Uncle Sam's crypto road show

  • Published on
    05-Jul-2016

  • View
    218

  • Download
    0

Embed Size (px)

Transcript

  • Network Security March 7 998

    Uncle Sams Crypt0

    Road Show Wayne Madsen

    State Department documents released to the Electronic Privacy Information Center (EPIC) illustrate the extensive travels of Ambassador David Aaron, President Clintons former Special Envoy for Cryptography, during 1996 and 1997. On 6 November 1996, Aaron became the Under Secretary of Commerce for international trade. Aaron was charged by the Clinton administration with selling the concept of the unpopular key escrow/key recovery initiatives to governments around the world. This was in addition to his other duties as Permanent Representative to the Organization for Economic Cooperation and Development (OECD) in Paris.

    Contrary to statements by Aaron and other administration officials, the newly-released documents indicate that many foreign governments were either opposed to the US encryption initiatives, reluctant to make any quick decisions to adopt key escrow, or were not sufficiently informed on the matter to make a decision at all. Even before Aaron was appointed Clintons Special Envoy for Cryptography, US State Department messages indicate that the US was making overtures to various countries via American embassies around the world. These include the diplomatic posts in Canberra, London, Tokyo, Ottawa, Tel Aviv, Paris, Bonn, The Hague and Moscow. One message to these posts announced the revised US cryptography export policy - the key recovery within two years or no export rule (the public announcement was made on 1 October 1996).

    Following the receipt of the message, the US Embassy Economic Officer in Ottawa

    8

    briefed Lynda Watson, the Canadian Director of the Export Controls Division of the Department of Foreign Affairs and International Trade (DFAIT), on 2 October 1996. In a message to the State Department classified Sensitive But Unclassified (SBU), it is stated that Watsons reaction to the proposed cryptography policy was one of mild surprise. Watson said that Canada had not expected this outcome at this time. When the Economic Officer asked Watson to provide a list of senior officials for an, at the time, unnamed senior American official to meet, Watson declined, saying that would depend on the rank of the US official.

    Diplomatic protocol, it seems, actually became a stumbling block to a quick commitment by Canada to readily accept US key recovery proposals. Watson also had a list of questions for the Americans to pose to their Government concerning key recovery, including the reasonable question of when the

    new American policy was to come into effect. Although the Economic Officer seemed to indicate to Watson that US- Canadian meetings would be coordinated through her, he provided copies of the message outlining the new US key recovery plan to embassy representatives of the National Security Agency (NSA), the FBI and US Customs Service. They were directed to contact their Canadian counterparts directly to seek out Canadian officials who might meet with the unnamed senior US official.(l)

    In a further embassy message to Washington, MS Watson is reported to not have received a timely response to her questions about US intentions. In the message (subject: US Cryptography Policy: Canadians reiterate their questions), an embassy official reports that Watson, on 29 October 1996, asked him whether the embassy had received answers to her previous questions on US cryptography policy and the identity of the senior official who would be coming to Canada. The message states:

    The GOC (Government of Canada) would like to be in a position to have a meaningful discussion at a senior level, Watson said. But the lack of any information from the USG (US Government) in the three weeks since the embassy originally approached DFAIT about the potential visit of a senior USG official has made it difficult for DFAIT to prepare for such a meeting. It was essential, she said, that the GOC be given more than just seven to 10 days advance notice to prepare for the visit of the senior official. If DFAIT did not have this information well in advance, Watson said,

    0 1998 Elsevier Science Ltd

  • March 7 998 Network Security

    the senior officials visit to Ottawa risked being less productive than both sides would like. (2)

    US Government officials had often cited Canada as one of the US allies that was supportive of US cryptography initiatives. Revelations from these released diplomatic cables do not seem to support that contention. The announcement by the White House that the senior US official would be David Aaron was not made until 15 November 1996. State Department message traffic reveals that further US diplomatic posts were brought into the cryptography picture. These include the posts in Budapest, Buenos Aires, Mexico City, Prague, Pretoria, and Seoul as well as American consulates in Strasbourg (the headquarters of the Council of Europe) and Marseilles. They also included the OECD collective address of All OECD Capitals. (3) This prompted the US Embassy in Bern to inquire as to whether they were supposed to arrange meetings between Aaron and officials of the Federal Office of Communications (BAKOM), the lead agency for cryptography issues in domestic legislation. (4)

