Privacy Law and Policy Reporter
Dorothy E Denning
This is an edited version of a longer paper presented at the Australia/OECD Conference in February 1996. The paper has been edited where noted, mainly in relation to technical details. The full paper can be found at http://www.nla.gov.au/gii/dd.html - Editor
A few years ago, the phrase `crypto-anarchy' was coined to suggest the impending arrival of a Brave New World in which governments, as we know them, have crumbled, disappeared, and been replaced by virtual communities of individuals doing as they wish without interference. Proponents argue that crypto anarchy is the inevitable -- and highly desirable -- outcome of the release of public key cryptography into the world. With this technology, they say, it will be impossible for governments to control information, compile dossiers, conduct wiretaps, regulate economic arrangements, and even collect taxes. Individuals will be liberated from coercion by their physical neighbours and by governments. This view has been argued recently by Tim May.
Behind the anarchists' vision is a belief that a guarantee of absolute privacy and anonymous transactions would make for a civil society based on a libertarian free market. They ally themselves with Jefferson and Hayek who would be horrified at the suggestion that a society with no government control would be either civil or free. Adam Ferguson once said `Liberty or freedom is not, as the origin of the name may seem to imply, an exemption from all restraints, but rather the most effectual applications of every just restraint to all members of a free society whether they be magistrates or subjects.' Hayek opens The Fatal Conceit, The Errors of Socialism (The University of Chicago Press, 1988, ed W.W. Bartley III) with Ferguson's quote.
Although May limply asserts that anarchy does not mean lawlessness and social disorder, the absence of government would lead to exactly these states of chaos.
I do not want to live in an anarchistic society -- if such could be called a society at all -- and I doubt many would. A growing number of people are attracted to the market liberalism envisioned by Jefferson, Hayek, and many others, but not to anarchy. Thus, the crypto anarchists' claims come close to asserting that the technology will take us to an outcome that most of us would not choose.
This is the claim that I want to address here. I do not accept crypto anarchy as the inevitable outcome. A new paradigm of cryptography, key escrow, is emerging and gaining acceptance in industry. Key escrow is a technology that offers tools that would assure no individual absolute privacy or untraceable anonymity in all transactions. I argue that this feature of the technology is what will allow individuals to choose a civil society over an anarchistic one. I will review this technology as well as what it will take to avoid crypto anarchy. First, however, I will review the benefits, limitations, and drawbacks of cryptography and current trends leading toward crypto-anarchy.
I take this as a starting assumption and, in this respect, have no disagreement with the crypto-anarchists.
Less recognised are cryptography's limitations. Encryption is often oversold as the solution to all security problems or to threats that it does not address.
(The limitations of encryption in providing system security are then discussed - Editor)
The drawbacks of cryptography are frequently overlooked as well. The widespread availability of unbreakable encryption coupled with anonymous services could lead to a situation where practically all communications are immune from lawful interception (wiretaps) and documents from lawful search and seizure, and where all electronic transactions are beyond the reach of any government regulation or oversight. The consequences of this to public safety and social and economic stability could be devastating. With the government essentially locked out, computers and telecommunications systems would become safe havens for criminal activity. Even May himself acknowledges that crypto-anarchy provides a means for tax evasion, money laundering, espionage (with digital dead drops), contract killings, and implementation of data havens for storing and marketing illegal or controversial material. Encryption also threatens national security by interfering with foreign intelligence operations. The US, along with many other countries, imposes export controls on encryption technology to lessen this threat.
Cryptography poses a threat to organisations and individuals too. With encryption, an employee of a company can sell proprietary electronic information to a competitor without the need to photocopy and handle physical documents. Electronic information can be bought and sold on `black networks' such as Black-Net with complete secrecy and anonymity -- a safe harbour for engaging in both corporate and government espionage. The keys that unlock a corporation's files may be lost, corrupted, or held hostage for ransom, thus rendering valuable information inaccessible.
When considering the threats posed by cryptography, it is important to recognise that only the use of encryption for confidentiality, including anonymity, presents a problem. The use of cryptography for data integrity and authentication, including digital signatures, is not a threat. Indeed, by strengthening the integrity of evidence and binding it to its source, cryptographic tools for authentication are a forensic aid to criminal investigations. They also help enforce accountability. Because different cryptographic methods can be employed for confidentiality and authentication, any safeguards that might be placed on encryption to counter the threats need not affect authentication mechanisms or system protocols that rely on authentication to protect against system intrusions, forgeries, and substitution of malicious code.
The crypto-anarchist position is that cyberspace is on a non-stop drift toward crypto-anarchy. Powerful encryption algorithms, including the Data Encryption Standard (DES), triple-DES, RSA, and IDEA are readily available at no charge through Internet servers as stand-alone programs or as part of packages providing file or electronic mail encryption and digital signatures. Among these, PGP, which uses RSA and IDEA for encrypting files and electronic mail messages, has become particularly popular. Software that will turn an ordinary PC into a secure phone is posted on the Internet for free downloading. These systems have no mechanisms for accommodating authorised government decryption. Export controls have little effect as the programs can be posted in countries that have no such controls.
In addition to the free encryption programs being distributed on the 'net, encryption is becoming a basic service integrated into commercial applications packages and network products. The IP Security Working Group of the Internet Engineering Task Force has written a document that calls for all compliant IPv6 (Internet Protocol, version 6) implementations to incorporate DES cryptography.
Anonymous remailers, which allow users to send or post messages without disclosing their identity or host system, have also become popular on the Internet. May reports that there are about 20 cypherpunk-style remailers on the Internet, with more being added monthly. These remailers allow unlimited nesting of remailing, with PGP encryption at each nesting level. Anonymous digital cash, which would provide untraceability of electronic payments, is on the horizon.
The potential harms of cryptography have already begun to appear. As the result of interviews I conducted in May 1995, I found numerous cases where investigative agencies had encountered encrypted communications and computer files. These cases involved child pornography, customs violations, drugs, espionage, embezzlement, murder, obstruction of justice, tax protesters, and terrorism. At the International Cryptography Institute held in Washington in September 1995, FBI Director Louis Freeh reported that encryption had been encountered in a terrorism investigation in the Philippines involving an alleged plot to assassinate Pope John Paul II and bomb a US airliner.
AccessData Corp, a company in Orem, Utah, which specialises in providing software and services to help law enforcement agencies and companies recover data that has been locked out through encryption, reports receiving about a dozen and a half calls a day from companies with inaccessible data. About one-half dozen of these calls result from disgruntled employees who left under extreme situations and refused to co-operate in any transitional stage by leaving necessary keys (typically in the form of passwords). Another half dozen result from employees who died or left on good terms, but simply forgot to leave their keys. The third half dozen result from loss of keys by current employees.
In April 1993, in response to a rising need for and use of encryption products, the Clinton Administration announced a new initiative to promote encryption in a way that would not prohibit lawful decryption when investigative agencies are authorised to intercept communications or search computer files. Government agencies were directed to develop a comprehensive encryption policy that would accommodate the privacy and security needs of citizens and businesses, the ability of authorised government officials to access communications and data under proper court or other legal order, the effective and timely use of modern technology to build the National Information Infrastructure, and the need of US companies to manufacture and export high technology products. The goal was not to prevent citizens from having access to encryption or `to stigmatise cryptography as something only criminals would use'. As part of this encryption initiative, the government developed an escrowed encryption chip called the Clipper Chip.
Each Clipper Chip has a unique key that is programmed onto the chip and used to recover data encrypted by that chip. This key is split into two components, and the two components are held by two separate government agencies: the National Institute of Standards and Technology and the Department of Treasury Automated Systems Division. Clipper's data encryption algorithm, Skipjack, is a classified algorithm designed by the National Security Agency. It has a key size of 80 bits. The general specifications for the Clipper Chip were adopted in February 1994, as the Escrowed Encryption Standard (EES), which is a voluntary government standard for telephone communications, including voice, fax, and data. Implementations of the EES are required to use tamper-resistant hardware in order to protect the classified algorithms. The chip and associated key escrow system have been designed with extensive safeguards, including two person control and auditing, to protect against any unauthorised use of keys. Clipper's key escrow system does not provide user data-recovery services.
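As an added illustration (not code from the paper or from the EES), the two-component arrangement described above can be modelled as a 2-of-2 split with logged release by each holder. The XOR construction, the `EscrowAgent` class, the authorisation record and the chip identifier are assumptions made for this example; the text states only that the key is split into two components held by two separate agencies, with auditing.

```python
import secrets
from typing import Dict, List, Optional, Tuple

KEY_BYTES = 80 // 8  # 80-bit key size, as stated for Skipjack in the text


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(unit_key: bytes) -> Tuple[bytes, bytes]:
    """Split a chip's key into two components; both are needed to rebuild it."""
    if len(unit_key) != KEY_BYTES:
        raise ValueError("unit key must be 80 bits")
    first = secrets.token_bytes(KEY_BYTES)  # uniformly random, independent of the key
    second = xor(unit_key, first)           # equally random when seen on its own
    return first, second


def other_component_for(component: bytes, candidate_key: bytes) -> bytes:
    """For ANY candidate key there is a second component that fits the one held,
    so a single holder's component rules out no key at all."""
    return xor(component, candidate_key)


class EscrowAgent:
    """Hypothetical escrow agent: stores one component per chip, logs every request."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.components: Dict[str, bytes] = {}
        self.audit_log: List[Tuple[str, str, str]] = []

    def deposit(self, chip_id: str, component: bytes) -> None:
        self.components[chip_id] = component

    def release(self, chip_id: str, requester: str,
                authorisation: Optional[dict]) -> bytes:
        # Constructed rule: the authorisation must name this exact chip.
        ok = (authorisation is not None
              and authorisation.get("chip_id") == chip_id
              and chip_id in self.components)
        self.audit_log.append((requester, chip_id, "released" if ok else "refused"))
        if not ok:
            raise PermissionError(f"{self.name}: no valid authorisation for {chip_id}")
        return self.components[chip_id]


def recover_unit_key(chip_id: str, requester: str, authorisation: Optional[dict],
                     agent_a: EscrowAgent, agent_b: EscrowAgent) -> bytes:
    """Rebuild the chip key; fails unless BOTH agents accept the authorisation."""
    return xor(agent_a.release(chip_id, requester, authorisation),
               agent_b.release(chip_id, requester, authorisation))


def demo() -> dict:
    chip_id = "CHIP-0001"                      # constructed identifier
    unit_key = secrets.token_bytes(KEY_BYTES)  # constructed sample key
    agent_a, agent_b = EscrowAgent("agent-A"), EscrowAgent("agent-B")
    first, second = split_key(unit_key)
    agent_a.deposit(chip_id, first)
    agent_b.deposit(chip_id, second)

    order = {"chip_id": chip_id, "reference": "EXAMPLE-ORDER"}  # constructed
    recovered = recover_unit_key(chip_id, "investigator-1", order, agent_a, agent_b)

    refused = False
    try:  # an authorisation naming a different chip yields nothing and is logged
        recover_unit_key(chip_id, "investigator-2", {"chip_id": "CHIP-9999"},
                         agent_a, agent_b)
    except PermissionError:
        refused = True

    return {"recovered_ok": recovered == unit_key, "refused": refused,
            "log_a": agent_a.audit_log, "log_b": agent_b.audit_log}


if __name__ == "__main__":
    for field, value in demo().items():
        print(field, value)
```

In this model the refused request stops at the first agent, so it appears in that agent's log but never reaches the second; comparing the two logs is one way such a gap would show up in an audit.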
The National Security Agency also designed a more advanced chip called Capstone as part of the Multilevel Information System Security Initiative (MISSI). Capstone implements the EES plus algorithms for the Digital Signature Standard (DSS) and for establishing session keys. It has been embedded in the Fortezza card (a PCMCIA card) where it is used to provide the cryptographic services needed for communications and file security. The private keys used for key establishment and digital signatures, which are stored on the Fortezza card, are not stored in Clipper's key escrow system. They are, however, escrowed with the user's public-key certificate authority so that they can be recovered in case the card becomes corrupted. This allows encrypted files and previously received electronic-mail messages to be read. Fortezza cards are available with or without a modem capability. The modem cards allow encryption and decryption to be performed as part of the communications protocols or as independent service calls (for example, for encrypting the content of an e-mail message or file).
The government has not been alone in its pursuit of key escrow technology. Some type of key escrow is a feature or option of several commercial products including Fisher Watchdog®, Nortel's Entrust, PC Security Stoplock KE, RSA Secure[TM], and TECSEC Veil[TM]. Escrowing is done within the user's organisation and serves primarily to protect against data loss.
Several companies have proposed designs for commercial key escrow systems where the escrow agents could be trusted third parties that provide emergency decryption services for both registered users and authorised government officials. Such escrow agents might be licensed, with licenses granted to organisations demonstrating the capability to administer key escrow encryption and safeguard keys and other sensitive information. Some of the proposed systems have been designed with the objective of being suitable for international use.
One such example is a proposal from Bankers Trust for an international commercial key escrow system for secure communications. Trusted Information Systems (TIS) has proposed a commercial software key escrow system intended primarily for file encryption. National Semiconductor and TIS have jointly proposed Commercial Automated Key Escrow (CAKE). The goal is an exportable, strong encryption alternative using accepted public encryption algorithms such as DES, triple DES, and RSA.
(Details of each of these commercial key escrow systems have been omitted - Editor)
Under current US export regulations, encryption products with key lengths greater than 40 bits are not generally exportable when used for confidentiality protection. One of the attractions of key escrow encryption is that by providing a mechanism for authorised government decryption, it can enable the export of products with strong encryption. For example, Clipper/Capstone devices are generally exportable, even though the encryption algorithm is strong and uses 80-bit keys. Commercial key escrow approaches that use some form of hardware token are good candidates for export as they can provide reasonable protection against modifications to bypass the key escrow functions. The Bankers Trust and National/TIS proposals take that approach. Fortress U & T, Ltd. also has proposed a token-based approach to key escrow.
Hardware encryption generally offers greater security than software. Nevertheless, there is a large market for software encryption. On 17 August 1995, the Clinton Administration announced a proposal to allow ready export of software encryption products with key lengths up to 64 bits when combined with an acceptable key escrow capability. This policy would allow export of DES, for example, which uses 56-bit keys, but not triple DES. Keys would be held by government-approved trusted parties within the private sector, where they would support both user data recovery and legitimate government decryption. The proposal, which is still undergoing refinement as of December, is expected to be implemented in early 1996.
Key escrow encryption has been a topic of growing interest in the research community. Most of this work is reviewed in Denning and Branstad. Silvio Micali's proposal for `fair cryptosystems' has influenced several designs including the Bankers Trust proposal. Karlsruhe University's TESS system uses smart cards for user-keys which are escrowed. A proposal from Royal Holloway integrates escrow with the trusted third parties that serve as certificate authorities.
Some type of escrow facility might be used to control anonymity services as well as encryption. For example, escrow could be used with digital cash and anonymous remailers to ensure traceability when there is a court order or other legal authorisation for information about the originator of a transaction. Ernie Brickell, Peter Gemmell, and David Kravitz propose a system for electronic cash that would incorporate trustee-based tracing in an otherwise anonymous cash system.
A third approach is link encryption. Communications are encrypted between network nodes but not across nodes. Thus, plain text communications can be accessed in the network switching nodes. One major advantage of link encryption is that it allows someone with a cellular phone to protect the over-the-air connection into the phone system without requiring that the other party have a compatible encryption device or, indeed, use any encryption at all. Global System for Mobile (GSM), a world-wide standard for mobile radio telecommunications, encrypts communications transmitted over the radio link, but they are decrypted before being transmitted through the rest of the network. The disadvantage of link encryption is that plaintext data are exposed in, potentially, many intermediate nodes. By contrast, key escrow encryption can support secure end-to-end encryption.
Several factors will facilitate the adoption of key escrow. Because key escrow products will be exportable, under appropriate conditions, vendors will have a strong incentive to adopt key escrow, as it will enable them to integrate strong cryptography into a single product line for both domestic and international sales. Currently, vendors must either install weak cryptography, which does not meet the needs of many customers, or develop two sets of products, which greatly increases costs and prohibits inter-operability between domestic and foreign customers. Users will have an incentive to purchase key escrow products, because such products will protect them against lost or damaged keys. The government's own commitment to key escrow will ensure a large market for escrowed encryption products. As the market develops, many users will choose key escrow products in order to communicate with those using such products. Concern over the social consequences of crypto-anarchy will also motivate some people to develop or use key escrow products. Finally, the adoption of key escrow might be facilitated by legislation that would specify the qualifications, responsibilities, and liabilities of government-approved escrow agents. This legislation could define unlawful acts relating to the compromise or abuse of escrowed keys (for example, deliberately releasing a key to someone who is not authorised to receive it). Such legislation could ensure that at least approved escrow agents satisfy the requirements of users and the government. It also could allay the privacy concerns of those using approved escrow agents.
International interest in key escrow will also contribute to its success. There is growing recognition on the part of governments and businesses worldwide of the potential of key escrow to meet the needs of both users and law enforcement. In addition to providing confidentiality and emergency backup decryption, escrowed encryption is seen as a way of overcoming export restrictions, common to many countries, which have limited the international availability of strong encryption in order to protect national security interests. With key escrow, strong exportable cryptography can be standardised and made available internationally to support the information security needs of international business. Key escrow could be a service provided by trusted parties that manage the public-key infrastructure and issue X.509 certificates. Some products and proposals for key escrow use this approach.
At a meeting sponsored by the Organisation for Economic Development (OECD) and the International Chamber of Commerce (ICC) in December 1995 in Paris, representatives from the international business community and member governments agreed to work together to develop encryption policy guidelines based on agreed upon principles that accommodate their mutual interests. The INFOSEC Business Advisory Group (IBAG) issued a statement of 17 principles that they believe can form the basis of a detailed agreement. IBAG is an association of associations (mostly European) representing the information security interests of users.
The IBAG principles acknowledge the right of businesses and individuals to protect their information and the right of law-abiding governments to intercept and lawfully seize information when there is no practical alternative. Businesses and individuals would lodge keys with trusted parties who would be liable for any loss or damage resulting from compromise or misuse of those keys. The trusted parties could be independently accredited entities or accredited entities within a company. The keys would be available to businesses and individuals on proof of ownership and to governments and law enforcement agencies under due process of law and for a limited time-frame. The process of obtaining and using keys would be auditable. Governments would be responsible for ensuring that international agreements would allow access to keys held outside national jurisdiction. The principles call for industry to develop open, voluntary, consensus, international standards and for governments, businesses, and individuals to work together to define the requirements for those standards. The standards would allow choices about algorithm, mode of operation, key length, and implementation in hardware or software. Products conforming to the standards would not be subject to restrictions on import or use and would be generally exportable.
EUROBIT (European Association of Manufacturers of Business Machines and Information Technology Industry), ITAC (Information Technology Industry Association of Canada), ITI (Information Technology Industry Council, US), and JEIDA (Japan Electronic Industry Development Association) also issued a statement of principles for global cryptography policy at the OECD meeting. The quadripartite group accounts for more than 90 per cent of the worldwide revenue in information technology. Acknowledging the needs of both users and governments, their principles call for harmonisation of national cryptography policies and industry-led international standards.
Considering the explosive growth of telecommunications and the encryption market, it will be necessary to closely watch the impact of encryption on law enforcement. If government-proof encryption begins to seriously undermine the ability of law enforcement agencies to carry out their missions and fight organised crime and terrorism, then legislative controls over encryption technology may be desirable. One possibility would be to license encryption products but not their use. Licenses could be granted only for products that reasonably satisfy law enforcement and national security requirements for emergency decryption and provide privacy protections for users. The exact requirements might be those that evolve from the current efforts of the OECD and international business community to develop common principles and standards. The manufacture, distribution, import, and export of unlicensed encryption products would be illegal, but no particular method of encryption would be mandated. Individuals would be allowed to develop their own encryption systems for personal or educational use without obtaining licenses, though they could not distribute them to others. France and Russia have adopted licensing programs, though of a somewhat different nature. Both countries require licenses to use encryption.
Under this licensing program, commercial encryption products, including programs distributed through public network servers, would comply with government regulations. These products would not support absolute privacy or completely anonymous transactions. Mainstream applications would assure accountability and protect societal and organisational interests. Although non-compliant products might be distributed through underground servers and bulletin boards, such products would not interoperate with licensed ones, so their use would be limited.
Such an approach would not prevent the use of government-proof encryption products by criminals and terrorists. They could develop their own or acquire the products illegally. But an approach of this type would make it considerably more difficult than it is at present. Had such controls been adopted several years ago -- before programs such as DES and PGP were posted on the Internet -- the encryption products on the market today would support key escrow or some other method for government access. It would not be possible to acquire strong, government-proof encryption from reputable vendors or network file servers. The encryption products available through underground servers and the black market would most likely not possess as high a quality as products developed through the legitimate market. Underground products could have security vulnerabilities or be less user friendly. They would not be integrated into standard applications or network software.
Key escrow encryption has emerged as one approach that can meet the confidentiality and data recovery needs of organisations while allowing authorised government access to fight terrorism and crime. It can facilitate the promulgation of standards and products that support the information security requirements of the global information infrastructure. The governments of the OECD nations are working with the international business community to find specific approaches that are mutually agreeable.
 May, `Crypto-anarchy and virtual communities,' Internet Security, April 1995, pp 4-12.
 Warren, `Is Phil Zimmermann being persecuted? Why? By whom? Who's next?,' Internet Security, April 1995, pp 15-21.
 Secure Computing Corporation, `Answers to Frequently Asked Questions About Network Security,' Roseville, MN, October 1994.
 Freeh, Keynote talk at International Cryptography Institute, September 1995. Available through http://www.fbi.gov/crypto.htm.
 For a description of the characteristics of key escrow encryption systems and different proposals, see Denning and Branstad, `A taxonomy of key escrow encryption,' Comm. of the ACM, to appear in March 1996. More detailed descriptions of 30 systems can be found through http://www.cosc.georgetown.edu/~denning/crypto. See also Dorothy E Denning, `Key escrow encryption: the third paradigm,' Computer Security Journal, Summer 1995 and Dorothy E Denning, `Critical factors of key escrow encryption systems,' Proc. National Information Systems Security Conf, October 1995.
 Statement by the Press Secretary, The White House, 16 April 1993.
 Thomas, `Can the FBI stop private cryptography?' Internet Security, April 1995, pp 13-14.
 Because the algorithm is classified and not open to public review, outside experts were invited to examine the algorithm and report their findings to the public. See Brickell, Denning, Kent, Maher, and Tuchman, `The SKIPJACK Review, Interim Report: The SKIPJACK Algorithm,' 28 July 1993; available through http://www.cosc.georgetown.edu/~denning/crypto.
 National Institute for Standards and Technology, `Escrowed Encryption Standard (EES),' Federal Information Processing Standards Publication (FIPS PUB) 185, 1994.
 For a technical description of the Clipper Chip and its key escrow system, see Denning and Smid, `Key escrowing today,' IEEE Communications, Vol 32, No 9, September 1994, pp 58-68. For a less technical description and discussion of some of the issues surrounding Clipper, see Denning, `The case for Clipper,' MIT Technology Review, July 1995, pp 48-55. Both articles can be accessed through http://www.cosc.georgetown.edu/~denning/crypto.
 Bankers Trust Electronic Commerce, `Private key escrow system,' presentation at the SPA/AEA Cryptography Policy Workshop, 17 August, and at the International Cryptography Institute 1995: Global Challenges, 21-22 September 1995.
 Walker, Lipner, Ellison, and Balenson, `Commercial key escrow,' to appear in Comm. ACM, March 1996. Also available from Trusted Information Systems Inc, Glenwood, MD, 1995.
 Sweet and Walker, `Commercial automated key escrow (CAKE): an exportable strong encryption alternative,' National Semiconductor, Power Business Unit, Sunnyvale, CA, 4 June 1995.
 Gressel, Granot and Dror, `International cryptographic communication without key escrow; KISS: Keep the Invaders (of Privacy) Socially Sane', presented at the International Cryptography Institute 1995: Global Challenges, 21-22 September 1995.
 Micali, `Fair cryptosystems,' MIT/LCS/TR-579.c, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge MA, August 1994.
 Beth, Knoblock, Otten, Simmons, and Wichmann, `Clipper repair kit -- towards acceptable key escrow systems,' Proc. 2nd ACM Conf on Communications and Computer Security, 1994.
 Jefferies, Mitchell, and Walker, `A proposed architecture for trusted third party services,' Royal Holloway, University of London, 1995.
 Brickell, Gemmell, and Kravitz, `Trustee-based tracing extensions to anonymous cash and the making of anonymous change,' Proc. Sixth Annual ACM-SIAM Symp. on Discrete Algorithms, 1995, pp. 457-466.
 INFOSEC Business Advisory Group (IBAG) Statement. Available through http://www.cosc.georgetown.edu/~denning/crypto.
 EUROBIT-ITAC-ITI-JEIDA Statement. Available through http://www.cosc.georgetown.edu/~denning/crypto.