1997-03-19 - (Fwd) lambda 3.01 - Your Customs Officer is Watching You

Header Data

From: “Charles Anthony” <canthony@info-nation.com>
To: cypherpunks@toad.com
Message Hash: ac7e893fc53a4d50651cf1d9745e0fe80adc513bff2872e2d9f5933a7b026f86
Message ID: <199703191543.JAA05103@bitstream.net>
Reply To: N/A
UTC Datetime: 1997-03-19 15:43:16 UTC
Raw Date: Wed, 19 Mar 1997 07:43:16 -0800 (PST)

Raw message

From: "Charles Anthony" <canthony@info-nation.com>
Date: Wed, 19 Mar 1997 07:43:16 -0800 (PST)
To: cypherpunks@toad.com
Subject: (Fwd) lambda 3.01 - Your Customs Officer is Watching You
Message-ID: <199703191543.JAA05103@bitstream.net>
MIME-Version: 1.0
Content-Type: text/plain

------- Forwarded Message Follows -------
Date:          Wed, 19 Mar 1997 11:07:46 +0100
To:            thorel@netpress.fr
From:          Jerome Thorel <jt@freenix.fr>
Subject:       lambda 3.01 - Your Customs Officer is Watching You

lambda 3.01

--> CDA countdown : The Supreme Court Has Some Clues
on Knocking Down the CDA
--> New in Cyberspace: The Frontiers Are Back!
Your Customs Officer Is Watching You
--> Crypto Update : France and the OECD

*	*	*	*	*


Well before the U.S. Supreme Court hears arguments on the constitutionality
of the CDA, David Sobel, EPIC's legal counsel, reminded the electronic
community that the Court handed down a decisive decision two years ago.
Excerpts from the EPIC Alert 4.04 newsletter herewith:

--- begin fwd message ---

To avoid potential criminal liability under the CDA's "indecency"
provision, information providers would, in effect, be required to verify
the identities and ages of all recipients of material that might be deemed
inappropriate for children. If upheld, the statutory regime would thus
result in the creation of "registration records" for tens of thousands of
Internet sites, containing detailed descriptions of information accessed by
particular recipients. These records would be accessible to law enforcement
agencies and prosecutors investigating alleged violations of the statute.
Such a regime would constitute a gross violation of Americans' rights to
access information privately and anonymously.

Two years ago, the Supreme Court upheld the right to anonymous speech in
McIntyre v. Ohio Elections Commission. EPIC believes that the Court's
rationale in that case applies with even greater force to the Internet
"indecency" provisions now under review. The Court noted in McIntyre that:

" The decision in favor of anonymity may be motivated by fear of economic
or official retaliation, by concern about social ostracism, or merely by a
desire to preserve as much of one's privacy as possible. ...

"Anonymity is a shield from the tyranny of the majority. It thus
exemplifies the purpose behind the Bill of Rights, and of the First
Amendment in particular: to protect unpopular individuals from retaliation
-- and their ideas from suppression -- at the hand of an intolerant

Whether the millions of individuals visiting sites on the Internet are
seeking information on teenage pregnancy, AIDS and other sexually
transmitted diseases, classic works of literature or avant-garde poetry,
they enjoy a Constitutional right to do so privately and anonymously. The
Communications Decency Act seeks to destroy that right. If upheld, the CDA
would render the Internet not only the most censored communications medium,
but also the most heavily monitored.

"EPIC is confident that upon review of the legislation and its impact upon
free speech and privacy rights in emerging electronic media, the Supreme
Court will affirm the lower court decision invalidating the CDA as
fundamentally at odds with the Constitution."

--- end fwd message ---

The EPIC said that following the oral argument, the Reno v. ACLU plaintiffs
and lawyers will hold a news conference to offer in-depth analysis and
commentary (approximately 11:30 a.m. ET). The event will be cybercast live
via RealAudio on the World Wide Web.

Links to the cybercast will be available at:

*	*	*	*	*

New in Cyberspace: The Frontiers Are Back!

On March 6, the French security agency SCSSI gave its approval for a
secured payment protocol called C-SET, or Chip-Secured Electronic
Transaction. After one look at this European version of the US standard of
SET, which will be completed this year, one might ask: "Why bother?" Your
customs officer might well reply: "For me!"

C-SET re-draws the boarders of the real world in cyberspace -- where
national boundaries were scheduled to have been given up forever. Moreover,
the system could easily be used to escrow private communications, because
encrypted messages will be transmitted to a third party in order for police
to have a lawful access to its secret key.

