1996-03-27 - Re: So, what crypto legislation (if any) is necessary?

Header Data

From: shabbir@vtw.org (Shabbir J. Safdar)
To: tcmay@got.net (Timothy C. May)
Message Hash: c6b85917e5ff6d8f0cae9fa442d95dc21504d9580e6ded2ed5c1f4bb5b1b46ed
Message ID: <199603260852.DAA24892@panix4.panix.com>
Reply To: N/A
UTC Datetime: 1996-03-27 23:13:11 UTC
Raw Date: Thu, 28 Mar 1996 07:13:11 +0800

Raw message

From: shabbir@vtw.org (Shabbir J. Safdar)
Date: Thu, 28 Mar 1996 07:13:11 +0800
To: tcmay@got.net (Timothy C. May)
Subject: Re: So, what crypto legislation (if any) is necessary?
Message-ID: <199603260852.DAA24892@panix4.panix.com>
MIME-Version: 1.0
Content-Type: text/plain


I read Tim's comments with enthusiasm, as I think we agree on many 
things.  I, as well, wish for a world where there is crypto so
heavily proliferated that all the regulations in the world cannot
either hinder or help get it into the hands of the public.

In the meantime, Tim advocates putting good code out there for people
to use, racing to the point of no return.  I don't disagree, but that's
not where my talents lie.  Mine lies in keeping Congress from doing damage
today, a strategy which Tim may call very short term (getting good code
out and well-deployed is long term) but hey, it's what we do.

Let's hope we both arrive at that end in time to retrospect about
strategy.  I must agree though, watching legislation is a lot like
watching sausage being made...

-Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW)
 http://www.vtw.org/ * Defending Your Rights In Cyberspace

PS If you're going to be at CFP, stop me and say hi.

