
TO: Interested Parties
FROM: Center for Democracy and Technology
DATE: May 21, 1996
SUBJECT: Preliminary Analysis of "Clipper III" Encryption Proposal
The Administration's latest encryption policy proposal, already dubbed "Clipper
III," would use a new government-sanctioned certification system as
an incentive to virtually impose key escrow on domestic encryption users.
The draft proposal, "Achieving Privacy, Commerce, Security and Public
Safety in the Global Information Infrastructure," would establish a
new "public key infrastructure" for encryption. Such a public
key infrastructure would enable users of encryption to clearly identify
the people they are communicating with, and is widely viewed as an important
prerequisite for the widespread use of secure electronic communications.
However, the Clipper III proposal would establish this infrastructure at
a price: All users of the public key infrastructure would have to ensure
government access to their encryption keys through an approved key escrow
agent.
Clipper III will not meet the privacy and security needs of Internet users.
While the proposal represents real progress by the Administration in recognizing
the importance of encryption, in reality it provides few provisions to protect
individual privacy. The proposal is hardly voluntary -- it makes key escrow
a virtual precondition for participation in a secure GII. It targets domestic
users of encryption, contains few guidelines for key exchanges with foreign
governments, and encourages collection of highly sensitive private key information.
Moreover, it contains none of the standards for key holder liability, limits
on access to keys by law enforcement, or audit requirements that many have
already identified as crucial to protecting individual privacy in even a
voluntary key escrow system. For these reasons, CDT believes that the Clipper
III proposal is another step in the wrong direction for U.S. encryption
policy.
Overview of the Administration Proposal
Taking a cue from the European Commission's recent Trusted Third Party initiative,
the Clipper III proposal would develop a needed public key infrastructure,
couched in the language of privacy and security, and use it as an incentive
for development of a de facto key escrow system. The Clipper III proposal:
- Acknowledges the importance of encryption and the need for a public
key infrastructure (PKI) -- The proposal reaffirms the importance of encryption
and the emerging need for a system to certify public encryption keys. Such
a "public key infrastructure" would allow users to certify to
other users that their public keys in fact belonged to them, allowing the
keys to be used and trusted for encrypted commerce and communication. Without
such a system, "users cannot know with whom they are dealing on the
network, or sending money to, or who signed a document, or if the document
was intercepted and changed by a third party."[1]
- Establishes a complex new Key Management Infrastructure (KMI) -- The
proposal would form a new public key infrastructure to tie encryption users
to their public keys. The KMI would establish new certification authorities
that would guarantee -- and be held liable for -- the identity of a public
key. The new entities proposed under the Administration plan include:
- Certification Authorities (CAs) - to identify and issue certificates
to users;
- Escrow Authorities (EAs) - to hold private key information as required;
and
- Policy Approving Authorities (PAAs) - overarching bodies, possibly
under governmental control, responsible for certifying trusted escrow authorities.
- Requires key escrow as a condition of participation in the new public
key infrastructure -- In order to participate in the new Key Management
Infrastructure, users would be required to ensure law enforcement access
to encrypted information. "One condition of obtaining a certificate
is that sufficient information (e.g., private keys or other information
as appropriate) has been escrowed with a certified escrow authority to allow
access to a user's data or communications."[2]
The escrow agent could be the certification authority or another third party,
so long as they meet "minimum standards" including "performance
criteria to meet law enforcement's needs." Self-escrow would also be
allowed for entities that meet certain unspecified "necessary performance
requirements."
- Relaxes export controls for key escrow products as in Clipper II --
The proposal would "continue and expand" the NIST "Clipper
II" export control provisions proposed this fall, allowing 64-bit software/80-bit
bit hardware exports to any destination if keys are escrowed in the U.S.
or if the U.S. has a bilateral escrow agreement. Other exports to certain
markets would be considered, upon case-by-case review and under certain
conditions. Key length limits would presumably expand as law enforcement
confidence in the key escrow authorities grew.
Critique and Areas of Concern
Clipper III does represent a major step forward by the Administration in
acknowledging the importance of encryption and public key cryptography:
"Government can no longer monopolize state of the art cryptography.
... It is unrealistic to believe that government can produce solutions which
keep ahead of today's rapidly changing information technology."[3]
The proposal goes on to note that, "[Public key cryptography features]
are needed to support electronic commerce, public services, redefined business
processes, and national security."
However, Clipper III is also a clear attempt to force the widespread adoption
of key escrow by leveraging the need of encryption users to participate
in a public key certification system. Major problems with the proposal include:
- It makes key escrow a precondition for participation in the public key
infrastructure -- Other than law enforcement access, there is no reason the
public key infrastructure must store private keys. On the contrary, the
essential breakthrough of public key cryptography is the ability it gives
users to share public key information and partake fully in authenticated,
secure communications without revealing any private key information to third
parties. Data recovery -- the ability to recover encrypted data if a private
key is lost -- is the main rationale presented for key escrow. However,
data recovery can be done independently of the public key infrastructure
if desired, and in a more secure manner.
- It is not voluntary -- Though participation is theoretically "voluntary,"
under Clipper III users will have no choice but to escrow their keys or
forgo participation in the Information Age economy. The proposal itself
calls the key infrastructure a "basic and entirely essential foundation."
To participate, users will need to escrow their keys; if they choose not
to participate in the KMI, users will be unable to obtain the essential
certifications that the Administration foresees as being the standard for
secure electronic communications and commerce.
- It targets domestic users -- While export controls have ostensibly been
aimed at controlling the use of encryption by foreign users, the Clipper
III proposal is clearly aimed at domestic users of encryption.
- It leaves international key exchange problems unresolved -- Without
a system of international agreements, interoperability is at risk. The same
encryption and/or authentication scheme exportable to Germany or France
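The first point above, that a certification authority needs no private key to do its job and that data recovery can be arranged separately, is illustrated by the following added Python example; it is not part of the CDT memo. The CA Schnorr-signs only the binding between a name and a public key, and the data owner wraps a data key to a recovery key of their own choosing without involving the CA. The group parameters are RFC 2409 group 2; the subject name and all keys are constructed for the demo.

```python
import hashlib
import secrets

# Constructed demo group: RFC 2409 group 2, a 1024-bit safe prime p = 2q + 1 with generator 2 of order q.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, Q = 2, (P - 1) // 2

def keygen():
    """Return (private, public); the private half never leaves its owner."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _h(*parts):
    """Hash the public inputs of a signature to an exponent in [0, q)."""
    d = hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest()
    return int.from_bytes(d, "big") % Q

def ca_sign(ca_priv, subject, subject_pub):
    """Schnorr-sign the (subject, public key) binding; the CA sees only public data."""
    k = secrets.randbelow(Q - 1) + 1
    e = _h(pow(G, k, P), subject, subject_pub)
    return {"subject": subject, "pub": subject_pub, "e": e, "s": (k + e * ca_priv) % Q}

def verify_cert(ca_pub, c):
    """Any relying party can check the binding with the CA's public key alone."""
    r = pow(G, c["s"], P) * pow(ca_pub, -c["e"], P) % P   # g^s * y^-e == g^k
    return _h(r, c["subject"], c["pub"]) == c["e"]

def wrap_key(recovery_pub, data_key):
    """Hashed ElGamal: encrypt a 32-byte data key to a recovery key the owner chose."""
    k = secrets.randbelow(Q - 1) + 1
    mask = hashlib.sha256(str(pow(recovery_pub, k, P)).encode()).digest()
    return pow(G, k, P), bytes(a ^ b for a, b in zip(data_key, mask))

def unwrap_key(recovery_priv, c1, c2):
    """Only the holder of the recovery private key can recover the data key."""
    mask = hashlib.sha256(str(pow(c1, recovery_priv, P)).encode()).digest()
    return bytes(a ^ b for a, b in zip(c2, mask))

def demo():
    ca_priv, ca_pub = keygen()
    alice_priv, alice_pub = keygen()              # alice_priv is never handed to the CA
    cert = ca_sign(ca_priv, "alice@example.org", alice_pub)  # constructed subject name
    rec_priv, rec_pub = keygen()                  # Alice's own backup key, not the CA's
    data_key = secrets.token_bytes(32)
    c1, c2 = wrap_key(rec_pub, data_key)
    return verify_cert(ca_pub, cert), unwrap_key(rec_priv, c1, c2) == data_key
```

Note that the certificate carries no escrow field at all: the escrow condition in Clipper III is a policy choice layered on top of certification, not something the cryptography requires.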