At 04:33 PM 9/4/2001 -0700, John Young wrote:
And I am not as sanguine about the wisdom of providing technology to government on the same footing as the citizen. There is more than a bit of marketing opportunism in this view -- and government knows very well what power the purse has to seduce young firms into the world of secrecy.
So I say again, that despite it being economic foolhardiness, indeed because it is that, there needs to be a code of practice for anonymizer developers to state their policy of helping governments snoop on us without us knowing. Agnosticism in this matter is complicity when such a stance cloaks government intrusiveness.
Look, I'll accept that we will all succumb to the power of the market, so limit my proposal for full disclosure to those over 30. After that age one should know there is no way to be truly open-minded.
I don't think the problem here is really the power of the market - it's the ease of copying digital media, and the difficulty of keeping a secret. I think a disclosure program like you discuss isn't an awful idea - and it might make sense for crypto companies to include, as part of their sales contracts with government agencies, explicit permission to disclose those purchases for public awareness and marketing purposes. But any such disclosure list is going to be incomplete, because the sellers themselves don't know who they're selling to, or who their customers are passing the goods along to.
It's the same old crypto export control problem - but now we're thinking of the US government as the bad guys, instead of the government of Iraq - and all of the practical objections to the export control nonsense still make as much sense as they ever did. And the ease of circumventing the control regime still makes it a laughingstock, or just a marketing exercise. (See, for example, the PROMIS software package - licensed by Inslaw to DoJ, and from there distributed far and wide, depending on who you believe. A Google search on "promis inslaw casolaro" will provide a catalog of real or imagined government abuses of small software sellers.)
I agree that we in the US have much more to fear from our government than from the government of Iraq - and perhaps the moral or strategic questions about arms control weigh even more heavily against giving the US government strong privacy or encryption or monitoring tools - but those moral questions are irrelevant given the speed and ease of distribution in the modern world. We can't control the spread of drugs, or guns, or money, or crypto, or surveillance tools - not as a government, and certainly not as individuals or small companies.
Given those constraints on our abilities, publishers of crypto/privacy tools must assume that, when they make any significant distribution of their products, some of them will end up in the hands of government agencies, who will use them (if they're useful) and disassemble/analyze them to find exploitable weakness. That's not really different from what others - like hostile foreign governments, or motivated criminals - will do with them. Similarly, citizens must assume that, if tools are available to anyone, they are available to governments, and to the least honest and least honorable and least humanitarian people within those governments, and plan their affairs accordingly.
There's no other realistic path - we can agree that it would be nice if governments didn't perceive a need to mislead and deceive their own citizens, and if governments would follow their own laws - just as it would be nice if other humans would follow laws and act decently, too. But they won't, not all of them. So we've got to make our plans assuming that the worst people are going to get access, sooner or later, to the best tools, and they're going to lie to us about it along the way. And that's what we've got to work with - but we can have the good tools, too, if we choose them.
--
Greg Broiles
gbroiles@well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids