University of Pennsylvania Law Review
THE METAPHOR IS THE KEY: CRYPTOGRAPHY, THE CLIPPER CHIP, AND THE CONSTITUTION
A. Michael Froomkin [FNd1]
II. THE ESCROWED ENCRYPTION PROPOSAL-LEGAL, POLICY AND TECHNICAL PROBLEMS
The Clinton Administration introduced EES through a procedural back door that relies on market power to prevent a substantial increase in the communications privacy of Americans, an outcome not authorized by any statute. EES used a standard-setting procedure but failed to set an intelligible standard. The procedure violates the spirit, although not the letter, of the Administrative Procedures Act (APA).
The Administration is spending large sums of money on a controversial project in the absence of congressional authorization. This policy cuts out the legislature, and indeed the public, from the decision to proceed with EES. [FN220] Only Congress can intervene, because, as things currently stand, no one has standing to sue. The Administration's use of a standard-setting procedure to make substantive policy sets an alarming precedent of rule making with highly attenuated accountability.
A. EES: The Un-Rule Rule
1. FIPS 185: A Strange Standard
An appreciation of both the novelty and the danger of the Administration's regulatory approach requires some understanding of the regulatory device that NIST used to introduce EES. The Constitution gives Congress the power to “fix the Standard of Weights and Measures.” [FN221] NIST (formerly the Bureau of Standards) is the agency charged with this responsibility. Federal *765 Information Processing Standards (FIPS) are standards and guidelines intended to improve the federal government's use and management of computers and information technology, and to standardize procurement of those goods. [FN222] FIPS are also used to announce national norms in areas of changing technology where NIST believes industry would benefit from the existence of a standard. Officially, the only bodies required to conform to FIPS are agencies within the federal government (and in some cases government contractors), although in practice they are often adopted as de facto national standards by industry and the public. [FN223] The private sector finds FIPS attractive because they allow *766 conformity with, and sales to, the government, and because the standards themselves often have technical merit, or at least reflect a technical consensus of the many public and private interests that NIST routinely consults before it promulgates a FIPS. [FN224] EES is FIPS 185. [FN225]
One of the more serious complaints about FIPS 185 is that it fails to set a standard. One member of the NIST Computer Privacy and Security Advisory Board went so far as to submit a comment calling the FIPS “content-free.” [FN226] Most FIPS describe a conforming device or procedure in sufficient detail for the reader to understand what it is; FIPS 185 does not. Instead, it states, “Implementations which are tested and validated by NIST will be considered as complying with this standard.” [FN227] FIPS 185 requires the use of the SKIPJACK encryption algorithm and a LEAF creation method. [FN228] But the standard does not define those terms because the specifications for both are classified. Instead, FIPS 185 unhelpfully notes:
Organizations holding an appropriate security clearance and entering into a Memorandum of Agreement with the National Security Agency regarding implementation of the standard will be provided access to the classified specifications. Inquiries may be made regarding the Technical Reports and this program to Director, National Security Agency, Fort George G. Meade .... [FN229]
*767 Nor does the standard explain what sorts of devices it covers. It merely states that “[v]arious devices implementing this standard are anticipated. The implementation may vary with the application. The specific electric, physical and logical interface will vary with the implementation.” [FN230] Admittedly, FIPS 185 at least has the good grace to acknowledge that it is “not an interoperability standard. It does not provide sufficient information to design and implement a security device or equipment. Other specifications and standards will be required to assure interoperability of EES devices in various applications.” [FN231]
In sum, FIPS 185 says something to this effect: “Various electronic devices will contain classified components that will provide escrowed encryption using a classified algorithm. If you ask nicely, we may let you use one in your design, and we will tell you whether we approve of your device and whether we will let you produce it.” This is a strange sort of standard.
2. An End-Run Around Accountability
Such an unorthodox standard is the result of an even more unorthodox procedure. FIPS 185 is not just a standardless standard; it is an un-rule rule which seeks to coerce the public by wielding federal market power to generate a de facto standard without providing any real administrative accountability. Despite conforming to the notice and comment procedure of § 553 of the APA, [FN232] and being duly published in the Federal Register, [FN233] FIPS 185 is not a legislative rule because it does not seek, at least on its face, to bind the public. [FN234] Nor, despite being on its face an *768 announcement, is FIPS 185 a nonlegislative rule as the term is usually understood. [FN235] Familiar types of nonlegislative rules include interpretative rules, statements of policy and “publication rulemaking.” FIPS 185 fits into none of these categories. [FN236] Interpretative rules set forth an agency's understanding of a statutory provision, a judicial or administrative decision, or another rule, [FN237] and FIPS 185 clearly does not provide any of these. Nor is FIPS 185 an example of what Peter Strauss has called “publication rulemaking” [FN238] in which agency staff, acting pursuant to APA *769 § 552(a)(1)-(2), publish technical guidelines, staff manuals, or standards (such as IRS Revenue Rulings) that inform the public of the agency's likely position in future enforcement, application-and-approval, or benefit/reimbursement cases. [FN239] Nor is FIPS 185 a statement of policy. [FN240] Nothing within the four corners of FIPS 185 establishes or explicates a policy, unless giving federal agencies the option to purchase certain devices constitutes a policy. [FN241]
On its face, FIPS 185 is a minor internal housekeeping regulation. Whether anyone, inside or outside of the government, chooses to comply with it is entirely up to her, although FIPS 185 states that use of EES by nonfederal government organizations “is encouraged.” [FN242] In form, EES is a description of something, as well as a grant of permission for agencies to use that something instead of other things they are currently using. Yet despite explicitly disclaiming any intention of legally binding the public, FIPS 185 is part of a strategy to coerce the public by use of the government's market power to create a de facto national standard. At the same time that the Department of Commerce promulgated EES, the Department of Justice announced that it was buying 9000 Clipper-equipped telephones, using money from its Asset Forfeiture Super Surplus Fund, [FN243] a fund comprised of profits from RICO, *770 drug, and other asset forfeitures. [FN244] Expenditures from the Asset Forfeiture Super Surplus Fund require no congressional appropriations. The effect is to cut Congress out of the decision-making process on an issue which may eventually affect the privacy rights of most Americans. One need not be an opponent of EES to believe that a decision with significant potential effects on communication privacy should have been left to the legislature.
