From: Black Unicorn <unicorn@schloss.li>
Date: Sat, 27 Jan 1996 22:23:34 +0800
To: "Perry E. Metzger" <perry@piermont.com>
Subject: Re: "Gentlemen do not read each other's mail"
In-Reply-To: <199601251947.OAA16586@jekyll.piermont.com>
Message-ID: <Pine.SUN.3.91.960127090407.8008E-100000@polaris.mindport.net>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 25 Jan 1996, Perry E. Metzger wrote:

> 
> Phill refers to the man who said "Gentlemen do not read each other's
> mail", (Henry L. Stimson) as a twit.
> 
> I highly disagree. In some ways I regard him as our patron saint
> (although the man was actually far from saintly and later as a member
> of the Roosevelt cabinet adopted an opposite policy of aggressive
> signals intelligence.)
> 
> Why is he our patron saint? He was a government official coming out
> against invasion of privacy. Isn't that what we are all after, in the
> end? The reason we deploy cryptography is to assure privacy for
> all. We often refer to those who listen in on conversations
> (regardless of who they are) as, in some sense, our
> opposition. Therefore, is not Stimson's remark in closing down
> Yardley's "Black Chamber" to be praised rather than attacked?
> 
> Perry
> 

Unfortunately what he did was take the emphasis away from personal 
empowerment and personal responsibility for privacy and put it at the 
mercy of some creed or moral stand which had:

1> No common calling or degree of obervance in the population, or the 
intelligence communities at the time.
2> No structure, legal or otherwise, to provide for its enforcement.
3> The rather disturbing impication that no one need take pains to hide 
their private exchanges because a moral standard would protect them.

Instead, at least I always thought, cypherpunks stand for the personal 
empowerment and personal assurance of privcacy.

Indeed everything I can think of discussed here seems to revolve around a 
single goal-  making it easier, and simpler for a person to protect 
him or herself from unwanted intrusion into data he or she wishes to 
protect.  In fact, some goals, especially where transparency is 
concerned, seem to take the even more cynical view that the general 
population would be better off protected by crypto whether they know it 
or not.

Making crypto widely available to the general population, reviewing 
crypto for its implementation, basic skepticism about the protection 
afforded by new systems, basic skepticism for systems produced for 
commercial gain, basic skepticism for government produced systems, 
arguments for the lessening of government involvement in crypto, crypto 
standards, and a powerful dislike for the regulation of communication in 
all forms.  Perhaps most importantly, the production, review and 
discussion of "grass roots" crypto and communications security code.

All these, common themes on the list in my view, push us away from some 
blind notion that all is well in the world, and that man is basically 
good and will not intrude on his fellows.  All these insist that man is 
curious, probing, and that information is by its very nature nearly 
impossible to restrain without powerful methods.  All these insist that 
information will be exposed, be it by accident, malice, theft, by hook or 
by crook, or even well intentioned discourse, unless protected.  Isn't 
this the objection to ITAR?  It is folly to try and restrain information 
by legislation.

It should be clear that it is dangerous to depend on anything, be it 
government, industry, Lotus Notes, the Constitution, the Bill of Rights, 
your best friend's promise, your wife's pillow talk, and least of all a 
misplaced faith in the decency of the common man, when your sensitive 
data is at issue.

In short, crypto helps those who help themselves to crypto.

I have no sympathy what-so-ever for those who lose the privacy of their 
data through negligence.  I believe they should be estopped from 
all complaint.  I believe they are great fools.  Moreover, I note that 
almost without exception, they try to place the cost of their 
missteps on the world at large, and the responsibility for policing 
privacy in the hands of others.  "It was not my fault that I left the 
letter sitting on my desk knowing that the spy convention was about to 
walk in," they whine, "Someone should DO something about all this 
immoral letter reading.  There ought to be a LAW.  How can >I< be 
expected to stop all these spies?"

Is it not clear that allowing this mentality to persist is an unwise and  
dangerous thing?

"Gentlemen do not read other's mail," while noble, clever, and a 
wonderful bit of public relations, ignores the basic reality of the 
modern age.  There are few gentlemen anymore, and even those occasionally 
stumble upon something they might not be entitled to examine.

Not only is crypto smart, but it distributes the (increasingly small) 
costs of protecting data properly.  It puts the burden on the 
least cost avoider, and the individual with the best access to full 
information.  "What is this data worth?  What would exposing it cost 
me?  How much is it worth to spend protecting this data?"  Who better to 
answer these questions than the owner of the data?  How easier to 
protect it than by the negliagable cost of encrypting it?

Not only does placing the burden of data protection on Government or 
society at large miscalculate and misplace the incentives for the 
protection of the data, it also places the selection of degree and method 
of protection on the wrong party as well.

In the end it also causes an undue amount of waste.

When Mr. May indicates that he does not use PGP very often because he 
finds it too much trouble to use for most mail, he is part of a process 
that in the aggregate must save millions of hours and dollars.  He is 
making a decision that data X is only worth an expenditure of Y to 
protect, and that PGP represents an expenditure higher than Y.  
Expenditure Y is thus saved, as would be unlikely in a government program.

Who among us would argue that government, the phone company, or the 
church would better make this judgment?

I would bemoan a world where gentlemen actually never read each other's 
mail.  Such a world would be so vulnerable to the "first market entry" 
into the business of mail reading as to be almost beyond salvage.  A 
certain First Minister of France comes to mind who, by his non-observance 
of the religious restricitons of the day and his alliance with 
traditional enemies of the Church, reduced Germany to 250 years of 
fragementation and assured that, for a time, France was the greatest 
power on earth.  "If there is a God," it was said of him, "the minister has 
much to account for.  If not, well, he had a good life."

The evil snooping man is hero from one perspective.  He is the incentive 
to be risk averse.  He is the skeptic who says that the market is not 
efficient and bets against it and so makes it efficient once more.  Moral 
utopia of the kind that would see no peeping tom's is a fantasy, and the 
evil man a-plenty saves us from Germany's fate.

So then we should brand Mr. Stimpson as a fool, and a liar.  Or at best, 
perhaps a convert who realized quickly (or not so quickly) the error of his 
ways and fell into proper line in his later embrace of signals intelligence.

At the very least we might apply a less optimistic creed.

He who builds on the people builds on mud.

---
My prefered and soon to be permanent e-mail address: unicorn@schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55  E16D5378B81E1C96 - Finger for Current Key Information