FOIA Results For Clipper Chip Development from the NSA
by John Gilmore
Here are some FOIA results from J. Gilmore on Clipper for anyone who missed
them. Expect to see many more Clipper revelations over the future.
If anyone has other FOIA responses this is an excellent forum to post them.
please do so!
Other FOIA requests by CPSR confirmed that NSA dominated the DSS (digital
signature standard) process in spite of congressional intent. They also show
how NSA classified major aspects of their proposals only cleared to `high
level officials'. (This is paralleled in the FOIA documents below.) For
someone who isn't even allowed to be there, NSA has an extremely coercive and
manipulative approach (to say the least) in skewing what is supposed to be
an open and impartial process of selection.
The major revelations in these documents: at one point the terminology
`required' is noted, suggesting a mandatory encryption scheme was conceived
from the start (although some question the Defense Department involvement).
Interestingly, it is absent in the memorandum passed lower in the chain of
command. Why was it removed?
Also, NSA is hiding various `classified' reasons for use of Clipper, and
is *not* commenting on their ability to read it routinely. This is extremely
ominous, because they don't even attempt to make any vague promises like
`NSA has no advantage over other listeners in decrypting Clipper by its
design.' That is, they do *not* rule out a designed-in weakness.
First is a bit of J. Gilmore's commentary followed by the actual FOIA
documents. The first message came via Bernard Galler via Dave Farber. The
second was posted to the cypherpunks mailing list by Gilmore.
I'm esp. interested in Gilmore's attempt to get the supposed Presidential
Directives that endorsed Clipper, because (1) Clipper was definitely developed
by the initiative of NSA (not any president) in defiance of laws restricting
their domestic role, (2) this happened starting with the Bush administration
despite the Clipper announcement, (3) I would be rather surprised if any
such `directives' actually exist. (Visions of some desperate NSA bureacrat
trying to figure out how to pre-date a freshly cooked document and get Clinton
to sign it.) Either that, or we will have some vague echoes from people
who claim not to be associated with NSA "But..." think it is irrelevant
whether the President *requested* it, the only relevance is that the
president *endorses* it, and any initial directives are implicit. Well,
perhaps so, but then the Clipper announcement (and these memorandums)
is an *admitted* lie.
If anyone has questions, please feel free to email.
---
The FOIA suits that Lee Tien and I filed re Clipper are starting to bear
fruit. Lee, thanks for forwarding this material.
The 20? Apr 1993 memorandum for the acting asst secry defense says,
paragraph 2, "The law enforcement and national security communities
... propose that cryptography be made available AND REQUIRED which
contains a ``trapdoor'' that would allow law enforcement and national
security officials, under proper supervision, to decrypt enciphered
communications." (emphasis mine)
Also note that it says, bottom of 2nd page, "The President has also
directed that the fact that law enforcement officials will have access
to the keys will not be concealed from the public. National security
officials are not mentioned."
Other documents from NIST reveal:
Can NSA read mesasge encrypted with this device?
It is not our policy to comment on our analytic capability.
Will NSA have access to the keys?
NSA could seek access to the keys only if it can satisfy the
key holders that it needs access to carry out its foreign
intelligence mission and that the surveillance is lawful and
authorized. Because NSA's mission is limited to the
collection of foreign intelligence, we believe the
likelihood NSA will seek access to escrowed key [sic] is remote.
In short, NSA will not say whether they can read encrypted data,
but it is unlikely that they will try to get acces to escrowed keys
to do so.
Also:
Functions specified by NSA; logic designed by
MYKOTRONX; chip fabricated by VLSI, Inc.: manufactured
chip programmed (made unique) by MYKOTRONX to security
equipment manufacturers willing to follow proper
security procedures for handling and storage of the
programmed chip; equipment sold to customers;
This confirms a suspicion Whit Diffie had, based on the CCEP, that not
everyone will be able to get the chips, only companies that agree to
(secret) conditions on how they use them.
Lee,
Please scan in the documents from the office of the asst secretary of
defense, into ASCII.
