7 September 1999

Date: Mon, 06 Sep 1999 23:01:46 -0700
From: "Paul E. Merrell" <pem@televar.com>
Organization: Lawyer
To: "ukcrypto@maillist.ox.ac.uk" <ukcrypto@maillist.ox.ac.uk>
Subject: Does Microsoft's CryptoAPI key violate U.S. law?

What follows is a copy of my post to a U.S.-based listserv for law
office technical issues:

"Eric C. Grimm" wrote:
> The HotMail hole means a lot of fun
> and games about whether one or more
> privacy causes of action lie against
> a private entity -- Microsoft.  But if
> this latest NSA rumor turns out to be
> true, then it appears to be more of a
> straight shot -- fraud, common-law
> conspiracy, 42 U.S.C. sec. 1983, and 42
> U.S.C sec. 1985 against both Microsoft
> and NSA.
> Any others have thoughts or comments?

Assuming the key is a backdoor to intercepted encrypted information,
Microsoft would be walking on very thin ice indeed, but may have severe
legal problems in any event. The federal wiretapping statute is very
clear in its prohibitions against advertising or distributing in
commerce "devices" for intercepting electronic communications.  Except
in very narrowly drawn circumstances, a court order is necessary and
must address the need to intercept communications of a particular
person, and only for a limited time.  See
http://www4.law.cornell.edu/uscode/18/2511.html (prohibitions);
http://www4.law.cornell.edu/uscode/18/2510.html (definitions);
http://www4.law.cornell.edu/uscode/18/2518.html (procedures for
obtaining court order).

So Microsoft's involved officials could be looking at a 5-year criminal
sentence for each distribution of each copy of Win32 **unless** it does
have a valid contract with the government to include the cryptographic
key in question, which seems to defy the statute in any event.  See
e.g., http://www4.law.cornell.edu/uscode/18/2512.html (.)
There is also potential civil liability including punitive damages to
persons whose communications were thereby intercepted,
http://www4.law.cornell.edu/uscode/18/2520.html (,) as well as a remedy
for injunctive relief.  http://www4.law.cornell.edu/uscode/18/2521.html
(.) There are certain affirmative defenses allowed, but the situation
would seem to provide fair grounds for litigation, particularly absent
an actual valid order or contract.

Regarding the NSA's public referral of all relevant questions to the
private companies involved, that referral may be disingenuous.  Under
Section (2)(a)(ii) of 18 U.S.C.  2511,
http://www4.law.cornell.edu/uscode/18/2511.html (,) assuming Microsoft
**does** have a valid instruction to include the encryption key, any
unauthorized disclosure or discussion of the key's actual purpose would
appear to subject Microsoft to further civil and criminal penalties. We
must discount Microsoft's input on the matter accordingly.

For further background, see also 50 U.S.C. 1801, et seq., the Foreign
Intelligence Surveillance Act of 1978
as amended, which adopts roughly
equivalent procedures, prohibitions, and rights, but which are for the
most part limited to surveillance of non-U.S. citizens. In summary form,
the right of federal intelligence agencies to engage in electronic
surveillance under the act is severely limited when it comes to U.S.

If there is authority in the statutes for the U.S. federal government to
require across-the-board inclusion of decryption keys in software, I did
not find it. The purported authority is a rather expansive reading of
export restriction laws lacking any provisions in apparent conflict with
the more specific prohibitions in the wiretapping statutes.

The federal encryption export controls for Web browsers appear to cross
the line from limiting the encryption key length to requiring inclusion
of a prohibited "device" for decryption purposes.  In the following
quoted material discussing that issue, I've included some content
required for understanding the discussion that follows of IBM,
Microsoft, and Netscape encryption/decryption keys.  The references for
the quoted material are included as footnotes in the linked article.


39.  From the 1940s to date, NSA has undermined the effectiveness of
cryptographic systems made or used in Europe.  The most important target
of NSA activity was a prominent Swiss manufacturing company, Crypto AG.
Crypto AG established a strong position as a supplier of code and cypher
systems after the second world war.  Many governments would not trust
products offered for sale by major powers.  In contrast, Swiss companies
in this sector benefited from Switzerland's neutrality and image of

40.  NSA arranged to rig encryption systems sold by Crypto AG, enabling
UKUSA agencies to read the coded diplomatic and military traffic of more
than 130 countries.  NSA's covert intervention was arranged through the
company's owner and founder Boris Hagelin, and involved periodic visits
to Switzerland by US "consultants" working for NSA.  One was Nora L
MacKabee, a career NSA employee.  A US newspaper obtained copies of
confidential Crypto AG documents recording Ms Mackebee's attendance at
discussion meetings in 1975 to design a new Crypto AG machine".(92)