Timothy C. May writes:
>At 7:08 AM 3/26/96, Shabbir J. Safdar wrote:
>>Timothy C. May writes:
>
>>>I don't see any compelling need for U.S. legislation. And given the
>>>pressures to attach all sorts of language to bills, I think it best that no
>>>legislation happen.
>>
>>Unfortunately, this is not an option.  Legislation will happen, with our
>>endorsement or without it.  One good example is the Grassley computer
>>crime bill earlier in 1995.  Nobody advised him on this, as far as I can
>>tell, he just went out and drafted it.  Lo and behold, he drafted a
>>provision that basically criminalized all crypto, including rot13.
>
>Of course I am not saying everyone should just be silent. Various
>organizations, including Shabbir's own very able VTW, do a good job in
>challenging bad laws and helping to make the "political sausage" which is
>so very disgusting to watch being made.
>
>My point is that I see no compelling legislation that is needed. If enough
>people in Washington really want increased length in _exported products_
>(remember the "exported" part), the Congress and the President should find
>it easy enough to get said products on to the Approved List. (I note that
>the Leahy Bill really doesn't change this system anyway...some products go
>on the list, some don't...the law only seems to say that when the horse has
>already left the barn, i.e., when "comparable" products are already in
>fairly wide use outside the U.S., then the products should be put on the
>approved list. Big deal.
>
>And my meta-point, repeated in several recent posts, is that compromising
>on very basic liberties for the sake of a "deal" to let Lotus or Microsoft
>or RSADSI have one uniform, "world" product is a very bad deal.
>
>(Key length alone is not an answer, anyway. Domestically we can have
>arbitrary key lengths, with no limits on strength. So, will a "world
>version" be limited to 64 bits (at best)? Will I, as an American, be forced
>to limit myself to this "world" length? This is a compromise of my
>liberties, just for the sake of simplifying the inventory control problems
>of Lotus and Microsoft! And it still doesn't address the many points we've
>discussed over the years about superencryption, rogue programs, and access
>by foreign LEAs.)
>
>Granted, the Leahy Bill does not explicitly mandate key escrow, whether
>TIS' CKE/SKE or Lotus' "40+24" crypto-with-two-heads scheme. But it
>includes language that suggests a role for government in key escrow and
>even says escrow holders may not notify the subject of a subpoena that his
>key has been snarfed by the Feds. (Superficially, this resembles wiretaps,
>except that one's escrow agent may be one's lawyer, or mother, or business
>partner....it makes for messy situations.)
>
>I'll have to move on to Shabbir's other comments.
>
>>We have to wake up and learn from the fight against the net censorship
>>legislation.  This is realpolitik.  Congress will legislate crypto,
>>whether we want them to or not.  This is not news anyone wants to hear,
>>but we have to face up to it.
>
>Be my guest. You're in Washington, you're connected, you're in a position
>to lobby. I only speak for myself, and my views. I am 3000 miles away from
>D.C., and have no intention of visiting that mosquito pit (I grew up
>outside of D.C.).
>
>I put my argument efforts into this mailing list (and Cyberia, until
>recently). If people want to read my arguements, they can subscribe, or get
>the occasional article forwarded. Frankly, I don't think my brand of
>political philosophy fits, and I'm not going to change my political
>philosophy just to help Lotus or Microsoft get approval to export a 64-bit
>version of "Lotus Notes" or "Bob."
>
>>Congress has discovered the net, and partly though the widespread fame
>>of this list, they have also discovered crypto.  Simply saying, "we don't
>>want any laws that address crypto" may be the ideal solution, but that won't
>>stop them from passing laws that govern the domestic use of crypto.
>
>Well, this is when things will get exciting. This is the Real Battle (tm)
>we've all been anticipating: laws on domestic use of encryption. Maybe I'll
>share a cell with that guy who was caught writing in an unapproved
>diary...Winston Smith, I think his name was (CNN carried a report on his
>conviction..."Escrow is Freedom").
>
>Until then, the more Congress learns about the Potential Dangers of Crypto,
>the worse for us. (I had a noted lobbyist approach me about speaking before
>a committee...when it became clear to him that I wasn't interested in
>giving a "See Dick read, see Jane encrypt" PR blurb for crypto, he realized
>I was not the right person. Frankly, the ACLU and that sort can do a
>perfectly fine job on the "basics" of crypto, the 10-minute version (that
>still leaves the Congressfolks in a haze).
>
>Aside: My hunch is that crypto legislation will languish. Until, maybe next
>year, maybe the year after, some major event occurs. Could be a new
>bombing. Could be a terrorist cell raided. But they will be found to be
>using PGP or somesuch (80% likely to be PGP), with anonymous remailers used
>for breaking traffic analysis. The media will go into a feeding frenzy.
>John Holliman of CNN will be taken off his usual space shuttle duties and
>assigned to figure out what this crypto stuff is all about. Cathy Cleaver
>and Donna Rice will tie it into pornography. Ralph Reed will mutter about
>the Number of the Beast. And drastic legislation will be proposed and
>passed. Don't forget that Clinton's Anti-Terrorism Bill, which predated OKC
>by a few months, came very close to passing (and may still...as of a few
>days ago it was still pending, though parts of it had been gutted).
>
>And what effect will Leahy's Bromide ("bromide: a soothing concoction")
>Bill have if such a crypto-facillitated incident occurs? None. It will be
>swept away as a sand castle is swept away by the incoming tide.
>
>So why bother? Why not instead "race to the point of no return"? (For a
>fuller description of this "point of return," the point at which
>sufficiently strong crypto has been sufficiently widely deployed so that it
>cannot be recalled, cf. my Cyphernomicon. The crypto anarchist point of
>view is that the genie is out of the bottle, Pandora's Box has been opened,
>for the good, the bad, and the ugly, and that legislation will matter
>little in the long run.
>
>To be sure, for people who live near Washington, whose interest is
>primarily in the political (the conventional political), then I can see why
>their interest is in helping Congress to craft better laws. But for the
>rest of us, we have our own work to do.
>
>