The Intelligence Newsletter (http://www.indigo-net.com/intel.html) first
reported in its Feb. 26 edition that C-SET could be used as a national
shield for controlling money transfers, and thus be used as an intermediary
between the law enforcement agencies, the vendor and the buyer. French
security officials agreed to accept C-SET because it is compatible with
future trusted third-party systems, dedicated to assuring national
governments that all encrypted communications will be key-escrowed.

"The French Finance Ministry has not yet decided to apply taxes and duties
for online transactions, but C-SET is the adequate system to do that", says
Claude Meggle, director of security at the French Groupement des Cartes
Bancaires (a consortium of 200 French banks), the main architect of C-SET.
"It is a way for national states to keep their sovereignty, without
hindering international commerce".

In France and other European countries, credit cards are so-called "smart
cards." Embedded with microchips, it is a more secure way to authenticate
-- and identify -- the buyer than a hand-written signature. The GCB was not
fully satisfied by the SET standard, which "provides only software security
as it doesn't include a smart card," the Intelligence Review reported. "As
a result, the 'certificate' which enables a customer to be identified when
making an electronic purchase is stored on his hard disk. This exposes it
to all types of attack, and makes the system less than 'portable' -- the
certificate is linked to the computer and not the person. The C-SET is
exactly the opposite," the newsletter added.

Hardware is needed to use C-SET; a PIN-number pad manufactured by
state-owned Bull's smart card division CP8 will be sold for less than 500
FF (US$100), Meggle told lambda bulletin. When the users are connected to a
virtual mall, they'll have to type their 4-digits secret code (as it is
today with bank cards), and the transaction will be transferred to a
distant server owned by the bank. Thus this go-between server will be based
in the country where a user has his or her bank account, and the same bank
plays the role of a TTP. The user's privacy and anonymity will be
protected, but only from the merchant's point of view.

Banks-turned-TTPs will have to keep records of all transactional data for
law-enforcement purposes. Recently, officials at the main money laundering
agencies of industrialised countries met to discuss the problems caused by
the Internet. C-SET could be one way to keep money transfers under the
close eye of the law. The European Commission agreed to the system being
tested as a possible future standard, and all major European countries have
plans to test it in the near future (from Germany to Belgium, UK, Spain,

It is no surprise that the SCSSI, one of the most conservative cryptography
agencies in the world -- which considers the US technology lead on
encryption as a national threat -- first refused to allow C-SET to encrypt
a part of the transaction. The TTP compatibility was seen as a necessary
condition for approval. Meggli said the encrypted material uses a DES-based
56-bit key, while a RSA public-key system (1024-bit length) is used for

As Meggle acknowledged, this PIN-pad based identification system could be
also used as a way to identify users that send encrypted messages in
private communications. The TTPs will have to keep a record of connections
-- as all banks are doing today to officially fight fraud -- and give a
user's private key to police authorities if called upon to do so.

*	*	*	*	*


* French officials at the SCSSI and the prime minister's office are worried
that aspects of the government's crypto policy may be regarded by the
European Commission in Brussels as an obstacle to common market principles.
The government's law outlining a TTP key-recovery system, voted by the
legislature last summer, has yet to be enacted by ministerial decree. An
initial version of the decree (see lambda 2.13) stated that only French
employees (of companies held with a majority of French capital) would be
allowed to act as a TTP in the country. Whether the law would violate rules
concerning the free flow of capital and workers in the European Union is
uncertain. However the French government has something in its favor (for
better or for worse) regarding possible anti-competitive practices in this
area: The EC is prohibited from making decisions that may overlap with
issues of national security.

* Meanwhile, the Paris-based OECD is to publish its guidelines on
international cryptography procedures (lawful access, condition of TTP
systems, etc.) at the end of March. The report has been approved by both
the OECD expert group and division committee with slight changes in the
wording, and now needs only the endorsement of the OECD Council of

A report by Jerome Thorel <jt@freenix.fr>
English rewriting: Ken N. Cukier <100736.3602@CompuServe.COM>
lambda archives --> www.freenix.fr/netizen

Jerome Thorel 			Planete Internet
Journalist, Paris		Editor / Redac chef
thorel@netpress.fr		191 av A. Briand, 94230 Cachan
Tel: 33 1 49085833 - fax-31	www.planete-internet.com