1994-11-30 - Censorship In Cyberspace 5/6

Header Data

From: rarachel@photon.poly.edu (Arsen Ray Arachelian)
To: anavarro@pipeline.com
Message Hash: a38cb8edb63f9c39b97c5c1beb2f062c4e1a9049c68b89e0415d40dbba720b8f
Message ID: <9411302012.AA01012@photon.poly.edu>
Reply To: N/A
UTC Datetime: 1994-11-30 20:10:13 UTC
Raw Date: Wed, 30 Nov 94 12:10:13 PST

Raw message

From: rarachel@photon.poly.edu (Arsen Ray Arachelian)
Date: Wed, 30 Nov 94 12:10:13 PST
To: anavarro@pipeline.com
Subject: Censorship In Cyberspace 5/6
Message-ID: <9411302012.AA01012@photon.poly.edu>
MIME-Version: 1.0
Content-Type: text




          MODERATOR:  Well.  Getting back to censorship.  I'm not
quite sure what Phil Zimmermann is going to talk about, but I have
a feeling that unlike some computer experts that I've talked to who
think that the wide dissemination of encryption software like Phil
Zimmermann's Pretty Good Privacy make the Digital Telephony Act no
big deal because all the government will get is static when they
tap in on these new phones, I have a feeling that he is a little
bit more suspicious of the possibility of restrictive government
action.  So perhaps we can now find out what we might loosely call
"the censorship crunch" (ph) and what is going to happen in it. 
Phil Zimmermann.
          ZIMMERMANN:  How many people here know what PGP is? 
Okay.  How many people don't?  Okay.  Looks like we've got about
half and half maybe.  Well, I'm not here to talk about PGP mostly
but rather government policies, but I'll just talk about it a
little bit.
          Cryptography is the art of making secret writing.  It's
been around for a long time.  The problem is if I want to send you
a message I use a key to scramble that message up and then you have
to use the same key to unscramble it.  The problem is how do I tell
you what the key is?  Do I tell you over the telephone what the key
is to unscramble the message?  If I do that then it can be inter-
cepted, and so that's the problem with cryptography.  In fact that
has been the problem with cryptography since the days of Julius
Caesar.  
          But in the late 1970's some mathematicians at Stanford
and M.I.T. devised another kind of cryptography that solves that
problem of key distribution.  It's called Public Key Cryptography,
and the way it works is that there are really two keys.  One
encrypts, the other decrypts.  As a matter of fact the two keys
have a kind of yin-yang relationship so that either one will
decrypt what the other one encrypts.  This means that if you
generate a pair of these keys, everybody generates a unique pair of
keys for themselves, the keys have this mathematical relationship
like this.  They're kind of like Siamese twins.  And you separate
them at birth and you broadcast one of them to the world and put it
on all your business cards and in your telephone book and, you keep
the other one secret.  Then if anyone wants to send you a message
they encrypt it with the key that you published.  That's your
public key.  But you're the only person in the world that can
decrypt that message with the corresponding secret key.  
          This solves the problem of key distribution.  You don't
need secure channels to distribute keys beforehand.  With the old
way that cryptography used to work before Public Key Cryptography
came along, you needed a secure channel for the prior distribution
of keys.  Well, if you had a secure channel for the prior distribu-
tion of keys then why do you need to use any cryptography at all? 
You know, I remember my Mom used to tell me when I was a kid that
if you sprinkle salt on a bird's tail you can catch the bird.  And
for years I wondered about that.  You know, maybe there's something
about salt and birds.  But I finally figured out why you can catch
a bird if you can sprinkle salt on its tail.  So if you could get
a secure channel to distribute keys, then you've got the communica-
tion problem solved.  But maybe you could just send your message
through that secure channel.
          Well, with Public Key Cryptography you don't need any
secure channels.  So if you combine that with the technologies of
the Information Age, modems, personal computers, fax machines,
etc., then you have a really good synergistic combination of tech-
nologies that makes it possible for the first time for cryptography
to affect millions of people in their everyday lives.  In the old
days before Public Key Cryptography you would have to do this prior
distribution of keys.  Governments didn't mind doing this, because
they could put a guy on a plane to Moscow with a satchel handcuffed
to his wrist carrying keys to the Embassy there.  They don't mind
paying the salary of somebody and buying them an airline ticket to
do that.  But if you're going to talk to your cousin in Colorado
you're not going to do it by sending a courier carrying keys.  So
cryptography never had a chance to affect the lives of millions of
people until Public Key Cryptography was invented and personal
computers and the Information Age came along.
