Key Recovery

The tension between communications and privacy has fostered a myriad of customs, laws and technologies. Eavesdropping on others' conversations is considered a breach of etiquette; wiretapping someone's telephone can be a breach of law. Since time immemorial, techniques have been used to hide the content of communications from persons who were not intended to be party to the communication. These methodologies included the use of secret languages, manipulation of physical characteristics, and the development of the science of cryptology.

Examples of early efforts to hide the content and/or fact of communications include the "story of Histiaeus … told by Herodotus in the 5th century B.C., [which] describes how Histiaeus sent a message to his son-in-law Aristagoras by shaving the head of a slave and tattooing the message on the slave's bald scalp. When his hair had grown enough to conceal the tattoo, the slave was sent to Aristagoras who shaved the slave's head to receive the message, and went on to launch a revolt. The slave was told that all this rigmarole was a cure to restore his eyesight."  (Bennett Falk, UNIX *, "Steganography: Hiding Messages In Plain Sight", http://www.microtimes.com/155/unix.html, November 21, 1997)

Since then, the art of hiding information has continued to be used by both good guys and bad guys, by spies and by law enforcement, by merchants and by thieves. The desire to hide information has given birth to microdots and invisible ink, one-time pads and watermarks. It seems as if there is no limit to the imagination of how communications can be hidden.

This trend has become more automated as our world becomes electronically internetted with sophisticated computing machines available for every desktop. The complexity of executing and managing the hiding of information has been simplified to a few keystrokes on a computer. Challenges still remain, but the capabilities supported by the technology are available to the ordinary person on a scale previously unthinkable. Now, instead of requiring special training or complicated mechanisms, all that is required is a piece of software that is small, runs on a desktop computer, and may even be free.

The reaction to the widespread availability of cryptologic capabilities has been an unleashing of a war of words, some innuendo, some plain spoken, all over the balance between threat and promise inherent in promiscuous privacy. After all, it is not just law abiding citizens who can use these products for privacy -- so can criminals.

How should a free society respond to what on one hand appears to be a technological windfall for criminal elements, but what on the other hand appears to be the normal course of technological progress providing augmented capabilities for ordinary citizens in all aspects of their lives, even as their lives expand into and through cyberspace? The tradeoffs to be considered include not only trust and civil society, but also the future of commerce, international competitive structures and the fundamental rights of privacy.

A standing joke holds that prostitution is the oldest profession. If that is true, then surely hiding the fact of infidelity became a necessity shortly thereafter.

It is not known when the need for hiding information became apparent, giving rise to nascent attempts at cryptography. It is known, however, that cryptology is a very old science and one that has been improved upon continuously over time. Cryptology is the study of secret writing. Within this area of study is included cryptography, which is the making of codes, and cryptanalysis, which is the breaking of codes. There are three basic methods of protecting information with cryptology: by using concealment devices, by transposing the order of symbols, and by substituting or replacing symbols.

The preceding example featuring a tattoo on a slave's head is an example of concealment and is most properly characterized today as steganography, a science which includes invisible inks and other methods of hiding information within other information. (Bennett Falk, UNIX *, "Steganography: Hiding Messages In Plain Sight", http://www.microtimes.com/155/unix.html, November 21, 1997)

Transposing the order of symbols is simply a way of scrambling the text so that it becomes very difficult to decipher what the meaning of the text is. An easy way to do this is by using a key word -- based on the assigned order of the letters in the key word, a block of letters comprising a message can be scrambled into nonsense. An example is shown here using the keyword COMPUTER to hide the message "meet me at the front door of the Hilton Hotel at 9 pm.":

As is apparent, it requires knowledge of how the transposition was accomplished as well as the order of the transposition in order to unscramble the message.

In substitution ciphers, the original symbols (in this case, letters of the alphabet) are substituted for other symbols. The simplest way of doing this is to use an offset alphabet. An example of that is shown here:

Encrypting a message with this substitution cipher would result in the following:

The key to deciphering this encrypted message is knowing how the substitution is accomplished. This is clearly a very powerful way to hide a message, and it can be made even more powerful by using other tricks, like using multiple alphabets for each letter in the cipher code. This methodology gave birth to such divergent efforts as the cipher wheels widely used by European Courts of the renaissance era and the secret decoder rings hidden in boxes of cereal.

The manual means for producing hidden messages has, over the course of time, given way to automated means. Expressing the fundamentals of cryptology as mathematical expressions gave easy access to programs to perform encryption and decryption upon command when computers arrived on the scene. These modern programs combine elements of transposition, substitution and even concealment in very intricate schemes to disguise the information hidden within. In some cases, even the fact of communication can be hidden or concealed. For example, information can be hidden within a digital picture which has meaning in its own right. The picture can posted on a web site, but only the person who knows about the message hidden within can both know to access the information and how to access the information. Thus both the fact of the communication is hidden and the content of the communication is hidden.