    Although there was a name now associated with the US senior official, problems with Americas closest ally would continue. In a 22 November 1996 message to the State Department, the American Embassy in Ottawa reported that it shared the news of Ambassador Aarons appointment with Lynda Watson. However, Watson did not approve of the dates proposed for Aarons visit to Ottawa (lo- 11 December 1996). Watson said that some of the higher-level officials would be out of town that week and most of the DFAIT working-level officials were going

    0 1998 Elsevier Science Ltd

    to be in Vienna for a meeting of Waasenaar Arrangement nations.(5) It is surprising that Aaron would have proposed a trip to Ottawa during a meeting in which cryptography export controls were surely to be discussed!

    The United States would continue to have trouble with Canada. In a 19 December 1996 message from Aaron to the Department of State, the FBI, NSA. Justice Department and Commerce Department, the ambassador relays the content of a phone conversation he had the day before with John Tate, Coordinator of Security and Intelligence within Canadas Privy Council Office. Tate was responding to the imminent release of the Commerce Departments new encryption export regulations (which were released on 1 October 1996). Tate said that while Canada supported the thrust of the new US encryption policy, If the new regulations take effect on 1 January 1997. Canada will be obligated to lift its own export controls with no follow-up proposal to back it up. Aaron reported that Tate wanted the US to delay its new policy implementation for six months to a year. in the message, Aaron states *. . while I was sympathetic to Canadas position, our own domestic situation did not allow for an extended implementation period. (6)

    In a follow-up phone call with Tate, Aaron reports that the Privy Councilor reconfirmed, Canada would not be in a position to apply the same type of conditions to its own industryY(7) This indicates that Canada was not prepared to go along with the US proposal to have companies agree to take part in a key recovery programme in

    order to receive export licenses for cryptographic products.

    The US Embassy in Tokyo seemed rather strapped for cash in setting up meetings between Japanese Government officials and Aaron. For example, one message from the Tokyo embassy to the State Department cited the scarcity and expenses of interpreters for the meetings. Another said that in order to have an embassy car sent to Narita Airport for a 6:lO am pick up of Aarons party, the embassy would have to pay the driver $150 overtime pay - and it wanted money from Washington in advance. The embassy did suggest that Aaron and his crypt0 party could take the bus to their hotel from the arrival area outside of customs. This was at the bargain rate of $28. Optionally, the embassy said the Aarons four-member delegation could hop on a train from the airport to Tokyo station and then take a cab to the embassy. A truly amazing diplomatic reception for President Clintons personal envoy!(8)

    The Tokyo mission also reported reservations in Japan concerning US encryption proposals. In a 14 January 1997 message to Washington, the Tokyo embassy reports that Aaron should meet with Japanese industry representatives:

    A meeting with Japanese industry reps would be a useful opportunity to address some of the misperceptions and fears we have detected concerning US policy, and an opportunity to encourage Japanese industry to join our companies in developing a key-recovery infrastructure. (9)

    Given the close connection between Japanese industry and Government, it is certain that if

    9

  • Network Security March 7 998

    Japanese industry had reservations about key recovery, the Japanese Government shared these sentiments. Perhaps this was what was behind the request by the Japanese Government for Aarons trip to Tokyo to *be kept low-key. The Japanese also requested that there be no press activities regarding encryption policies, (10)

    In an October, 1996 Tokyo embassy message to Washington, it is reported that Ministry of Foreign Affairs Non- proliferation Officer, a Mr Sekiguchi, told US embassy officials, regarding domestic key recovery . . . the issue will have to be reconciled with the sensitive issue of privacy, which is strictly protected by the Japanese Constitution. The Ministry of International Trade and Industry also indicated it had reservations with the US approach. It asked a US embassy official to ask Washington, *Once use is made of a third-party key, wont all future communications of that user be compromised? The Ministry of Posts and Telecommunications and Ministry of Justice weighed in by rhetorically asking, What is to prevent people from creating their own encryption products based on publicly available algorithms? Ironically, the best question was posed by the National Police Agency, rumoured to be Washingtons only ally on encryption in Japan, How does the new US (encryption policy) affect the status of publicly posted encryption programs such as PGP?(ll)

