A. Michael Froomkin


Notes for Part II, Sections A and B

220. Some have argued that the process also violates the Computer Security Act of 1987. See infra part II.A.3.

221. U.S. Const. art. I, § 8, cl. 5.

222. NIST issues FIPS pursuant to § 111(d) of the Federal Property and Administrative Services Act of 1949, ch. 288, 63 Stat. 379 (the Brooks Act), as amended by the Computer Security Act of 1987, Pub. L. No. 100-235, 101 Stat. 1724. Relevant parts of the authority are codified at 40 U.S.C. § 759(d) (1988 & Supp. V 1993) and 15 U.S.C. § 278g-3 (1988). Arguably, neither of these statutes gives either NIST or the Secretary of Commerce the authority over telecommunications required to issue FIPS 185, because neither statute mentions telecommunications equipment. See National Bureau of Standards Act of 1901, 15 U.S.C. §§ 271-278h (1988) (describing NIST's powers prior to Computer Security Act of 1987); Computer Security Act of 1987, 15 U.S.C. § 278g-3 (1988) (giving NIST power to develop "standards, guidelines, and associated methods and techniques for computer systems" and to make standards for the "cost-effective security and privacy of sensitive information in Federal computer systems," and defining the latter to include "automatic data processing equipment" (ADPE)); Federal Property and Administrative Services Act of 1949, 40 U.S.C. § 759(d)(1) (1988) (giving the Secretary of Commerce authority to "promulgate standards and guidelines pertaining to Federal computer systems"); Federal Property and Administrative Services Act of 1949, 40 U.S.C. § 759(a)(2) (1988) (defining ADPE to include "any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception, of data or information").

NIST, however, obtained a delegation of authority from the General Services Administration (GSA) to issue a FIPS relating to telecommunications systems, although the GSA itself argued that the delegation was unnecessary. See Letter from Francis A. McDonough, Assistant Commissioner, Federal Information Resources Management, General Services Administration, to Michael R. Rubin, Deputy Chief Counsel, NIST (Jan. 28, 1994) (included in volume 3 of the official record of FIPS 185); see also 41 C.F.R. § 201-20.303(b)(2)(i)(B) (1993) (stating, per GSA regulation, that NIST has substantial telecommunications authority, which is arguably based on an incorrect reading of the Paperwork Reduction Reauthorization Act of 1986, Pub. L. No. 99-591, § 101(m), 100 Stat. 3341-335).

223. See Department of Commerce, Semiannual Agenda of Regulations, 59 Fed. Reg. 20,135, 20,136 (1994) [hereinafter Agenda of Regulations] (noting that FIPS "apply only to the Federal Government" and that in FIPS' development, NIST "works closely with private industry standard-setting organizations"); Mitch Ratcliffe, Security Chips Trigger Alarm: Clipper and Capstone Open Digital Back Door, MacWeek, Apr. 26, 1993, at 1, 1 (stating that FIPS often become de facto standards because the U.S. government is the largest computer customer in the world).

For an economic analysis of the costs and benefits of standards, see Stanley M. Besen & Joseph Farrell, Choosing How to Compete: Strategies and Tactics in Standardization, J. Econ. Perspectives, Spring 1994, at 117, 117-18 (asserting that firms manipulate standards for competitive advantage); Michael L. Katz & Carl Shapiro, Systems Competition and Network Effects, J. Econ. Perspectives, Spring 1994, at 93, 93-95 (warning that pervasive standards lead to inefficient market outcomes in "systems markets" characterized by products that require other conforming products to function). But see S.J. Liebowitz & Stephen E. Margolis, Network Externality: An Uncommon Tragedy, J. Econ. Perspectives, Spring 1994, at 133, 133-35 (arguing that the negative effects of standards identified by Katz and Shapiro are infrequent, if they exist at all).

224. See, e.g., USACM Position on the Escrow Encryption Standard, Comm. ACM, Sept. 1994, at 16, 16 (reporting a press release by the Association for Computing Machinery stating that "[i]ncreasingly, the standards set through the FIPS process directly affect non-federal organizations and the public at large").

225. See FIPS 185, supra note 14, at 6002.

226. Id. at 5999.

227. Id. at 6003.

228. See id.

229. Id. at 6005. Apparently, individuals who are not members of organizations, or organizations that do not already supply products or services to the government, need [**PAGE 767**]not apply.

230. Id.

231. Id. at 6001.

232. 5 U.S.C. § 553(b)-(d) (1988). There is no reason other than long-standing practice by the NBS and NIST to believe that a notice and comment procedure was actually required. But see American College of Neuropsychopharmacology v. Weinberger, [1975 Developments] Food Drug Cosm. L. Rep. (CCH) § 38,025 (D.D.C. July 31, 1975) (holding that publication in the Federal Register combined with the complexity of the rules themselves meant that the rules in question were subject to the notice and comment procedures of § 553 of the APA).

233. Publication in the Federal Register is only required if the President should disapprove or modify a FIPS. See 40 U.S.C. § 759(d)(1) (1988).

234. A legislative rule is an exercise of power delegated by Congress to an administrative agency. It can create, modify or remove legal duties, rights or exemptions. Agencies may make legislative rules through formal or informal rule making. Formal rule making is rarely used. Informal rule making ordinarily requires publication of [**PAGE 768**]a notice of the proposed rule in the Federal Register, a request for comments, and then a reasoned attention to those comments before the final rule is promulgated in the Federal Register. See 5 U.S.C. § 553(b)-(d) (1988) (detailing the rule-making procedures for administrative agencies).

Most FIPS which affect federal procurement are mandatory in the sense that only federal agencies, but not the public, are required to adhere to them. See Agenda of Regulations, supra note 23, at 20,136; see also FIPS 46-2, supra note 106, at 69,347 (reaffirming FIPS 46-1 "for Federal Government use"); cf. Delegation of Authority for Waivers for Federal Information Processing Standards (FIPS), and of Procedures for Waivers for FIPS, 54 Fed. Reg. 4322 (1989) [hereinafter Waivers for FIPS] (establishing waiver procedures for agencies seeking exemptions from FIPS's requirements). FIPS 185 states, however, that it is "totally voluntary," even for federal agencies. FIPS 185, supra note 14, at 5998.

235. A nonlegislative rule is a rule which does not exercise a power delegated by Congress to an administrative agency. It cannot create, modify, or remove legal duties, rights, or exemptions. See Michael Asimow, Nonlegislative Rulemaking and Regulatory Reform, 1985 Duke L.J. 381, 383 (defining nonlegislative rules as those which "do not exercise delegated lawmaking power," but only "provide guidance to the public and to agency staff and decisionmakers"); Charles H. Koch, Jr., Public Procedures for the Promulgation of Interpretative Rules and General Statements of Policy, 64 Geo. L.J. 1047, 1048 (1976) (using the term "nonlegislative rules" to refer to rules not promulgated under the direction of the legislature and not in compliance with the APA's notice and comment procedures). If FIPS 185 is a rule at all, it is formally a nonlegislative rule in the sense that it does not attempt to create any legal obligations that bind the public.

FIPS 185 is barely a rule within the APA's definition because the only way in which it constitutes "the whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy," 5 U.S.C. § 551(4) (1988), is that it allows other agencies to substitute EES products for DES products. See FIPS 185, supra note 14, at 5999 (suggesting, but not mandating, that federal managers use EES instead of DES).

236. FIPS 185 is far too formal to fall into the miscellaneous category of agency products. This category includes press releases, informational publications, letters, etc. Such informal documents are not published in the Federal Register, which contains only documents "having general applicability and legal effect." Industrial Safety Equip. Ass'n, Inc. v. EPA, 837 F.2d 1115, 1121 (D.C. Cir. 1988); cf. Brock v. Cathedral Bluffs Shale Oil Co., 796 F.2d 533, 539 (D.C. Cir. 1986) (noting that the Federal Register, unlike the Code of Federal Regulations, also contains "policy statements" that have no legal effect).

237. See Asimow, supra note 235, at 383.

238. Peter L. Strauss, An Introduction to Administrative Justice in the [**PAGE 769**]United States 157 (1989); see also Peter L. Strauss, The Rulemaking Continuum, 41 Duke L.J. 1463, 1467 (1992) (noting that "publication rulemaking" is typically effected by agency staff without participation by the agency's head).

239. Cf. Robert A. Anthony, Interpretive Rules, Policy Statements, Guidances, Manuals, and the Like--Should Federal Agencies Use Them to Bind the Public?, 41 Duke L.J. 1311, 1333-40 (1992) (discussing nonlegislative documents on which agencies rely for these categories of cases).

240. For the APA exception for policy statements, see 5 U.S.C. § 553(b)(3)(A), (d)(2) (1988).

241. Prior to FIPS 185, agencies that did not procure waivers were required to use DES for sensitive nonclassified information. See FIPS 46-2, supra note 106, at 69,348. "Sensitive information" is defined as:

[A]ny information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of Title 5 [United States Code] (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.
15 U.S.C. § 278g-3(d)(4) (1988).

242. FIPS 185, supra note 14, at 6003.

243. See Office of the Press Secretary, The White House, Fact Sheet: Public Encryption Management 2 (Apr. 16, 1993), in "Key Escrow" Information Packet, supra note 20.

244. See 28 U.S.C. § 524(c)(4) (1988 & Supp. V 1993) (listing the financial sources of this fund). The Attorney General has discretion to use this fund for law enforcement purposes and is not required to return money in the fund to the Treasury. Legitimate uses of the fund include paying informants, equipping government vehicles for law enforcement functions, and purchasing evidence. See § 524(c)(1). The fund is substantial, with about $1 billion in the pipeline at any time, including money due to be paid to state law enforcement agencies. See William P. Barr, Attorney General's Remarks, Benjamin N. Cardozo School of Law, Nov. 15, 1992, in 15 Cardozo L. Rev. 31, 33 (1993). The expected income alone from the Assets Forfeiture Fund in 1987 was estimated at $150 million. See David J. Fried, Rationalizing Criminal Forfeiture, 79 J. Crim. L. & Criminology 328, 365 n.167 (1988) (citing Budget Appropriations: Hearings Before the Subcomm. of the House Comm. on Appropriations, 99th Cong., 2d Sess. 114 (1986)).

245. The Pentagon plans to purchase about two million Capstone PCMCIA cards for the Defense Message System. See Messmer, supra note 16, at 20; see also OTA Information Security, supra note 97, at 127 n.29 (citing Clinton Brooks, Special Assistant to the Director, NSA, May 25, 1994, for the statement that the Pentagon is using Tessera (now renamed Fortezza) cards in the Defense Message System).

246. See Dorothy E. Denning, The Clipper Chip Will Block Crime, Newsday (N.Y.), Feb. 22, 1994, at 35 (noting that "[t]he Justice Department has ordered $8 million worth of Clipper scramblers in the hope that they will become so widespread and convenient that everyone will use them").

247. Travelers desiring communications security while abroad should take note that exemption from export control does not equal exemption from the paperwork attendant to even a temporary export license. Temporary export licenses for exportable secure telephones or other telephone security devices require a shipper's export declaration (SED) which must be acquired before the trip and presented (in duplicate) to Customs officers upon export and re-import. Unfortunately, Customs officials who handle passengers have no familiarity with this form, do not know where [**PAGE 771**]it can be obtained, and are not necessarily willing to sign the SED because this function is allocated to the cargo department. At best, attempts to follow the regulations impose a minimum of an hour's delay in each direction, and probably more. See E-mail from Matt Blaze, Senior Research Scientist, AT&T Bell Laboratories, to Michael Froomkin (Jan. 6, 1995) (on file with author) (relating an unsuccessful attempt to go through regular channels and concluding "it just isn't possible for an individual traveler to follow all the rules").

248. See Office of the Press Secretary, The White House, Statement of the Press Secretary 2 (Feb. 4, 1994) (explaining that the Department of State "will streamline export licensing procedures for [these] encryption products"), in Key Escrow Announcements, supra note 196; U.S. Dep't of State, Statement of Dr. Martha Harris, Deputy Assistant Secretary of State for Political-Military Affairs: Encryption--Export Control Reform (Feb. 4, 1994) (detailing reforms of the licensing process), in Key Escrow Announcements, supra note 196.

249. See Dorothy E. Denning, Encryption and Law Enforcement § 5 (Feb. 21, 1994) (unpublished manuscript, on file with author). Although government procurement regulations are designed to award contracts to the lowest conforming bidder, without regard to past services rendered on other matters, cynics may find this action to be evidence of AT&T's desire to remain in the government's good graces. Paranoids may point to then-NSA Director Lincoln D. Faurer's statement in 1981 that "our intention is to significantly reward those DOD suppliers who produce the computer security products that we need." Bamford, supra note 17, at 362. Or, it may be that AT&T believed this was the patriotic, or commercially sensible, thing to do.

250. Anthony, supra note 239, at 1328; see Robert A. Anthony, "Well, You Want the Permit, Don't You?" Agency Efforts to Make Nonlegislative Documents Bind the Public, 44 Admin. L. Rev. 31, 37 (1992); cf. Asimow, supra note 235, at 382 (suggesting that postadoption public participation is the best way to deal with practically binding nonlegislative rules).

251. But cf. Anthony, supra note 239, at 1328-29 (suggesting that most nonlegislative documents with a "practical binding effect" achieve this end via one of the three means described in the text).

252. These are sometimes called "non-rule rules." Anthony, supra note 250, at 32 n.2 (defining "non-rule rules" as those that meet the APA's definition of "rules" but are not promulgated through legislative rule-making procedures).

253. See Motor Vehicle Mfrs. Ass'n v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 33, 34 (1983) (emphasizing the duty of administrative agencies to consider all important aspects of a problem and to "articulate a satisfactory explanation for its action").

254. See A Proposed Federal Information Processing Standard for an Escrowed Encryption Standard (EES), 58 Fed. Reg. 40,791 (1993).

255. See FIPS 185, supra note 14, at 5998 (stating that comments were received from "22 government organizations in the United States, 22 industry organizations and 276 individuals").

256. See id. NIST ignored comments from five industry organizations and 200 individuals who stated that guarantees were needed to assure that EES would not be a first step towards prohibition of other forms of encryption. NIST responded that the standard was voluntary. See id. Eight industry organizations and 181 individuals said that it was premature to adopt EES as a standard until policy decisions on [**PAGE 773**]encryption had been made. NIST responded that the standard was voluntary. See id. at 5999. Seven individuals proposed alternate technologies that they believed would be more cost effective than EES. NIST responded that the standard was voluntary. See id. at 6000.

257. Section 553's notice and comment requirements reflect Congress's "judgment that . . . informed administrative decisionmaking require[s] that agency decisions be made only after affording interested persons" an opportunity to communicate their views to the agency. Chrysler Corp. v. Brown, 441 U.S. 281, 316 (1979). By requiring "openness, explanation, and participatory democracy" in the rule-making process, notice and comment assures the legitimacy of administrative norms. Weyerhaeuser Co. v. Costle, 590 F.2d 1011, 1027 (D.C. Cir. 1978).

258. By bringing the case as a protest to a specific contract award, ideally one in which the competitor had made a tender of goods which conformed to the preexisting standard, the competitor might be able to distinguish Control Data Corp. v. Baldridge, 655 F.2d 283 (D.C. Cir.), cert. denied, 454 U.S. 881 (1981). In Baldridge, the D.C. Circuit held, effectively, that no one has standing to sue to overturn a FIPS outside of the bid protest context because the public is outside the "zone of interests to be protected or regulated by" the Brooks Act. Id. at 290. Bid protests of this sort go initially to the Board of Contract Appeals of the General Services Administration. See 40 U.S.C. § 759(f) (1988 & Supp. V 1993); see also Contract Disputes Act of 1978, 41 U.S.C. §§ 601-613 (1988 & Supp. V 1993).

259. To have standing, a plaintiff must demonstrate "injury that fairly can be traced to the challenged action of the defendant, and not injury that results from the independent action of some third party not before the court." Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 41-42 (1976); see also Valley Forge Christian College [**PAGE 774**]v. Americans United for Separation of Church and State, Inc., 454 U.S. 464, 473 (1982) (applying the "injury in fact" element of the standing requirement).

260. Cf. 40 U.S.C. § 759(d) (1988) (creating waiver power); Waivers for FIPS, supra note 234, at 4322 (permitting delegation of waiver power).

261. 481 U.S. 465, 475 (1987) (holding that plaintiff office-holder's allegation that his constituents would be "influenced against him" by government action labeling films he sponsored as "political propaganda" sufficed to create standing).

262. 655 F.2d 283, 295-97 (D.C. Cir.) (applying the zone of interest test to hold that plaintiff lacked standing to challenge a FIPS), cert. denied, 454 U.S. 881 (1981).

263. See supra notes 254-57 and accompanying text.

264. See, e.g., International Tel. & Tel. Corp. v. Local 134, 419 U.S. 428, 442-48 (1975) (determining that an agency process without binding effect, even if it leads to significant practical consequences, is not reviewable under APA § 551); Industrial Safety Equip. Ass'n v. EPA, 837 F.2d 1115, 1121 (D.C. Cir. 1988) (holding that the joint publication and dissemination of a "Guide" by the National Institute for Occupational Safety and Health and the EPA, branding petitioner's wholly EPA-compliant protective device much less safe than a competitor's device, was not a reviewable action, nor a legislative rule: the Guide "established no rule that the regulated industry must obey"); American Trucking Ass'n, Inc. v. United States, 755 F.2d 1292, 1296-98 (7th Cir. 1985) (concluding that a report was an "educational undertaking" and did not "impose an obligation, determine a right or liability or fix a legal relationship," and was therefore not reviewable agency action, despite allegations of revenue loss to parties resulting from the report).

265. See supra notes 234-41 and accompanying text (questioning, in the context of the APA, the government's seeming nonaccountability regarding FIPS).

266. Cf. Valley Forge Christian College v. Americans United for Separation of Church and State, Inc., 454 U.S. 464, 485-86 (1982) (holding that "psychological" injury is insufficient to confer standing).

267. This is not to suggest that abuses of the standard-setting process are not properly actionable. See, e.g., Allied Tube & Conduit Corp. v. Indian Head, Inc., 486 U.S. 492, 503-07 (1988) (denying Noerr antitrust immunity to parties who manipulated the standard-setting process of a private association without official authority).

268. "[S]tandards are essential to the achievement of full competition and to the saving of large sums of money by the Government." Control Data Corp. v. Baldridge, 655 F.2d 283, 286 (D.C. Cir.), cert. denied, 454 U.S. 881 (1981). On the benefits of standardization, see Michael A. Epstein, Standards and Intellectual Property, in [**PAGE 776**]Intellectual Property/Antitrust 1993 (PLI Patents, Copyrights, Trademarks, and Literary Property Course Handbook Series No. G4-3903, 1993), available in WESTLAW, TP-All Database.

269. Vermont Yankee Nuclear Power Corp. v. Natural Resources Defense Council, Inc., 435 U.S. 519, 549 (1978), presents a particularly great hurdle by its holding that courts cannot impose on an agency procedural requirements not found in the APA.

270. Narrowing the terms of the Asset Forfeiture Super Surplus Fund is very much a second-best solution. Not only would suitable amendments to the authorizing legislation be difficult to draft, but the terms of the fund are already narrow enough to force money to be spent in inappropriate ways. See generally Alison R. Solomon, Comment, Drugs and Money: How Successful Is the Seizure and Forfeiture Program at Raising Revenue and Distributing Proceeds?, 42 Emory L.J. 1149, 1166-91 (1993) (examining the benefits, drawbacks, and management of federal asset forfeiture programs as law enforcement and revenue-raising tools).

271. NIST takes the position that all the interesting information is classified or confidential. Computer Professionals for Social Responsibility (CPSR) filed a FOIA request to obtain documents relating to the NSA's role in FIPS 185. CPSR's challenge to the denial of their request was dismissed with prejudice on summary judgment in Computer Professionals for Social Responsibility v. National Inst. of Standards & Technology, No. 92-0972-RCL (D.D.C. Apr. 11, 1994). CPSR is currently appealing the district court's summary judgment ruling. See Computer Professionals for Social Responsibility v. National Inst. of Standards & Technology, No. 94-5153 (D.C. Cir. filed June 27, 1994).

272. Pub. L. No. 100-235, 101 Stat. 1724 (codified as amended at 15 U.S.C. §§ 271, 272, 278g-3 to g-4, 278h (1988 & Supp. V 1993) and 40 U.S.C. § 759 (1988 & Supp. V 1993)).

273. See Telecommunications Network Security: Hearings Before the Subcomm. on Telecommunications and Finance of the House Comm. on Energy and Commerce, 103d Cong., 1st Sess. 133-35 (1993) (prepared testimony of Marc Rotenberg, Director of Washington Office, Computer Professionals for Social Responsibility); see also Plaintiff's Memorandum in Opposition to Defendant's Motion for Summary Judgment and in Support of Plaintiff's Cross-Motion for Partial Summary Judgment at 3-7, Computer Professionals for Social Responsibility v. National Inst. of Standards and Technology (D.D.C. filed May 18, 1993) (No. 92-0972-RCL) [hereinafter CPSR Motion] (suggesting that, contrary to the intent of Congress, NIST may have retained "surface" control of the development of DSS, but allowed the NSA to develop the technical guidelines).

274. Nor is it clear, if the Act were violated, who would have standing to complain. See supra text accompanying notes 258-64.

275. See supra note 271 (discussing CPSR's lawsuit against NIST).

276. One slight complication is that NIST's authority to promulgate FIPS 185, insofar as it relates to the Clipper Chip itself (as opposed to Capstone), probably does not derive from the Computer Security Act. The Act relates to computer systems and related equipment, not telephones. NIST's authority to promulgate a telecommunications standard that applies beyond modems derives from a delegation of authority from the GSA. See supra note 222. The discussion in the text undoubtedly applies to more directly computer-related devices such as the Capstone Chip and the Fortezza PCMCIA card.

277. H.R. Rep. No. 153(I), 100th Cong., 1st Sess., pt. 2, at 6 (1987), reprinted in 1987 U.S.C.C.A.N. 3120, 3158. For a summary of NSDD 145, see Renae A. Franks, Note, The National Security Agency and Its Interference with Private Sector Computer Security, 72 Iowa L. Rev. 1015, 1020-24 (1987).

278. See H.R. Rep. No. 153(I), supra note 277, at 22, 25-26, reprinted in 1987 U.S.C.C.A.N. at 3137, 3141 (noting that "[g]reater emphasis should be given to cooperation between the military and civil agencies as well as the private sector in setting computer security and training goals," and stating that, although the NBS (now NIST) should work closely with other agencies such as the NSA, the NBS/NIST should retain "final authority" over the development of guidelines).

279. Id. at 21.

280. See id. at 7.

281. Computer Security Act § 2(b)(1).

282. Computer Security Act § 3(b)(6)(A), 15 U.S.C. § 278g-3(b)(6)(A) (1988).

283. See Computer Security Act § 3(c)(2), 15 U.S.C. § 278g-3(c)(2) (1988).

284. Memorandum of Understanding Between the Director of the National Institute of Standards and Technology and the Director of the National Security Agency Concerning the Implementation of Pub. L. No. 100-235 (Mar. 23, 1989), reprinted in Schneier, supra note 12, at 442-44 [hereinafter the NSA-NIST MOU].

285. Id. at 444.

286. Id.

287. For example, according to a document dated March 26, 1990, obtained by CPSR under FOIA, at one Technical Working Group meeting the NSA provided NIST with a position paper, classified "TOP SECRET CODEWORD," that discussed "reasons for the selection of certain algorithms." CPSR Motion, supra note 273, at 7.

288. See Computer Security Act § 2(b)(1) (stating that the "specific purposes" of the Act include assigning to NIST, and no other agency, "responsibility" for standards and guidelines for the security and privacy of federal computer systems that have non-classified information).

289. See id.

290. Agencies are allowed to choose to defer to other opinions, so long as they make the final decision. See Delta Data Sys. Corp. v. Webster, 744 F.2d 197, 201-02 (D.C. Cir. 1984) (stating that an agency may accept recommendations from the GAO); City of Alexandria v. United States, 737 F.2d 1022, 1025-27 (Fed. Cir. 1984) (stating that the separation of powers doctrine requires administrative agencies to be open to persuasion by congressional committees); Westinghouse Elec. Corp. v. United States Nuclear Regulatory Comm'n, 598 F.2d 759, 775-76 (3d Cir. 1979) (holding that an independent agency may allow itself to be persuaded by the President or Congress); M. Steinthal & Co. v. Seamans, 455 F.2d 1289, 1304-05 (D.C. Cir. 1971) (noting that the GAO's significant experience in procurement contracts makes it a persuasive source of information in procurement cases); A.G. Schoonmaker Co. v. Resor, 445 F.2d 726, 728 (D.C. Cir. 1971) (upholding the Army's adoption of the Comptroller General's opinion to set aside the awarding of a bid); John Reiner & Co. v. United States, 325 F.2d 438, 442-43 (Ct. Cl. 1963) (holding it was not arbitrary or capricious for an executive agency to defer to the GAO, an arm of the legislature, in order to promote interbranch comity, even if at first the agency disagreed with GAO's views), cert. denied, 377 U.S. 931 (1964); Henry Spen & Co. v. Laird, 354 F. Supp. 586, 588 (D.D.C. 1973) (allowing a procurement officer to be convinced by the Comptroller General, even when the latter lacks jurisdiction); United States ex rel. Brookfield Constr. Co. v. Stewart, 234 F. Supp. 94, 100 (D.D.C.) (holding that a disbursement [**PAGE 780**]officer properly and prudently followed the advice of the Comptroller General), order aff'd, 339 F.2d 753 (D.C. Cir. 1964).

291. A deadlocked vote does not in itself require NIST to change its mind. Nevertheless, it is not difficult to imagine why an agency might choose to compromise rather than involve the head of the entire department in a battle with the Secretary of Defense. In any case, the MOU's involvement of the Secretary of Defense seems contrary to the Act because the Act envisions no decision-making role for anyone outside NIST. NIST is part of a chain of command that goes up through the Secretary of Commerce to the President. Both the President and the Secretary of Commerce are free to consult anyone in the Cabinet, if they desire, for advice, but the Act provides no authority for NIST to turn over actual decision-making power, even in shared form, to the Secretary of Defense.

292. "The National Security Council, the Justice Department, the Commerce Department, and other key agencies were involved in this decision [to propose the Clipper Chip]. This approach has been endorsed by the President, the Vice President, and appropriate Cabinet Officials." Office of the Press Secretary, The White House, Questions and Answers About the Clinton Administration's Telecommunications Initiative 1 (Apr. 16, 1993), in "Key Escrow" Information Packet, supra note 20.

293. See Letter from NIST and the NSA to the Hon. John Conyers, Jr. and the Hon. Frank Horton, House Comm. on Gov't Operations (Dec. 22, 1989), reprinted in OTA Information Security, supra note 97, app. B at 201, 205-09.

294. Id. at 206.

295. Id. at 209.

296. Id. at 208.

297. Id. at 206.

298. See OTA Information Security, supra note 97, at 14.

299. See id. at 14-15 (discussing the NSA's advisory role in working with NIST).

300. Cf. id. at 16-18 (proposing seven options for congressional oversight and action on cryptography).

301. See Digital Privacy and Security Working Group, supra note 31, at 7 (critiquing guidelines set forth by the Clinton Administration for the Information Infrastructure Task Force).

302. 366 F. Supp. 104, 108 (D.D.C. 1973) (holding that the Acting Attorney General violated Justice Department regulations in firing Watergate Special Prosecutor Archibald Cox without first changing the rules giving the prosecutor limited tenure in office or finding that Cox acted with "extraordinary impropriety").

303. 418 U.S. 683, 697 (1974) (rejecting the argument that an action brought by a Special Prosecutor against the President was nonjusticiable because both parties were officers of the executive branch); see Michael Herz, United States v. United States: When Can the Federal Government Sue Itself?, 32 Wm. & Mary L. Rev. 893, 952-53 (1991) (noting the limited ability of the President to control executive and independent agencies). See generally Note, Violations by Agencies of Their Own Regulations, 87 Harv. L. Rev. 629 (1974) (examining agencies' ability to depart from existing regulations).

304. 5 U.S.C. § 552 (1988); cf. APA § 552(a)(2)(c) (1988) (requiring agencies to disclose changes in regulations that will affect such disclosures). Back to text

305. See, e.g., Silvio Micali, Fair Public-Key Cryptosystems, in Advances in Cryptology-CRYPTO '92, at 113, 116 (Ernest F. Brickell ed., 1993). Back to text

306. Others see the issues differently. See, e.g., Letter from Johnny H. Killian, Senior Specialist, American Constitutional Law, Congressional Research Service, to Joan D. Winston, Office of Technology Assessment 1 (March 3, 1994) (concluding that "placing custody of one of the keys in a federal court or in an agency of the Judicial Branch would almost certainly pass constitutional challenge"). In earlier drafts of this Article, I argued that holding keys was outside the judicial function because it was not "incidental" to any task specified in Article III. I am grateful to Larry Lessig and other participants in the LEXIS Counsel Connect on-line cryptography seminar for persuading me that there are two sides to the question. Back to text

307. See Metropolitan Wash. Airports Auth. v. Citizens for the Abatement of Aircraft Noise, Inc., 501 U.S. 252, 276-77 (1991) (holding that the participation of members of Congress on a committee possessing the power to veto decisions regarding local airports violated the doctrine of separation of powers); Bowsher v. Synar, 478 U.S. 714, 727-32 (1986) (holding that the Comptroller General could not be considered an executive branch official because Congress reserved the right to remove him by legislation, and, therefore, he could not constitutionally exercise budget-cutting powers given to him by the Deficit Control Act); Buckley v. Valeo, 424 U.S. 1, 126-33 (1976) (holding that members of Congress could not constitutionally appoint the members of the Federal Election Commission). Back to text

308. See Morrison v. Olson, 487 U.S. 654, 679 (1988) (stating that the Special Division may constitutionally exercise power to determine jurisdiction of Special Counsel only if this power is "truly `incidental' to" its appointment power). Back to text

309. See id. at 680-81 (noting that separation of powers ensures that "judges do not . . . undertake tasks that are more properly accomplished" by other branches). Back to text

310. 2 U.S. (2 Dall.) 409 (1792). Back to text

311. Id. at 410 n.! (reporter's note quoting from the judgment of the Circuit Court for the District of New York, a panel that included Chief Justice Cushing riding circuit); see United States v. Ferreira, 54 U.S. (13 How.) 40, 50-51 (1852) (relying on Hayburn's Case); see also Buckley, 424 U.S. at 123 (citing Hayburn's Case and Ferreira for the proposition that "executive or administrative duties of a nonjudicial nature may not be imposed on judges holding office under Article III of the Constitution"); National Mut. Ins. Co. v. Tidewater Transfer Co., 337 U.S. 582, 591 (1949) (Jackson, J., plurality opinion) (noting that courts properly are not asked to "participate in any legislative, administrative, political or other nonjudicial" functions). Back to text

312. Chandler v. Judicial Council of the Tenth Circuit, 398 U.S. 74, 111 (1970) (Harlan, J., concurring in denial of writ). Back to text

313. See Morrison v. Olson, 487 U.S. 654, 681 (1988) (discussing federal judicial control of the disclosure of federal grand jury matters). Back to text

314. The membership of judges on the Federal Sentencing Commission was upheld against a separation of powers challenge in Mistretta v. United States, 488 U.S. 361, 371-412 (1989). Back to text

315. The Supreme Court upheld the judiciary's role in the selection and supervision of independent counsel, in regards to the Ethics in Government Act of 1978, in Morrison, 487 U.S. at 684. Back to text

316. See 50 U.S.C. §§ 1801-1811 (1988); see also supra note 196 and accompanying text. Back to text

317. See Letter from Johnny H. Killian to Joan D. Winston, supra note 306, at 1-3 (discussing the probable constitutionality of placing custody of keys in the federal judiciary). Back to text

318. The proposed "Encryption Standards and Procedures Act of 1994" falls far short of this objective because it allows the President to designate any technologically qualified agency to hold key segments, so long as such agency lacks the authority to conduct wiretaps. See H.R. 5199, supra note 218, § 31(d)(1)-(2). Back to text

319. Compare Steven G. Calabresi, The Vesting Clauses as Power Grants, 88 Nw. U. L. Rev. 1377, 1389-1400 (1994) (describing the unitary executive theory, which suggests that there is only limited congressional power to restructure the executive department because the President is vested with the power to control and direct subordinate officials in their execution of statutory provisions) and Steven G. Calabresi & Kevin H. Rhodes, The Structural Constitution: Unitary Executive, Plural Judiciary, 105 Harv. L. Rev. 1155, 1155-71 (1992) (same) and Kevin H. Rhodes, A Structure Without Foundation: A Reply to Professor Froomkin, 88 Nw. U. [**PAGE 786**]L. Rev. 1406, 1416-17 (1994) (same) with A. Michael Froomkin, The Imperial Presidency's New Vestments, 88 Nw. U. L. Rev. 1346, 1347-49, 1366-69 (1994) (arguing that the Constitution gives Congress broad power to structure the President's control over the executive department) and A. Michael Froomkin, Still Naked After All These Words, 88 Nw. U. L. Rev. 1420, 1427-30 (1994) (same) and A. Michael Froomkin, Note, In Defense of Administrative Agency Autonomy, 96 Yale L.J. 787 (1987) (same). Back to text

320. Even more complex, and elegant, solutions exist. See, e.g., Silvio Micali, Fair Cryptosystems 7-8 (Aug. 1994) (unpublished manuscript, on file with author). Micali proposes a scheme in which the key can be broken up into any number of parts, and in which every part of the key is required to decrypt the message. See id. at 7. Micali's scheme includes a number of elegant but complex refinements, notably a scheme for making the keyholder "oblivious." Id. at 18, 40-41. By "oblivious" Micali means that even the trustee need not know the identity of the person whose key has been requested by the government. See id. at 18. In this way the trustees are unable to notify the person whose communications are being wiretapped. See id. Back to text
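As an added illustration of the property note 320 describes (a key broken into any number of parts, every one of which is needed to decrypt), here is a simple XOR split into one share per trustee. This is example code, not Micali's actual construction and not code from the Article; the `keystream_cipher` is a constructed toy so the all-parts-needed property can be exercised end to end, and `consistent_missing_share` shows why any n-1 shares reveal nothing about the key.

```python
import hashlib
import secrets


def xor_bytes(*parts: bytes) -> bytes:
    """XOR any number of equal-length byte strings together."""
    out = bytearray(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("all parts must have the same length")
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split key into n shares (one per trustee) whose XOR is the key.
    The first n-1 shares are uniformly random; the last is fixed up so the
    XOR comes out right. No share, and no n-1 of them, is useful alone."""
    if n < 2:
        raise ValueError("need at least two trustees")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    shares.append(xor_bytes(key, *shares))
    return shares


def reconstruct_key(shares: list[bytes]) -> bytes:
    """Recover the key; correct only when every trustee's share is present."""
    return xor_bytes(*shares)


def consistent_missing_share(partial: list[bytes], candidate: bytes) -> bytes:
    """Given all but one share, compute the missing share that would make the
    set reconstruct to `candidate`. One exists for every candidate key, so
    n-1 shares carry no information about which key is the real one."""
    return xor_bytes(candidate, *partial)


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only (not a real design): the
    keystream is SHA-256(key || block counter); encrypt and decrypt are the
    same XOR, so decryption with anything but the full key yields garbage."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        chunk = data[i:i + 32]
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out += xor_bytes(chunk, ks[:len(chunk)])
    return bytes(out)
```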

321. See Telephone Interview with Lynn McNulty, Associate Director, NIST (Aug. 5, 1994). Back to text

322. France, for example, prohibits the use of unregistered cryptographic algorithms. See James P. Chandler, et al., National Intellectual Property Law Inst. & George Washington Univ., Identification and Analysis of Foreign Laws and Regulations Pertaining to the Use of Commercial Encryption Products for Voice and Data Communications § 2.7.1 (Jan. 1994). Back to text

323. Recall that, according to the FBI, industrial espionage by friendly foreign governments is a growing threat to U.S. businesses. See supra note 43 and accompanying text. Back to text

324. The NSA has long-standing and close relationships with some of its foreign counterparts. See Bamford, supra note 17, at 309-37 (discussing BRUSA and UKUSA agreements with UK, Canada, Australia). The texts of the agreements, which date back to 1947, remain classified. John Gilmore has filed a FOIA request seeking information as to these agreements. See Posting from John Gilmore to USENET Group sci.crypt (Dec. 10, 1993) (on file with author). The NSA has yet to provide significant documents in response to this request. See Telephone Interview with Lee Tien (July 27, 1994) (notes on file with author) (Tien represents Gilmore in his FOIA request). Back to text

325. H.R. 5199, supra note 218, § 31(e)(2)(B). Back to text

326. One newspaper reported as follows:

The US plan for a Clipper chip . . . has raised fears among European businesses that sensitive information would no longer be secret if it were vetted by the CIA [or] the FBI . . . .
. . . .
. . . [T]he European organisation representing users of computer security has rejected the Clinton initiative as "totally unacceptable."
. . . [T]he Information Security Business Advisory Group (Ibag), warns European governments to ignore overtures from the US government aimed at restricting access to the information superhighway to users who use encryptions that the government agencies can decode.
Leonard Doyle, Spooks All Set to Hack It on the Superhighway, Independent (London), May 2, 1994, at 10. Back to text

327. See supra note 43 and accompanying text. Back to text

328. See S. Rep. No. 541, 99th Cong., 2d Sess. 12 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3566 ("The conversion of a voice signal to digital form for purposes of transmission does not render the communication non-wire."). A wire communication is an "aural transfer" made in whole or in part by wire, cable, or other like connection (for example, a telephone call). 18 U.S.C. § 2510(1) (1988). "Aural transfer" means "a transfer containing the human voice at any point between and including the point of origin and the point of reception." § 2510(18). Back to text

329. The Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified at 18 U.S.C. §§ 2510-2521 (1988 & Supp. V 1993)), defines an "electronic communication" as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but . . . not includ[ing] . . . any wire or oral communication." 18 U.S.C. § 2510(12). Back to text

330. A LEAF followed by an e-mail does not present the statutory problem discussed in this subsection because both the LEAF and the e-mail are electronic communications under 18 U.S.C. § 2510(12). The Fourth Amendment analysis, however, does apply to a LEAF preceding an e-mail message. Back to text

331. 18 U.S.C. § 2510(8). Back to text

332. Id. Back to text

333. See Fishman Supplement, supra note 199, § 7.3. Back to text

334. See id. § 42.1 (Supp. 1993). This difference is more significant than it may sound. See United States v. Giordano, 416 U.S. 505, 524-29 (1974) (holding that warrant application initialed by Attorney General's executive assistant, apparently without the Attorney General's knowledge, was invalid). Back to text

335. The statutory exclusionary rule appears at 18 U.S.C. § 2515; see also § 2511(1)(d) (making it unlawful to use the contents of any wire or oral communication obtained in violation of the statute). Unlike the constitutional exclusionary rule, the statutory rule reaches private action, applies in civil and regulatory proceedings as well as in criminal cases, and is unaffected by the growing body of exceptions the Supreme Court has placed on the constitutional exclusionary rule, such as good faith exceptions, the eventual discovery exception, and the exception for use in rebuttal. See § 2515. I am indebted to Charles C. Marson for pointing this out to me. Back to text

336. See § 2520 (providing for damages and injunctive relief in civil actions). Congress deliberately omitted an exclusionary remedy. See S. Rep. No. 541, supra note 328, at 23, reprinted in 1986 U.S.C.C.A.N. at 3577; Fishman Supplement, supra note 199, §§ 252.1, 253. I am again indebted to Charles C. Marson for pointing this out to me. Back to text

337. See supra note 211. Back to text

338. See 18 U.S.C. §§ 3121-3123 (1988); supra note 211. Back to text

339. See, e.g., United States v. Miller, 425 U.S. 435, 442-43 (1976) (holding that by voluntarily conveying information to a bank and its employees, the respondent did not have a legitimate expectation of privacy); Katz v. United States, 389 U.S. 347, 353 (1967) ("The Government's activities in electronically listening to and recording the petitioner's words violated the privacy upon which he justifiably relied while using the telephone booth . . . ."). Back to text

340. See Katz, 389 U.S. at 361 (Harlan, J., concurring). Back to text

341. See Smith v. Maryland, 442 U.S. 735, 745-46 (1979). Back to text

342. See Miller, 425 U.S. at 443 (holding that a depositor had no legitimate expectation of privacy, and hence no protectable Fourth Amendment interest, in copies of checks and deposit slips retained by his bank because the depositor, by writing the checks and making the deposits, had taken the risk that "the information [would] be conveyed . . . to the Government"). Back to text

343. For an argument that Miller should be reversed on the theory that the Right to Financial Privacy Act of 1978, Pub. L. No. 95-630, 92 Stat. 3697 (codified at 12 U.S.C. §§ 3401-3422 (1988 & Supp. V 1993)), creates a reasonable expectation of privacy in bank records, see Bercu, supra note 90, at 407-09. Back to text

344. See supra text accompanying note 155 (noting that intelligence agencies learn important information by tracking who calls whom). Back to text

345. Because telephone traffic carries with it switching information regarding the destination of the call (information that is used by the service provider's routing system), a sophisticated eavesdropper may in any event have access to some of this information with less effort. Back to text

346. See Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414, § 103(a)(1), 108 Stat. 4279, 4280 (1994) (requiring telephone-service providers to make systems wiretap-ready). Back to text