Of these automated programs, there are essentially two classes of cryptologic products available today. One is symmetric cryptography, where the same key is required to decrypt the message as was used to encrypt it. This is shown in the following diagram:

The second category of cryptologic product available today is asymmetric cryptography, which was invented by Mssrs. Diffie and Helman in 1976 and which uses sophisticated mathematics to generate two related but independent keys, either of which may be publicly known without endangering the strength of the protection. One of the keys may be used for encrypting the text; the other must be used to decrypt the text. This is shown as follows:

Because of this characteristic, the requirements for managing the distribution and secrecy of keys are greatly alleviated. People can publicly post their "public" keys on a server or have their public keys printed on the back of their business cards. Then, if someone wanted to send them a secret message, all that person would have to do is use that public key to encrypt the message. The recipient would then use the private key to decrypt the message.

How this would work in practice is that Julie would encrypt a message to Frank using Frank's public key. Having done that, only one person can then decrypt the message: Frank. The reason for that is because Frank's private key is the only key that will decrypt the message. If Julie had, for example, used her private key to encrypt the message, then anyone knowing Julie's public key could decrypt the message.

The fact that either of the two keys may be publicly known safely has led to the keys being called the public key and the private key, and the resulting capability "public key cryptography." A magic enabled by public key cryptography is the non-repudiatable digital signature. Harking back to the previous paragraph, a message sent by Julie encrypted with Julie's private key is an easy way for Julie to avow to the world that she in fact originated the message sent. However, there is no way to limit who has access to that message. If, however, Julie created a message that she first encrypted with her own private key and then encrypted it again but this time using Frank's public key, a transaction is created that defines a demonstrable path. Only Frank can decrypt the outer layer of the message, using his private key. This ensures that Frank alone is able to receive the message. Then, Frank can decrypt the inner layer using Julie's public key, which gives him confidence that she in fact sent the message.

Because of the widely available nature of cryptography today within the pervasive telecommunications environment, it has become a key enabling technology for many uses. One of the premiere applications that cryptography enables is electronic commerce. The ability to conduct market transactions over telecommunications networks has long been a dream. It would reduce the amount of inventory any market would have to keep on hand, it would allow customers to go directly to manufacturers, and it would speed up the overall pace of transactions. However, the implementation details of online transactions have been a stumbling block. How do you, the consumer, know that some nefarious hacker is not stealing your credit card number? How do you, the service provider, know that the credit card offered belongs in fact to the person who is offering it? These are among the issues that concern those hoping to implement electronic commerce on a wide scale. The use of cryptography can alleviate those concerns, particularly with a mixture of symmetric and asymmetric cryptography.

Another critical application for cryptography is in political activism. In repressed areas or in highly sensitive or emotional issues, persons associated with a cause may have very good reasons for not having their identity easily discovered. Fear of reprisals ranging from ostracism to arrest or death can dampen the fervor of even the most courageous activist. Being able to use cryptography over the public switched network to hide identities and communications gives enormous power to those who are laboring against brutal regimes.

One man's brutal regime is another man's benevolent dictatorship, however. What is seen as political activity on one side can easily be viewed as criminal activity from the other side. The use of cryptography to hide criminal activity from a legal government protecting its citizens can cause a government enormous concern, particularly if the political activists are given to blowing up school buses or massacring people at will. The slide into other areas of criminal activity, such as kidnapping, thievery, bank robbery, blackmail, smuggling, and narcotics trafficking rightfully has law enforcement organizations everywhere worried about their ability to deter crime and prosecute criminals.

Clearly, there are both good uses and bad uses to which cryptography can be put to.

A fundamental aspect of cryptography is that information is hidden. There are only two ways to discover the information: one is if you have the key to decrypt it, the other is if you are able to crack the code.

Tales of breaking ciphers have long been a favorite of historians and novelists. Stories such as The Key to Rebecca by Ken Follett  (Ken Follet, The Key To Rebecca, New York: Signet, 1980) and "The Adventure of the Dancing Men" by Arthur Conan Doyle  (Arthur Conan Doyle, "The Adventure of the Dancing Men" The Strand Magazine London December 1903 Vol. 26 No. 156, http://etext.lib.virginia.edu/cgibin/browse-mixed?id=DoyDanc&tag=public&images=images/modeng&data=/lv1/Archive/eng-parsed, November 22, 1997)  stimulate the imagination with tales of extraordinary bravery and intellect in discovering and cracking encryption schemes. In The Key To Rebecca, the secrets hidden by the cipher pertain to enemy actions during World War II -- the ability of the allies to penetrate the code and decipher the contents became a critical linchpin in the success of the war operations in Northern Africa in the campaign against Rommel. In "The Adventure of the Dancing Men," Sherlock Holmes deciphers a cryptogram and thus is able to save a lady's life, catching the criminal in the process. These two stories illustrate the national security and public safety reasons for wanting an assured methodology to decipher hidden messages at will.

