Greg Broiles <gbroiles@netbox.com> writes:
Adam Back writes:
You have a dual concern: you are trying to protect against big brother and against little brother.
At the technical level, is there a meaningful difference between the brothers?
I think so yes. I think I am able to demonstrate situations where there is a trade-off: you can trade government resistance against little brother resistance. PGP Inc's CMR I believe is a form of this; they have nice recommendations for companies, statement of intents for plaintext handling, and transparent statements of when email is a company recoverable email address. But way that they have implemented this functionality I believe could be perverted for uses other than their intentions by governments. I think this means that the resulting system has traded off weaker government resistance to acheive marginally stronger little brother resistance. (I may even say no stronger little brother resistance, I think CDR can acheive same functionality). The best example I can think of is France. Other governments (US/UK) people say: it'll never happen; tin pot dictator scenarios people are less worried about because they feel the dictator will do unreasonable things in any case. The situation in France is: currently (or recently) you could not use encryption at all without a license. The enforcement rate is low to zero. (Jerome Thorel interviewed the head of SCSSI (NSA equivalent), and they said that if you asked for a license for personal use they would say "no", but if you didn't bother asking and used PGP2.x anyway, they wouldn't do anything about it typically). Now I understand the French have switched position: you can use encryption without a license *provided* that it has master key access for the government. Lets say then that our aim is to design the OpenPGP standard and the pgp5.5 implementation to be as resistant to use by the French government as possibe. With the pgp standard as is french government could insist that people use pgp5.x. pgp5.x provides a reasonablly useful framework for the french government to adapt to be used as a master access system. Because this will then be explicitly allowed, more people are likely to use it. (Current people using pgp2.x illegally are one suspects the french cypherpunks subset of the population). This means that the french government can start to ramp up enforcement as there are less objections (you _can_ protect confidentiality for business and privacy uses, use this: pgp5.x). If on the other hand pgp5.x were to use only single recipients for confidentiality, and to base company recovery of encrypted mail folders on key recovery information stored locally alongside the mailbox the system would be less useful to the french government.
Aren't we really talking about third-party access to communications, and second-party access to stored data ... with the "brother" distinction being one made at a social/political level, as a judgement about the legitimacy of the access or the size of the actor, rather than the character of the access?
It is more than that I think. This is because many people acknowledge legitimacy of companies to a) encrypt data b) to recover data in case employee forgets keys, or dies unexpectedly. Second party access to stored data is much less scary. Little brother can ultimately read _everything_ you do at work. If he gets suspicious he can install keyboard logger, keyboard password sniffer, or concealed videocam whilst you are out of the office. The best we can do is discourage little brother from abusing systems designed for data recovery as mass communications snooping. The best suggestion I have seen for this so far was Bill Stewart's suggestion to only store recovery info for some of the bits. Make the recovery process artificially slow: say 40 bits. Worth it for recovering main developers design notes made in email when he dies unexpectedly. Some hinderance to little brother unless he is determined. As long as this hinderance is similar scale to other similar things little brother could do to check up on suspicious user, you have achieved your goal of hindering little brother. Big brother is hindered very significantly if you do recovery locally, rather than on the communications link as PGP Inc CMR does. This is because big brother does not have access to the ciphertext on disks. He must come and take them. Whereas for communications he can practically acheive access to your email ciphertext at push button convenience. Your email communications are already secret split with the NSA: the data is split into to unequally sized halves: the _key_ and the _ciphertext_. For this reason you really don't want the NSA to get that key. For data storage recovery, your data is again in two halves: you have one, the _key_, your employee/you have the other, the _ciphertext_ on disk. Your employee can recover that info anyway. The NSA can't easily. It is much more logistically expensive to collect or randomly sample disk contents. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`