Date: Mon, 14 Mar 94 20:26:58 PST From: surfpunk@osc.versant.com (SURFPUNK Technical Journal) Subject: [surfpunk-0105] FOIA: the Clipper Key Escrow databases * "I know of no safe depository of the ultimate powers * of the society but the people themselves, and if we * think them not enlightened enough to exercise that * control with a wholesome discretion, the remedy is not * to take it from them, but to inform their discretion." * * -- Thomas Jefferson, 1820 * [passed along by librarian Ruth Reynolds] SURFPUNK BACKISSUES: ftp://ftp.yak.net/pub/surfpunk ALSO: ftp://ftp.eff.org/pub/Publications/CuD/Surfpunk/ John Gilmore has sent a Freedom Of Information Act (FOIA) request for the database of escrowed key components. These are the half-keys that will be required to decrypt conversations on the pre-wiretapped Clipper encrypted telephones. The idea behind FOIA is that the U S Government should be accountable to its citizens by having its files and databases open to public inspection. The mechanism for doing this is to file a FOIA request to a government agency, and they are supposed to send you what you ask for, with some exceptions. Requesting the Clipper key databases seems silly at first, but really it strikes at the heart of why Clipper is such a bad idea: FOIA prevents government from collecting information about citizens that the citizens themselves cannot be trusted with. If we do not want other citizens listening in to our private conversations, the government has no business doing it, either, because they should be working *for* us. BTW, Eric Hughes points out that "escrowed" is not really the right word. An escrow agent is someone chosen and agreed to by both parties to hold something for future release under certain conditions. In the case of Clipper Keys, both parties do not get to agree to who the escrow agents are. They are chosen for you: one is the U S Treasury department, whose Secret Service brought you the Steve Jackson Games fiasco; the other is NIST, who is plowing ahead with the Clipper standard despite a nearly unanimous response against it during their period of public comment. It looks like John has created a mailing list foia-keys-request@toad.com if you're interested in following this. The Cypherpunks list is still at cypherpunks-request@toad.com. --strick ________________________________________________________________________ ________________________________________________________________________ To: cypherpunks@toad.com, gnu@toad.com Subject: <6g> I have FOIA'd the Clipper Key Escrow databases Date: Fri, 25 Feb 94 12:58:40 -0800 From: gnu@toad.com There appears to be no FOIA exemption that would justify withholding the key escrow databases which Treasury and NIST are building. (The keys are not tied to any individual, so individual privacy isn't a valid exemption. The database isn't classified. Etc.) I have asked for a copy of each database, in toto. Letters were sent yesterday. One is reproduced below; the other is identical except for the addressee and minor details. You too can do things like this. It's fun and it occasionally produces highly useful information. Just think of something that the government knows, and has written down on paper, that you want to know. Ask them for it. You have the right to know. They're spending your taxes to subjugate you, and they're required to answer, though almost all agencies do it grudgingly. Post your request to the net, so that we-all will know it's happening, and can be inspired to think of other interesting things to ask for. You don't need all the boilerplate below about exemptions and time limits and stuff; that is to put the agencies on notice that we will push them in court, if necessary, to be responsive. Or you can use our boilerplate in your own requests, if you like. Alter the "media requester" section to suit your own situation. John [[ The actual FOIA request is at the end --strick ]] ________________________________________________________________________ Date: Mon, 28 Feb 94 11:48:59 -0800 From: hughes@ah.com (Eric Hughes) Message-Id: <9402281948.AA05053@ah.com> To: cypherpunks@toad.com Subject: <8c> I have FOIA'd the Clipper Key Escrow databases Should John's FOIA request for the clipper key database work, it creates a wonderful hole in the entire key custody system. It would require a legislative act to plug the hole. This is extremely significant, since the whole clipper strategy is based on unchecked and unbalanced actions by the executive branch. No laws were passed to create clipper and no judicial review has taken place. John's request will be denied, no doubt, and will go to court. Should he prevail in court, the executive branch is bound by that decision. A key custody database which was public would make the system insecure and unusable. The executive branch could not change this. Only the legislature