One can imagine that the reason that these stories so excite both the authors and the readers is that the information hidden in the cipher stands on the brink between being known and unknown. Between the state of being hidden and being discovered lies a universe of opportunity. In some cases, the fate of political course of events far removed from the immediate situation has been altered by the outcome:

The ability of unauthorized people to crack the codes that hid critical information has long spurred the development of more sophisticated and secure encryption algorithms. Today's algorithms are so secure that it takes supercomputers to crack encrypted messages that use keys of any reasonable length. The following table from Bruce Schneier's Applied Cryptography puts the issue in perspective:

(Schneier, Bruce "Applied Cryptography Second Edition: Protocols, Algorithms, and Soucrce Code in C", John Wiley & Sons, New York, N.Y., 1996, page 153)

The key length of the currently standard encryption algorithm, DES, is 56 bits. As noted in the above table, in 1995 it was possible to crack a message encrypted using 56 bit DES in 35 hours if you were able to spend $100,000 getting the appropriate equipment. If you were willing to spend a million dollars, you could reduce that time to a mere 3.5 hours.

In response to such potential weakness in protective power in the face of a determined foe, other solutions can be used. One of these is what is known as triple DES, which is simply encrypting a message three times with DES, using different keys of course. This not only magnifies the protection, it also magnifies the problem if any of the keys should be lost.

Because, while data is hidden from unintended recipients, it is also hidden from intended recipients who don't have the correct key(s) to decrypt the message. Keys have been known to be lost -- people simply forget what the key is. Keys have also been known to have gotten lost, when the sole repository of the key was lost. Say, for example, Fred is working on a highly sensitive piece of work for the company. Just before he leaves work for the day, he encrypts his work, stores it on a disk, locks the disk in a safe, clears his operating buffers and cache space using a special purpose utility program, and then goes home. That night, tragically, over dinner, Fred has a heart attack and dies. The only person who knew the key to decrypt the file is now unable to tell anyone (except a medium).

That highlights a real problem using cryptography: death, memory loss, and even maliciousness can sabotage the efforts of keeping private information private.

There are policy solutions that can alleviate the problems with lost keys. Fred could have, for example, stored his key in a sealed envelope in a separate safe. That would have allowed his work to be recoverable in case of accident or misfortune.

Policy solutions, however, require active management and education of all personnel in an operational environment in order for them to be effective. If there had been a policy requiring Fred to maintain a recoverable copy of his key, it would have been necessary for Fred to abide by the policy. If he simply ignored it or forgot to follow it in the rush of going home at night, the result would have been the same: a lost key.

The concept of a technological solution for the key recovery problem gets around relying on humans to abide by policy. This technological solution is known as key recovery or key escrow. The purpose of key recovery or key escrow schemes is very straightforward: it is to allow the recovery of encrypted information without the key(s).

There are a variety of implementations that have been proposed for key recovery. One of the best known is the Clipper chip solution. As described by the White House announcement on April 16, 1993:

The two parts of the Law Enforcement Access Field, of LEAF, associated with the Clipper Chip were to have been escrowed with National Institute of Standards and Technology (NIST) and the Department of the Treasury.

The Clipper Chip scheme employed a hardware element with associated identification backdoors that allowed an authorized person to get access to the encrypted information. The controls of having two separate parts of the master key escrowed at two different agencies was an essential part of the design that would limit accidental exposure or misuse. Other schemes could be developed that would only have one master key.

The furor that erupted over the Clipper Chip served to bring a robust debate of the issues to the foreground. The most vociferous complainants invoked the image of Big Brother and a lack of privacy anywhere. It was repeatedly pointed out that the stated goals of law enforcement were misleading in the extreme -- why would a criminal use an encryption tool that the Government could break into at will? The acrimonious debate highlighted these concerns at the same time it identified real reasons for a key recovery system.

On one hand, the elements of Government, from Federal to State to Local, have an interest in being able to archive all communications associated with the business of governance. These elements could, therefore, mandate that all communications with them be done either in the clear or using a key recoverable system.

Similarly, business and industry have an interest in making sure that company proprietary information is not accidentally or maliciously lost. They are not, however, interested in having that data recoverable by an outside agency either now or 50 years from now. The time independence of the recoverable aspect of the proposed key escrow scheme served to make some elements of society very nervous, particularly in reference to changing standards, potential hostilities, or other unpleasant possibilities. While business acknowledges a theoretical need for key recovery, they are adamantly opposed to a mandated key recovery system controlled by the government.

It is likely that other organizations, such as professional groups or social clubs, might at some point in time decide that a key recovery system would be useful for their membership and business transactions. Each of these organizations has a different perspective, different equities to protect and different implementation requirements.

The reasons for such groups to implement a key recovery system include wanting to

• maintain recoverable audits of communications and transactions;

• enable verifiable collection of revenues;
• protect interests;
• provide resiliency in system against errors and mistakes; and
• provide recovery capability against problems or accidents.

It is clear, therefore, that there are both reasons for and against use of a key recovery system and separable issues on the questions of how one is implemented.