          Well, how many people here don't know what the Clipper
Chip is, or haven't heard of it?  Or just don't know what it is? 
Okay.  I see almost everybody does.  I'll just say a couple of
words, but I'll abbreviate my remarks about the Clipper Chip.  The
Clipper Chip is an encryption device that the government is making
for us that they hope we'll put in all of our telephones.  It
encrypts our telephone conversations so we can talk to other tele-
phones that also have the Clipper Chip.  The trick though is that
at the time of manufacture the government puts the keys for encryp-
tion and decryption in these chips, and they keep a copy of these
keys for wiretap purposes.
          You know, I haven't talked to an audience where it wasn't
immediately obvious to everybody that there's a problem with that
as far as -- you know, I was talking on the phone the other day
with the General Counsel of the NSA.  I'm going to be debating him
next week in Los Angeles and so we were talking about what we were
going to do in the debate.  And I made the remark that there is a
difference in attitude between people on the inside and people on
the outside.  What I was talking about of course was inside the
government, and in particular the law enforcement and the intel-
ligence agencies.  He said something like, that I was assuming a
lot to think that it was just people on the inside who were for the
Clipper Chip, and, you know, I just -- I don't remember running
into too many people on the outside that felt differently.  
          The government is trying to at first not pass legislation
to make us use the Clipper Chip but rather to use government spend-
ing power to make an awful lot of Clipper Chips deployed.  They're
using government spending power both to buy Clipper Phones that
have the Clipper Chip in it and then they're going to use govern-
ment spending power to require government contractors to buy
Clipper Phones if they want to talk to the government.  Well, this
kind of gets the production lines going and brings the cost down. 
It makes it cheap enough so that it can be used more and more by
the general population, the related chips to the Clipper Chip.
          It's not just the Clipper Chip.  There's a whole series
of chips the government's making.  Capstone (ph) is another chip. 
They have this little card, a PCMCIA card.  It's something that
slips into your personal computer, into your notebook computer,
that they're calling the Tessera Card, and the Tessera Card has got
something similar to the Clipper Chip in it and it can do digital
signatures, and they want you to file your taxes with it electron-
ically.  You know, it's funny.  They call it the Tessera Card.  Now
I looked up "tessera" in the dictionary.  I've got one of those
giant, thick dictionaries.  And tessera is a name that ancient Rome
had for these little cards that were kind of like that, the size
and shape of a Tessera Card, kind of a tile.  And it was an
identity card.  And slaves were required to carry it, and if you
didn't they could chop your head off or something awful like that. 
And I thought what a brilliant stroke of naming, you know?  Who
thought of that?
          I was talking to Clint Brooks, the Assistant to the
Director of the NSA, in Los Angeles a couple of months back.  We
were on a panel together to argue this point.  And he said that he
was the one who named the Clipper Chip, and he was thinking that
for these things, for example the Clipper Chip may not have been
the best choice of names for it because people think of clipper as
clipping the wings of democracy.  Of course cryptographers like to
rearrange letters and things because we like to do that, so we kind
of just moved a couple of letters around and called it the Cripple
Chip.  
          So anyway what they're trying to do is to use government
spending power to change the facts on the ground.  Not by legis-
lation, but by changing the facts on the ground.  We don't have any
laws requiring us to use 120 volt AC power, but we do.  When was
the last time you saw a 48 volt vacuum cleaner?  It's the tyranny
of the installed base.  That's why, you know, all computers are
Windows or MS-DOS computers or Macintoshes.  It's something that,
if it's out there and it's -- deployment wins, in other words. 
Well, the government is not the only ones that can change the facts
on the ground.  I can change the facts on the ground.  I've already
done that to some extent.  And I'm going to do it some more.
          You know if we wake up one morning with 100 million
Clipper Phones installed it's going to be too late to worry about
changing government policy.  It doesn't matter who we elect
President.  We could have somebody elected President that says,
"Elect me and I promise to get rid of all these Clipper Phones." 
