The metaphor is the key: cryptography, the Clipper Chip, and the Constitution.

• Author: Froomkin, A. Michael

TABLE OF CONTENTS

INTRODUCTION 712 I. MODERN CRYPTOGRAPHY: PRIVATE SECURITY, GOVERNMENT

INSECURITY 718

1. Who Needs Cryptography? 718

   1. Banks, ATM-Users, Electronic Transactors 719 2. Businesses with Commercial and Trade Secrets 722 3. Professionals 724 4. National ID Cards and Data Authentication 725 5. Criminals 727 6. Users of Telephones, Electronic Mail, Faxes, or Computers 728 a. Cellular Telephones 728 b. Standard Telephones 729 c. Faxes 729 d. E-mail 729 e. Personal Records 730 7. Dissidents and Others 730

2. The U.S. Data Encryption Standard (DES) Is Increasingly

   Vulnerable 735 1. How DES Became a Standard 735 2. DES Is Vulnerable to Attack 738 3. How to Achieve Better Security 740

3. The Escrowed Encryption Standard (EES) 742

   1. Why the Government Wants EES to Replace DES 743 a. Domestic Law Enforcement 744 b. Intelligence Gathering 747 c. Failure of Laws Designed to Prevent the Spread of Strong Cryptography 748 i. Export Control: The ITAR 748 ii. "Classified at Birth" 751 2. How Clipper Works 752 a. A Tale of Three Keys 753 b. The Escrow Agents' Critical Role 759 c. Limited Recourse for Improper Key Disclosure 762 II. THE ESCROWED ENCRYPTION PROPOSAL--LEGAL, POLICY, AND

   TECHNICAL PROBLEMS 764

1. EES: The Un-Rule Rule 764

   1. FIPS 185: A Strange Standard 764 2. An End-Run Around Accountability 767 3. Did NIST's Cooperation with the NSA over FIPS 185 Violate the Computer Security Act of 1987? 776 4. Who Should Hold the Keys? 782

2. Unresolved Issues 786

   1. Requests from Foreign Governments 787 2. Clipper Abroad? 788 3. What Level of Protection Do LEAFs Have Under the Electronic Communications Privacy Act? 789

3. Voluntary EES Is Constitutional 793

4. Voluntary EES Is Unlikely to Displace Un-Escrowed

   Cryptography 796 1. Why EES Worries People 798 a. Preserving the Status Quo Prevents a Return to the Status Quo Ante 798 b. EES Does Not Preserve the Status Quo 800 c. The Status Quo May Not Be Stable 802 2. Spoofing EES: The LEAF-Blower 806

5. What Happens If EES Fails? 808

   3. WOULD MANDATORY KEY ESCROW BE CONSTITUTIONAL? 810

1. First Amendment Issues 812

   1. Compelled Speech 813 2. Chilling Effect on Speech 815 3. Anonymity and the Freedom of Association 817 4. The Parallel to Antimask Laws 821

2. Fourth Amendment Issues 823

   1. The Fourth Amendment Does Not Give the Government an Affirmative Right to an Effective Search 826 2. Mandatory Escrow of a Key Is a "Search or Seizure" 827 3. Mandatory Key Escrow as a "Regulatory Search" 830

3. Fifth Amendment Issues 833

   1. The Chip Key as a Private Paper 834 2. Is a Chip Key or a Session Key "Incriminating"? 836

4. Privacy Issues 838

   1. The Right to Autonomous Choice Regarding Nonintimate Matters 838 2. The Right to Be Left Alone 839 3. The Right to Autonomous Choice Regarding Intimate Matters 840

5. What Next? 843

   4. IDEAS ARE WEAPONS 843

1. Caught Between Archetypes 846

   1. Big Brother 847 2. The Conspirator 850 a. Panics over Plotters 851 b. Modern Incarnations: The Drug Kingpin and the Terrorist 856

2. Mediating the Clash: A Metaphoric Menu 859

   1. Focus on Communication 862 a. "Car"--How Messages Travel 863 b. "Language" 865 2. Focus on Exclusion 870 a. "Safe" 871 b. "House"--Where Messages Come from 874

3. The Power to Choose 879

   CONCLUSION 882 TECHNICAL APPENDIX: BRUTE-FORCE CRYPTANALYSIS, PUBLIC-KEY ENCRYPTION, AND DIGITAL SIGNATURES 885

1. Brute-Force Cryptanalysis 887

2. Public-Key Cryptography 890

3. Digital Signatures 895

   INTRODUCTION

   Without the ability to keep secrets, individuals lose the capacity to distinguish themselves from others, to maintain independent lives, to be complete and autonomous persons.... This does not mean that a person actually has to keep secrets to be autonomous, just that she must possess the ability to do so. The ability to keep secrets implies the ability to disclose secrets selectively, and so the capacity for selective disclosure at one's own discretion is important to individual autonomy as well.(1)

   Secrecy is a form of power.(2) The ability to protect a secret, to preserve one's privacy, is a form of power.(3) The ability to penetrate secrets, to learn them, to use them, is also a form of power. Secrecy empowers, secrecy protects, secrecy hurts. The ability to learn a person's secrets without her knowledge--to pierce a person's privacy in secret--is a greater power still.