>>>* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S.
>>>companies, but is not _per se_ an issue I worry about. So long as I have
>>>strong crypto, I don't really care too much about export. It would be nice
>>>to get the ITARs modified, but not at the risk of adding language (such as
>>>Leahy did) making use of encryption a possible crime (we've debated this,
>>>so I won't elaborate here). Besides, I think the best way to overturn the
>>>ITARs is through a court challenge; as I have noted, even the NSA's lawyers
>>>felt that the ITARs would not withstand court scrutiny.
>>
>>Unfortunately, many U.S. software companies don't agree with you.
>
>This is fine. I don't expect them to agree with me. When one of them begins
>paying me a salary or sending me shares of their company's stock, then
>perhaps I will argue for their positions. (Not that I'm a sellout, just
>noting the obvious. They're looking to sell more products, at lower cost,
>which if not surprising. But if the price for "getting" approval for 64-bit
>export is some flavor of key escrow or limitations on domestic use, then
>why should we help them push for this?)
>
>>While I agree with you (I've got PGP, what's the problem?), several of
>>these companies are working through their trade organizations to introduce
>>and push crypto legislation to allow them to raise the key length in their
>>products.
>>
>>Put ourselves in their shoes for a minute.  They're sitting there, with
>>their 40 bit products, knowing that it blows chunks.  They want to
>>produce stronger crypto, but know they won't be able to export it.
>>They talk to the company's attorneys, who speak to speak to the
>>lobbyists, and poof, a crypto bill.
>
>I outline the answer to this during the Netscape--Jim Clarke situation
>several months ago. The simple solution: have two versions.
>
>Version 1 has unlimited-strength crypto, no mandatory key escrow. It ships
>to domestic customers only, and can only be downloaded domestically (a la
>the PGP distributions).
>
>Version 2 is crippled. 40 bits, 45 bits, whatever. Maybe it has a set of
>hooks for attaching "local regulations" hooks (e.g., all versions of
>Netscape entering France must have no crypto, all versions entering The
>Islamic People's Republic must automatically cc: the secret police on all
>e-mail, etc.).
>
>These versions may or may not intercommunicate easily.
>
>The "added inventory" problems that a vendor faces are real, but he faces
>problems already with multiple languages (English, French, Spanish, German,
>Japanese, etc.), with multiple platforms, etc.
>
>Also--and this is seldom mentioned!--the inclusion of U.S.-mandated crypto
>restrictions may end up "opening the flood gates" for various other
>countries to demand their own versions (as noted above in the examples). If
>the U.S. stands firm and takes no stand, it will be very hard for Iraq or
>Singapore to demand special versions. But if the U.S. insists that packages
>have NSA-friendly provisions, so, too, might the other countries demand the
same. (A vendor may refuse to comply, but his hand has already been
>weakened by his acquiescence to the U.S. demands for a special version.)
>
>Thus, it is possible that the crypto provisions will actually _worsen_ the
>inventory problem. (As noted by so many others, what are the chances that
>France or Singapore or Iran will go along with the inclusion of NSA
>trapdoors in products their citizen-units and corporations will be using?
>Does anyone imagine that France will tolerate a version of Netscape being
>used by its corporations that the NSA can trivially break? Get with it.)
>
>But the issue raised by Shabbir is still this: corporations really want to
>ship stronger products and they'd like to be able to only have to develop
>and stock one version. So should we accept a weaker domestic encryption
>standard to let RSA and Lotus achieve this goal?
>
>(One can imagine many parallels with other products. Perhaps some countries
>only allow citizen-units to have access to .22 caliber firearms. Gun
>companies would like a single world standard. Does this mean gun
>enthusiasts in the U.S. should then lobby for the .22 as the allowable
>standard? Interestingly, at least some gun companies (names excised to
>avoid lawsuits) have exactly this position, that gun control laws are fine
>with them if it means they can ship more products and face less regulation.
>I am not equating Jim Bidzos, Ray Ozzie, or Jim Clarke to these folks, but
>am pointing out that the "interests of industry" are not always coterminous
>with the interests of citizens, or users, or free men.)
>
>There are in fact many situations where a corporation will gladly welcome
>government regulation. They can cement their own positions and keep out
>upstart competitors. There's a lot of evidence that some large electronics
>companies actually _like_ regulatory burdens, as it tends to make it very
>tough for a small company these days to start a production fab. I can thus
>see that some crypto and software companies would potentially make a deal
>with the devil if it increased sales and strengthened their "franchise."
>
>I've written more than enough, so I'll have to stop here.
>
>I believe what I have read from others, that the Leahy Bill is going
>nowhere. As to other legislation, I've never said people should do nothing.
>What I've said is that I place more faith in technology: the development of
>anonymous remailers, for example, does more to disperse unstoppable
>communication than any bill I've seen come out of Congress.
>
>And, frankly and bluntly, while I am not as extreme (in some ways) as, say,
>Jim Bell, in other ways I and many others of us are quite extreme. (I
>usually vote Libertarian, but even they are recognizing that they have no
>effect on Congress because the goals of Congress and of themselves are so
>far apart.)
>
>Were I closer to Washington, maybe I'd be more interested. But I'm not. I'm
>even too far from San Francisco to drive the 100 miles over mountain roads
>to stand in the rain with a placard being a spear carrier for some cause.
>
>Life is tough.
>
>
>--Tim May
>
>
>Boycott "Big Brother Inside" software!
>We got computers, we're tapping phone lines, we know that that ain't allowed.
>---------:---------:---------:---------:---------:---------:---------:----
>Timothy C. May              | Crypto Anarchy: encryption, digital money,
>tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
>W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
>Higher Power: 2^756839 - 1  | black markets, collapse of governments.
>"National borders aren't even speed bumps on the information superhighway."
>
>
>
>





Thread