1997-10-19 - Re: “First do no harm”

Header Data

From: Fabrice Planchon <fabrice@math.Princeton.EDU>
To: Tim May <tcmay@got.net>
Message Hash: 80c7ab1f33a19b85b5705313c2d40a1aa68fcc2d2268dbbcb7ab437313872ef2
Message ID: <19971019151704.25165@math.princeton.edu>
Reply To: <199710181953.UAA00908@server.test.net>
UTC Datetime: 1997-10-19 19:32:12 UTC
Raw Date: Mon, 20 Oct 1997 03:32:12 +0800

Raw message

From: Fabrice Planchon <fabrice@math.Princeton.EDU>
Date: Mon, 20 Oct 1997 03:32:12 +0800
To: Tim May <tcmay@got.net>
Subject: Re: "First do no harm"
In-Reply-To: <199710181953.UAA00908@server.test.net>
Message-ID: <19971019151704.25165@math.princeton.edu>
MIME-Version: 1.0
Content-Type: text/plain



On Sun, Oct 19, 1997 at 10:54:18AM -0700, Tim May wrote:
> I'm not sure the people who wrote the U.S. laws had a clue, either. (Check
> out Dan Bernstein's report in sci.crypt on the latest appeal arguments of
> the government side in his case...the Feds are arguing that the First
> Amendment (to the U.S. Constitution) does not protect speech that may be
> read and acted upon by computers!).

Ohoh. How interesting. But they have to define what they mean by acted
upon computers, and we are back to a technical issue they don't
understand. But does the judge understand this issue better ? If I
recall correctly my CS classes, translating plain english to computer
code is doable, and depending on what rules you use for lexical and
syntaxical issues you would get different codes. Wether you can do
something with it is another issues, of course... Somehow if they follow
this heuristic, they will have to ban speech recognizion software (which
would be bad for me as my research has potential applications exactly
there).

> corporate and institutional purchases. It's not too surprising that the
> security staff at Random Corporation and at the University of Middle
> America want access to all communications...if it were up to them alone
> they'd have video cameras scattered everywhere.

eheh, I had an argument with my local (PU) system administrator, and at
some point he said "and what are all mails coming from cypherpunks
anyway ?" (I hope he reads this one...). So, they are already snooping,
by fear, or because in a moment of boredom, they look at the mail log
(the same way phone operators in the old days were listening to calls, I
guess. Part of human nature)

> And as for the University of Middle America, wait until professors and
> students discover that UMA bought PGP 5.5 Snoopware for Sysadmins and that
> communications with other professors, other employers, etc. will be subject
> to snooping by some low-level security employees.

Somehow, I can play the devil advocate and argue that it would be better
than the current situation where:
1) people don't use encryption at all
2) networks are weakly secured and snooping is easy
3) people use e-mail without thinking it can be snooped, archived, and
reused later, unlike, say, a phone call.

If you tell a professor that any student can easily read his e-mail but
that with this nice pgp5.5 software it will be no longer the case, he
might embrace it readily, even if on the long run and on second thoughts
it might not be a good idea.


> What I expect will happen with CMR and CAK is that employees or professors
> or whatever who really need confidentiality--and their are many valid
> reasons for this--will use either their own products (probably freeware, to
> boot), or will use non-company accounts. The professor at UMA who doesn't
> want administrations snoops monitoring his e-mail will use his AOL or
> Netcom account. As we are already seeing today. If his institution has a
> firewall preventing such services from being connected to (itself a
> hardship), he'll just wait until he gets home and send his sensitive mail
> then.

Somehow, and even if I perfectly agree with you, you forget to see that
while this may be true for professors from, say, CS, Engineering, Math,
it won't be true for others which don't have the technical background to
understand the problems and their solutions. I guess what I am saying is
what seems obvious to you, me, and probably most of the readers is not
the the general public. And the group of all professors at UMA probably
reflects this.
Unfortunatly I don't have any solution to the advertising crypto
problem. My best hope is that within a generation people will understand
the technical issues and the underlying social implications of the way
you make implementations. I fear it might be to late then...

> I advocate KISS, "Keep it Simple, Stupid," for the OpenPGP effort. Let PGP,
> Inc. go off on quixotic crusade to provide snoopware for corporations and
> universitites, and let the market decide.

Yes and no, as I said before it's not clear what the market will decide,
if people who make key buying decisions don't do the right thing. Once
every single university is equipped with pgp5.5, it's not that easy to
go back. And because of their reputation capital, people are more likely
to buy the product blindly. Sounds scary ? I don't believe in
conspiration theory, usually stupidity, ignorance and such are enough to
make bad things happen. And we see it now.

                             F.

-- 
Fabrice Planchon                                          (ph) 609/258-6495
Applied Math Program, 210 Fine Hall                      (fax) 609/258-1735








Thread