Selected quotes from the Clipper Chip debate highlight the reaction and the response to this issue. The complaints ranged from market-oriented concerns to privacy issues. The persons weighing in on the issue ranged from Administration officials to Senators and Representatives of the U.S to private citizens. The result of the uproar was that the Clipper Chip scheme was relegated to government only use, although commercial sales were still nominally attempted, and the Administration went back to the drawing board for a policy regarding encrypted communications.

From a group of Senators and Representatives, concerned over industrial competition:

(Letter of October 15, 1996 to Michael Kantor, Secretary of Commerce from Senators and Representatives Conrad Burns, Ron Wyden, Trent Lott, Lauch Faircloth, Larry Pressler, Larry Craig, Barbara Boxer, Al Simpson, Craig Thomas, Pete Domenici, Patty Murray, Kay Bailey Hutchison, John Ashcroft, Don Nickles, Bob Goodlatte, Zoe Lofgren, Howard Cable, Bill Barr, Sonny Bono, Steve Chabot, and Tom Campbell. )

From a news article reporting on comments from the Director of the FBI:

(Maria Seminerio, "Is Government-Mandated Key Recovery 'Inevitable?'", ZDNN, July 10, 1997 1:29 PM PDT)

From a news article reporting on comments from Senator Hatch:

(Maria Seminerio, "Is Government-Mandated Key Recovery 'Inevitable?'", ZDNN, July 10, 1997 1:29 PM PDT)

From a paper published on-line reflecting on who would actually use escrowed encryption:

From the same paper, reflecting on the fairness aspects of the issue:

(http://shadow.res.cmu.edu/users/mhunter/Politics/encrypt1.html, November 21, 1997)

From a letter by the Software Publishers Association, an industry consortium, to members of the Committee on Commerce:

(Letter of April 25, 1997, to Tom Bliley and Rick White, Committee on Commerce, House of Representatives, from the Software Publishers Association http://www.house.gov/white/press/105/19970425waschresponse.html, November 21, 1997)

From a group of the most distinguished cryptologists in the nation, commenting on feasibility aspects:

The US Government did not abandon the idea of key escrow with the massive failure of the Clipper Chip in the eyes of the public. On the contrary, convinced that national security as well as private safety was at stake, the Administration went back to the drawing board and attempted to negotiate some intermediary position that would address not only the public's concern over privacy but also the growing outrage from the US computer industry over export controls on encryption products while maintaining the Government's interests.

The various parts of the Administration have been very active in drumming up support, as documented by the following extracts. The first is a statement from the Administration on Commercial Encryption Policy given on July 12, 1996:

(http://csrc.ncsl.nist.gov/keyrecovery/admin.txt, November 22, 1997)

The second is a news item appearing eight months later in March 1997 on Domestic Encryption Controls reporting on the continuing Administration attempts to set up a large infrastructure to manage the introduction and administration of a key recovery system:

(http://www.cdt.org/crypto/admin_397_draft.html, November 22, 1997)

While this legislation was wending its way through the legislative process (unsuccessfully), members of Congress were probing into the extent of FBI activities under previously passed legislation:

(http://www.cdt.org/digi_tele/, November 22, 1997)

Finally, in November 1997, a commission studying critical issues relating to the protection of the infrastructure reported out, endorsing the need for a national key recovery system:

(http://www.cdt.org/crypto/pccip.html, November 22, 1997)

Clearly, neither side of the debate has given in or surrendered any ground to the other side.

The debate tends to be limited to those who have a near term specific interest in the outcomes of the argument. The individuals to date who have been most vocal have included Administration and Law Enforcement Community officials, cryptologists, computer industry executives, and non-profit policy think tank representatives. The arguments have tended to invoke emotional concerns, on one side, and highly technical concerns, on the other side.

The point remains, though: the US Government is currently debating whether to mandate key recovery for cryptography used in the United States and for dealings with all elements of the United States, including private citizens. The law enforcement and national security communities, who claim that it is necessary to protect the safety of citizens and to ensure a robust national defense, support this proposal.

The proposal is hotly criticized by industry and privacy advocates, who claim that it won’t work, will cripple the US software industry and will enable Big Brother.

This analysis will attempt to clearly identify the driving issues related to the Administration's proposal to mandate a key recoverable system in order to enable judgements between them.

The assumptions underlying this analysis include the following:

First, current trends will continue as predicted:

• Electronic commerce will continue to be pushed, for its obvious efficiencies and ability to expand existing markets as well as for its adaptability to the modern way of life;
• Internetted communications, a djini out of the bottle, will continue to expand exponentially and the value of each network will rise exponentially with the addition of every node, thereby increasing the impetus to connect; and
• More customers for cryptography will arise out of the desire for security in communications, reliability in information and assuredness in transactions.

