From: jya@pipeline.com (John Young)
Date: Mon, 3 Jun 1996 13:12:37 +0800
To: cypherpunks@toad.com
Subject: NRC Session Hiss
Message-ID: <199606030150.BAA27932@pipe2.t1.usa.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   During the Q&A of the NRC public session, it was asked why 
   56-bit DES was selected as the standard of export over 
   other widely distributed programs such as PGP. 
 
   The panelists seemed to me uneasy in answering this. 
   Primarily their view was that DES was "ubquitious," well- 
   known and tested by use. 
 
   However, when pressed by later questioners on this topic, 
   they expanded their view: that if another, stronger, 
   program became "ubiquitous" -- in wide use -- they would 
   support it as the standard of export. When it was pointed 
   out that PGP now fit this definition, the panel merely 
   repeated the statement about ubiquity without specifically 
   affirming or denying the PGP claim. Their poker faces 
   seemed uniformly in place to dampen a potential 
   inflammatory topic. 
 
   Perhaps other attendees will amplify this odd demeanor, but 
   it seems to me that the panel was attempting to avoid 
   commenting one way or the other on PGP's worldwide ubiquity 
   for unstated reasons. 
 
   I wonder if this was a nudge to the audience that the 
   informal spread of unapproved encryption is the best way to 
   establish its ubiquity and thereby to set a new standard 
   for export, sort of under the noses of the authorities -- 
   as if PGP was exemplary. 
 
   Recall that this fits the Clinton administration's way of 
   getting around the Croatian arms embargo -- the "no 
   position" position of sidestepping legality. 
 
   Also, I wonder if the panel wants avoid an open conflict 
   with the administration, the LEAs and the security agencies 
   about PGP. (Or do they know something about PGP that we 
   don't know, or have been led to think they do?) 
 
   Peter Neumann had pointed out earlier that crypto was going 
   to be ubiquitous, and fairly soon, no matter what. He noted 
   that it is the NRC's recommendation that LEAs take the 
   "long-term, pro-active" view about this and get on with 
   developing other technologies, and training personnel in 
   them, to fight computer crime -- like traffic analysis, 
   packet trace, etc. -- and to accept that prohibiting and 
   cracking crypto is not effective. (This may have been 
   diversionary, but he seemed sincere.) 
 
   Perhaps the panel is agreeing the crypto genie is out of 
   the bottle, and are advising the authorities to recognize 
   that stronger and stronger crypto is going to become 
   ubiquitous, and it's time to move on to other, presumably 
   less ubiquitious, cyber-crime fighting technolgies. 
 
   Perhaps the committee was briefed on these technolgies, or 
   maybe some members are even developing them -- Mr. Neumann, 
   for example, in conjunction with Ms. Denning, et al. 
 
   Those who plan to attend the June 6 session might want to 
   pursue the "no position" position about PGP's ubiquity, and 
   why. Diversionary sop, say, to cover the promotion of non- 
   crypto invasion of privacy. 
 
   Further, it would be helpful to learn more about what the 
   the committee members were told about "long-term" cyber- 
   surveillance technologies in the pipeline. 
 
   What bothered me more than anything else about the session 
   was that individual privacy got such short shrift by 
   panelists and by the audience.  While there was a bit of 
   discussion on personal privacy protection, government and 
   business, and their mutual back-scratching, seemed to the 
   the primary focus. 
 
   Pretty Lousy Privacy appears to be in the works, judging 
   from what was not disclosed in the session (and in the 
   report) about two 800-pounders working in concert at 
   citizen data gathering, mining, selling, controlling, 
   dominating -- at the expense of individual privacy, and, 
   shout it, liberty. 
 
   Peter Neumann got to me when he described the "downside" of 
   anonymity, encryption and security: how can we know who are 
   the criminals if we don't for sure who is who and know for 
   sure who is doing what? Not a single panelist disagreed 
   with his statement about this, but then I heard only a few 
   snorts from the criminal-fraught-fed audience. 
 
   I kept mum. Jesus, who knows who was recording every 
   titter and hiss -- besides anonymous beside me and me.