MA Research student at the Criminal Justice Studies of the Law Faculty of University of Leeds, Leeds LS2 9JT.
E-mail: email@example.com. Copyright © 1996 Yaman Akdeniz.
Please cite as Yaman Akdeniz, "Pretty Good Privacy & Clipper Chip & ITAR" August 1996, Cyber-Rights & Cyber-Liberties (UK) at http://www.leeds.ac.uk/law/pgs/yaman/pgp&itar.htm.
The purpose of this short paper is to explain what is PGP, Phillip Zimmerman's powerful encryption software and the US government's proposed encryption tool, the Clipper Chip. This will be helpful for the UK readers to understand the encryption debates in the United States. US export regulations are also examined with links to recent cases.
Pretty Good Privacy ("PGP") is a cryptography software which works on the same principle that public key systems use, but has many more features (1). PGP is the most used encryption tool by the Internet users because it is widely available on the Internet for free and it is considered for the present unbreakable. PGP is based on the RSA algorithm and it is by today's computing standards uncrackable. Philip Zimmerman, the creator of, PGP, explains it as:
"well featured, fast, with sophisticated key management, digital signatures, data compression, and good ergonomic design." (2)
In April 1993, while Zimmerman was preparing to release the initial version of PGP, the US government announced its own public key cryptographic software, the Clipper Chip. Zimmerman completed and released PGP hoping that it would be seen as a good alternative to the government's proposal but he had been under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, which ended in January 1996 (3). He was under investigation because the disclosure or transfer of cryptographic software to a foreigner constitutes export under the ITAR (4). But Zimmerman never exported the PGP, he created it, encouraged its use and distributed to friends and colleagues, one of whom posted it to an Internet Usenet discussion group (5). The Federal Government decided not to prosecute Mr. Zimmerman and did not explain why they dropped the investigation (6).
Clipper chip is an escrowed encryption project proposed by the Clinton Administration first time in April 1993. This Escrowed Encryption Standard ("EES") uses a classified symmetrical algorithm developed by the National Security Agency ("NSA"). Escrowed encryption means that two government agencies, the National Institute of Standards and technology ("NIST") and the Department of Treasury, each hold half of the encryption key. The Clipper chip is available on hardware and not on software and the US Government's initial idea was to install the chip in every telephone, fax machine and modem and make it a national standard. By creating a national standard on this basis the US law enforcement agencies would be able to decrypt any messages encrypted by using the Clipper Chip upon due authorisation. The Clipper Chip was opposed by many civil liberties groups on the ground that it would infringe the privacy of users by the fact that the government has access to the keys. The image and fear of an Orwellian (7) style Big Brother Watching emerged.
According to the FBI, wiretapping is crucial to effective law enforcement:
"If the FBI and local police were to loose the ability to tap telephones because of the widespread use of strong-cryptography, the country would be unable to protect itself against terrorism, violent crime, foreign threats, drug trafficking, espionage, kidnapping, and other crimes." (8)
The US Government in December 1995, presented a revised version of their Clipper Chip proposal which keeps in place the current export ban on strong encryption tools but allows for the export of moderately stronger, 64-bit key systems with key escrow systems (9). This new proposal known as Clipper II, does not go far away from the initial proposals.
In May 1996, the US Government came with a new proposal, "Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure" (10) which would establish a new public key infrastructure for encryption. Such a public key infrastructure proposed by the new proposal already dubbed as Clipper III, would enable users of encryption to clearly identify the people they are communicating with, and is widely viewed as an important prerequisite for the widespread use of secure electronic communications. However, as the Center for Democracy and Technology argues, Clipper III will not meet the privacy and security needs of Internet users because all users of the new system would have to ensure government access to their encryption keys through an approved key escrow agent (11).
It will be difficult to find a foreign market and foreign users for these products with the key escrow system, whatever their length is, because Big Brother will be watching abroad as well (12). Clipper Chip proposal would also limit the survival of some dissident movements where anonymity is an essential feature (13). Cryptography allows unprecedented anonymity both to groups who communicate in complete secrecy and to individuals who use anonymous e-mailers over the Internet to hide all traces of their identity when they communicate (14). Key escrow and the clipper chip threatens this kind of anonymity on the Internet (15). The government agents will be able to identify the content of e-mails and the destination of the messages.
Export of cryptography software with encryption keys over 40 bits long generally cannot be exported from the United States for reasons of security under the Arms Export Control Act ("AECA") (18) and the International Traffic in Arms Regulation ("ITAR") (19). The AECA was enacted to permit the Executive Branch to control the export and import of certain items in order to further "world peace and the security and foreign policy" of the United States (20). Cryptography software is included in the United States Munitions List ("USML") (21). Section 121 XIII(b)(l) includes:
"Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems..."
The ITAR clearly considers cryptographic software as weapon whose export is illegal if not authorised by the American Department of State.
There has been a recent amendment to the ITAR provisions in February 1996. The new amendment establishes an exemption for the temporary export of cryptographic products for personal use. This would cover US citizens and lawful permanent residents who for example need or take their cryptographic software with them in their laptop computers when they go abroad for brief periods of time (22).
Senators Conrad Burns (R-MT) introduced the Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act of 1996 on May 1996 to relax the restrictions prohibiting the export of strong encryption technology.
"Any encryption software, or hardware incorporating such software, that is generally available (23), as is, and designed for installation by the user or purchaser, or that is in the public domain, would be exportable, regardless of key lengths."
Many of the popular web browsers, Pretty Good Privacy, or encryption in other widely available software would all be exportable with unlimited key lengths once made publicly available in the U.S.