Second, more cryptographic products will be developed and marketed, here and abroad:

• Cryptography will become a distinguishing characteristic for electronic products and services due to the demand created by the elements of the first assumption;
• Cryptographic products will be increasingly integrated into software applications for ease of use as well as for product security issues, such as interoperability and correctness; and
• As cryptography becomes ubiquitous, it will become just one more option to check, essentially becoming invisible to the casual user while becoming a fundamental part of computer systems manufacturers' inventories.

And finally, that the use of cryptography will become a normal part of life:

• For secure electronic transactions;
• For digital signatures; and
• For private communications.

There are a variety of issues that are of concern in considering the Federal Government's proposal for key recoverable cryptography. Obviously, there is the issue of cost: how much will it cost to implement and operate such a system, and how does that cost compare to either benefits or detriments of the proposed system? But beyond that issue, there are other issues. First, there are the issues related to implementation. Second, there are the issues associated with competitiveness and enforcement. A brief discussion of these issues follows.

A critical issue relating to the overall issue of key recoverable cryptography is the implementation details. As with any piece of equipment or tool, how the tool is used fundamentally affects its usefulness. With computer equipment, how the software and hardware are implemented and managed have fundamental implications to the overall utility and security of the system. The difficulties relating to implementing a key recoverable system on the order of magnitude envisioned by the US Government are neatly summarized by a distinguished group of cryptologists who spent several years studying and analyzing the issue. They reported to the world in a document finalized in May 1997. The following is an extract from that document, pointing out the costs, both in terms of money and in terms of security, of such a system:

(Hal Abelson, et al, "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption", 27 May 1997, http://www.crypto.com/key_study/report.shtml, November 22, 1997)

Implicit in this critique are the assumptions of methodology and processes that have been developed over the course of time in the practice of cryptography.

First and foremost of these practices is the ability to inspect the implementing algorithms. The algorithm implemented in the Clipper Chip was not made publicly available and thus was not available for inspection. Cryptologic mathematicians consider the algorithm to be separable from the actions of the algorithm: in other words, the security of the end product must not be subversible by weaknesses in the algorithm. Therefore, they like to really scrub down algorithms to make sure they are robust and not exploitable through inherent flaws.

Further, the existence of the master key(s) in a key recoverable system must not weaken the security of the system. This is almost oxymoronic, in that the existence of master key(s) by definition introduces additional risk into the overall system. Thus, proving that the security of a system is not weakened by the existence of master key(s) or the ability to recover keys is a very high hurdle to get over.

Quite obviously, the master key(s) or other mechanisms enabling key recovery must themselves not be easily recoverable or exploitable and the algorithm itself must not be exploitable by virtue of the recoverable aspect.

Another issue relating to implementation is identifying who gets to hold the master key(s). There are several choices here, including a neutral third party whose integrity is unimpeachable. Finding such an entity would be a tremendous feat indeed, particularly in the international arena.

Following on this issue is the question of how protections are ensured once an implementation scheme has been decided on and an escrow agent has been agreed to. There must be controls in the key recovery scheme that provide checks and balances for protections and there must be legal structures to ensure due process and redress. Furthermore, liability and negligence issues must be defined and legislated.

A highly controversial issue that must be addressed is what the recovered keys could be used for. The arguments to date have essentially focused in on public safety, specifically the LEA ability to "wiretap" in case of criminal activity. However, it is not infeasible that key recovery could be used by other agencies of the government, such as the IRS, who could use it to audit financial transactions, or Customs, who could use it to audit compliance with treaties and tariffs. Once the cat is out of the bag with key recovery for law enforcement purposes, the extent to which laws can be enforced using key recovery should be specifically addressed.

Converse to this point of view is the issue of citizen self-protection and privacy. Having the ability to protect oneself could be incurably damaged by virtue of negligence or incompetence in the management of the key management infrastructure.

Orthogonal to these policy issues are the issues relating to practical aspects of everyday life, such as computer industry competitiveness and how to enforce a mandated key management infrastructure.

In terms of market share and industry dominance, there are issues relating to the legality of export controls on encryption products, which are currently controlled as munitions, and the increasing off-shore development and lead in encryption products (see footnote 13). The stock market consternations of this year have underscored the interconnectedness of the economies of the world and the fact that one economy cannot act unilaterally without affecting other economies. As electronic commerce continues to grow and the transparencies of borders continues to become more apparent by the ease of connectedness over the internet, the wisdom of limiting competitiveness in an area of tradition American strength may come into question.

The accessibility of strong cryptography for illicit purposes is undeniably an issue. The elements of this issue include how bad guys can get strong encryption products and what limits can be enforced upon them. The assumption is that these same bad guys will use the encryption products to further their illegal activities. This issue is complicated by the fact that the fundamental math supporting cryptology is well documented and available at any bookstore, including Amazon.com, the on-line bookstore. Further, the overseas development of encryption products referred to before gives these elements ready access to strong encryption products right now. Additionally, if someone were to attempt to take strong encryption to the bad guys, such smuggling activities could be undetectable (particularly if the software were encrypted). It should not be ignored that weak encryption, passing the export controls, can be used in ways that makes it stronger when applied appropriately. And finally, hidden encryption, such as steganography, can bypass controls easily.

When considered logically, the issues derive to four basic categories, Cost, Performance, Risk, and Impact, which include relevant factors. These principle issues will be used in the process of the analysis.

• Cost Factors: implementation, operations, lost opportunities
• Performance: public safety, privacy, other uses (such as tax collection)
• Risk: security, cost, performance, negligence
• Impact: economic growth, international relations, crime, intelligence collection, politics, market share

Within the concept of key recovery, there are three alternatives that may be considered. The list of stakeholders and factors is extraordinary. This issue touches everyone's life, whether they realize it or not.

There are three basic alternatives that are available to be considered. These are:

1. No mandated key recovery system: Any key recoverable system manufactured would be a niche product and used in a manner dictated by the user
2. Key recovery system coexists with other encryption: Certain transactions would be required to be conducted using key recoverable system, such as government transactions, financial data transactions, international funds transfer, some forms of electronic commerce, while the rest would be unregulated
3. Key recovery system; all other encryption illegal: All transactions would be required to be conducted using a key recoverable system

From the preceding discussion, it is clear that everyone is a stakeholder, whether they understand that or not.

Within the US Government, all the Departments and Agencies from Commerce to Treasury to Defense are stakeholders.

State and Local Governments as well as Foreign Governments are stakeholders as well. Each of these entities has to address what it will mean to their operations if the US Government mandates an international key management infrastructure.

Non Governmental Organizations, ranging from human rights advocacy groups to environmental groups to democratic activist organizations, are stakeholders as well. Many of them do business with the United Nations, which is physically located in the city of New York. While the United Nations is not US territory, the city most certainly is.

All electronic commerce participants are stakeholders, particularly given the nature of the internet. With dynamic routing, knowing where your packets are going when you send them from your computer to a recipient computer is impossible. Given the hegemony of the US economy at this point in time, it is also highly probable that many dealings will take place with US entities.

Privacy advocates are clearly stakeholders, as are cryptologic mathematicians and other academics.

System manufacturers, who will be expected to implement the individual components of such a scheme are stakeholders, including both US and foreign companies.

Individuals are stakeholders, given that all communications are subject to monitoring in to be determined processes and constraints.

Both organized crime and disorganized crime are also stakeholders, wishing to not be further encumbered from accomplishing their goals.

To perform the analysis, the factors derived from the issues were considered in regards to both the alternatives available and with regards to the stakeholders.

In the following charts, the three Alternatives are identified as A1, A2 and A3. These charts show the judgements as to what impact each alternative would face in terms of the factors listed. For each chart, the value 10 reflects the best score -- showing either no impact, or best impact. The value 1 reflects the other side of the scale -- showing most or worst impact.

This first chart shows the factors associated with Cost. Clearly, there would be no implementation, operations or opportunity costs associated with A1, so that alternative was given 10s across the board. A3 would have substantial implementation and operations costs and would also incur opportunity costs as a fundamental repercussion of economics: when a solution is forced, an unknown number of alternative solutions and cascading events go unseen; additionally, the opportunity to market alternative products is lost both domestically and overseas. Therefore, A3 was given 1's across the board. A2 was found to be in a middle position: clearly there would be costs associated with implementing and operating this alternative, but they would not be as heavy as A3. This led to the choice of 5 for each of these two factors. The opportunity costs were judged to be somewhat more than A1, since a proportion of corporate and governmental assets would be diverted from other activities into this one, but not so severe as a moratorium on all other alternatives. Therefore, a 7 was given for that score.

Clearly, if cost alone is an issue, the best alternative would be A1 and the worst alternative would be A3.

For the factors associated with Performance, the analysis is shown in the following chart. The argument that Public Safety was a principle reason for pushing for key recovery seemed not to pan out here. When considered in all of its elements, the ability of a key recovery system to ensure public safety seemed less than obvious. For one thing, the ability of private citizens to take precautionary measures (analogous to not walking downtown on a dark night at 2 am) is somewhat lost. The requirement to use a single kind of encryption with a known key recoverable aspect would seem to be a very tempting lure for organized crime: the ability for a citizen to take steps to ameliorate that concern is evaporated under A3. Further, the stated goal of being able to wiretap criminals seems to be of limited use. For one thing, before a judge can grant the authorization to wiretap, the law enforcement community must already have enough evidence to convince the judge that it is not a fishing expedition. This means that there would already be significant evidence in place before the wiretap would occur. Given that less than one tenth of one percent of the wiretapping cases pursued in 1996 featured encryption (private conversation with FBI agent on 19 November 1997), this seems to offer at best a limited benefit to public safety and at a large cost to private deterrence of crime.

