From: eric@remailer.net (Eric Hughes)
Date: Tue, 17 Jan 95 13:28:41 PST
To: cypherpunks@toad.com
Subject: Re: Does encrypted equal safe?
In-Reply-To: <m0rU6g1-000kfxC@mill2.millcomm.com>
Message-ID: <199501172128.NAA06955@largo.remailer.net>
MIME-Version: 1.0
Content-Type: text/plain


   From: marko@millcomm.com (Mark Oeltjenbruns)

   >If you can't read it, it's not kiddie-porn *for you*, although it
   >might be for someone with the key.
   >
	   So the fact that its not kiddie-porn *for me* makes it safe *for me*
   to be transporting or storing for others that know it is kiddie-porn?

Do you want it to be, or not?

This is exactly the situation I was talking about when I emphasized
the need for a positive rhetoric.  We have here a situation for which
I see the need for a clear statement of position and persuasive
arguments in its favor.

The law gets created by discussion.  If we as a group fail to
articulate our positions, these positions won't be represented and,
failing other advocates (who?), will have no place in the law.  Legal
support of privacy technology will be necessary for its long term
acceptance.

The structure of the argument quoted below is primarily that of "this
can't be right".  I can only infer advocacy that operators of privacy
services must be primarily responsible for content.  This is to say
one of several things, none of which I desire.  It is to say privacy
service operators who don't know content and who don't know identity
should not exist, because no sane person would take upon themselves
the liability of the world.  It is alternately to say that privacy
service operators must know content and filter it.  It is alternately
to say that such operators must know identity and be able to transfer
liability, and these last two are not mutually exclusive.

If you don't want this situation, speak up now.  I desire the approved
existence of privacy services which offer true privacy and as
completely ignorant as possible operators of them.

   >Encryption fragments meaning subjectively.  A magazine, for example,
   >has a fixed center of meaning for all who can read the language.  A
   >magazine looks the same to all who look at it.  An encrypted file
   >looks different to those who have the key from those who do not.
   
   But why does the meaning of the data assume to change?

Because I want it to.

Meaning is subjective.  If I see encrypted text, am I to be held
responsible for having seen through an encryption for which I hold not
the key?  Merely because someone knows a transformation into a
disapproved form does not mean that I do.

   If I take my stack of kiddie-porn and put it in a box with a big
   strong lock on it, in a way physically encrypting it, change the
   meaning of what I have?

Ask your local postal or parcel service.  Is your local letter carrier
responsible for the possession of kiddie porn while walking around
with the mail in their sack?  I certainly hope not.  That would be a
ludicrous situation.

More accurately, it would be an outrage.  Pushing responsiblity for
interpretation, the ascertaining of meaning, onto people who transport
and store either physical goods or information would be to require
them to become deputies in enforcement.  The policeman inside indeed!
No one is required to love the State nor its dictates.

   >Encrypted data is fundamentally different from paper-and-ink data in
   >this way.  The metaphor of "planting it on somebody" does not apply to
   >data that the "somebody" can't read.

   It is fundamentally a different process, but does that make it
   different from the locking the physical data in a box as above?

It is identical in its removal of any knowledge of content from the
state of mind of the holder.

What is different is that encrypted data is even more clear in its
removal of knowledge.  With a physical container, the boundary of the
container can be breached.  With a crypto container, it is impossible.

   It seems to me that what you are saying is that because the data is
   in a form that I can't understand, I'm safe from trouble.  Now it seems to
   me that this is not all that different from changing the form or appearence
   of physical data and saying I'm not responsible for it.  

If you personally enclose a physical object, you haven't removed your
own state of knowledge about the contents.  But if you give the
package to someone else, they don't know the contents.  Even when the
package changes hands, the state of knowledge doesn't.

The War on Certain Drugs has had the unfortunate effect of stretching
the imputations of knowledge to holders of Certain Drugs.  If a single
person denies a state of knowledge, yet has physical possession of
some Certain Drug, a court may assume that the possessor is lying.

And the fact that certain situations like this have been legislated
badly makes them no less totalitarian.

On the other hand, someone in the business of taking packages from
many different people can reasonably argue that they have no specific
knowledge of the contents of any of them.

	   Now think of a remailer:  If somebody gave me this box of stuff,
   stuff that I had no idea of what it was since it was *locked up*, to
   transport over to location X and I got busted half way there am I safe?

I'll consider this a reasonable argument if you can show that some
analogous delivery service has been busted in this way.  And not all
delivery services are common carriers.

   Can I say that even though someone is using me to
   spam or distribute kiddie porn, I have no reason to try and stop it since I
   don't know what they are doing?  

I can tell from this situation that you yourself wouldn't not feel
comfortable running a remailer.  So don't do that.  I see you're
already not doing that; good.

Eric