could. Now, how many legislators do you know that are going to make a public record by voting in favor of Big Brother? We are witnessing the genius of framers of the USA Constitution here, folks. Eric ________________________________________________________________________ To: smb@research.att.com Cc: cypherpunks@toad.com, gnu@toad.com Subject: <6g> Re: I have FOIA'd the Clipper Key Escrow databases In-Reply-To: <9402252135.AA04902@toad.com> Date: Sun, 27 Feb 94 00:21:43 -0800 > I confess -- I expect one of two outcomes. First, they may say that > the database is classified, if only at the level of ``For Official > Use Only''. `For Official Use Only' is not a valid classification. A document with this marking cannot be withheld under FOIA exemption 1. You have to read the Executive Orders on classification -- this category got cleaned up a LONG time ago. The current Executive Order gives particular criteria for classifying things. If this database doesn't fit any of those criteria, it can't legally be classified. I don't believe that this database is covered. And a judge in a FOIA case can do a "de novo" (from scratch) review of whether the material is legally classified, by examining it himself in private -- we don't have to take the agency's word that "there really is some reason it is classified". Also, giving classified information to unauthorized people is a major offense. They threatened me with that offense one time, over texts that I found in a library. If the keys in the database are classified, they can't give them out to cops. FOIA requires that they "segregate" any classified part and give me the rest of what's there, so if they claim that "well, one key isn't classified, but ten or a thousand of them are classified", I bet we can (1) get some keys out, (2) challenge this idea in court. In particular, it should be possible to record the LEAF from a particular chip (whether you own it, or not!) and send it to them in a FOIA request asking for the matching unit key. They clearly can map a LEAF to a key (they do it for cops), and FOIA only requires that you "reasonably describe" the records you want. Given their mapping capability, the LEAF is a reasonable description of the record you want. > Second, maybe they will release it -- but remember that > the keys are stored encrypted. Can you file an FOIA request for the > key, too? Either I can get the key, or I can get them to decrypt it for me. If they could hold arbitrary government records in secret by simply encrypting them and classifying the keys, FOIA would be entirely thwarted; the courts wouldn't let them get away with it. By the way, I did request the keys: > This request includes your database of the escrowed key > components. This request also includes any ancillary information > about the database, such as data formats, procedures, standards, > access methods, memos and documents about its use, access > software, plans, etc. If the database itself is stored in encrypted > form, then this request also includes the computer programs and > keys required to access it. John ________________________________________________________________________ law office of Lee Tien 1452 Curtis Street Berkeley, California 94702 _______________ tien@well.sf.ca.us voice: (510) 525-0817 fax: (510) 525-3015 February 24, 1994 Reference: KEY ESCROW DATABASE-TREASURY Departmental Disclosure Office Department of the Treasury Room 1054-MT Washington, D.C. 20220 ATTN: FOIA request Dear Sir or Madam: This is a request under the Freedom of Information Act [5 U.S.C. Sec. 552] on behalf of my client, Mr. John Gilmore. I write to request a copy of all agency records or portions thereof, in electronic or other form, which relate to the database of escrowed key components for encryption using the key escrow encryption method. The Attorney General announced on Friday, February 4, 1994, that the Automated Systems Division of the Department of the Treasury will be one of the two escrow agents. This request includes your database of the escrowed key components. This request also includes any ancillary information about the database, such as data formats, procedures, standards, access methods, memos and documents about its use, access software, plans, etc. If the database itself is stored in encrypted form, then this request also includes the computer programs and keys required to access it. We specifically request that you make the database available in electronic form, such as on magnetic tape. We remind you that the long-standing rule that the FOIA "makes no distinction between records maintained in manual and computer storage systems," Yeager v. D.E.A., 678 F.2d 315, 321 (D.C.Cir. 1982), has recently been amplified in Armstrong v. Executive Office of the President, 810 F.Supp. 335 (D.D.C. 1993). Any paper print-outs of electronic records, such as e-mail, must include