    In additional communications. the US Embassy in Tokyo continued to report problems for US encryption proposals. In a 31 January 1997 message. the embassy reports:

    10

    *Over the past several months, there have been several articles in major newspapers (Nikkeiand Nikkei Sangyo) describing encryption and key recovery issues. According to these reports, Japanese firms are wary of participating in key recovery technology development for fear of appearing to support wiretapping. (12)

    The Embassy also reported problems that American firms were having meeting Japanese client demands for encryption (an issue which directly affects the US trade balance):

    A major US software company said it will have to use an NTT-developed product in a MITI-sponsored electronic commerce project it is involved in. Similarly, a recent report notes that WebTV, which has entered a joint venture with Fujitsu, has been forced to ask a Japanese company to develop encryption for its television set-top box, since it cannot export the 128-bit encryption it incorporates into its US product.(l3)

    A message from the US Embassy in Rome proposes that the US attempt to actually influence the Italian legislative process in developing an encryption policy for that country. In a 6 December 1996 message to the State Department, the embassy informed Washington, As Italy is currently formulating its encryption policy, we have a good opportunity to inform and influence the process. However, the message contains a warning:

    We were told that the encryption issue is being treated delicately since

    Italian authorities are concerned about a potential blowback on a matter which affects the privacy of personal data. The Justice Ministry is trying to establish principles which maintain the constitutional right to privacy but also allows effective action against criminal organizations by legal authorities, We were told that the Ministry is looking at a double keyapproach, similar to the US concept. (14)

    The message from Rome also identifies Italian Government officials who would be likely targets for an American lobbying effort on encryption policy. They are: Antonio Mirone (Justice ministry Undersecretary); Luigi Scotti (Justice Ministry Chief Legislative Officer); Gianfranco Anedda (Deputy, National Alliance Party(15) and Lower House Reader of the Law); and Senator Salvatore Senese (Democratic Party of the Left and the Senates Reader of the Law). A Rome embassy message to Washington dated 20 December 1996, suggests that Aaron meet with neo-Fascist deputy Anedda.(l6)

    The Netherlands seemed to hedge on any quick acceptance of US key escrow/recovery proposals. In an American Embassy The Hague message dated 11 December 1996, it is revealed that Dutch Ministry of Economic Affairs official Mark Hoevers had reservations about the efficiency of proposed consultations in the absence of an official US (and Dutch) encryption policy. (17)

    By early January 1997, it seemed that Aaron was not having too much luck convincing the big players to support US encryption

    0 1998 Elsevier Science Ltd

  • March 7 998 Network Security

    policy goals. In a 8 January 1997 message to US embassies in Copenhagen, Dublin, Helsinki, Moscow, Oslo, Seoul, Vienna and Wellington, Aaron requests those posts to identify representatives from the respective governments with whom he might hold informal bilateral discussions on the margins of the RSA Conference (San Francisco) scheduled for 28-29 January, (18)

    There was also a suspicious meeting on 12 November 1996 between Aaron and OECD official Jean Pierre Tuveri. Aaron discussed Tuveris recent trip to Estonia, Latvia, and Lithuania. The crypt0 envoy must have brought up the Baltics policies on the use of cryptography during that session, although Aarons released day book entries do not indicate cryptography was discussed. However, immediately following the meeting with Tuveri. Aaron, his assistant, and key embassy officers held a meeting on cryptography. Additionally, while in the midst of high-level cryptographic discussions in Paris, Aaron found time for a 27 November 1996 meeting with the counsellor of the Latvian embassy in Paris.

    The released traffic indicates that one of the strongest proponents for the US key escrow policy in Australia was Peter Ford of the Attorney Generals Office. Ford tried to get the Federal Minister of Communications Senator Richard Alston and Fords boss, Attorney General Daryl Williams, to meet with Aaron. However, the US embassy reported that the Attorney General was travelling to Perth during Aarons visit and was not available to meet with the US crypt0 ambassador. Alston apparently had other more pressin...