Please also appeal their denial of portions of the documents. Also
indicate that not all responsive documents may not have been provided,
since the released documents refer to others under the control of the
office of the asst. secry. of defense (e.g. in the May 3 "Executive
Summary", paragraph 1: "In response to DEPSECDEF's tasking of 21 Apr
93 (TAB A) information is provided." We don't have a copy of the
tasking in TAB A.
Also, a memo from Daniel J. Ryan contains "Comments on PRD-27/NSA
Draft", and refers to "your proposed memorandum to Jim Lweis,
Department of State". We do not have either that draft or the
proposed memorandum.
The Dan Ryan and Ray Pollari memos say, "The President has also directed
that the fact that law enforcement officials will have access to the keys
will not be concealed from the public." We do not have a copy of this
directive from the President.
The justification for appealing the denied material is that, as the
released documents themselves indicate, "A full-scale public debate is
needed to ascertain the wishes of U.S. citizens with regard to their
privacy and the impact on public safety of preserving privacy at the
expense of wiretapping and communications intercept capabilities of
law enforcement and national security personnel. It is not clear what
the public will decide." We obviously cannot have a full-scale debate
without a full public airing of all parties' concerns. For example,
the denied paragraph in Ray Pollari's memo is immediately followed by
"Despite these concerns, ...". The public interest in knowing all
sides of the issue, as the citizenry makes a decision that will have a
long-lasting impact on personal privacy, national security, and
orderly enforcement of laws, overrides the government's desire to keep
its concerns secret from the public. Documents classified under Cold
War secrecy laws should not hide the government's legitimate national
security concerns from this public decision-making process, when the
issues being decided are of this magnitude.
The copies that I got of this material have off-center xeroxing that
is missing words in the right hand margin of the page mentioned above,
and in the left margin of the last page (signed by Ray Pollari). If
this is just a defect in your xeroxing them for me, please send me
better ones; if it's in the originals you have, please ask them in the
appeal to provide better originals.
John
---
Lee Tien and I have submitted a pile of FOIA requests about Clipper.
Here is scanned-in text from some of the more interesting results,
courtesy of Lee. Search for "required", for a mention of the proposal
to require the use of Clipper. Also note that the role of the
"national security community" has been deliberately withheld from the
public statements (search for "mentioned").
Most agencies have not yet responded with documents. FBI is claiming
it will take them a year, and we are preparing to file suit to force
them to do it within 10 days like the law requires. (Our NSA suit over
the same thing, is continuing through the gears of the court process.)
John Gilmore
[This page originally XXXXXXXXXXXXXXX TOP SECRET; now UNCLASSIFIED]
OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
WASHINGTON, DC 20301-3040
COMMAND CONTROL COMMUNICATIONS AND INTELLIGENCE
MEMORANDUM FOR MS. JOANN H. GRUBE, NSA REPRESENTATIVE/NSC PRD-27 EXPORT CONTROL
WORKING GROUP
SUBJECT: Comments on PRD-27/NSA Draft (U)
(U) Following are comments concerning your proposed memorandum to Jim Lewis, Department of State:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXX blacked out via FOIA (b)(1) exemption. XXXXXXXXXXXXXXXXXXX
(U) The assertions in this draft are merely unsupported
statements. Recommend that the memorandum provide more
empirical evidence to back up its assertions, and that the above
comments be reflected in its contents.
(signed)
Daniel J. Ryan
Director, Information Systems Security
CLASSIFIED BY: OASD(C3I)/DIR, ISS
DECLASSIFY ON: OADR
[This page originally XXXXXXXX SECRET; now UNCLASSIFIED]
OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
WASHINGTON DC 20301-3040
COMMAND, CONTROL, COMMUNICATIONS AND INTELLIGENCE
30 APR 1993 (stamped)
MEMORANDUM FOR THE ACTING ASSISTANT SECRETARY OF DEFENSE (C3I)
Subject: PRD/NSC-27 Advanced Telecommunications and Encryption (U)
(U) Advances in telecommunications have created the
opportunity for public use of encryption to ensure the privacy and
integrity of business and personal communications. These same
advances threaten the capabilities of law enforcement and national
security operations that intercept the communications of
narcotraffickers, organized criminals, terrorists, espionage agents
of foreign powers and SIGINT targets. Diverse interests are in
diametric opposition with regard to industry's right to sell and the
public's right to use such capabilities. A highly-emotional, spirited
public debate is likely.