all information in the electronic record. Assuming that there would be no loss of releasable information, such as written comments made on paper print-outs, we therefore ask you to release all responsive electronic records in electronic, i.e., machine-readable, form. As you know, the FOIA provides that an agency must make an initial determination of whether to comply with a FOIA request within ten working days of receiving the request. If the records that you possess were originated or classified by another organization, I ask that your organization declassify them (if needed) and release them to me, as provided in the FOIA, within the statutory time limits. If there is a conflict between the statutory time limits and some regulation or policy that requires you to refer the records, the statutory requirement takes precedence over any Executive-branch regulation, policy or practice. Congress placed a limit on the time which may be expended in referrals. The FOIA explicitly provides that referrals to other interested agencies or agency components are treated under the provision for "unusual circumstances," and cannot justify a delay of more than an additional 10 working days. 5 U.S.C. Sec. 552(a)(6)(B)(iii). "[W]hen an agency receives a FOIA request for 'agency records' in its possession it must take responsibility for processing the request. It cannot simply refuse to act on the ground that the documents originated elsewhere." McGehee v. C.I.A., 697 F.2d 1095, 1110 (D.C. Cir. 1983). Even records originated by other agencies are subject to immediate release under the applicable case law, if they were at the time of the request in the possession and control of your agency. Simply put, the FOIA and the case law take precedence over executive branch regulations or practices regarding referrals. If you do refer documents to any other agency, and they are not provided within the time limits, we intend to litigate on this point. As you know, the FOIA provides that even if some requested material is properly exempted from mandatory disclosure, all segregable portions must be released. [5 U.S.C. Sec. 552(b)] If any or all material covered by this request is withheld, please inform me of the specific exemptions that are being claimed, and mark all deletions to indicate the exemption(s) being claimed to authorize each individual withholding. If the (b)(3) exemption is claimed, please indicate the relevant withholding statute(s). If any records are withheld, I request a Vaughn index or its equivalent during the administrative process. "[T]he objective of the Vaughn requirements, to permit the requesting party to present its case effectively, is equally applicable to proceedings within the agency." Mead Data Central v. Department of the Air Force, 402 F.Supp. 460 (D.D.C. 1974), remanded, 566 F.2d 242 (D.C. Cir. 1977) aff'd, 575 F.2d 932 (D.C. Cir. 1978). "[A] person cannot effectively appeal a decision about the releasability of documents ... if he is not informed of at least a list of the documents to which he was denied access ... and why those decisions were made. Denial of this information would in all likelihood be a denial of due process as well as effectively gutting the reasons for applying the exhaustion doctrine in FOIA cases." Shermco Industries, Inc. v. Secretary of the Air Force, 452 F.Supp. 306, 317 n.7 (N.D. Tex. 1978); see Oglesby v. Department of the Army, 920 F.2d 57, 65 (D.C. Cir. 1990) (citing Shermco). It should be simple to prepare a list and the claimed exemptions as the records are processed. Disclosing such information would not disclose any exempt information and it would make it easier to appeal your initial determination on the merits. In addition, I ask that your agency exercise its discretion to release information that may be technically exempt. As you know, the Attorney General on October 4, 1993, directed that agencies should administer the FOIA under a presumption of disclosure, and that information which need not be withheld should not be. I remind you that under Chrysler v. Brown, 441 U.S. 281, 293 (1979), the 5 U.S.C. Sec. 552(b) exemptions are discretionary, not mandatory. An agency can generally choose to release exempt information. This discretionary review process for withholding cannot take precedence over the law, which requires a response within specified time limits. Moreover, that discretion, according to the Attorney General's October 4, 1993 memorandum, must be exercised in accordance with a presumption of disclosure. Even if a substantial legal basis exists for withholding, information is not to be withheld unless it need be. I also request that fees be waived because Mr. Gilmore should be deemed a media requester by your agency for FOIA purposes, and because the public interest would be furthered by a fee waiver. The D.C. Circuit Court of Appeals has held that "a representative of the news media is, in essence, a person or entity that gathers information of potential interest to a segment of the public, uses its editorial skills to turn the raw materials into a distinct work, and distributes that work to an audience." National Security Archive v. Department of Defense, 880 F.2d 1381, 1387 (D.C.Cir. 1989), cert. denied 494 U.S. 1029 (1990). This definition applies strongly to Mr. Gilmore, who is a co- founder and director of the Electronic Frontier Foundation (EFF), a Washington, D.C.