It won't do any good at all.  The installed base and the technology
infrastructure is more powerful than a government, is more powerful
than government policy.  There is no way we could change, you know,
our power standards.  There is no way that a government can decide
that we're not going to use PC's anymore or something like that. 
So that's what they hope to do with Clipper.
          Well right now PGP, Pretty Good Privacy, a program that
I wrote that does E-mail encryption using Public Key Cryptography
and using other algorithms that were chosen from the academic
literature, the most powerful algorithms, the ones that had been
the best peer reviewed, not my own home grown invented algorithms,
because those had not been through the kind of peer review it takes
to stand up to major governments.  PGP uses the best algorithms in
the academic literature.  
          PGP has become the most widely used program in the world
for E-mail encryption, bar none.  Nothing else comes even close. 
It's used all over the world.  It's used in Burma by political
opposition groups in Burma, freedom fighters in Burma.  Burma has
an absolutely wretched government.  They torture and kill thousands
of people.  They have a Nobel Peace Prize Laureate in custody in
Burma.  They're being trained to use PGP in Burma in jungle
training camps on portable computers.  They take this knowledge to
other jungle training camps and teach them too.  I talked to
somebody who's connected with those groups and they tell me that
it's raised morale quite a bit because before PGP came along
captured documents would lead directly to the arrest and torture
and execution of entire families.  
          I talked with a guy who was a human rights worker in
Central America.  This was at the offices of the American
Association for the Advancement of Science in Washington.  They
have a human rights group there.  And he told me that he was
documenting atrocities, death squads, and he encrypts his files
with PGP.  But if the government found his files they would go and
kill all his witnesses, probably not very fast either.  PGP is
saving lives there.  I gave him a few pointers on good disk
hygiene, how to keep his stuff clean, not just -- using PGP alone
isn't enough.
          Well, my next project is a secure voice project.  I just
a couple of nights ago spent about a half an hour talking to one of
my lawyers over it.  I haven't put the encryption in yet.  It does
it all without encryption.  But you talk into your personal com-
puter with a SoundBlaster board that compresses your voice, digi-
tizes, compresses and encrypts your voice, sends it out through a
modem, and at the other end it reverses those steps.  So we have
this in test now, and I hope to release this through M.I.T.  
          M.I.T. is the current official publisher of PGP.  They
have what is known as an FTP (ph) site.  That's something on the
InterNet.  It means that anybody can get a file from their computer
by just reaching in and grabbing it.  But their FTP site is
structured in such a way that people outside the United States
can't do that.  They won't let people in from outside the United
States.  And not only that, even if you're inside the United States
it makes you answer a questionnaire saying that you are an
American, that you're not going to export this and promise not to
export it, and if you answer yes to the right questions it will let
you get PGP.  It didn't take very long before PGP showed up in
Europe after that, probably the same day.  Information wants to be
free.  Apparently that applies to free software more than anything
else.  
          PGP was published in June of 1991 initially.  It spread
like dandelion seeds blowing in the wind.  It didn't take very long
for it to spread to Europe.  Now M.I.T. with their lawyers and
their prestige is standing there publishing PGP in a way identical
to the encryption methods that they have used for publishing other
encryption software without any previous harassment by the federal
government on their doing it improperly, so they haven't gotten any
complaints about the way they're publishing PGP either.  All future
versions of PGP for the foreseeable future are going to be pub-
lished that way, so I hope that that will protect it.
          You [Corn-Revere] mentioned the Carr (ph) case.  There is
a book by Bruce Schneider called Applied Cryptography, and it has
encryption algorithms in it.  I liked it.  I like the book, the
preface of the book.  It's good.  He says, "There are two kinds of
cryptography in this world:  the kind that can prevent your kid
sister from reading your messages and the kind that can prevent
major governments from reading your messages.  This book is about
the latter."  You know, I wanted to steal that line for my book
because he stole many lines from my book in his book without an
attribution.  But that's okay because information wants to be free
and I like to be quoted even if he doesn't credit.  So I might call
up Bruce and ask him if I could put that in my preface for that
book.