Privacy as a performance element was judged to be best in A1 and worst in A3, primarily for the reasons stated above: that the known ability to recover keys would be an irresistible attractant for criminal elements, including hackers, and that the ability of an individual to take steps to maintain his privacy would be greatly eroded. Further, the use of a mandated key recoverable system in an international key management system would provide a great deal of global exposure to the ability to recover the keys as a necessary aspect of global cooperation. These elements tend to limit privacy rather than enhance it, including not only the communications and the transactions but also the configuration information and detailed analytical data on data usage patterns that become available as a direct result of being able to tie a specific packet to a specific user. The threat to privacy was not seen as so draconian with A2, which allows for other systems to coexist, and was seen to be most protected by A1.

The potential for other uses, such as auditing transactions for tax collection or labor standards compliance, is clearly highest with the 3^rd alternative. This would take some additional effort, so it was not rated as a 10 but was given the score of 8. The potential for other uses was non-existent with A1 -- thus the score of 1 -- and moderate with A2, which would be able to use the system to monitor governmental transactions and perhaps derives some usage out of that information.

So the wrap-up for performance is a mixed bag, with A1 leading for public safety and privacy, and A3 leading for other usage potential.

With regards to risk, there seemed to be an extraordinary amount of risk associated with A3 across the board. No one has ever implemented such a large system with so many users, so many points of entry, so many threats to the security of the system, and with no ability to predict performance. Further, the risk of negligence in any aspect of the system is very high by virtue of the number of humans involved, the complexity of the interconnectivity of systems, the heterogeneity of systems that must coexist within the same infrastructure, and the international nature of the scheme. A2 incurred much of the same risk elements, but on a smaller scale and with backup potential from other systems that seemed to ameliorate some of the risk potential. A1 seemed to have the best risk profile, using the elements of the competitive marketplace and existing legal structure to regulate cost and performance as well as negligence.

An interesting notion related to risk is in the performance arena. This relates not only to the risk associated with the appropriate performance of each alternative, but also to the risk of enforcing compliance with the mandates, if necessary. Clearly there is an extraordinary amount of risk in getting criminals to actually use key recoverable encryption, particularly since the more successful the criminal is, the more sophisticated and aware he is bound to be. Further, there is the non-trivial risk that criminal elements could pretend to use the key recoverable system while hiding the real information using concealment methodologies, such as steganography. This would fully neutralize the utility of the key recoverable system.

With regards to risk, it is very clear that A3 carries with it enormous risk, while A1 carries with it little or no risk.

The elements of Impact covered the most ground. Here we see the second instance of A3 receiving a high score, in the area of intelligence collection. Clearly the impact of having a key recoverable system in place internationally would aid and abet the collection of intelligence -- unfortunately, not to the sole benefit of our government or national defense community. As the system would inevitably attract criminal elements, the system would be a gold mine for foreign intelligence activities, particularly those that already have robust cryptanalysis capabilities.

With regards to economic growth, a robust and competitive industry naturally produces the best elements for economic growth in a sector. Conversely, government mandated limits on the activities of a sector of the economy not only limits the energy and activity in that sector, but it also opens the door for off-shore competition, which moves into any neglected area. With the growing number of offshore encryption devices available, adopting A3 would be like handing the rest of the global market place to these competitors on a cake platter. There would, of course, be cascading effects in related industries, such as software and hardware manufacturers. This would be because of the assumption that encryption will become ubiquitous and integrated into systems for security and ease of use purposes. As US manufacturers are limited in their ability to do that, the global demand for their product will fall off incrementally. This is reflected in the Market share factor, with the associated scores showing this impact.

The Impact on crime is somewhat neutral. With A1, crime will continue as before, with private citizens able to purchase appropriate products for protecting themselves and criminals attempting to get around those products. With A2, there is little additional exposure, given the limited nature of the key recovery implementation and the ability to augment it with other choices of products and services. With A3 there is a slightly worse impact on crime, with the limited ability to wiretap those criminals that meet the criteria of both using the key recoverable encryption product and having committed a crime with enough other evidence to convince a judge to issue a wiretap approval. This limited ability was of course contraposed with the attraction of the criminal element to the key recovery system and a predictable rise in crimes associated with abuse of that capability.

With regards to international relations, there would seem to need some serious diplomatic activity required to get other nations to sign up to cooperate with the US Government on the key recovery system as envisioned in A3 (see footnote 15); this would impact international relations most probably adversely, particularly if it were viewed that the US was attempting to seed the world with easily breakable encryption devices. This would be true to a limited extent with A2 as well, but the availability of other capabilities could make the negotiations more palatable. There seems to be little if any impact associated with A1.

With regards to politics, there could be a very large dampening effect on political speech with A3, particularly if it is viewed that the alternative uses for key recovery are in fact being used. This is true not only domestically but also internationally, particularly since many Non-Governmental Organizations are based in the US and actively support activities that are considered illegal, immoral or unethical in other countries. The protection provided to such activities by products such as PGP would be totally lost with A3. This effect is present by limited in A2 and totally absent in A1.

The summary of the Impact analysis is that A3 would have the worst overall impact and A1 wold have the best impact overall.