-based public interest organization. The EFF has been intimately involved in policy discussions concerning key escrow encryption and distributes information to the public by newsletter and electronic distribution about this and other topics involving civil liberties. Mr. Gilmore is also a skilled computer programmer who has spent the last ten years distributing his work for public use to a worldwide audience on the Internet and the Usenet. Mr. Gilmore is also entitled to a fee waiver because "disclosure of the information is in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the government and is not primarily in the commercial interest of the requester." There exists a tremendous public debate over the wisdom and legality of the key escrow encryption plan, as I am sure you are well aware. Your agency's database is clearly an operation of the government in which the public has a great interest. The Vice President himself has publicly expressed doubt about the delegating key escrow responsibilities to agencies which are part of the executive branch. The information requested herein relates to such doubt. This information is not yet in the public record, so the request makes a substantial contribution to the public understanding. This request is not primarily in the commercial interest of Mr. Gilmore. He will not benefit financially from this information in any way. He intends to disseminate the requested records widely and freely to inform this public debate. Should there be any problem in this regard, Mr. Gilmore promises to pay up to $1000 in fees, and you should therefore begin processing of this request without fee-related delays. As provided under the FOIA, I will expect a reply within ten (10) working days. Sincerely, Lee Tien Attorney at Law On behalf of Mr. John Gilmore ________________________________________________________________________ The SURFPUNK Technical Journal is a dangerous multinational hacker zine originating near BARRNET in the fashionable western arm of the northern California matrix. Quantum Californians appear in one of two states, spin surf or spin punk. Undetected, we are both, or might be neither. ________________________________________________________________________ Submissions: , Subscriptions: . Backissues: ftp://ftp.yak.net/pub/surfpunk also ftp://ftp.eff.org/pub/Publications/CuD/Surfpunk/ ________________________________________________________________________ ________________________________________________________________________ Vice President Al Gore's comments: By Jay Levin (C) 1994 From New York Unix Vol 4 #3. WASHINGTON, Feb 11 Under the Clipper plan, the keys would be stored at the Treasury Department and the National Insitute of Standards and Technology (NIST), whic is part of the Commerce Department. Both Treasury and Commerce are from the same branch of government, the executive branch. "When I saw that I said 'Wow. That is not right,' and I raised hell about that," Gore said in an interview Thursday. Having the key holders from the same branch of government raises concern because there is no systems of checks and balances, Gore said. "That's going to be changed," he said. ... The selection of NIST and Treasury "was spun out of the process at the low level and was not vetted at the top," Gore said. Gore's comments were made after appearing before the first meeting of a private sector advisory panel on the development of a "national information infrastructure" in Washington, D.C. From: Carl Ellison >The FBI and the Justice Department say the initiative would >not expand their power, but would ensure access to the type of >communications they have been entitled to tap for years. This is totally bogus. The FBI has never had the right to watch computer programs execute. Now that computer programs are being written as distributed systems, what was originally written to be an internal subroutine call can look like a message over the phone system. The FBI never had the right to bug corporate conference rooms. Now that companies are using videoconferencing, a private corporate conference could look like a phone call. Etc. This needs to be fought. - Carl To: cypherpunks@toad.com Subject: SQUISH I just received a notice concerning your game. Please send me some more information on how to join/play as well as any rules. Thanks, Jeff