          A guy named Phil Carr took Bruce Schneider's book and
applied for an export license.  Actually he applied for a
commodities jurisdiction grant by the State Department that the
book can be -- that this item can be exported.  It was immediately
granted, because it was a book.  He then applied for a CJ, commo-
dities jurisdiction, to export a floppy disk containing the same
source code in the book, exactly byte for byte the same source
code, and they said no.  He has appealed it.  They said no again. 
Members of my own legal defense team are helping in his appeal. 
This is a multifront war.  You know, it's funny.  The number of
lawyer jokes that I've told has gone down in the last year.  I'm
starting to run into lawyers that are actually men of conscience. 
It's great.
          I'm about to publish the source code for PGP in a book
through M.I.T. Press.  Books may be exported.  I'm going to put it
in an OCR font.  We're going to apply for a commodities jurisdic-
tion.  We're probably going to get it, we presume.  If they don't
it's going to be the first time that it was ever declined for a
book and I think the press would probably make much of that.  They
probably know that, and they'll probably take that into their
calculations when they decide whether to grant this jurisdiction. 
If they do that then I'll also publish the secure voice project I'm
working on in a book through M.I.T. press and see what happens with
that.
          The government is -- you know, I found this interesting,
the point about the different media affecting what the government
tries to say, what we have free speech in.  When telephones were
first invented there was an attitude in the government that you
could wiretap these things without a court order because they
didn't go into your house to do it.  It was not a violation of the
Fourth Amendment of unreasonable search and seizure because they
could just go down the block and attach their alligator clips to
the copper and that would be all that's needed.  So it took fifty
years of litigation to come up with the idea, or rather to
establish the idea that you need a court order to do a wiretap. 
          Well, we're facing the same thing again on the InterNet. 
When the Founding Fathers made the Constitution they didn't think
it was necessary to say that we had a right to a private conversa-
tion, because there was no technology at the time that made it hard
to have a private conversation.  If you want to just go talk behind
the barn with somebody you can say whatever you want and you don't
have to worry.  You don't have to codify it in the Constitution
that you're allowed to do that.  But now most of our conversations
are over copper or glass fiber.  Most of the people I talk to I've
never seen the face.  Maybe I will when they have those AT&T
things.  Have you ever had a $10,000 phone bill?  I know I don't
plan on installing a videophone in my house, because most of my
East Coast clients think that I wear a suit all the time.  They
don't know how I work.
          I ought to be able to whisper in your ear even if your
ear is 1,000 miles away.  And the government says I can't do that,
and that's what this whole thing is about, removing all of our
communication from vibrating air molecules to photons.  As more and
more of our traffic switches to electronic media it becomes more
and more lucrative to tap into it.  You can't read all the paper
mail.  The government can't read it all.  They can read one per-
son's paper mail if they target somebody, but they can't read it
all.  It's too much work to read everyone's paper mail.  But they
can read everyone's E-mail.  A single government computer could
scan every single piece of E-mail in the country, all of it, every
day, constantly.  
          Now I'm not saying they do that, but the technology
exists that they could.  And it could scan for subversive key words
and it could look for political troublemakers.  It could look for,
you know, the next anti-Vietnam War protesters or the next civil
rights protesters or the next environmental protesters, whatever
the issue of the day is.  Some unpopular war or something like that
could come up again, and they'll be able to find people who are
talking about it.  What could Joe McCarthy have done with these
kinds of tools?  
          What about traffic analysis?  What about all these E-mail
headers that say who it's from, who it's to, what the subject is
and so on?  I think this means that we should try to encrypt all of
our E-mail, because that's the only way to put it back the way it
was with paper mail.  In fact it puts it beyond that.  This is not
a black and white issue, because there are some downsides to this. 
There's never been a time in our history where it's been possible
to place information beyond the reach of the collective efforts of
society, but with modern cryptography you can.  
          You know, if you put information in a bank vault you can
always get it out with dynamite or welding torches or something
like that.  I remember in Butch Cassidy and the Sundance Kid, you
know, the dynamite, where it's raining money, you know?  Used
enough dynamite there, Butch?  You can always get that information
when it's physically protected.  But it's now possible for the
first time in history to place information beyond the reach of the
collective efforts of society.  The Gross National Product is not
enough to get it out.  It takes less energy to make a round trip to
the nearest solar system than it does to compute the prime factors
of some large composite number.