   People keep secrets for good reasons and for evil ones. Learning either type of secret gives an intruder power over another. Depending on the people compromised and the secrets learned, this power may be deployed for good (preventing a planned harm) or ill (blackmail, intimidation).

   This Article is about the clash between two types of power: the individual's power to keep a secret from the state and others, and the state's power to penetrate that secret.(4) It focuses on new conflicts between the perennial desire of law enforcement and intelligence agencies to have the capability to penetrate secrets at will, and private citizens who are acquiring the ability to frustrate these desires. This is an article about the Constitution and the arcana of secret-keeping: cryptography.(5)

   This is also a long article. It is long because it addresses three complex issues. First, it outlines some of the promises and dangers of encryption. Second, it analyzes the constitutional implications of a major government proposal premised on the theory that it is reasonable for the government to request (and perhaps some day to require) private persons to communicate in a manner that makes governmental interception practical and preferably easy. Third, it speculates as to how the legal vacuum regarding encryption in cyber-space shortly will be, or should be, filled.

   What fills that vacuum will have important consequences. The resolution of the law's encounter with cryptography has implications far beyond whether the government adopts the Clipper Chip or whether a particular cipher may be licensed for export. The resolution of this debate will shape the legal regulation of cyberspace and in so doing shape its social structures and social ethics.

   Cryptologists(6) use a few terms that may not be familiar to lawyers, and it is useful to define them at the outset of any discussion relating to encryption. Cryptography is the art of creating and using methods of disguising messages, using codes, ciphers, and other methods, so that only certain people can see the real message. Codes and ciphers are not the same. A code is a system of communication that relies on a pre-arranged mapping of meanings such as those found in a code book. A cipher is a method of encrypting any text regardless of its content.(7) Paul Revere's "[o]ne, if by land, and two, if by sea" was a code.(8) If the British had landed by parachute, no quantity of lanterns would have sufficed to communicate the message. The modern cryptographic systems discussed in this Article are all ciphers, although some are also known as electronic code books.

   Those who are supposed to be able to read the message disguised by the code or cipher are called recipients. "The original message is called a plaintext. The disguised message is called a ciphertext. Encryption means any procedure to convert plaintext into ciphertext. Decryption means any procedure to convert ciphertext into plaintext."(9) An algorithm is a more formal name for a cipher. An algorithm is a mathematical function used to encrypt and decrypt a message. Modern algorithms use a key to encrypt and decrypt messages.(10) A single-key system is one in which both sender and receiver use the same key to encrypt and decrypt messages. Until recently, all ciphers were single-key systems. One of the most important advances in cryptography is the recent invention of public-key systems, which are algorithms that encrypt messages with a key that permits decryption only by a different key.(11) The legal and social implications of this discovery figure prominently in this Article.

   Cryptanalysis is the art of breaking the methods of disguise invented with cryptography. Lawyers will recognize the cryptographers' terms for cryptanalysts who seek to read messages intended only for recipients: enemies, opponents, interlopers, eavesdroppers, and third parties.(12) In this Article, however, cryptanalysts who work for U.S. law enforcement or intelligence organizations such as the FBI or the National Security Agency (NSA) will be called public servants. Key escrow refers to the practice of duplicating and holding the key to a cipher--or the means of recreating or accessing the key to a cipher--so that some third party (the escrow agent) can decrypt messages using that cipher. As used in the Clipper Chip debates, the term "escrow" is something of a misnomer because the escrow is primarily for the benefit of the government rather than the owner of the key.

   Part I of this Article describes advances in encryption technology that are increasing personal privacy, particularly electronic privacy, but reducing the U.S. government's ability to wiretap telephones, read e-mail surreptitiously, and decrypt computer disks and other encrypted information. To ensure the continuation of the wiretapping and electronic espionage capabilities that it has enjoyed since soon after the invention of the telegraph and the telephone,(13) the government has devised an Escrowed Encryption Standard (EES),(14) to be implemented in the Clipper Chip(15) and other similar devices.(16) In Clipper and related products the government proposes a simple bargain: In exchange for providing the private sector with an encryption technology certified as unbreakable for years to come by the NSA,(17) the government plans to keep a copy of the keys(18)--the codes belonging to each chip--which, the government hopes, will allow it to retain the ability to intercept messages sent by the chip's user. The government's proposal includes procedures designed to reduce the risk that the keys would be released to law enforcement...