Nervous System: Clipping the Wings of the Clipper Chip
In this month's look at the history of cybersecurity, David Kalat examines the government's efforts to come to a consensus with government access to encrypted technologies, only for outside forces to get in the way.
September 03, 2019 at 07:00 AM
6 minute read
With the aggressive pace of technological change and the onslaught of news regarding data breaches, cyber-attacks, and technological threats to privacy and security, it is easy to assume these are fundamentally new threats. The pace of technological change is slower than it feels, and many seemingly new categories of threats have actually been with us longer than we remember. Nervous System is a monthly blog that approaches issues of data privacy and cybersecurity from the context of history—to look to the past for clues about how to interpret the present and prepare for the future.
As assistant deputy director of the National Security Agency (NSA), Clinton Brooks had watched with growing alarm the rise of strong cryptography. Part of the NSA's mission was to eavesdrop on foreign spies, but widespread use of encryption threatened to put it out of business. Brooks' "Eureka!" moment came in 1992. He had a crazy idea to solve the problem—an idea so crazy, it just might work, he thought, hopefully.
Brooks realized the problem was a fundamental tension between two competing public needs. On the one hand, an increasingly digital economy needed reliably secure communications; on the other, legitimate law enforcement needed the ability to conduct wiretaps. For years, the government had tried—ineffectively— to restrict the sale and distribution of cryptographic tools. Once cryptographic technologies began to circulate, they proliferated on their own outside the reach of regulations. Brooks proposed an "if you can't beat 'em, join 'em" solution that would actively encourage people to use encryption—but with a catch. Instead of each user owning her own unique keys, the government would keep a spare set of keys.
Brooks observed that the community most in favor of cryptography consisted of privacy advocates fearful of government surveillance. That community would never accept simply including a backdoor for government surveillance. So Brooks planned to include two enticements. First, this new NSA-approved cryptographic technology would be significantly more powerful than anything already on the market, and thereby would offer a material upgrade in privacy protection. Second, the government's key would be broken into halves, to be held in escrow by two separate agencies (the Treasury Department's Automated
Systems Division and the Commerce Department's National Institute of Standards and Technology). If, for example, the NSA wanted to take advantage of the back door and decrypt a user's communications, it would first have to get court approval directing both agencies to share that user's key with the NSA for a specific, limited purpose. Unauthorized, warrantless wiretapping would be impossible. For most users, the escrow-based system would offer the highest level of security then available.
Both sides had to buy-in to have any hope of success. The law enforcement agencies had to stand in unison, and the idea had to be presented compellingly to the public. This would take a monumental act of public relations and a slow, prolonged public debate to develop mutual trust between governed and government. To Brooks' chagrin, events outside his control soon short-circuited that public relations campaign and all but ensured the plan would fail.
NSA technicians had developed a secure algorithm, called Skipjack, on which the new system would be based. To execute the complicated technical aspects in the most secure way, it was decided that Skipjack would be managed through tamperproof computer chips to be installed by manufacturers. All parties to any given encrypted communication would have to have these chips installed, and the chips would exchange critical information needed to establish and maintain the cryptographic channel, while also keeping a path open for the escrowed key to be deployed if authorized.
As the country approached the 1992 presidential election, however, no one's list of priorities included introducing a complicated debate about computer privacy. The creators of Skipjack expected to wait for the election to play out first.
Then came the surprise announcement that AT&T had developed a new encryption algorithm of its own, to be installed in new secure phones that were expected to sell in huge volumes to privacy-seeking customers. By the time the Skipjack chips were actually released, however far into the future, they would be an afterthought to a public already happily secure from government snoops.
The Federal Bureau of Investigations (FBI) was concerned that the AT&T phones would all but close off wiretapping options in the future. What self-respecting criminal wouldn't outfit themselves with one?
After some hasty engineering shortcuts to make stripped-down chips available quickly, FBI Director William Sessions personally called AT&T CEO Robert Allen to persuade him to retool the AT&T phones with these rush-order encryption chips, called Clipper Chips. AT&T agreed—so long as the key escrow provision became a national standard, for which AT&T would be a market leader.
Brooks' hope for a thoughtful national debate immediately fell by the wayside. There was no time to carefully build up public support. Instead, government policy had to follow an artificial timetable created by AT&T's production schedule.
Newly elected President Bill Clinton and Vice President Al Gore supported the Clipper Chip but were unprepared for the immediate and intense public opposition that the proposal met. No effort had been made to persuade consumers or businesses that this was a superior cryptographic solution, and the new administration had not rallied any influential voices to rally around the fundamentally problematic concept at its core. As Jerry Berman of the Electronic Frontier Foundation put it, "The idea that government holds the keys to all our locks, even before anyone has been accused of committing a crime, doesn't parse with the public."
Meanwhile, Matthew Blaze, a young computer scientist in AT&T's cryptology division, obtained access to prototype Clipper Chips for testing and discovered fairly quickly an easy, inexpensive hack that disabled the escrow key. In the rush to engineer the chips, some sloppy technological corner-cutting had left a critical vulnerability. The error was fixable, but a New York Times front-page story washed away the last slivers of public trust the Clipper Chip had enjoyed.
The passing of the Clipper Chip left agencies like the NSA and the FBI exactly in a world they had most feared—where the private use of encryption increasingly secured communications from government eavesdropping. It was a pointed lesson that the needs of law enforcement do not outweigh individual liberties, even in the digital age.
David Kalat is Director, Global Investigations + Strategic Intelligence at Berkeley Research Group. David is a computer forensic investigator and e-discovery project manager. Disclaimer for commentary: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Appellate Division Greenlights State Bar's Leadership Diversity Initiatives
- 2SEC’s Latest Enforcement Actions Fuel Demand for Big Law
- 3Sterlington Brings On Former Office Leader From Ashurst
- 4DOJ Takes on Largest NFT Scheme That Points to Larger Trend
- 5Arnold & Porter Matches Market Year-End Bonus, Requires Billable Threshold for Special Bonuses
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