The Department of Defense, too, is considering buying millions of EES-compliant devices, [FN245] although this purchase may require congressional approval. The government's market power as a bulk purchaser suggests that, all other things being equal, producer economies of scale will allow EES-compliant devices to be the lowest-cost hardware-based civilian cryptography products available. In addition, EES products will have the significant advantage of being able to communicate with the government's telephones, something that any competing technology will lack. [FN246]
The Clinton Administration also announced that it will exempt EES products from the export ban in the ITAR. [FN247] If the ITAR *771 are revised in this manner, EES products will become the only U.S.-made exportable products offering strong encryption, disadvantaging U.S-based competitors further. [FN248] These efforts have already had an effect: the day that the Administration announced its plans for Clipper, AT&T announced that its new secure telephone, the 3600, would not use a DES device as originally announced, but would use Clipper instead. [FN249]
The current Administration makes no secret of its hope that the combination of federal standard-setting, federal purchasing power, and fine-tuning of export control will allow it to impose a de facto standard on the public, even though there is no statutory authority for the standard, and even though Congress has never appropriated a penny to support the standard. In so doing, NIST has pioneered a new type of un-rule. It is a rule that the Administration indeed hopes and intends to have a “practical binding effect,” [FN250] but not because the rule announces to the public how the agency will act in the future, nor because the agency intends to act in compliance with the rule, nor because the rule describes safe harbors for compliance *772 with existing rules. [FN251] Rather, by issuing the rule (if a rule it be), the agency hopes to set in motion a train of events that will coerce the public's compliance.
NIST's use of a FIPS in this manner is an interesting reversal of the usual circumstance of a nonlegislative rule that an agency intends to be binding. [FN252] In the ordinary situation, an agency has chosen not to use the notice and comment procedure that characterizes informal rule making under APA § 553, and has simply issued the rule, perhaps labeling it “interpretative” or “policy guidance.” A party seeking to challenge the rule attempts to demonstrate that the rule is actually legislative and thus invalid without notice and comment. The aggrieved party argues that it was entitled to be consulted on the rule and that the agency may not deprive the party of its right to make comments. Once the comments are duly docketed, the agency has a duty to take them seriously and may not reject them without giving nonarbitrary reasons. [FN253] In the classic case, the agency responds by denying the substantive import of its rule and arguing that, because the rule breaks no new ground, notice and comment are not necessary.
With FIPS 185, NIST has turned this process on its head. A proposed version of FIPS 185 was published in the Federal Register, and NIST solicited comments. [FN254] It received hundreds. [FN255] NIST accepted a few, but rejected many others on the disingenuous grounds that because the standard was entirely voluntary, it could cause no harm. [FN256] NIST thus invoked the formally voluntary *773 nature of the FIPS as justification for dismissing the concerns of commentators who saw FIPS 185 for what it was, and what NIST itself surely understood it to be: an attempt to coerce the public through market means. NIST simply failed to address the merits of many important complaints, including those challenging the security, necessity, or wisdom of its proposal, with the result of significantly devaluing the opportunity to comment. [FN257] Yet, unlike most agencies that fail to address the merits of comments received on a proposed rule, NIST likely has little to fear from judicial review of its decision because there appears to be no one with standing to challenge its actions.
Even a competing product manufacturer would be unlikely to have standing to protest a procurement order for products conforming to FIPS 185. [FN258] As a plaintiff, such a competitor might be able to argue that had it not been for the permission to purchase the items granted in FIPS 185, the procuring agency might have purchased the plaintiff's devices instead. Such a claim would, however, be risky at best. The plaintiff would have to mount a convincing case regarding causation, somehow demonstrating that but for FIPS 185, the plaintiff's products would have conformed with the agency's requirements; [FN259] the plaintiff would also need to *774 show that the agency would have been unable to obtain a waiver from the preexisting requirement that it use a DES product to protect sensitive information. [FN260] Without an extraordinarily good factual basis, this barrier is probably insurmountable, leaving the would-be plaintiff without the direct personal stake in the case necessary for standing.
One other possible strategy for the plaintiff would be to claim “reputational” injury to its product or firm on the grounds that the FIPS would cause customers other than the government to reject its nonconforming products. Those employing this strategy could then try to invoke Meese v. Keene [FN261] to overturn the no-standing-to-challenge-a-FIPS rule of Control Data Corp. v. Baldridge. [FN262]
Otherwise, it is very difficult to imagine who might have standing to sue to overturn FIPS 185. A party seeking relief would have to argue that the FIPS was not as harmless as NIST claimed, and that the replies to comments were therefore defective. Just as NIST was able to ignore critical comments on its draft FIPS by saying that the standard was optional and hence harmless, [FN263] so too could it argue that because the standard is nonbinding, no one has a legal right to demand that a court review it. [FN264]
Should the Administration's attempt to combine technical standard-setting authority with market power succeed, however, *775 many parties will be justly aggrieved. Makers of competing products will lose market share, and perhaps may be driven out of their market altogether. Individuals who might have preferred non-escrowed encryption, if it could be obtained at or near the same price as an EES device, may find that option closed to them. Such a policy will establish a new and undesirable process by which the government will likely be able to avoid the APA in a small, but significant, class of cases. [FN265] Current law does not recognize any of these injuries, save perhaps the claim of lost market share, as legally cognizable. [FN266] A major decision as to the degree of privacy to be afforded to U.S. citizens will have been made without effective congressional or popular participation.