A roll-up of the data combined together without any weighting is shown in the following chart. As noted, A1 consistently seems to be the best choice. The only issue where either of the other two alternatives scored closely was in Performance, where A2 came close. Recalling the factor analysis for this case, the element that brought the two close was the potential for other uses.

The summary of the data is shown in the Roll-Up column. Here, A1 is clearly the leader and A3 is clearly the least desirable choice.

Given that there is a potential for some of the issues to be more important than others, the next step in performing the analysis was to look at sensitivities in weighting. What would the results look like if Cost were the only issue that mattered? What if some combination of Cost and Performance mattered? These are the questions that are addressed by a sensitivity analysis. In this analysis, the following weights were assigned to the elements before rolling them up into a combined score for each of the alternatives:

The different weights were used to calculate roll-up scores for each of the alternatives and then the results graphed. The graph follows the table. As can be seen clearly on the chart, it doesn't matter what weighting scheme is used: A1 is clearly the best alternative when considered against the issues.

Having performed an analysis of the issues and element factors against each alternative, the next step is to look at each stakeholder and how the issues affect them. This will allow extrapolations to be made regarding the attractiveness of each alternative. The stakeholders considered in this analysis are the following:

• US Government
• Foreign Governments
• Non Governmental Organizations
• Electronic Commerce Participants
• Privacy Advocates
• Cryptologic Mathematicians
• Academicians.
• System Manufacturers
• Individuals
• Criminal Elements

The following charts show the data regarding how strongly each stakeholder feels about each factor. In this series of charts, the value 10 represents very strong feelings or very high interest, while 1 reflects the converse of negligible interest or few if any feelings about the factor.

The first chart presents the data regarding cost. The stakeholders who are perceived to care most about cost elements include electronic commerce participants, privacy advocates, and individuals. Following a close second come stakeholders such as academicians, system manufacturers, and cryptologic mathematicians. The driving concerns here were perceived that those who are most interested in the subject would care most about the costs associated with it, with the exception of individuals, who as taxpayers would be forced to finance the entire implementation and operation of any scheme. Any increased costs for groups that operate on fixed or declining budgets, such as academicians, will be significant concerns. For groups who are strongly in favor of privacy issues and economic competitiveness, increased costs, no matter how small, can be expected to irritate. For groups who do not expect to have to contribute significantly to the costs of implementation and operations, costs are of limited concern.

For the elements of performance, each stakeholder rated as having a strong interest as shown in the following chart. As such, this does not become a distinguishing issue in the analysis.

With regards to the elements of risk, only two stakeholders rated as not having a strong interest. These two stakeholders, Foreign Governments and Criminal Elements, share the same characteristic as not having to own the results of the alternatives and thus care less about the specific risk elements, such as cost risk or performance risk. The other stakeholders all measured fairly high in this issue category.

The factors associated with Impact seem to be a strong differentiator. The US and Foreign governments as well as system manufacturers rated as having high interest in these elements, with every other stakeholder measuring medium-high levels of interest. The lowest interest level, at 5.3, was generated by privacy advocates, who can be characterized as caring less about market share and economic competitiveness as the issues relating to privacy.

Rolling all the data together produces the following chart. In each column, the high scores are bolded, to include the roll-up column. Only one stakeholder does not have any "bolds" -- the criminal element. The rest of the stakeholders all rate two or three bolds across the columns. The stakeholders who show the most sustained interest across the issue elements are electronic commerce participants, privacy advocates, system manufacturers, and individuals.

Reapplying the weighting figures previously used to perform sensitivity analysis for the factors - alternatives analysis presents the following chart and graph.

The data presented by this sensitivity analysis supports the conclusions reached by the unweighted analysis: that the stakeholders that care the most about the issues are the electronic commerce participants, privacy advocates, system manufacturers, and individuals. And the elements that these stakeholders care the most about are performance and risk.

The results of the analysis shows that electronic commerce participants, privacy advocates, system manufacturers, and individuals are the stakeholders who care most about the issues associated with the concept of key recoverable systems. Their concerns are primarily associated with the factors of performance and risk. The single alternative that provides these stakeholders with strong performance on both performance and risk is A1. A2 provides equivalent results on the performance issue, but falls far short on the risk issue. Additionally, when weights are used to perform sensitivity analysis on the alternatives, A1 consistently out scores both A2 and A3. Relevant scores are shown in the table below:

This is not to say that the other stakeholders are negligible to the debate, nor that the other issues need not be considered carefully. Clearly, at least the element of cost must be considered carefully, in terms of not only direct cost but also indirect costs.

The clear results of this analysis are that A1 is the best choice given the set of assumptions and scoring parameters. Further, the sensitivity analysis shows that A1 is the best choice independent of what the primary concern is.

Candidate next steps in this analysis would be to quantify the cost elements more precisely and to get more concrete data to back up the scores. A comprehensive treatment of this issue could include surveys to each of the stakeholders to get a statistical view of their opinions and levels of tolerance in each of the issue areas.