "changes in technology are likely to increase the use of electronic eavesdropping significantly"). Back to text

398. See Steven Emerson, Where Have All His Spies Gone?, N.Y. Times, Aug. 12, 1990, § 6 (Magazine), at 16, 16, 19; see also Stephen Kinzer, German Lawmakers Back Steps to End Spy Taint, N.Y. Times, Oct. 18, 1991, at A6 (stating that the Stasi had "about 85,000 agents and several million part-time informers"). Back to text

399. See Emerson, supra note 398, at 19, 30. Back to text

400. See Ferdinand Protzman, German Overhaul Is Led by Phones, N.Y. Times, Mar. 11, 1992, at D1 (reporting 1.8 million telephones in East Germany before unification--one for every 10 citizens); see also 1993 U.S. Statistical Abstract, supra note 38, at 563 (reporting 141.2 million telephone lines in the United States and an average of 9.773 billion telephone conversations per day). Back to text

401. See 1993 U.S. Statistical Abstract, supra note 38, at 563. Back to text

402. In 1993, the average cost of installing and monitoring a wiretap on a single subject (including those who may have had more than one telephone) was $57,256. See Wiretap Report, supra note 145, at 5. Back to text

403. See Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414, 108 Stat. 4279 (1994); supra note 138 and accompanying text. For a discussion of an earlier version of the Digital Telephony initiative, see Nelson, supra note 138. Back to text

404. The government has already connected the databases of the Customs Service, [**PAGE 806**] the Drug Enforcement Administration, the IRS, the Federal Reserve, and the State Department. In addition, the Counter Narcotics Center, based at CIA headquarters, "includes agents from the FBI, the DEA, the NSA, the Defense Department, the State Department, and the Coast Guard." García, supra note 397, at 1065. For an alarming account of the sweeping information compiled by the Treasury Department for its Financial Crimes Enforcement Network (FinCEN) and the few legal controls applicable, see Bercu, supra note 90. The existence of a large, and linked, database is potentially alarming because the United States has relatively few data protection statutes along the lines of the European and Canadian models. See Paul Schwartz, Data Processing and Government Administration: The Failure of the American Legal Response to the Computer, 43 Hastings L.J. 1321, 1324 (1992) (stating that from an international perspective, the American legislative response to computer processing of personal data is incomplete); see also Office of Technology Assessment, U.S. Congress, Making Government Work: Electronic Delivery of Federal Services 144 (OTA-TCT-578 1993) (warning that the "extensive use of computer matching can lead to a `virtual' national data bank, even if computer records are not centralized in one location"). Back to text

405. See John Markoff, A Spy Agency Gives Contract to Cray Computer, N.Y. Times, Aug. 18, 1994, at D3 (reporting that Colombian police were able to track down drug-cartel leader Pablo Escobar Gaviria by programming U.S.-supplied computers to monitor cell-phone frequencies for his voice). Back to text

406. See García, supra note 397, at 1056 n.39 (collecting sources that detail technological advances). Back to text

407. See Blaze, supra note 16 (manuscript at 131) (announcing the discovery of a method enabling cryptographic communication among EES processors without the transmission of a valid LEAF). Back to text

408. Spoofing has no effect on the security of the communication other than to block access by eavesdroppers armed with the family key and the chip unique key. See id. (manuscript at 138-39). Back to text

409. See id. Back to text

410. See supra note 193. Back to text

411. See Blaze, supra note 16 (manuscript at 141). Blaze cautions that the test machine was not optimized for speed. See id. (manuscript at 140). On the probabilistic nature of this trial-and-error approach, see supra text accompanying notes 123-24. Back to text
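The two behaviours described in note 360 (preencryption leaves a valid LEAF but hands the wiretapper only a second ciphertext; postencryption hides the LEAF but a compliant receiver rejects it) and the rogue-LEAF result of notes 407-411 all turn on the same mechanism: the receiving chip checks a 16-bit authenticator inside the LEAF before it will decrypt, and that is the only part of the LEAF it can check. The following Python model, added here and not taken from the article, from Blaze's paper, or from any EES device, makes that concrete. SKIPJACK and the real LEAF checksum are classified, so both are replaced by stand-ins built from HMAC-SHA256; only the public structure of the LEAF (32-bit serial, 80-bit session key under the chip's unit key, 16-bit checksum, all under the family key) is followed. The key values, the escrow database, the IV handling and the checksum construction are assumptions.

```python
"""Toy model of the EES/Clipper LEAF check.  Added example, not code from the
article, from Blaze, or from any EES chip.  Primitives are stand-ins."""
import hashlib
import hmac
import random
import struct

FAMILY_KEY = b"assumed-family-key-common-to-every-chip"   # real one: classified
ESCROW_DB = {0x0000002A: b"assumed-unit-key-of-chip-0x2A"}  # escrow agents' copy
OTHER_KEY = b"assumed-non-escrowed-key-chosen-by-user"     # user's own cipher
LEAF_LEN = 16                                              # 128-bit LEAF


def xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for SKIPJACK: XOR with an HMAC keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def checksum(session_key: bytes, iv: bytes) -> bytes:
    """16-bit escrow authenticator.  The real function is secret; assumed here."""
    return hashlib.sha256(b"leaf-auth" + session_key + iv).digest()[:2]


def build_leaf(serial: int, unit_key: bytes, session_key: bytes, iv: bytes) -> bytes:
    """LEAF = E_family(serial || E_unit(session_key) || checksum)."""
    if len(session_key) != 10:
        raise ValueError("session key must be 80 bits")
    inner = struct.pack(">I", serial) + xor_stream(unit_key, iv, session_key) \
        + checksum(session_key, iv)
    return xor_stream(FAMILY_KEY, iv, inner)


def open_leaf(leaf: bytes, iv: bytes):
    """What a holder of the family key sees: (serial, escrowed key blob, checksum)."""
    inner = xor_stream(FAMILY_KEY, iv, leaf[:LEAF_LEN])
    return struct.unpack(">I", inner[:4])[0], inner[4:14], inner[14:16]


def receiver_accepts(leaf: bytes, iv: bytes, session_key: bytes) -> bool:
    """A compliant chip only checks that the LEAF checksum matches the session key
    it already shares with the peer; it cannot verify the escrow field itself."""
    return len(leaf) == LEAF_LEN and open_leaf(leaf, iv)[2] == checksum(session_key, iv)


def wiretap(leaf: bytes, iv: bytes, ciphertext: bytes):
    """Law enforcement: family key + escrowed unit key -> session key -> plaintext."""
    serial, blob, _ = open_leaf(leaf, iv)
    if serial not in ESCROW_DB:
        return None                      # garbage or unknown serial: nothing to fetch
    session_key = xor_stream(ESCROW_DB[serial], iv, blob)
    return xor_stream(session_key, iv, ciphertext)


def ees_encrypt(serial: int, session_key: bytes, iv: bytes, plaintext: bytes):
    """Compliant send: returns (ciphertext, LEAF)."""
    return xor_stream(session_key, iv, plaintext), \
        build_leaf(serial, ESCROW_DB[serial], session_key, iv)


def preencrypt_then_ees(serial, session_key, iv, plaintext):
    """Note 360, first paragraph: LEAF valid, serial visible, but the escrowed
    key only strips the outer layer and exposes OTHER_KEY's ciphertext."""
    inner = xor_stream(OTHER_KEY, b"inner-iv", plaintext)
    ct, leaf = ees_encrypt(serial, session_key, iv, inner)
    recovered = wiretap(leaf, iv, ct)
    return {"leaf_ok": receiver_accepts(leaf, iv, session_key),
            "serial_seen": open_leaf(leaf, iv)[0],
            "wiretap_sees_plaintext": recovered == plaintext,
            "wiretap_sees_inner_ct": recovered == inner}


def ees_then_postencrypt(serial, session_key, iv, plaintext):
    """Note 360, second paragraph: wrapping (ciphertext || LEAF) in another cipher
    hides the LEAF from the family key, but a compliant receiver rejects it."""
    ct, leaf = ees_encrypt(serial, session_key, iv, plaintext)
    wire = xor_stream(OTHER_KEY, b"outer-iv", ct + leaf)
    leaf_on_wire = wire[-LEAF_LEN:]
    return {"receiver_accepts": receiver_accepts(leaf_on_wire, iv, session_key),
            "wiretap": wiretap(leaf_on_wire, iv, wire[:-LEAF_LEN])}


def forge_leaf(session_key: bytes, iv: bytes, seed: int = 1, max_tries: int = 1 << 20):
    """Rogue LEAF in the spirit of notes 407-411: try random 128-bit LEAFs until one
    passes the 16-bit check (about 2**16 tries expected).  The escrow field is
    never filled in, so the family key yields a meaningless serial and key."""
    rng = random.Random(seed)
    for tries in range(1, max_tries + 1):
        candidate = rng.getrandbits(8 * LEAF_LEN).to_bytes(LEAF_LEN, "big")
        if receiver_accepts(candidate, iv, session_key):
            return candidate, tries
    return None, max_tries


if __name__ == "__main__":
    SK, IV = b"0123456789", b"session-1-iv"         # constructed sample values
    print(preencrypt_then_ees(0x2A, SK, IV, b"attack at dawn"))
    print(ees_then_postencrypt(0x2A, SK, IV, b"attack at dawn"))
    print("forged LEAF accepted after %d tries" % forge_leaf(SK, IV)[1])
```

Two caveats on reading the output: the "receiver rejects" result for the postencrypted message is probabilistic (a random 16-bit value matches one time in 65,536, which is exactly the weakness the forgery exploits), and the number of tries `forge_leaf` reports depends on the assumed checksum and seed, not on anything measured by Blaze; his figures in note 411 are the ones that count for the real chip.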

412. See National Inst. Standards & Technology, supra note 193, at 1. Back to text

413. See Posting from David Koontz to Cypherpunks Mailing List (Aug. 25, 1994) (on file with author). Back to text

414. This monitoring capability might become particularly significant in the event that the government attempts to make key escrow mandatory. Back to text

415. See supra note 245 (noting large Defense Department orders of EES-compliant devices). Back to text

416. In a poll of one thousand Americans, two-thirds found it more important to protect the privacy of phone calls than to preserve the ability of police to conduct wiretaps. When informed about the Clipper Chip, 80% said they opposed it. See Philip Elmer-Dewitt, Who Should Keep the Keys?, Time, Mar. 14, 1994, at 90. Doubt about the Clipper has already become part of popular culture. See, e.g., D.G. Chichester et al., Tree of Knowledge: Conclusion: Softwar, Daredevil, Sept. 1994, at 1, 5 (describing Clipper Chip as a "suspicious tool"); People Are Talking About: Big Donut, Vogue, Sept. 1994, at 172, 172 (asking: "How to cope?" with the Clipper Chip). Back to text

417. See supra text accompanying note 131. Back to text

418. See infra note 791. Back to text

419. In either case, the government may choose to augment the hardware-based EES [**PAGE 809**] with a software key escrow standard. A software key escrow system seeks to achieve the same ends as the Clipper Chip without requiring that users purchase expensive and potentially inflexible hardware. Software-based systems are potentially more vulnerable to reverse engineering, thus increasing the danger that the cryptosystem might be converted to non-escrowed uses. Although adding software key escrow would increase the consumer appeal of escrowed encryption, there is a good chance that even this would not suffice to create a widely used standard. Back to text

420. Office of the Press Secretary, The White House, supra note 292, at 1. Back to text

421. Hoffman et al., supra note 26, at 112 (comparing a ban on unescrowed cryptography to the prohibition of alcohol in the 1920s). Back to text

422. See, e.g., Brock Meeks, Cyberwire Dispatch (Feb. 22, 1994), available online URL gopher://cyberwerks.com:70/00h/cyberwire/cwd/ cwd.9402.22b (describing a classified April 30, 1993 memo from the Assistant Secretary of Defense stating that law enforcement and national security agencies "propose that cryptography be made available and required which contains a `trap door' that would allow law enforcement and national security officials, under proper supervision, to decrypt enciphered communications"); John Mintz & John Schwartz, Chipping Away at Privacy?, Wash. Post, May 30, 1993, at H1 (describing the Administration's contingency plan to ban unescrowed encryption). Back to text

423. Lance J. Hoffman et al., Cryptography: Trends in Technology and Policy 8 (1993) (quoting Memorandum from John Podesta, Assistant to the President and Staff Secretary, The White House, to Jerry Berman, Digital Privacy and Security Working Group on Key Escrow Encryption Technology (July 29, 1993)). Back to text

424. Office of the Press Secretary, The White House, supra note 292, at 2. Back to text

425. See supra note 138 and accompanying text (discussing the Digital Telephony initiative). Back to text

426. Digital Privacy and Security Working Group, supra note 31, at 8. Back to text

427. Louis Freeh, Keynote Luncheon Address at the International Cryptography Institute (Sept. 23, 1994) (excerpt on file with author). Back to text

428. Id. Back to text