Placing all FIPS, or all standard-setting relating to high technology, under the APA would be one way of ensuring that the executive branch can never again use standard-setting to manipulate the market for high technology items, at least not without judicial review for reasonableness. Although this change would vaccinate against the disease, it would also have undesirable side-effects. Neither nonbinding national technical standards nor the government's internal procurement standards should be litigated. [FN267] If a manufacturer is dissatisfied because a national or procurement standard more closely conforms to a competitor's product than its own, the proper place to fight that battle is the marketplace, not a court. EES is a special case because the technology at issue has social implications far beyond the ordinary FIPS, and because the government is seeking to use its purchasing power to coerce the market to achieve an end other than reliability, ease of use, or technical excellence. It would be a pity if prevention of such special cases were to force so disruptive a change on a system which ordinarily seems to work reasonably well. [FN268]
*776 Trying to find an avenue for judicial review of a coercive but formally voluntary FIPS is probably more trouble than it is worth. [FN269] The greatest procedural problem with FIPS 185 is not the absence of judicial review but the attempt to evade congressional participation in a decision that may have major social consequences for many years. The solution to this problem is logically, if not politically, simple. If the executive branch did not have funds available with which to purchase thousands of EES-equipped devices, it would have to go to Congress for the money. Congress could then debate the issue and, regardless of what it decided, the process would conform with the values of openness, explanation, and representative democracy which the un-rule rule undermines. To prevent further abuses of the FIPS procedure, either the Justice Department's Asset Forfeiture Fund should be returned to the Treasury, or its terms should be narrowed to make it clear that its proceeds cannot be used to attempt to influence product markets. [FN270]
* * *
*782 4. Who Should Hold the Keys?
The Administration does not intend to give the escrow agencies the sort of permanence or legal authority that derives from legislation, much less the autonomy that attaches to an independent agency or a nongovernmental actor. [FN301] This decision is very unfortunate given the crucial role that the escrow agents play in generating and safeguarding the keys. As ordinary administrative agencies within the executive branch, the escrow agents fall within the regular civilian chain of command and have no recourse if legally ordered to grant access to the keys to the NSA, the FBI, or future White House “plumbers.” The heads of both escrow agencies serve at the pleasure of the President. The absence of any formal regulations that would impose delays, along with the absence of publicity as the rules are changed, prevents even a delaying action of the kind contemplated in Nader v. Bork [FN302] and United States v. Nixon. [FN303] Under current rules, the terms under which the escrow agents work can be modified, waived, or amended at any time without public notice, although the public might be able to find out about unclassified changes or waivers after the fact via the Freedom of Information Act. [FN304]
Ideally, the escrow agents would be as incorruptible as possible, possessed of a clear charter setting out their positive and negative duties, insulated from pressure from the law enforcement and intelligence communities, and outfitted with secure facilities to store the list of key fragments (which may, if EES catches on, become one of the most valuable items of information held by the U.S. government).*783 They must also be trusted by the public, or the public will not participate in the EES scheme. With the exception of the secure facilities, the list of necessary attributes describes a body resembling the federal judiciary. Not surprisingly, some noted cryptologists have suggested that the judiciary hold the keys. [FN305] No doubt the judiciary could acquire the technical competence and equipment required to generate and secure the keys.
Whether judges could constitutionally hold one or more key fragments is a close question. [FN306] It is clear that Congress could not hold the keys, nor could any congressional agent. [FN307] Holding keys is an executive function. It would involve judges in the law enforcement process at a time when there is no case or controversy and, as regards the large majority of the keys, no prospect of one.
Because holding keys is an executive function, the judiciary (or an agency such as the Administrative Office of the U.S. Courts, which is responsible only to judges) can constitutionally hold the keys only if the function is “incidental” to its Article III functions. [FN308] If the task is more than “incidental,” then the principle of separation of powers requires that it be undertaken by the executive branch or by private citizens. [FN309] The court taking *784 custody of the keys would be in a position reminiscent of Hayburn's Case, [FN310] which has long stood for the proposition that neither the legislative nor executive branches may assign duties to the judiciary “but such as are properly judicial, and to be performed in a judicial manner.” [FN311] Unlike Hayburn's Case, however, the judges would not be asked to decide anything until the government was granted a search warrant. The court would presumably disclose the key fragment(s) along with the ex parte order granting the warrant.
