From: jim bell <jimbell@pacifier.com>
To: Eric Verheul <cypherpunks@toad.com>
Message Hash: 935cbb7e877d41eea61ad245253f45cb5f7861d5395411776557181af3b8d0aa
Message ID: <199610101746.KAA28742@mail.pacifier.com>
Reply To: N/A
UTC Datetime: 1996-10-10 17:48:40 UTC
Raw Date: Thu, 10 Oct 1996 10:48:40 -0700 (PDT)
From: jim bell <jimbell@pacifier.com>
Date: Thu, 10 Oct 1996 10:48:40 -0700 (PDT)
To: Eric Verheul <cypherpunks@toad.com>
Subject: Re: AW: Binding cryptography - a fraud!
Message-ID: <199610101746.KAA28742@mail.pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain
At 09:05 AM 10/10/96 +-100, Eric Verheul wrote:
>>I am at the same time dismayed and disgusted at the tendency of some
>people
>>to want to "detect fraud" on the part of ordinary citizens, as this paper
>>appears to want to do, but says _nothing_ about preventing fraud
>>_by_government. How is the average citizen to know if keys are being
>given
>>out to government agents for valid reasons?
>
>First of all, that (and the legitimacy of "wiretaps" in general) is
>something that should
>be regulated in national law (including procedures, checks and balances,
>penalities).
Procedures which aren't followed. Checks and balances which don't.
Penalties which aren't enforced, etc. That sort of thing? Why not spend
your time working on a system to enforce the law...AGAINST THE GOVERNMENT!
> Maybe
>you have the opinion that that is impossible to achieve, [or at least that
>making wiretapping
>as such by government impossible is the only satisfactory way of doing it
>(-; ].
Currently that's the best way, and it may turn out to be the only way.
>Our concept
>assumes that it is possible and acceptable, although legislation (and
>especially appliance of
>it) in some countries might be improved..
But it won't be, and you know that. And if anything, the system you've
described seems to be intended to allow governemnts to become even more
restrictive. Currently, one of the problems facing government is that even
if they want to illegalize non-escrowed encryption, they can't easily do it
because escrowed encryption would be faked, or super-encrypted or... Give
them a tool to figure out who'se using "espionage-enabled" encryption, and
you've practically invited them to illegalize all other forms.
Is that really a step forward? Or a few giant steps backwards? I think
it's the latter. Why strengthen their hand? Why help them tyrannize us?
>
>Second, the concept is flexible in the choice of Trusted Retrieval Parties;
>we have the opinion
>that if you don't trust the existing TRPs then, hey, setup your own TRP. We
>believe that should be possible (and forsee serveral "privacy-protecting"
>organisations doing so). However, as you don't
>want to have criminals setting up TRPs, some legislation on this point
>should be made...
What about a "TRP" operated by an organization which says, in effect, that
they don't believe that wiretapping is constitutional, so until it's proven
to their satisfaction they're going to refuse all requests for keys?
They're not "criminals", right? But if legislation forces them to do what
they consider the wrong thing, just how "wrong" does it need to get before
they can refuse?
In addition, I object to the concept of wiretapping without informing those
tapped. Part of these "escrowed-encryption"/GAK proposals is usually a
statement that keys will be released to the government without informing
those targeted. If this system is truly "voluntary" why can't I insist on
being informed?
>Finally, as said in the announcement:
>"In [VKT], we explain how we envision the framework in which the binding
>concept could present a security tool in the information society."
Thumbscrews could also be considered "a security tool." Right?!?
>>I am further enraged by the last portion of the paragraph above where he
>>says, "fraud can be properly discouraged _and_punished_" Why "punished"?
>>Why call it "fraud"? Why should sending the "wrong" bits become a crime?
>>The US government, for example, has repeatedly claimed that key-escrow
>>systems should be "voluntary." Presumably, except for authoritarian and
>>totalitarian countries, no other country should force their own citizens
>or
>>others to use any sort of key-escrow/GAK system.
>
>Wait a minute. It is a *voluntary* system, but it has some rules that
>apply. The whole
>idea here is: if you don't like it, use your own system. "Fraude" refers to
>using the
>system without sticking to its rules, maybe fraude has a wrong connotation.
Well, you'd better be careful about your terms. But the term "voluntary" is
really far more troublesome at this point than "fraud." "Voluntary"
implies no coercion, but when the US government enforces laws against
encryption exports UNLESS a company agrees to develop GAK'd systems, how
"voluntary" is that, really? I'd say that the system isn't intended to be
"voluntary" at all, but it's intended to look that way, sorta, in a somewhat
darkened room if you squint real hard.
It's the "1984" version of "voluntary", right?
>>Maybe I'm biased: I'm a libertarian who believes that sending the wrong
>>bits shouldn't be considered a crime. The problem we have is with the
>Depends, it might be childrens pornography. The information society is
>*not* about bits, but about information.
Under the circumstances, I can't support ANY such prohibitions. All of the
"usual suspects" are being dragged out just to be able to support GAK. The
real goal is tyranny, not the elimination of "drug smuggling, terrorism,
organized crime, child pornography, etc."
>>politicians, NOT primarily the criminals. Giving the government the
>ability
>>to punish people merely for sending the wrong bits (absent some other,
>REAL
>>crime) is an enormous step backward. And if they're guilty of a real
>crime,
>>why bother about the bits?
>In a democratic country one needs evidence to convict someone.
Wishful thinking, I see. You also need a crime, right? Well, make the
use of non-GAK'ed encryption a crime, and there you have a crime! Make it
easy to detect use of non-GAK'd encryption (as you are doing) and you've
send us all down a short road to an authoritarian or even a totalitarian
government.
>>Even if I believed in GAK, which I don't, I don't think governments or
>>anyone else should be able to determine whether the "correct" code is
>>included with the data until and unless the government has a valid
>warrant,
>Code is checked (on protocol compliance) by third parties all the time.
>They
>should not get any wiser from it, that is the point
No, the government's ability to verify GAK'd software without the decrypt
key allows them to focus their harassment/enforcement on those who choose to
be different and not fit in. Ask your parents or grandparents about yellow
stars and pink triangles, if you have any doubts that governments want their
primary targets to be easily identifiable.
I believe that the government should absolutely NOT have the ability to know
who is using "GAK-ok" software. If they get what they believe is the key
and it doesn't work, they'll know soon enough. They're no worse off than
they were before, are they?
The only think your invention is going to do is to help the government ban
good encryption.
Jim Bell
jimbell@pacifier.com
Return to October 1996
Return to “jim bell <jimbell@pacifier.com>”
1996-10-10 (Thu, 10 Oct 1996 10:48:40 -0700 (PDT)) - Re: AW: Binding cryptography - a fraud! - jim bell <jimbell@pacifier.com>