          I'm going to read you a quote that I got from a guy in
Latvia.  I always read this quote, so to those of you who've heard
me speak before I apologize for the repetition.  I got this, it was
sent to me by E-mail, on the day that Boris Yeltsin was shelling
his Parliament building in October of '93.  It says, "Phil, I wish
you to know.  Let it never be, but if dictatorship takes over
Russia your PGP is widespread from Baltic to Far East now and will
help democratic people if necessary.  Thanks."  That's the best
mail I've ever gotten on PGP.
          I want to read you a quote that Louis Fried (ph), FBI
Director Louis Fried, said recently at a conference on global
cryptography, on September 26th.  Steven Levy (ph) put a question
to him about what would happen if Clipper doesn't catch on, doesn't
get wide acceptance.  What would the FBI do in response to that. 
Would they outlaw other kinds of cryptography?  
          Here's a transcript of this:
     At first they didn't understand this question.  "You mean
     if the software that we write doesn't work?"  He said,
     "No.  If all you get is encrypted forms and you can't
     decipher them."  "The terms of encryption being a
     voluntary standard?"  Steven Levy said, "Yes."  The
     answer from Louis Fried, FBI Director, was, "Oh, yeah,
     definitely.  If five years from now we solve the access
     problem but what we're hearing is all encrypted, I'll
     probably if I'm still here be talking about that in a
     very different way.  The objective is the same.  The
     objective is for us to get those conversations, whether
     they're by an alligator clipped on ones and zeros [it's
     kind of garbled, I think] ... whoever they are, whatever
     they are, I need them."  
          It was obvious to everyone there who got a little bit
clearer view of it than the transcriber of the transcript here that
what he was talking about is that he would seek legislative relief, 
in other words outlaw other kinds of cryptography.  This is the
first time an Administration official has said something along
these lines.  
          Just a couple of weeks back the FBI Wiretap Bill passed
requiring phone companies to build all their equipment wiretap
ready.  The analogy to this is requiring new home builders to put
video cameras wired to a police station, with a promise to only
turn them on with a court order.  The assumption is that as we
build a new technology infrastructure we have to guarantee to the
police, to the government, that they will have access to our
private communications.  
          This is a dangerous precedent.  The FBI Wiretap Bill
passed without too much trouble, largely in part because of the
efforts of the Electronic Frontier Foundation I'm disappointed to
say.  John Curry Barlow (ph) made the remark that he could have
changed the vote of one of the Senators, and he told him to go
ahead and vote for it because it was in the EFF's view the best
deal they could get.  I think that we could have stopped it.  Last
year it was introduced and it didn't get a single sponsor.  This
year it had money in it for the phone companies to pay for the
infrastructure changes.  The phone companies stopped opposing it
for that reason.  We can't let some future legislation come down
that will slip by us that outlaws other kinds of cryptography. 
Cryptography is our one guarantor of privacy on the Information
Superhighway, the Infoban.  I was talking to a Swedish reporter
recently and I used the word "Infoban," and he said, "Oh, I wish
you wouldn't use that word.  It sounds too German.  So I understand
the new word is I-way.  I saw that in Wired.  It's a little too hip
for me.
          We have to stop this.  There's only one chance to fill
with this technology niche.  You see, your voice is going to be
digitized at your telephone not down at the office, so there's
going to be a computer in your phone.  And once it's digitized it's
practically free to encrypt it.  It will be encrypted.  The
question is will it be encrypted with technology that we control or
technology the government controls.  
          If we build a technology infrastructure that some future
government might inherit, a future government that could be a bad
government -- you know, sometimes economies change.  Germany in the
1930's, Russia in the 1990's, we don't know where our economy will
be twenty years from now, thirty years from now.  A government
could emerge with fascist tendencies.  If they inherit a technology
infrastructure that allows them to monitor every movement of their
political opposition, every transaction, every conversation and
every communication, every bit of travel, then they'll be able to
hold onto power.  It could very well be the last government we ever
elect.  I think if you're trying to analyze technology policy you
should ask yourselves what kinds of technologies would strengthen
the hand of a police state, and then don't deploy those technolo-
gies.  This is a matter of good civic hygiene.
          So that's about all I have to say.  I guess we can have
our question and answer period.

                          *     *     *





Thread