Judges already do a number of things that come close to holding a key fragment, but each is distinguishable. Courts and their adjuncts have for many years exercised a wide variety of ancillary powers such as rule making, and the appointment and supervision of court personnel, which are “reasonably ancillary to the primary, dispute-deciding function of the courts.” [FN312] Courts have also supervised grand juries for many years. [FN313] More recently, Congress has given the judges and courts additional responsibilities, including membership on the Sentencing Commission, [FN314] and the selection and supervision of independent counsel. [FN315] Indeed, the granting of warrants (and the record-keeping which follows) are ex parte proceedings, clearly within the Article III jurisdiction of the courts. Taking custody of a key in advance of any adversary or even any ex parte proceeding, with the knowledge that most keys will never be subject to such a proceeding, goes beyond any of these precedents. Perhaps the closest analogy is the court's marshal who is instructed to keep order even though there is no reason to believe *785 that any particular person will seek to disrupt the court's functioning. Even the marshals are an imperfect parallel, however, because their activities impinge only on persons who come into contact with the court or with court personnel; holding key fragments could affect the privacy of many who have no other contact with the judicial system.
Whether the functions of protecting keys from disclosure and disclosing keys to facilitate wiretaps are sufficiently ancillary to the judicial function of issuing wiretap orders and warrants as to be constitutional is ultimately a matter of taste. The existence of the FISA court, [FN316] whose sole jurisdiction is to receive and rule on petitions for foreign-intelligence-related surveillance, adds some support to the argument that holding a key fragment would be incidental to Article III functions, because the act of holding the keys is only a little more ancillary to traditional judicial functions than are the FISA court's actions. [FN317]
As a quick fix, the Secretary of Commerce and the Secretary of the Treasury should each immediately issue separate regulations, published in the Federal Register, defining the role of the escrow agents in their respective agencies and making clear that the escrow agents have a legal duty to protect the keys from all release except as specified in the rules. In the longer term, Congress should pass legislation vesting the escrow function in independent agencies specifically created for that purpose. [FN318] Although opinions differ as to the degree of tenure in office that the Constitution allows Congress to confer on the heads of independent agencies, [FN319] there *786 is no debate that independent agency status represents an attempt to shield a function from political manipulation, and that the officers of an independent agency have at least political insulation from dismissal by a President who finds them insubordinate.
Alternate structures, in which EES-product users can choose to lodge their keys with any one of a number of private escrow agents, might provide even greater security to users, but at the price of some additional complexity. One can imagine a system in which private escrow agents would apply to the Attorney General for certification as suitably secure and perhaps post bond to ensure that they would deliver up keys when legally ordered to do so. Although this system might satisfy both the user's desire for security and the government's desire for certain access, it introduces practical problems. The government will still need to keep a master list of chip serial numbers in order to know which escrow agent has the key. Furthermore, a private escrow agent would have to charge a fee, to be paid either by the chip user or the taxpayer. There is also no particular reason to believe private escrow agents would be less corruptible than the Justice Department, although if key fragments were distributed among many different escrow agents, the harm caused by compromise of any given database would be lessened. [FN320]
* * *
C. Voluntary EES Is Constitutional
Even if EES is unreasonable either on general principles or as the term is used in the context of the APA, it is still not unconstitutional. The Constitution allows many unreasonable things, [FN347] and actions that might violate the APA if made by rules within its purview are not necessarily unconstitutional if achieved by other means. So long as it remains purely voluntary, EES creates no fundamental constitutional problems.
EES involves five distinct government actions. First, the government launched the program by making the classified SKIPJACK algorithm available to a manufacturer of EES-compliant products. Second, the government announced FIPS 185. [FN348] Third, it is purchasing large numbers of EES-compliant products for its own use. Fourth, it is encouraging others to use EES products. Fifth, it is setting up the two escrow agents who will hold the keys. As a group, these five actions amount to attempting to create a voluntary national key escrow system. Individually and collectively these activities are constitutional.
The NSA controls access to the SKIPJACK algorithm and the details of the LEAF. [FN349] To date it has made the design of the chips available to one manufacturer, Mykotronx, Inc. [FN350] FIPS 185 indicates that only organizations already holding security clearances need apply for access to the classified specifications for SKIPJACK. A party lacking such a clearance might have a legitimate grievance if she were unable to obtain such clearance for the purpose of *794 manufacturing EES-compliant microcircuitry. [FN351] Indeed, if potential competitors to the NSA's chosen manufacturer were denied access to the information they needed to compete with Mykotronx, they could plausibly allege an equal protection violation or a violation of procedural due process. The government has no obligation, however, to make the algorithm available to anyone who asks. [FN352]
The government is free to purchase goods and services to meet its needs. [FN353] Choosing to purchase EES-compliant devices does not, in itself, create any constitutional issues. Such purchases are constitutional even if they work as an indirect subsidy to producers who are able to lower their unit costs. The government could constitutionally provide direct subsidies if Congress chose to do so. [FN354] Nor is the denial of market share to non-EES products unconstitutional, even if it has the effect of raising their costs.
The government's cheerleading for EES is also constitutionally permissible. So long as no one is threatened with sanctions for failing to adhere to EES, the government is entitled to make its case to the nation for why we would all benefit if we accepted a limit on our privacy. [FN355]
*795 The government has the authority to act as an escrow agent, [FN356] although there is some question from where the money to pay for the escrow agents would come. Preliminary estimates put the cost of the escrow agents' activities at $16 million per year. [FN357] These expenses may require a separate appropriation by Congress, although both NIST and the Justice Department have funds which arguably might be tapped for this purpose. [FN358]
Nor is the program as a whole unconstitutional. Even if EES becomes widespread, everyone in the U.S. remains free to use any alternative, subject only to restrictions on his or her ability to export the cryptosystem to foreign correspondents. [FN359] It remains feasible and legal to preencrypt a message with an ordinary, non-escrowed cipher, feed it to an EES-compliant device, and make even EES communications potentially unintelligible to eavesdroppers armed with the chip unique key. [FN360] Indeed, the very ease with which EES *796 can be circumvented raises the possibility that the government might some day require key escrow as the price of using strong cryptography.
D. Voluntary EES Is Unlikely to Displace Un-Escrowed Cryptography
As we have seen, the Administration's stated motives for EES are not entirely consistent. The government's “hard sell” depicts non-EES encryption as a threat that needs to be avoided. [FN361] By contrast, the “soft sell” treats EES as part of a package deal that the government offers to those who desire government-certified encryption. [FN362] EES is officially voluntary, yet has been introduced in a manner which the government hopes will induce, even coerce, the public to choose an EES system over any alternative. [FN363] In the Administration's view, it is unreasonable to object to a plan that protects users from communications interception by everyone except the government. At worst, the Administration argues, under EES the user bears no greater risk of government interception (authorized or not) than do unencrypted callers. [FN364] Supporters also point to the need to help law enforcement in the fight against dangers such as terrorism. [FN365]
Perhaps the most often repeated objection to EES is that because people remain free to use alternatives, EES can never achieve its stated objective of maintaining law enforcement access to private encrypted communications. Clipper's critics suggest that it can catch only stupid criminals. The government has had three responses to this argument. The least subtle response has been that *797 criminals are often dumber than one thinks. [FN366] A more subtle response is that Clipper may at least postpone the perhaps inevitable adoption of an alternative cryptosystem that the government cannot easily decrypt. [FN367] The most subtle response notes that a secure communication requires compatible equipment on both ends of the line. [FN368] If Clipper becomes the de facto standard, the existence of a few other devices on the margin will have a negligible effect on the government's ability to monitor electronic communication when it feels required to do so.
The government's policy centers on its hope that EES will become the market standard. Yet EES will not likely triumph in the marketplace, even with the advantage of massive government orders, because many people find something deeply distasteful about being asked to buy a product that comes ready-made to be wiretapped, even if the wiretapping is designed to be conducted only in limited circumstances by duly authorized bodies. In light of likely technical developments, a “threat assessment” of the government's potential surveillance capabilities makes the thought of wiretap-ready communications even more disturbing. This is especially true considering the history of government abuse of civil rights and the possibility, however remote, that government policy might change even as escrowed chip keys remain fixed. In any case, for e-mail, alternatives to EES already exist which are cheaper, more flexible, and appear to offer more complete privacy. [FN369] Non-EES *798 voice products are also becoming available. [FN370]
1. Why EES Worries People
In addition to the fundamental objection that the government should not expect Americans to facilitate the decryption of their private communications, opponents of EES have raised numerous technical and practical objections to the plan. Critics of EES take what appears to the government to be an absolutist stand, refusing to trust anyone with the key needed to decrypt their communications. [FN371] To these critics, the government's protestation that EES adds nothing to current authority because federal law enforcement agencies need the same court order to obtain a wiretap on an EES-equipped phone as on an ordinary telephone, makes no impression. The critics believe either that current rules provide insufficient privacy or that the government cannot be trusted to follow the rules.
a. Preserving the Status Quo Prevents a Return to the Status Quo Ante
The status quo that EES seeks to preserve was not always the status quo. At the time Americans adopted the Bill of Rights, private communications were far more secure than they are today. Before the invention of the telephone, the radio, and the long-distance microphone, one could have a secure conversation by going for a quiet walk in an open field. Correspondents could encrypt letters in ciphers that no government could break. [FN372] Modern *799 communications have expanded the circle of people to whom we speak, but this fact alone does not mean that communications should necessarily be more vulnerable. Only recently, it was difficult for the government to trace incoming calls, even pursuant to a court order, because the telephone company used slow mechanical tracing devices. Having overcome that problem, the FBI now seeks legislation to keep it from becoming difficult again. [FN373] Nor does the possibility that more criminals will avoid detection if the privacy available to individuals were to be increased necessarily mean that choosing to increase privacy is unwise. The Bill of Rights already includes many provisions that prefer to provide protections to all citizens at the cost of providing benefits to the guilty. [FN374] What this means is that some value judgments must be made, and that someone will have to make them.
Where once people only had to worry about eavesdroppers they could see, today an eavesdropper could be anywhere that a telephone signal happens to reach. Modern encryption seems *800 poised to re-create the functional equivalent of the privacy available in the late 1790s and to apply it to devices like telephones and modems, which are increasingly replacing face-to-face contact and letter writing. [FN375] EES would prevent this return to the status quo ante, at least when the government is the eavesdropper.
Widespread adoption of Clipper and massive wiretapping ability would make traffic analysis more feasible for a hypothetical government oblivious to the need to obtain warrants. If Clipper is widely used, communications encrypted by other means signal that the user may have something to hide. Indeed, for this reason some privacy advocates encourage the routine use of strong cryptography in all communications in order to provide a cloaking effect for all personal communications. If everyone makes a habit of using strong cryptography, the presence of an encrypted message will never be probative of a guilty conscience or a need for secrecy. [FN376]
b. EES Does Not Preserve the Status Quo
EES is designed to be inflexible, and this inflexibility will impose costs on some users. Each chip's unique key is permanently branded onto it. If for some reason that key should be compromised, the user has no choice but to throw away the chip and buy a new one. This inflexibility is designed to make it impossible for users to select keys that are not held by the government. [FN377] Under Title III, the government must notify persons who were the subject of an authorized wiretap. [FN378] This duty is unaffected by EES, but *801 the consequences change. Previously there was little a citizen needed to do after receiving notice that her phone had been tapped, but now she must consider whether the disclosure to law enforcement officials of the chip unique key in her telephone means that she should replace it, at a cost, [FN379] or whether she should trust government assurances that all records of the key kept outside the escrow agents have been destroyed. [FN380]
Two telephones communicating via Clipper Chips use the same session key; thus, when Alice and Bob are talking, a public servant with a warrant for Alice's telephone does not need to know Bob's chip key to decrypt the conversation. Knowing Alice's chip key will suffice because Alice's LEAF will provide all the information needed. Except for the fact that he is overheard talking to Alice, Bob's security is unaffected by a wiretap of Alice's line.
