From: Tim May <tcmay@got.net>
Date: Mon, 20 Oct 1997 02:04:00 +0800
To: Fabrice Planchon <cypherpunks@cyberpass.net
Subject: "First do no harm"
In-Reply-To: <199710181953.UAA00908@server.test.net>
Message-ID: <v03102801b06ff194bce5@[207.167.93.63]>
MIME-Version: 1.0
Content-Type: text/plain



At 10:44 PM -0700 10/18/97, Fabrice Planchon wrote:

>I would say people who wrote the current law 2 years ago didn't have a
>clue on the technical issues, anyway. That's why we are still waiting
>for the "decrets d'application", which are the set of rules on how the
>law will be enforced. Somehow I would bet they are waiting to see where
>the wind blow at the international level.

I'm not sure the people who wrote the U.S. laws had a clue, either. (Check
out Dan Bernstein's report in sci.crypt on the latest appeal arguments of
the government side in his case...the Feds are arguing that the First
Amendment (to the U.S. Constitution) does not protect speech that may be
read and acted upon by computers!).

>I know at least one academic site where system administrator were
>prevented from switching to ssh because of the legal issue. Seems the
>campus administration folks wanted to protect their asses...

This is an important point. Covering their asses. I think much of the
"corporate demand" for CMR and CAK has been coming from medium-level
bureaucrats, the mid-level "security staff" who make recommendations on
corporate and institutional purchases. It's not too surprising that the
security staff at Random Corporation and at the University of Middle
America want access to all communications...if it were up to them alone
they'd have video cameras scattered everywhere.

But I predict serious downstream (future) objections to CMR and CAK will
arise. Once the higher-ups at Random Corporation realize that all e-mail
will now be logged in perpetuity for easy perusal in lawsuits, FTC actions,
etc. (*), they'll no doubt have second thoughts.

(* It may be argued that all corporate e-mail is already archived, on the
machine backups for the corporate mail servers, SMTP, etc. Possibly, but
such e-mail is often hard to get. Some sites may choose to not keep mail
server backups, etc. Certainly ISPs have the same machine backups, and yet
it has proven difficult for investigators and whatnot to get complete
e-mail archives on targets. A CMR or CAK system would formalize the
archiving and make obtaining such records much easier. A very tempting
target indeed for "discovery" procedures. Or for law enforcement.)

And as for the University of Middle America, wait until professors and
students discover that UMA bought PGP 5.5 Snoopware for Sysadmins and that
communications with other professors, other employers, etc. will be subject
to snooping by some low-level security employees.

...
>still). But what I certainly fail to understand is why PGP inc (and
>people who support them) is focusing on a solution which allows to
>intercept and read e-mail in transit. That inherently evil, no matter

I agree. It makes the job of snoopers much easier. And while I don't
dispute the property right of a business owner to state the terms of
encryption use on his property, the practical situation is that few
businesses tape-record all telephone calls, open all incoming and outgoing
physical mail, etc. Even though this is in some sense their "right," they
realize the morale effects this would have on employees, the trust issues,
and the sheer impracticality.

(I am reminded of the issue of "personal use" of telephones in companies.
Companies which forbid personal use find decreased productivity as
employees leave the premises to find payphones, or queue up at the
payphones in the cafeteria, etc. Most companies have decided to let
employees--especially their professionals--use their phones for personal
uses, within reason. (My company, Intel, had this policy, though a printout
of calls to long-distance locations was kept, of course, and occasionally
there were inquiries made about the purposes of calls, etc.))

What I expect will happen with CMR and CAK is that employees or professors
or whatever who really need confidentiality--and their are many valid
reasons for this--will use either their own products (probably freeware, to
boot), or will use non-company accounts. The professor at UMA who doesn't
want administrations snoops monitoring his e-mail will use his AOL or
Netcom account. As we are already seeing today. If his institution has a
firewall preventing such services from being connected to (itself a
hardship), he'll just wait until he gets home and send his sensitive mail
then.

PGP could actually lose business this way.


>you put it. And the "hit by a truck" hypothesis doesn't stand a minute
>in real life (Yah, shit happens, so what ?). The (legitimate) needs of a
>company can be achieved via an agreement with its employees, on how data
>are stored, backed, duplicated, whatever, and it has merely nothing to
>do with cryptography. Or am I missing something obvious ?

No, you're not missing anything. The claimed need that PGP for Business
fills is that of recovery of important information. In fact, it fails
miserably at that.

(For reasons several of us have outlined. First, truly confidential
information will be sent in other ways, as noted above. Second, very little
of the important stuff ever travels by e-mail, for obvious reasons. Third,
the important files in the "hit by a truck" scenario are the gigabytes of
local storage on user machines...the circuit files, the process
descriptions, the work in progress, the source code, etc. These are the
files a company wants to protect against unrecoverable encryption. And
these files have very little to do with mail encryption.)

What PGP for Business appears to do, the market it appears to satisfy, is
the desire for some companies and institutions to be able to monitor what
their employees are saying to each other, to detect banned language, to
cover their asses for lawsuits, etc.

(In fact, it fails at most of these uses, too. For obvious reasons. And it
introduces new risks for lawsuits, as noted above.)


>And as far as the "legitimate needs of the law enforcement agencies",
>well, if they want to read e-mail sent by an employee from his company
>account because he is a potential drug dealer, they can obtain the
>proper authorization from the court and snoop on the guy from within the
>company. As usual, the weakest link is the guy typing on his keyboard,
>as I doubt anybody speaks IDEA fluently...(even rot13 I am
>skeptical. Crime organizations in Paris at the beginning of the century
>were using "Javanais", which was a very basic code, but sufficient to
>confuse the police)

Exactly so.

I believe governments will _like_ PGP for Business because it simplifies
the monitoring process for them. If they get a court order telling Random
Corporation to turn over their keys, or convince Random Corporation to
voluntarily cooperate, they now have easy access to _all_ of the traffic.

I believe it's a slam dunk certainty that corporations in many countries
will be required on a pro forma basis to give their keys to the law
enforcement agencies. This does not even seem debatable. Of _course_ these
will be turned over.

(By focussing on the United States we, and PGP, Inc., is missing the
obvious reality that most of the world's nations have no constitutional
protections sufficient to stop this from happening. And even the U.S. may
be able to get these keys easily...invocation of "commerce" and FTC/SEC
sorts of issues may be sufficient.)

>So why isn't everybody focusing on being sure the transport layer is
>secure, and leave to social interaction at both end of the communication
>process the problem of recovery of whatever was transmitted ? (which, I
>feel dumb for saying it, was in clear at some point before being sent,
>and will be when it will be read...)

This is what some of us have been saying for a long time.

I advocate KISS, "Keep it Simple, Stupid," for the OpenPGP effort. Let PGP,
Inc. go off on quixotic crusade to provide snoopware for corporations and
universitites, and let the market decide.

PGP, Inc. should remind themselves of the moral promise doctors make:

"First do no harm."


--Tim May




The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."