41.  The purpose of NSA's interventions were to ensure that while its
coding systems should appear secure to other cryptologists, it was not
secure.  Each time a machine was used, its users would select a long
numerical key, changed periodically.  Naturally users wished to selected
their own keys, unknown to NSA.  If Crypto AG's machines were to appear
strong to outside testers, then its coding system should work, and
actually be strong.  NSA's solution to this apparent conundrum was to
design the machine so that it broadcast the key it was using to
listeners.  To prevent other listeners recognising what was happening,
the key too had also to be sent in code - a different code, known only
to NSA.  Thus, every time NSA or GCHQ intercepted a message sent using
these machines, they would first read their own coded part of the
message, called the "hilfsinformationen" (help information field) and
extract the key the target was using.  They could then read the message
itself as fast or even faster than the intended recipient(93)

42.  The same technique was re-used in 1995, when NSA became concerned
about cryptographic security systems being built into Internet and
E-mail software by Microsoft, Netscape and Lotus.  The companies agreed
to adapt their software to reduce the level of security provided to
users outside the United States.  In the case of Lotus Notes, which
includes a secure e-mail system, the built-in cryptographic system uses
a 64 bit encryption key.  This provides a medium level of security,
which might at present only be broken by NSA in months or years.

43.  Lotus built in an NSA "help information" trapdoor to its Notes
system, as the Swedish government discovered to its embarrassment in
1997.  By then, the system was in daily use for confidential mail by
Swedish MPs, 15,000 tax agency staff and 400,000 to 500,000 citizens.
Lotus Notes incorporates a "workfactor reduction field" (WRF) into all
e-mails sent by non US users of the system.  Like its predecessor the
Crypto AG "help information field" this device reduces NSA's difficulty
in reading European and other e-mail from an almost intractable problem
to a few seconds work.  The WRF broadcasts 24 of the 64 bits of the key
used for each communication.  The WRF is encoded, using a "public key"
system which can only be read by NSA.  Lotus, a subsidiary of IBM,
admits this.  The company told Svenska Dagbladet:

"The difference between the American Notes version and the export
version lies in degrees of encryption.  We deliver 64 bit keys to all
customers, but 24 bits of those in the version that we deliver outside
of the United States are deposited with the American government".(94)

44.  Similar arrangements are built into all export versions of the web
"browsers" manufactured by Microsoft and Netscape.  Each uses a standard
128 bit key.  In the export version, this key is not reduced in length.
Instead, 88 bits of the key are broadcast with each message; 40 bits
remain secret.  It follows that almost every computer in Europe has, as
a built-in standard feature, an NSA workfactor reduction system to
enable NSA (alone) to break the user's code and read secure messages.


Under the U.S.  wiretapping statutes, it thus appears that Microsoft is
advertising and distributing in commerce a prohibited "device" intended
for the interception of electronic communications, in the form of a
decryption key included in the "weak encryption" versions of web
browsers.  It is the inclusion of decryption information as opposed to
reliance on shortened keys that crosses the line established by the
wiretapping statute's prohibitions. (An argument could be made, however,
that purposefully weakening an encryption key as an aid to electronic
interception also crosses the line.) By Microsoft's own admissions, the
CryptoAPI key in Win32 under discussion is intended at best to verify
the existence of the decryption key in "weak encryption" E-Mail
software.  E.g.,
http://www.microsoft.com/security/bulletins/backdoor.asp (;) The
CryptoAPI key under discussion is thus a quality control feature of a
prohibited device. 

I also question whether the U.S. National Security Agency has any
reliable means to determine that users of "weak encryption" browser
versions are in fact not U.S. citizens, which might arguably move the
legal issues to the Foreign Intelligence Surveillance Act rather than
the domestic wiretapping statutes.  I know many U.S.  citizens who use
the "weak encryption" versions of Netscape and Internet Explorer simply
because they may download them using a faster and more reliable FTP
connection, rather than going through the questionnaire and using an
HTTP download.

So there seem to be plausible grounds to file a good faith lawsuit for
injunctive relief on a civil rights theory.  The availability of damages
beyond the price of the software and time lost installing and
uninstalling it, however, would depend heavily on the ability to prove
that the clients' communications were in fact intercepted and injury
caused thereby.  My reading of the wiretapping statutes suggests that
similar evidence would be needed to rely on them.  They do, however,
appear to provide a federally-secured right for conceptual purposes of
framing a civil rights lawsuit and commencing discovery.

I'd caution, however, that I have not done a thorough study of this
subject and people need to do their own research and investigation
before pursuing demands based on such theories.