But if Alice and Bob are using e-mail to communicate and Capstone Chips [FN381] to do their encryption, both Bob and the public servant are in a different position. Capstone is designed to allow Alice and Bob to use public key encryption for their session keys. [FN382] Bob's Fortezza card knows Alice's public key, but not her private key or her chip key, so the only LEAF it is able to generate is one that relies on Bob's own chip key. This creates a lot of work for a public servant tapping Alice's line. Every time she gets an email from a new correspondent, the public servant must decrypt its LEAF with the family key and then go to the escrow agents and request the chip unique key for the new person. If Alice communicates with many people who use Fortezza cards, the public servant may wind up holding a large, and rather valuable, collection of chip keys.
Because the wiretap order mentions only Alice, the court that issued the order has discretion to decide whether each of the people whose session keys were disclosed should be notified of that *802 fact. [FN383] Although nothing in Title III or the Attorney General's rules requires it, Bob deserves to be told.
Bob's Fortezza card will provide his digital signature as well as encryption for his e-mail. Disclosure of the digital signature key to anyone who might even be tempted to sell or make use of it would represent an enormous risk to Bob. Anyone holding Bob's key to his digital signature could masquerade as him and authenticate any transaction or correspondence (for example, in a raid on Bob's electronic bank account) with a digital signature that Bob would be powerless to disavow. Fortunately, current plans for Fortezza call for separate keys for message encryption and for digital signatures. [FN384] Furthermore, although Bob is powerless to change the chip unique key used to encode his e-mail's LEAF, Fortezza will allow him to change the key to his digital signature. Thus, Bob's ability to uniquely identify himself remains secure.
c. The Status Quo May Not Be Stable
The biggest divide between the two sides to the EES debate concerns what they consider relevant. The Clinton Administration, as one would expect, operates on the assumption that government officials can be trusted to act legally. [FN385] The government therefore measures the social consequences of its proposals by the effect on the government's lawful powers and the citizen's lawful rights. Critics of EES, however, tend to discount this approach. Instead, they undertake a threat analysis of the EES proposal. [FN386] It may seem a little silly to conduct a threat analysis of a cryptographic proposal by a government that has the raw physical power to do far worse things than spying on its citizens, but in fact threat assessment enjoys a grand tradition. The Framers of the Constitution did *803 not assume that “men were Angels.” [FN387] They conducted a kind of threat analysis of government and decided that it could only be trusted if centralized power were divided in a manner that set interest against interest so as to protect the governed. [FN388] The impulse to rely as much as possible on structures that force proper behavior by government officials, and as little as possible on simple trust, is as old as the nation. [FN389]
Some of these threats to the status quo are political. For example, one glaring risk in the current EES proposal is that the escrow procedures exist entirely within the purview of the Attorney General, and could be changed at any time without any warning. [FN390]
Some threats consist of individual or official malefaction. In this age of spy scandals, it is always possible that the escrow agents, through negligence or corruption, may allow someone to acquire the full list of key segments. [FN391] The method by which keys are generated for the EES chips may lend itself to subversion of the escrow scheme from the moment the keys are generated. Although hedged with elaborate safeguards, all keys are generated by a single computer in a secure facility closed to public inspection. Because users are not in a position to monitor the key-generation procedure, they must trust that the published safeguards are being observed. Even if the risk of surreptitious subversion of the generation process were small, the risk to communications security would be greater than if the keys had never been escrowed.
*804 Some threats to the status quo are mathematical. Critics argue that a classified algorithm such as SKIPJACK-one that has not been exposed to merciless attack by academic cryptologists-is less likely to be secure than one subject to full peer review and thus might contain an intentional, or even unintentional, “back door” that would make it vulnerable to sophisticated mathematical attack. [FN392] The government's response is that SKIPJACK's security is certified by the NSA [FN393] and by independent outside experts. [FN394] The government classified SKIPJACK not out of fear that publicity might expose the algorithm to attack, but to prevent users from enjoying the fruits of its research and development while at the same time avoiding participation in its key escrow system. The Administration argues that SKIPJACK is so strong that, were people able to use it without escrowing their keys, they would undermine the goal of easy government access to encrypted messages that EES is designed to achieve. [FN395] Some critics remain unsatisfied by this explanation. They argue that because EES is voluntary, the government should not attempt to require compliance with the escrow procedure as a condition of using SKIPJACK. [FN396] The Administration's response is, in effect, that if users wish to use a government-certified algorithm, they should be prepared to take the bitter with the sweet.
Some threats, perhaps the most realistic, are technological. Changes in technology are likely to make electronic eavesdropping easier, more effective, and cheaper for the government. [FN397] All other things being equal, a rational government would react to these changes by increasing the use of electronic eavesdropping. As government eavesdropping becomes more affordable, the reasonable citizen's desire for countermeasures ought to become greater as well.
