Clinton, clipper and crypto
Those of us involved in the “Crypto Wars” in the mid-90s are suffering from a bad case of digital deja vu. Back then, when I was on the White House staff and working with Vice President Gore on digital issues, we argued about encryption “backdoors.” On one side, the FBI had scary scenarios about how terrorists, pedophiles, and drug dealers would be able to hide their crimes using strong encryption. On the other side, privacy advocates and the computer industry argued that the widespread use of encryption was essential if Internet users were to enjoy the full benefits of digital communications. After years of arguments and multiple policy proposals, we learned that intentionally weakening encryption is a bad idea.
Back in 1993, AT&T was eager to sell a telephone that would give businesses military-grade encryption, but U.S. law limited export of such technologies. To prevent encrypted phones from being used by criminals while allowing AT&T to export the phone globally despite export restrictions, in the last months of the first Bush administration, the National Security Council had developed a proposal for AT&T to use the Clipper Chip. This chip would provide encryption with a unique escrowed key for each chip that law enforcement could use to wiretap criminals using the AT&T phone. This key would only be used with proper judicial authorization. Gore created an inter-agency group to assess the economic and security implications of such an approach.
{mosads}Of all the technology issues I worked on in four years at the White House, this was by far the most difficult and contentious. The FBI, the NSA, and the Commerce Department had very different priorities—and much of the information needed to get a complete picture was highly classified. But in the end, we decided to promote use of the Clipper Chip as one way to help U.S. companies meet their customers’ security needs. So the White House announced that Clipper Chip devices would not be subject to export controls and that the U.S. government would buy thousands of the phones for its own use.
The only problem: no one else bought the devices. Why? The same reasons that the proposals for encryption with backdoors that we are hearing today from the FBI and U.S. intelligence agencies–and from the UK and other governments–would be misguided and ineffective.
The biggest problem with the Clipper Chip was that it would have hindered development of better encryption solutions. The chip was expensive and power-hungry and manufactured by just one small company. Limiting the global market for strong encryption to devices using this one technology would have held back a wide range of innovative services and limited the growth of the Internet.
Another key problem—then and now—is a lack of trust. The Clipper Chip was based on a proprietary algorithm and only a handful of the world’s encryption experts were allowed to test it. This led to suspicions that there might be a back door to the back door that could be used by intelligence agencies to decrypt foreign communications wholesale. Such suspicions limited the market for Clipper Chip devices, ironically, to the U.S. government.
It was also unclear whether and how the U.S. government would help foreign governments when they wiretapped criminals using Clipper Chip encryption. Would the U.S. government share escrowed keys with other countries, and under what criteria? Privacy advocates in other countries were concerned that the U.S. government, not their nation’s privacy laws, would be determining who was entitled to privacy protection.
Unfortunately, the people advocating for encryption backdoors today seem to have learned few of the lessons of the Clipper Chip story. They are proposing to limit innovation and force IT companies to rely on government-approved solutions. They are not explaining how backdoors or “golden keys” could work, or why anyone should trust them. And they provide no assurance that foreign countries would not abuse their access to encryption keys. And neither these proposals and nor the Clipper Chip proposal would prevent sophisticated criminals from using strong encryption. After all, math is just math and the consumer software for effective encryption are widely available. It is impossible to force consumers to use a specific technology if they can easily install apps that meet their needs better.
While the Obama administration seems not to have learned the lessons we learned in the Clinton White House, Apple, Google and other companies have. Their phones and online services are providing the strong encryption that their customers around the world need. They know that strong encryption is needed more than ever to address the growing number of cyber-attacks against everyone from the Pentagon to Sony to small businesses. They also know that the Internet provides many other tools besides wiretapping to help governments track down illegal activities. Rather than sticking with a 20-year-old approach, the FBI should be redoubling its efforts to work with industry to develop new crime-fighting tools that don’t limit the ability of billions of law-abiding citizens to protect their data and their privacy.
Nelson works on public policy for CloudFlare, a web security and web performance company and was a senior technology official in the Clinton administration.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed..