Key escrow's efficiency against crime.   12 Nov -96
======================================

(The reader is assumed to be familiar with the key escrow idea.)

There are two main reasons for building a global infrastructure where encryption keys can be escrowed: national security and international organised crime. If criminals encrypt their communication, law enforcement can't wiretap them.

Ever since 1993, when the Clipper chip was introduced, it has been argued back and forth whether key escrow really is effective against crime. Before 1 October 1996 this was mainly a US-specific issue. But with the new plans to introduce key escrow in other countries as well, the arguments will be debated all over again. To ease that bigger, global debate, we present a list of the most popular arguments from those three years. We also present some new aspects that seem to be unknown to the broad public, such as:

- Why are 260 million Americans released from key escrowing?
- Should Interpol or foreign intelligence perform wiretaps?
- Criminals don't encrypt! Or do they?

How to avoid a key escrow scheme.

If the government enforces a special way to encrypt communication, there are several ways to continue communicating in a non-approved way. The reader might feel it's wrong to publish such a comprehensive list. But most of the methods come from a similar list in a report from the [NRC] National Research Council. It was even necessary to change the wording a bit to avoid copyright problems.

Criminals and cryptography.

1. Criminals don't follow the law. (That's the definition of a criminal.) Therefore they won't obey any restrictions or laws.

2. A criminal would rather take the punishment for non-approved encryption than reveal his encryption key, which could bring him a harsher punishment.

3. Software for non-approved encryption can be downloaded from the Internet.

4. Talent for hire is easy to obtain.
A criminal party could easily hire a knowledgeable person to develop the needed software. For example, an out-of-work or underemployed scientist or mathematician from the former Soviet Union would find a retainer fee of $500 per month to be a king's ransom.

5a) Some non-approved ways to still communicate

A criminal can use these ways to keep on communicating. It is these methods that have been debated over and over for years.

5b) Pre-encryption

Also called double encryption, this is easy. Just encrypt a message with a non-approved method, and then encrypt it again with the approved method. This is impossible to detect without large-scale monitoring and attempting to decrypt all escrow-encrypted traffic.

5c) Store information remotely

Store data on a remote computer known only to the user. It can be physically located anywhere in the world (and might even automatically encrypt files that are stored there).

5d) Deposit fragments

Split a text or image that is to be concealed or protected across a number of different Internet-accessible computers. The plaintext (i.e., the reassembled version) would be put together into a coherent whole only when downloaded into the computer of the user.

5e) Steganography

The art of hiding that there even exists an encrypted message. There is always some noise in the background of sound files, and in pictures. If we add an encrypted message and spread it out over the sound or the picture, it will be undetectable to our ears and eyes. It can only be shown that the sound, or the picture, is of low quality. Free programs for steganography exist on the Internet. [NRC] par. 7.2.1A, footnote 23, describes it like this:

"Steganography is the name given to techniques for hiding a message within another message. For example, the first letter of each word in a sentence or a paragraph can be used to spell out a message, or a photograph can be constructed so as to conceal information.
Specifically, most black-and-white pictures rendered in digital form use at most 2^16 (65,536) shades of gray, because the human eye is incapable of distinguishing more shades. Each element of a digitised black-and-white photo would then be associated with 16 bits of information about what shade of gray should be used. If a picture were digitised with 24 bits of grayscale, the last 8 bits could be used to convey a message that would never appear except to someone who knew to look for it. The digital size of the picture would be 50% larger than it would ordinarily be, but no one but the creator of the image would know."

5f) Use code phrases

Or speak another language such as Navajo. The use of secret code phrases is described in many spy and detective novels. Since it does not require any encryption, it can be used with fax, ordinary mail, email or telephone conversation. The security relies on the shared secret language that the two parties have agreed upon. Only messages can be exchanged this way, so for other kinds of information, like drawings, other methods must be used.

5g) Encrypted phone calls

These programs also exist on the Internet. Phone calls are much more expensive to wiretap than email. First, the phone call must be decrypted. Then a human ear must listen to the conversation and decide whether it's important or not. And if there is something illegal going on, would it be categorised as an illegal phone call, or as illegal encryption of a legal phone call? Wiretapping email is much cheaper, because the message can be scanned by a computer for keywords, which alerts the wiretapper if there is a hit. (Computers are cheaper than humans.)

5h) Posting diskettes

A diskette with encrypted information can be posted to the recipient. For fastest delivery, find out where the mail is sorted, and post it there. As an example, in at least one of the capital cities in Europe, the post is sorted at a central place, about 5 minutes' walk from the central station.
If you post a diskette there before 24.00 it will reach a recipient in the city the next working day.

5i) Fooling traffic analysis

It requires a lot of personnel and computer power to gather, decrypt and interpret every message. Therefore it's reasonable to analyse the traffic, and only select those messages that come to, or from, a preselected email or computer address. So, the obvious way is to send a message from a completely different place. Those Internet cafes that are now being established all over are a good place to send from. Since it's a public place, it's more difficult for law enforcement to get wiretap permission. Even if there were such a permission, the cafe must be manually surveilled to know who sent a specific message at a specific time. It also requires some means to identify every person that uses the computers in every cafe.

5j) Anonymous remailers

Another way to gather information about a suspect is to find out whom he is communicating with. Make a chart of his contacts, and trace those who are sending messages to him. To avoid such tracing, the sender can use so-called anonymous remailers. This method might be unknown to some of the readers, so here's a quick description.

There are many computers spread out over several countries and continents. Their only job is to forward mail in such a way that they protect the sender's address from traffic analysis. The sender is thus completely anonymous, and he can write hints to journalists, or tips to law enforcement, without having to reveal his identity. This total anonymity can also be used by criminals. It's like cryptography; two sides of a coin.

It works like this. The sender fetches a list of remailers that are up and running when he wants to send his mail. Anyone can put up such a remailer without any help or approval from a system administrator. The remailer is then incorporated into a network of other remailers whose only purpose is to forward mail.
The sender chooses at random, let's say, 10 remailers from the list of the day, and can even choose the order in which the message should be passed between the selected remailers. When the message has reached the first remailer, it's re-encrypted and forwarded to the next remailer in the list that the sender has chosen. The first remailer knows where the message originated from, but not its destination. The next remailer doesn't know where the message originated from, nor who the end recipient is. The message is now re-encrypted again, and forwarded to the next remailer on the list. In this way the message is re-encrypted several times on its way between different countries and continents, a few laps around the globe. Finally the message reaches the last remailer on the list, and is sent to the real destination. The last remailer only knows who the recipient is, and nothing about the origin of the message.

The remailers are totally automatic programs and don't save any logs. Only a globally co-ordinated traffic analysis of all remailers would make it possible to trace the message. That is why the list of remailers is constantly changing, and the sender is of course selecting remailers in several different countries. And since the message itself is encrypted by the sender, no remailer can read the content. Therefore it's useless to become a remailer in order to infiltrate the chain of remailers. An infiltrating remailer might not even be included in the random selection the sender made.

In this text, we just point to the fact that these remailers exist, and that the programs are out there for free. The question of whether they should be there at all is outside the scope of this text.
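The per-hop knowledge argument in 5j (first hop sees the sender but not the destination, last hop sees the destination but not the sender, and nobody sees the content), as an added example that is not from the original text or from any remailer software it links to. The per-hop encryption is modelled as nested layers prepared by the sender; the cipher is a toy HMAC-SHA256 keystream chosen only to keep the example self-contained, and the remailer names, keys and message are constructed.

```python
"""Added example: what each remailer in a chain can observe (model of 5j).

The sender wraps the message once per chosen remailer, outermost layer first
hop.  Each remailer peels one layer, learns the next hop, forwards the rest.
Toy cipher: XOR with an HMAC-SHA256 keystream.  Not for real use."""
import hashlib
import hmac
import random


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with keystream blocks HMAC(key, nonce || offset). Toy only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


toy_decrypt = toy_encrypt   # XOR keystream: decryption is the same operation


def wrap(chain: list[str], keys: dict[str, bytes], recipient: str,
         body: bytes, rng: random.Random) -> tuple[str, bytes]:
    """Build nested envelopes. Each layer = nonce || Enc(key_hop, len(next) || next || inner)."""
    blob, nxt = body, recipient
    for hop in reversed(chain):
        plain = len(nxt).to_bytes(1, "big") + nxt.encode() + blob
        nonce = rng.randbytes(16)
        blob = nonce + toy_encrypt(keys[hop], nonce, plain)
        nxt = hop
    return nxt, blob            # first hop name and the outermost envelope


def remailer_process(key: bytes, blob: bytes) -> tuple[str, bytes]:
    """One remailer's whole job: peel its layer, return (next_hop, inner blob)."""
    plain = toy_decrypt(key, blob[:16], blob[16:])
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def run_chain(sender: str, first_hop: str, blob: bytes,
              keys: dict[str, bytes], log: list) -> tuple[str, bytes]:
    """Transport simulation: deliver hop by hop, recording what each hop sees."""
    prev, cur = sender, first_hop
    while cur in keys:                     # stop when the name is not a remailer
        nxt, blob = remailer_process(keys[cur], blob)
        log.append({"hop": cur, "saw_from": prev, "forwarded_to": nxt})
        prev, cur = cur, nxt
    return cur, blob                       # final recipient, sender's end-to-end ciphertext


def demo(seed: int = 42) -> tuple[list, str, bytes]:
    """Constructed run: alice -> three remailers in random order -> bob."""
    rng = random.Random(seed)
    names = ("remailer-nl", "remailer-fi", "remailer-ca")
    keys = {n: hashlib.sha256(n.encode()).digest() for n in names}   # constructed keys
    bob_key = b"alice-and-bob-shared-key".ljust(32, b"\0")           # constructed
    chain = list(names)
    rng.shuffle(chain)
    # end-to-end layer first, so no remailer ever sees more than this ciphertext
    e2e_nonce = rng.randbytes(16)
    body = e2e_nonce + toy_encrypt(bob_key, e2e_nonce, b"meet at noon")
    first, onion = wrap(chain, keys, "bob", body, rng)
    log: list = []
    final, delivered = run_chain("alice", first, onion, keys, log)
    plaintext = toy_decrypt(bob_key, delivered[:16], delivered[16:])
    return log, final, plaintext


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

The printed log is the point: no single entry ever contains both "alice" and "bob", and the forwarded blob is ciphertext at every hop.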
(But if you are curious, it boils down to whether anonymity should be outlawed.)

More details about remailers can be found at:
www.cs.berkeley.edu/~raph/remailer-list.html
www.obscura.com/~loki/index.cgi
www.eskimo.com/~joelm/pi.html

The report from [NRC] summarises the situation like this:

"Given so many different ways to subvert a ban on the use of unescrowed cryptography, emergence of a dedicated subculture is likely in which the nonconformists would use coding schemes or unescrowed cryptography impenetrable to all outsiders."

Source: [NRC] section 7.2.1 "A Prohibition of the Use and Sale of Cryptography Lacking Features for Exceptional Access"

And indeed, such a subculture already exists; they call themselves cypherpunks.

New aspects

All the methods above show that it would require an enormous amount of work to plug all the holes that can be used for criminal exchange of messages. As if that were not enough of a headache, we here present some political signals that are hard to interpret.

Why are 260 million Americans released from key escrowing?

All American citizens are excluded from the key escrow plan. A statement from the White House says:

"Domestic use of key recovery will be voluntary, and any American will remain free to use any encryption system domestically,"

Source: http://csrc.nist.gov/keyrecovery/vp.txt, 1 Oct, 1996

This means that all 263 million (263 000 000) Americans are by definition raised above all suspicion of criminal activities, and thus don't have to escrow their keys. There is a widespread belief (that I shared myself) that non-approved encryption methods, as a consequence, must be prohibited. But surprisingly, that's not the case. The [NRC] report explains it like this:

"The Clinton administration has stated that it has no intention of outlawing unescrowed cryptography, and has repeatedly and explicitly disavowed any intent to regulate the domestic use of cryptography.
However, no administration can bind future administrations (a fact freely acknowledged by administration officials)."

Source: The [NRC] report, par. 7.2.1A, "Concerns about personal freedom"

Later in the same paragraph the report continues about the legal and constitutional issues. It writes:

"...a legislative ban on the domestic use of unescrowed encryption would raise constitutional issues. ... The government would have to show that the public interests were jeopardised by a world of unrestrained availability of encryption, and that these interests would have to be weighed against the free speech interests sacrificed by the ban."

This leads to the assumption that those countries that introduce key escrowing might have a weaker constitution than the US. Or the citizens in those countries don't defend their constitution as strongly as the Americans do.

Let's also look at some side effects.

- If key escrowing really works against criminals, they will move their activities to the US to continue their encrypted communication.
- Law enforcement in the US remains in the same spot as before. They still cannot wiretap criminals who choose to encrypt their traffic.
- If law enforcement in another country has traced criminal activities to the US, then they are in the same situation as law enforcement within the US. Neither of them can decrypt any traffic.

The exception for all Americans cannot be based on logic, so it must be a strategic political decision. That leads us to the next question. Since the key escrow plan is initiated by the US, it is unclear how they can argue with any credibility for a plan whose legitimacy is questioned in their own country. It is also unclear why the political representatives of other countries would introduce key escrowing into their countries. Do they hope that all criminals would emigrate to the US?

And what about the Americans themselves? Why would they buy escrowing encryption programs if they don't have to? The [NRC] report has no answer to that.
It says:

"Whether users would abandon nonconforming products in favour of new products with escrowing features - knowing that they were specifically designed to facilitate exceptional access - is open to question."

Source: [NRC] report, par. 7.2.1A "Economic Concerns"

One trend could however be expected. It's expensive to maintain two versions of a program. Encryption programs could be sold with different price tags depending on whether they include the escrow function or not. That is a way to find out whether there is a broad demand for non-escrow versions, or whether the price is more important. That answer is important feedback for future decisions.

Should Interpol or foreign intelligence perform wiretaps?

Interpol, the International Police Organisation, has for several years co-ordinated police resources across borders. Since it's a non-political organisation, it would be natural to let it also co-ordinate the requests for encryption keys for international criminal activities. The countries in the EU/OECD mainly share a common view of the definition of heavy criminals. But due to the silence about what's happening in the discussions at the EU/OECD, we do not know who will be the co-ordinating organisation for international crime.

But we do know who would be the co-ordinator if those countries were to adopt the US key escrow plan. One of the US requirements for key escrow agents is:

"An Escrow agent entity shall employ one or more persons who possess a SECRET clearance for purposes of processing classified (e.g., FISA) requests to obtain keys and/or key components"

Source: "Key Escrow Agent Criteria". http://csrc.nist.gov/keyrecovery/agent-criteria.txt

A manufacturer of key escrow products explains this in more detail:

"Key Escrow Feature 3. The product's key escrow cryptographic functions' key(s) shall be escrowed with escrow agent(s) certified by the U.S. Government, or certified by foreign governments with which the U.S. Government has formal agreements consistent with U.S. law enforcement and national security requirements. On December 5, 1995 the Justice Department laid out detailed requirements for escrow center operation, the most serious of which being a requirement for an escrow operator to have at least one employee who holds a U.S. SECRET clearance. The justification for this was that since FISA (Foreign Intelligence Surveillance Act) orders for foreign service interceptions were almost always classified, the government could not give FISA orders to non-cleared people, since the identity of the target of the interception, as well as the existence of the order, are both secrets."

Source: http://www.tis.com/docs/products/cke/sysdesc.html

This means that countries that adopt the US scheme will have personnel that follow secret orders from US intelligence, to protect US national security. The target country gives away control, and doesn't even have the right to know if, when, why, or which keys are interesting to the foreign intelligence service. If it really was criminals who were the target of key escrow, then a foreign intelligence service is surely not what most of us would expect to be conducting the wiretapping. (Those who want to do some research can perhaps find clues in "Information Warfare - Chaos on the Electronic Superhighway" by Winn Schwartau, ISBN 1-56025-080-1, 1994. If you are in a hurry, jump to chapter 15.)

Criminals don't encrypt. Or do they?

A manufacturer of key escrow products says that criminals are not disciplined or smart enough to use good encryption. That's confusing, because then there is no need for key escrow.

"But Criminals Are Too Smart To Use Escrowed Encryption

Some people have offered the proposition that organized crime and terrorists are too smart to use escrowed encryption systems, that they would employ their own crypto geniuses to formulate unescrowed strong encryption and thus evade law enforcement. But law enforcement officials say criminals are not that smart or disciplined.
They use everyday tools, just as we do. If they were so smart, why do criminals use telephones - even cellular phones - routinely? Why did the terrorists that blew up the World Trade Center come back to ask for a refund of their truck deposit? Why did the (alleged) Oklahoma City bomber drive away from Oklahoma City at 90 miles per hour, with no license plates and a not-so-concealed concealed weapon that got him arrested on the spot by the traffic cop? The answer is because they are human, just like us.

Law enforcement agencies of the U.S. Government tell us that if American industry provides strong unescrowed encryption, criminals and terrorists will use it to our detriment. Conversely, if American industry provides strong escrowed encryption, criminals will use it to their detriment, just as they do telephones, credit cards, automobile rentals, airplanes, etc.

In one famous case investigated by the FBI a few years back, a number of Defence Department officials were convicted of graft and corruption in defence contracting. These people were highly educated - all of them with STU III secure telephones on their desks which the FBI could not have tapped and deciphered. Nevertheless, these officials were caught because they used the plain old (unencrypted) telephones that were next to the STU III phones on their desks, and the FBI was able to tap those phones and get enough information to bring them to justice."

Source: www.tis.com/docs/products/cke/sysdesc.html

This quotation from [NRC] does not make us any wiser:

"As a general rule, criminals are most likely to use what is available to the general public, and the encryption available to and usable by the public has to date been minimal.
At the same time, sophisticated and wealthy criminals (e.g., those associated with drug cartels) are much more likely to have access to and to use cryptography.(13)"

"(13) For example, police raids in Colombia on offices of the Cali cartel resulted in the seizure of advanced communications devices, including radios that distort voices, videophones to provide visual authentication of callers' identities, and devices for scrambling computer modem transmissions. The Colombian defence minister was quoted as saying that the CIA had told him that the technological sophistication of the Cali cartel was about equal to that of the KGB at the time of the Soviet Union's collapse. See James Brooke, "Crackdown Has Cali Drug Cartel on the Run," *New York Times*, June 27, 1995, p. A-1."

Source: [NRC] par. 3.2.4.

Since the question of whether criminals encrypt or not is still unanswered, we will instead try to interpret the quotations above. Key escrowing is not needed for those criminals that use approved methods. To catch the criminals that use more advanced cryptographic methods, key escrowing is only useful if these three events occur at the same time:

1) The criminals will sooner or later make a mistake, and send a message which can be read.
2) At that moment, the wiretap is already in place to catch the message.
3) That message must be enough to prosecute the whole league, because the criminals might not make the same mistake again.

Is it reasonable to build up a global infrastructure on these vague hopes?

Summary.

Wiretapping criminals is the main reason for key escrow that is presented to the broad public. The views presented here show that the world is not that simple. To justify the costs there must be something more behind the key escrow plan. There is only one official reason left: national security. And of course, to rephrase [NRC] above, the plan could also be:

1) Don't outlaw anything today. Just build up the infrastructure.
2) When all parts are in place, it is easier to take decisions which can't be taken today.

A final word.

Don't blame the US for this. Instead you must admit that the US should be rewarded with a prize for the greatest marketing campaign that the world has ever seen. It fooled the politicians in the G7, and most of the politicians in the EU and OECD. Instead of blaming the US, look at how public opinion in the US made the Clipper chip fall. If the citizens in other countries cannot do the same, then they get the key escrow they deserve.

References

[NRC] The National Research Council has written a report of several hundred pages that presents almost every aspect of the effects of cryptography. The title is: "Cryptography's Role in Securing the Information Society", Library of Congress Catalog Number 96-68943, International Standard Book Number 0-309-05475-3. The report also exists as a prepublication copy on the Internet:
http://www.replay.com.miror/nrc/nrc01.txt - nrc08.txt (main text)
http://www.replay.com.miror/nrc/nrc0a.txt - nrc0n.txt (appendix)
http://www.replay.com.miror/nrc/nrcd1.jpg - nrcd2.jpg (pictures of tables)

--- end ---