*805 The technological threat appears more ominous if one tries to forecast what the government may be able to do a decade from now. Currently, all the wiretapping technology in the world is useless if there is no one to listen to the conversations. The physical and economic limit of what is currently achievable is demonstrated by the East German Ministry for State Security, the Staatsicherheit or Stasi, which at its peak was probably the most sophisticated and far-reaching internal surveillance organization ever created. Out of a population of 17 million, the Stasi had 34,000 officers, including 2100 agents reading mail and 6000 operatives listening to private telephone conversations, plus 150,000 active informers and up to 2 million part-time informers. [FN398] Together they produced dossiers on more than one out of three East Germans, amounting to one billion pages of files. [FN399] There are fifty-nine times more telephones in the United States than there were in East Germany and about fifteen times as many people. [FN400] The people (and machines) in the United States make about 3.5 trillion calls per year. [FN401] Even if every telephone service provider in the United States were to record every conversation in the country, the government could not make use of the tapes because it lacks the human resources necessary to listen to them. Even if political constraints could not prevent the growth of an American Stasi, the financial constraints are currently insurmountable. [FN402]
The cost may soon shrink dramatically. EES, the Digital Telephony initiative, [FN403] and advances in computer power, combined with the increasing links among federal databases [FN404] and *806 advances in voice recognition protocols, suggest that soon the physical constraints on widespread, government-sponsored eavesdropping may disappear. Voice recognition already allows computers to pick out a particular speaker's voice from the babble of communications; [FN405] combined with the power to search for particular words in all messages, this advance in technology will provide a powerful surveillance tool to any government willing to use it. Computers can monitor communications twenty-four hours per day, and they do not collect overtime. In the absence of physical and economic constraints, the only constrictions on omnipresent automated telephone monitoring will be legal and political. [FN406]
* * *
E. What Happens If EES Fails?
The large number of government orders and the attraction of SKIPJACK for those who need the security of a government-certified cryptosystem means that EES is unlikely to disappear, especially in its incarnation as the Fortezza PCMCIA card. [FN415] It has, however, engendered enough opposition to put its future in doubt. [FN416] The existence of other well-regarded ciphers such as triple-DES [FN417] and IDEA, [FN418] combined with public distaste for wiretap-ready telephones, the many unanswered questions about the proposal, the cost premium for a hardware (as opposed to a software) cryptosystem, the inflexibility of EES, and the lack of interoperability with foreign cryptosystems will likely combine to render EES if not stillborn, then at least stunted.
It seems reasonable, therefore, to speculate as to how the government will react if EES fails to become the standard. Assuming the government does not come up with a wholly new system to replace EES, two options exist: [FN419] (1) do nothing; or (2) *809 forbid the use of unescrowed cryptography. The former option is implicit in the “soft sell” policy that describes EES as the price the private sector must pay for using SKIPJACK. If the private sector refuses EES, it forgoes SKIPJACK. That is its privilege, and no further government action would be needed.
The latter of the two approaches is implicit in the “hard sell” for EES. If widespread unregistered encryption can be used by “drug dealers, terrorists, and other criminals,” to quote the White House, [FN420] then the country cannot afford to do nothing. But with unregistered cryptography already widely available, the only option may be a “Digital Volstead Act.” [FN421]
The Clinton Administration considered banning unescrowed encryption, [FN422] but then concluded that it would “not propose new legislation to limit use of encryption technology.” [FN423] A future administration might, however, reverse this decision, particularly if an investigation into a high-profile crime, such as the terrorist bombing of a major building or the management of a child pornography ring, was found to have been seriously hampered by the use of advanced cryptography. The current Administration has carefully left that option open for its successors, noting that by forgoing a ban on unescrowed encryption it is not “saying that *810 ‘every American, as a matter of right, is entitled to an unbreakable commercial encryption product.”’ [FN424]
The government is clearly willing to require that communications be made wiretap-ready, at least when it knows that its dictates can be enforced. [FN425] It is also “apparent that the law enforcement community is still looking for a way to meet its surveillance needs in the age of digital communications.” [FN426] If EES fails, the law enforcement and intelligence communities, at least, will seek to preserve their capabilities. Legislation requiring that all strong cryptographic programs use key escrow may be the only remaining solution. As FBI Director Freeh commented, “If five years from now ... what we are hearing is all encrypted” material that the FBI is unable to decipher, then the policy of relying on voluntary compliance with EES will have to change. [FN427] “The objective is for us to get those conversations whether they are ... ones and zeros or wherever they are, whatever they are, I need them.” [FN428] As a result, Part III examines the legal problems that would flow from hypothetical legislation making key escrow mandatory.
III. WOULD MANDATORY KEY ESCROW BE CONSTITUTIONAL?
A prohibition on the use of unescrowed strong cryptography for telephone or electronic mail would require federal legislation. [FN429] Imagine a terrorist attack on a major public building in which the conspirators protected their telephone conversations with unbreakable encryption. Aroused by such evidence of the dangers of promiscuous private encryption, Congress might well pass a law requiring that anyone using a strong cryptosystem to communicate by any electronic means acquire a license from the government. Licensed users of cryptography would either have to escrow all *811 session keys or use a LEAF-equivalent so that the government could determine the session key without informing the parties to the communication that an investigation is in progress.
With a mandatory key escrow statute of this type, the government would be asking all citizens to surrender their collective right to technical countermeasures to the “progress of science in furnishing the Government with means of espionage.” [FN430] Mandatory key escrow could use a hardwired chip key like Clipper, or it could be implemented through software designed to resist tampering by the user. [FN431] Would such a statute be constitutional?