(U) In its simplest construct, this complex set of issues places
the public's right to privacy in opposition to the public's desire for
safety. The law enforcement and national security communities
argue that if the public's right to privacy prevails and free use of
cryptography is allowed, criminals and spies will avoid wiretaps
and other intercepts and consequently prosper. They propose that
cryptography be made available and required which contains a
"trapdoor" that would allow law enforcement and national security
officials, under proper supervision, to decrypt enciphered
communications. Such cryptography exists, and while there are
many practical problems to be solved, this proposal is technically
possible to achieve.
(U) Opponents of the proposal argue that the public has a right
to and an expectation of privacy, that a trapdoor system would be
prone to misuse and abuse, and that the proposed solution would
not work in any practical sense. They assert that people who are
deliberately breaking much more serious laws would not hesitate to
use cryptography that does not have a trapdoor, and that secure
cryptography will inevitably be supplied by offshore companies.
Thus, freedom will be lost and many tax dollars spent to no effect.
(U) This situation is complicated by the existence of other
interests. For example, there currently exist strict controls on the
export of cryptography. The computer industry points out that it
has one of the few remaining positive trade balances and that it is
vital that the dominance of the American computer industry in
world markets be preserved. The industry fears that this will be
lost if offshore developers incorporate high-quality cryptography
into their products while U.S. industry either cannot do so or
suffers higher costs or delays due to requirements for export
licenses. The industry argues persuasively that overseas markets
(much less drug lords or spies) will not look with favor on U.S.
products which have known trapdoors when offshore products
which do not have them are available. In support of their
argument, they note that powerful public-key cryptography
developed and patented by RSA using U.S. tax dollars is free to
developers in Europe, subject to royalties in the United States, and
cannot be exported without expensive and time-late export
licenses. These charges are true.
(U) The national security community is especially interested in
preventing the spread of high-quality encipherment routines
overseas, and argues that more extensive use here at home will
inevitably result in such a proliferation. Actually, it is too late.
The Data Encryption Standard (DES) is already widely available
throughout the world in both hardware and software forms, and
DES software can be downloaded anywhere in the world from
public bulletin boards by anyone with a PC, a MODEM and a
telephone. In one recent experiment it took three minutes and
fourteen seconds to locate a source-code version of DES on the
INTERNET. Widespread availability of DES and RSA will enable
offshore developers to provide high-quality encipherment for voice
and data communications in competition with U.S. industry's
products.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXX blacked out via FOIA exemption (b)(1) XXXXXXXXXXX
(U) Despite these concerns, the President has directed that the
Attorney General request that manufacturers of communications
hardware use the trapdoor chip, and at least AT&T has been
reported willing to do so (having been suitably incentivised by
promises of Government purchases). The Attorney General has
also been directed to create a system for escrow of key material.
The Secretary of Commerce has been directed to produce standards
based on the use of the trapdoor chip.
(U) The President has also directed that the fact that law
enforcement officials will have access to the keys will not be
concealed from the public. National security officials are not
mentioned.
(U) The new administration is committed to the development of
an information superhighway and a National Information
Infrastructure in support of the economy. This worthy goal is
independent of arguments as to whether or not law enforcement
and national security officials will be able to read at will traffic
passing along the information superhighway. A full-scale public
debate is needed to ascertain the wishes of U.S. citizens with
regard to their privacy, and the impact on public safety of
preserving privacy at the expense of wiretapping and
communications intercept capabilities of law enforcement and
national security personnel. It is not clear what the public will
decide. In the meantime, DoD has trapdoor technology and the
Government is proceeding with development of the processes
needed to apply that technology in order to maintain the capability
to perform licit intercept of communications in support of law
enforcement and national security.
