[This Voorhees Report is redistributed with permission. Please do not cut off copyright and contact info at the end.]

WHY CARE ABOUT CLIPPER

Civil Liberties Aside, The Govt's Coding System Will Be Bad For Business, Electronic Commerce

You're not a card-carrying member of the ACLU and don't wake up in cold sweats with visions of the surveillance state dancing in your head. You think the U.S. government should fight narco-terrorism and all other evils with vigor. You believe in law and order, police powers, and the constitutionality of wiretaps. You are, in other words, a likely supporter of the controversial Clipper chip, the new government encryption technology.

Don't buy it for a second. Clipper is bad for business.

The most spirited opposition is coming from civil liberties and privacy advocates and the computer elite in the Silicon Valley and along Route 128. But the biggest losers will be any business that cares about electronic commerce, automation, and re-engineering.

Say what? What do secret codes have to do with the world of business?

Everything. The paperless office will never come to pass without an ironclad way of knowing that electronic documents are authentic. The best way to guarantee authenticity is cryptography. And the type of cryptography that the U.S. government wants business to use is Capstone, the spiritual ancestor of Clipper.

But any business that looks seriously at Clipper and Capstone will be reluctant to use them. The National Security Agency, the cloak-and-dagger government force behind Clipper, is no friend of the privacy and sanctity of business communications.

The Computer Security Act of 1987 was passed to clip the wings of NSA on domestic matters. Congress had found evidence that NSA and other surveillance agencies wanted to turn their attention to domestic activities, including monitoring usage of on-line data bases.
The NSA and others tried to "restrict or monitor the use of unclassified, private sector computerized data bases such as LEXIS and NEXIS," says the congressional report that accompanies the 1987 law.

Even if the U.S. government won't pry into your secret communications, it's hard to have the same confidence in the habits of foreign governments, which will also likely have the Clipper and Capstone keys to unlock private communications.

Of course, Clipper is a voluntary standard for use within the government. Businesses are free to pick a competing technology, like RSA, for example. But it is nearly always preferable to have a single standard when contracts, bills, and large sums of money are at stake. And the U.S. government is doing everything in its powers to make sure that standard will be Clipper and Capstone.

LAY OF THE LAND

Clipper is simply a chip that the government wants to put in computers, telephones, and fax machines. It will enable users to encrypt conversations or data messages. With the issuance of a court order, it will also allow the government to decode those conversations and messages. Without Clipper, the government argues, it will be unable to tap into the conversations of mobsters and terrorists using digital communications.

Clipper does not enhance government's ability to eavesdrop but simply allows it to do what it has always done, say supporters. That response is technically correct. However, as e-mail and video conferencing replace postal mail and face-to-face encounters, the pie of potential communications subject to intrusion grows larger. Further, Clipper allows government officials to monitor communications traffic, which does not require court authority, more effectively.

From the perspective of business, the most important fact about Clipper is that it is just an interim, half-way step on the way to Capstone. In addition to the capabilities of Clipper, Capstone will also have digital signature and time-stamping functions.
There is also a so-called key-exchange protocol, which gives users the confidence that their cryptographic tools are not vulnerable to tampering. Even better, Capstone will be built on a PCMCIA card that can slip in and out of computers with ease. It is user-friendly cryptography you can put in your pocket and travel with.

These are the precise needs of the business community, forgetting for a moment that no legitimate business needs to be subject to eavesdropping. Businesses want to know an electronically delivered contract or bill, for example, is authentic. That is where digital signatures come in. They need to know that their method of scrambling and unscrambling is tamper-proof, which is what key exchange does. Finally, they want simplicity, such as the PCMCIA card.

The debate over Clipper has largely obscured the grand scheme of government policy. And that is to blanket not just the country but the world with cryptography that the government can live with, regardless of business needs. Clipper has narrowed the focus to a law-and-order-versus-civil-liberties gaze. But that was largely unintentional.

Clipper would have never existed except that AT&T developed a telephone that would allow users to scramble conversations in 1992. The government was unlikely to let AT&T export this industrial-strength product. AT&T did not want to use Capstone technology, which was then under development. Clipper, a dumbed-down version of Capstone, was the solution.

GOING GLOBAL

The Computer Security Act of 1987 gave authority to the National Institute of Standards and Technology to develop cryptographic standards. Congress deliberately stripped that power from NSA and gave it to a civilian agency. The law was passed in response to an order signed by then President Reagan in 1984 giving the Department of Defense and NSA responsibility for setting cryptographic standards in the civilian sectors of government and the private sector.
Under the color of that authority, NSA began to approach private companies such as Mead Data Central about voluntarily providing information on usage of its Lexis and Nexis data bases. Private industry rose in arms. Even such establishment stalwarts as Aetna Life and Casualty Company recognized the danger and opposed the initiative.

"The challenge facing our government and our people is to strike a balance between the need to protect national security and the need to pursue the promise that the intellectual genius of America offers us," says the report accompanying the 1987 law.

Because of the NSA's long history in cryptography, Congress gave it an advisory role to NIST in the development of standards. The Capstone and Clipper projects, however, are NSA creations issued under the name of NIST. This is a Cold War era hook wrapped in civilian bait.

Given the history of the NSA, its involvement in Clipper and Capstone should worry any business. NSA, for example, is now going around to foreign countries promoting these cryptographic standards. It is trying to export cryptography in which government holds a locker key to the rest of the world.

Even assuming that the U.S. government will not abuse its authority, it defies common sense and history to believe that foreign nations won't engage in industrial espionage against U.S. companies through the backdoor of Clipper and Capstone.

U.S. companies would be crazy to consider Clipper. It's a madcap affair.

-- March 25, 1994

| Mark Voorhees | voorhees reports | | 411 first street | 636-8931 MCI Mail | brooklyn, ny 11215-2507 | | 1-718-369-0906 (voice) | markvoor@phantom.com | 1-718-369-3250 (fax)

Copyright 1994 Mark Voorhees