This Part provides a whirlwind survey of relevant First, Fourth, and Fifth Amendment doctrines, as well as evolving conceptions of the constitutional right to privacy. The focus is analytic and predictive, rather than prescriptive. This Part attempts to sketch how courts, given the current state of the law, would be likely to rule on the constitutionality of a mandatory key escrow statute. It suggests that mandatory key escrow would reduce associational freedoms, chill speech, and constitute an intrusive search. The statute also might require a form of self-incrimination and would infringe personal privacy rights. Under existing doctrines, however, the analysis of the constitutionality of mandatory key escrow legislation would turn on the court's balancing of the potential costs to personal privacy against the perceived gains for law enforcement and national security. On balance, private, noncommercial users of encryption probably have a Fourth Amendment right to resist mandatory key escrow and might have a First Amendment claim as well. Whether commercial users or corporations would have such *812 rights under current doctrines is less clear. Even the vitality of the rights of private noncommercial users appears to be a distressingly close question given the current state of civil rights doctrine and the great importance courts accord to law enforcement and national security. A description of a more holistic, less myopic, view of the issue, as well as most recommendations, are deferred until Part IV.
The volume of relevant constitutional doctrine imposes a greater and more harmful constraint on this discussion than the need to summarize ruthlessly and put off (most) prescriptions until Part IV. Even though constitutional cases establishing a right to some form of privacy recognize that the right is grounded in the First, Fourth, and Fifth Amendments, [FN432] the four areas remain doctrinally distinct. Reflecting this separation for ease of exposition risks survey at the price of synergy and synthesis. It is important to remember that this is an area in which the whole is, or at least should be, greater than the sum of its clause-bound parts.
* * *
The courts, and to a lesser extent Congress, have yet to come to grips with the legal and social implications of consumer cryptography. As a result, this part of the legal landscape is relatively barren. Irrigation and settlement have begun, however, with the executive branch and the private sector as pioneers. The spacial metaphor itself may be inadequate to describe the information revolution of which consumer cryptography is only a part. In distributed networks such as the World Wide Web, in which information may be one mouse-click on a hypertext link away regardless of where it happens to be physically stored, traditional ideas of distance and mapping may prove greater impediments than guides to understanding. [FN759] Other concepts
, such as density of information, quality, reputation, or reliability may come to predominate.
The executive branch's primary concern has been to accommodate the interests of banks and others who require strong cryptography, while also preserving to the greatest extent possible law enforcement and intelligence capabilities. Noncommercial social implications of cryptography have received relatively little attention. *883 The private sector's motives are more difficult to summarize, but there has clearly been a demand for cryptographic products, and this demand is expected to grow rapidly. [FN760]
The executive branch's desire to maintain its ability to eavesdrop on electronic communications at will has driven it to abuse the technical standard-setting process. By manipulating the FIPS procedure, the Clinton Administration has achieved its initial objective of promulgating a standard that is insulated from any meaningful public comment and immune from judicial review. The Administration thus hopes to create a de facto rule where it lacks the statutory authority to create a rule de jure. Despite the seemingly underhanded aspects of the executive branch's behavior, there is no clear evidence that it has failed to comply with existing laws or the Constitution. There is, however, room for doubt, as some of the critical information regarding whether NIST retains its statutorily mandated independent judgment is classified. Congress would be well advised to reassure itself and the public that NIST has complied with the Computer Security Act's requirement that it not delegate decision-making to the NSA. If the NSA is calling the shots, firm persuasion, and perhaps corrective legislation, will be required.
The Administration hopes to coerce acceptance of an escrowed encryption product through its vast purchasing power, but whether this hope can be realized remains unclear. If this attempt fails, the next step may be to seek legislation requiring users of strong cryptography to allow the government some form of access to their cryptographic keys. If, despite what currently seems to be a prevailing opposition to even voluntary key escrow, such a bill were nonetheless to become law, mandatory key escrow would create serious constitutional problems that the courts would have to resolve.
Under current law, the judicial reaction to a hypothetical mandatory key escrow statute would be limited primarily to a balancing test analysis, although private noncommercial users would have a particularly strong Fourth Amendment argument on their side, and a good First Amendment argument as well. Recent history suggests, however, that the government's interest in national security or law enforcement often outweighs the citizen's right to privacy.
*884 By their nature, balancing tests almost demand that courts give some play to the judge's hopes and, especially, fears. A mandatory key escrow statute would evoke two conflicting sets of fears, one over control and the other over lawlessness, symbolized by the archetypes of Big Brother and the criminal cabal. In the end, the conflict may be decided by the way the courts characterize cryptography. Just as the cryptographic “key” is a metaphor, so too may the choice among possible metaphors determine how much constitutional protection an encrypted message gets. If the courts treat a ciphertext as if it had been written in a foreign language, it will trigger a First Amendment analysis that will result in giving cryptography more protection than if the courts focus on the place where the message is encrypted. If encryption is considered no more than the outer envelope in a message transmission system-essentially a “car” on the information superhighway-it is likely to receive the lowest level of protection.
Encryption has much to offer the commercial, professional, and personal users of telephones, computers, and computer networks. As these and other uses grow, they will breed conflict, some of which will inevitably be brought to the courts. The legal ecology of cyberspace is currently underpopulated, but not for long. Clipper and Capstone are only the first of many attempts by the government, and no doubt others, to protect the status quo from changes that upset long-established power relationships. The choices made in the next few years will shape the evolution of electronic communication, and society in general, for decades to come. It would be sad if cyberspace became the first place that the government required civilians, in peacetime, to structure their private communications to make hypothetical future eavesdropping by law enforcement easier.