(signed)
Ray Pollari
Acting DASD (CI & SCM)
[This page originally SECRET; now UNCLASSIFIED]
ASSISTANT SECRETARY OF DEFENSE
WASHINGTON DC 20301-3040
May 3, 1993
COMMAND, CONTROL, COMMUNICATIONS AND INTELLIGENCE
EXECUTIVE SUMMARY
MEMORANDUM FOR DEPUTY SECRETARY OF DEFENSE
FROM: CHARLES A. HAWKINS, JR., ACTING ASD(C3I) (initialed C. Hxxx)
SUBJECT: Advanced Telecommunications and Encryption (U)
PURPOSE: INFORMATION
DISCUSSION:
(U) In response to DEPSECDEF's tasking of
21 Apr 93 (TAB A) this information is provided. Advances in
telecommunications have created the opportunity for public use of
encryption to ensure the privacy and integrity of business and
personal communications. These same advances threaten the
capabilities of law enforcement and national security operations that
intercept the communications of narcotraffickers, organized
criminals, terrorists, espionage agents of foreign powers and a broad
range of SIGINT targets. Diverse interests are in diametric
opposition with regard to industry's right to sell and the public's right
to use such capabilities. A highly-emotional, spirited public debate
is likely.
(U) The law enforcement and national security communities
argue that if the public's right to privacy prevails and free use of
cryptography is allowed, criminals and spies will avoid wiretaps and
other intercepts. They propose that cryptography be made available
to the public which contains a "trapdoor" that would allow law
enforcement and national security officials, under proper
supervision, to decrypt enciphered communications. Such
cryptography exists, and while there are many practical problems to
be solved, this proposal is technically possible to implement.
(U) Opponents of the proposal argue that the public has a
right to and expectation of privacy, that such a system would be
prone to misuse and abuse, and that the proposed solution would not
work in any practical sense. They assert that criminals and spies will
not hesitate to use secure cryptography supplied by offshore
companies. Thus, the loss of privacy would outweigh any
advantages to law enforcement or national security.
(U) The computer industry points out that it has one of the
few remaining positive trade balances and that it is vital that the
dominance of the American computer industry in world markets be
preserved. The industry fears that this will be lost if offshore
developers incorporate high-quality cryptography into their products
while U.S. industry either cannot do so or suffers higher costs or
delays due to requirements for export licenses because of strict
controls of export of cryptography. The industry argues persuasively
that overseas markets (much less drug lords or spies) will not look
with favor on U.S. products which have known trapdoors when
offshore products which do not have them are available.
CLASSIFIED BY: DASD(CI&SCM)
DECLASSIFY ON: OADR
[This page originally XXXXXXXX SECRET; now UNCLASSIFIED]
(U) The national security community is especially interested
in preventing the spread of high-quality encipherment routines
overseas, and argues that more extensive use here at home will
inevitably result in such a proliferation. This would increase the cost
of performing the SIGINT mission or decrease the amount of
intelligence, or both. The Data Encryption Standard (DES) is
already widely available throughout the world in both hardware and
software forms, and DES software can be downloaded anywhere in
the world from public bulletin boards by anyone with a PC, a
MODEM, and a telephone. Thus far, widespread availability has not
led to widespread use. However, widespread availability of DES and
RSA will make it possible for offshore developers to provide high-
quality encipherment for voice and data communications in
competition with U.S. industry's products.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXX blacked out under FOIA exemption (b)(1) XXXXXXXXXXXXXXXXXXXXX
(U) The President has directed that the Attorney General
request that manufacturers of communications hardware use the
trapdoor chip. The Attorney General has also been directed to create
a system for escrow of key material. The Secretary of Commerce
has been directed to produce standards based on the use of the
trapdoor chip. The President has also directed that the fact that law
enforcement officials will have access to the keys will not be
concealed from the public. National security officials are not
mentioned.
(U) The new administration is committed to the development
of an information superhighway and a National Information
Infrastructure in support of the economy. This worthy goal is
independent of arguments as to whether or not law enforcement and
national security officials will be able to read at will traffic passing
along the information superhighway. A full-scale public debate is
beginning which will ascertain the wishes of U.S. citizens with
regard to their privacy and the impact on public safety of preserving
privacy at the expense of wiretapping and communications intercept
capabilities of law enforcement and national security personnel. It is
not clear what the public will decide. In the meantime, DoD has
trapdoor technology and the Government is proceeding with
development of the processes needed to apply that technology in
order to maintain the capability to perform licit intercept of
communications in support of law enforcement and national security.
Prepared by: Dan Ryan/ODASD(CI & SCM)/x 41779/28 Apr 93/OSD
|
