So about this “warrantless encryption” thing. We’ve been here before.

The first time was way back in 1993, a time when the Internet was just starting to gain widespread traction and concerns about privacy and information security were on the cusp of entering the mainstream.
1/
Encryption wasn’t routinely used by the public in 1993, but it was becoming clear to almost everyone that it would soon be a critical tool - maybe the only viable tool - for protecting private communication and data in an increasingly complex and connected networked world. 2/
The government saw the handwriting on the wall. They knew, and the rest of us nerds knew, that encryption would soon need to be integrated, at large scale, into the infrastructure that we have today in 2019. And 1993 was when we needed to get to work on this. 3/
But the government was worried. What if encryption was TOO GOOD? Wouldn’t that make wiretapping obsolete as an investigative tool? Encryption, they said, is dangerous. Yes, it protects the good guys, but it also shields the bad guys. So they came up with a Clever Solution. 4/
The Clever Solution was called the Escrowed Encryption Standard, popularly known as the Clipper Chip. Clipper would use a strong, NSA designed cipher, but with a special new mechanism called “key escrow”. This would make it possible for the government to decrypt Clipper data. 5/
Clipper must have seemed like the perfect solution to an otherwise irreconcilable problem. The good guys- the law abiding public- get strong encryption, but the government could still collect evidence when the bad guys used it. Problem Officially Solved! 6/
Clipper’s key escrow scheme involved splitting the decryption process among two agencies to prevent unauthorized use. Clipper itself relied on tamper-resistant hardware that you’d be able to buy if you wanted to use the strong new cipher.

It was controversial.

7/
Most of the controversy centered around whether the government could really be trusted to hold everyone’s keys. Could they really set up a secure decryption process at scale that could also reliably prevent unauthorized use? Good questions, but that’s not what sunk it. 8/
While we were debating these important questions, I got hold of some Clipper chips and analyzed them. I found ways to bypass the escrow mechanism so you could use the strong cipher without being exposed to government access, thus eliminating the whole point of the thing. 9/
But that’s not the point of this story. (You can read about it here if you want: mattblaze.org/escrow-acsac11… )

I want to imagine instead what would have happened if Clipper had been a SUCCESS.

10/
Let’s imagine that Clipper hadn’t suffered from the flaws I found. And let’s imagine that the government satisfied enough of everyone’s concerns about its management of the escrowed keys that Clipper became the universal standard that the government hoped it would become. 11/
Clipper required that encryption be done in special-purpose hardware. The whole scheme depended on this. If you wanted encryption, you’d need to make sure your device had a Clipper chip. Otherwise there was no way to interoperate with other encryption users. 12/
This might have seemed like no big deal in 1993. Hardly anyone was using encryption, so asking this niche market to buy a $20 chip in order to encrypt might have seemed perfectly reasonable. But it meant no interoperable software-only encryption, ever. 13/
That would have been an utter disaster. As bad as security is now, it would be much worse if people had to pay $20 in order to use crypto that’s essentially free in software. The Internet changed rapidly since 1993, and Clipper would have forced encryption out of it. 15/
The point here is that technology changes very rapidly, and security tech (especially encryption) needs to be able to keep up or it will simply be left out. Any requirements or mandates that make it harder increase the risk that it will be left out of whatever comes next. 17/
One big risk of backdoors is that they might fail or be abused. And that’s very serious. But it’s not the only problem here. The other, perhaps less obvious problem is that backdoor requirements make robust security less agile, and therefore less compatible with the future. 17/
Making a truly secure encryption backdoor is probably impossible. Making one that won’t hobble us in the future is unimaginable. 18/18
A Clipper Chip postscript I would be remiss in not mentioning: when I found the weakness in the escrow scheme, NSA was COMPLETELY professional about it. They never tried to deny or discourage me from publishing in any way. They even pointed out typos in the draft of my paper.
Bell Labs management was also amazing. Fully supportive, even in the face of considerable pressure from AT&T’s government relations department, which no doubt was planning to have me kidnapped or something.
The first (and ultimately only) commercial product to use Clipper was this $1400 encrypted phone from AT&T. It was designed by the same group at AT&T that did the STU-III secure phone for classified calls. flickr.com/photos/mattbla…
Anyway, when it comes to crypto policy history, those who fail to remember history at least aren’t doomed to hitting their head against the wall and screaming into the void every time this comes up.