Chances are you don’t remember much about then-President Bill Clinton’s public encryption management directive — also known as the Clipper chip — whereby private encryption keys would be escrowed under mandate in order to allow third parties (including the US government and corporations) to access encrypted information on demand. You’re forgiven; this was back in the first half of 1993.
Clinton directed then-US Attorney General Janet Reno to request manufacturers of communications hardware employing encryption to install the Clipper chip in their products.
Within days, Computer Professionals for Social Responsibility (CPSR) filed 11 Freedom of Information Act (FOIA) requests for information related to President Clinton’s encryption initiative, the Clipper chip itself, and the underlying technology developed by the National Security Agency (NSA). CPSR was trying to determine if the NSA had violated the Computer Security Act of 1987 that explicitly limited the NSA’s role in the development of public encryption technologies to providing “advice and assistance.” Previously, the NSA had publicly stated that it had actively developed both the Clipper and Capstone chips. (Capstone was a superset of the Clipper chip designed to implement the Digital Signature Standard (DSS) to provide authentication through digital signatures.)
By October 1997, Clinton’s public encryption management directive had been defeated and he attempted to route around the perceived damage by setting off on a new tack, taking a market-driven approach to public cryptography. In short, the US government would purchase only equipment and systems that used escrowed key recovery. If your business wanted to communicate with the US government, you’d have to use escrowed key recovery.
This was before the attacks of 8:46-10:28AM on 11 September 2001. It was indeed A Different Time; one in which the US government could not simply ban strong encryption outright. Instead, it had to finesse the issue. Well, finesse as well as Clinton was capable. The events of 11 September 2001, of course, gave the government the cover it needed to brazenly encroach on the citizenry’s civil liberties.
The answer to Clinton’s Clipper Chip already existed in the form of Pretty Good Privacy (PGP). Introduced and published to the internet in June 1991, Phil Zimmermann’s PGP was open source strong public key cryptography software that became the de facto standard seemingly within days. The US government claimed that publishing the software on the internet violated the ban on exporting cryptographic technology and launched an investigation of Zimmermann and his software. No charges have ever been filed.
Strangely, only now is the US government moving to shutter secure email services. Lavabit — the secure email service reportedly used by Edward Snowden — announced it was suspending operations on 8 August 2013. In an open letter, Lavabit owner Ladar Levison implied he had received a national security letter:
“I have been forced to make a difficult decision: To become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on — the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.”
Hours later, Silent Circle, an east-coast secure communications service, suspended its secure email operations. While it had not been served with a government order, the company “saw the writing on the wall.” Because the company stored its users’ private keys on its servers, it preemptively destroyed that data. One of Silent Circle’s founders was Phil Zimmermann.
As Mike Janke, Silent Circle chief executive, told Somini Sengupta writing for the New York Times:
“An ‘aggressive’ government, he said, can extract e-mail data from any company, no matter how good the company’s encryption tools. Keys to unlock its customers’ encrypted communications had been stored on the company’s servers. Silent Circle destroyed that data, the digital equivalent of a library setting fire to its membership records to keep the government from knowing who checked out what books.”
Both companies suspended operations rather than be forced to disclose customer data. For this, both should be applauded.
Levison summed up the current situation with regard to secure email services:
“This experience has taught me one very important lesson: Without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
Hushmail is a Canadian company that folds like a cheap suit when served with a court order to disclose the content of its customers’ email.
From Clipper chip to secure email shutdowns was originally published by ARTS & FARCES internet on Monday, 12 August 2013 at 6:29 AM CDT. Copyright © ARTS & FARCES LLC. All rights reserved. | ISSN: 1535-8119 | OCLC: 48219498 | Digital fingerprint: 974a89ee1284e6e92dd256bbfbef3751 (64.237.45.114)