My thesis is that both Netscape and Microsoft are in positions at this time to either do the right thing (tm) or to help build in the tools for a police state, an Orwellian surveillance state. Netscape, being the dominant browser company, and Microsoft, being the dominant OS company, are in special positions to "build in Big Brother." I'm not claiming they are, just that they are clearly in a position to make it technologically more feasible to make non-GAK illegal. They both need to carefully think about the role that's been "given" to them (whether by fortune, hard work, or being in the right place at the right time) and do what's right.

Strong words, perhaps, but the implications of mandatory key escrow are quite clear. We debated these points for a long time during the Clipper debate, and later when "Software Key Escrow" began to rear its head. I won't repeat these arguments against GAK here, but will take this opportunity to quote from a new book that actually quotes my words:

"May, ever the idea juggler, also weighed in with some powerful arguments _for_ PGP that appealed to a stodgy old Democrat (small "d" as well) like me. Even the Feds should have grasped them. "Could strong crypto be used for sick and disgusting and dangerous purposes?" May asked. And then he answered himself: "So can locked doors, but we don't insist on an 'open door policy' (outside of certain quaint sorority and rooming houses!). So do many forms of privacy allow plotters, molesters, racists, etc. to meet and plot." Whatever May was, anarchist, libertarian, objectivist, or nothing, he was making more sense in those three sentences than Baker could have in a 1,000 essays."

[David H. Rothman, "NetWorld! What People are Really Doing on the Internet, and What it Means to You," Prima Publishing, 1996. Note: I don't recall meeting Rothman, and didn't know about this book until I stumbled across it last night in a bookstore.]

It is important that such companies as Netscape and Microsoft fully understand that crypto policy will largely determine civil liberties in this country and other countries for a long time to come. And they must understand that they can influence the direction.

Bill Gates, after some early waffling, seems to now fully understand the implications of GAK and has written persuasively against it. Jim Clark does not seem to me to have thought about it as deeply, or perhaps has views of civil liberties which are not at odds with mandatory key escrow, the "open door policy" mentioned above.

And time is of the essence. Things move very fast. It is no longer the case that a law is passed, then companies respond to the new legal regime with their own policies and products. Companies, especially in high tech, are "partners" from the start, as we saw with the Clipper development (where AT&T had known about Clipper for years prior to the first public announcement, and was cooperating in the development of it, not to mention the other companies such as Mykotronx, VLSI Technology, etc., which were involved in secret for years).

It is only sheer speculation on our part (some of us, at least) that negotiations about GAK have been going on with the major software companies. Jim Clark, for example, learned what he knows about key escrow _someplace_, and it probably wasn't from our list or from articles he'd read. I'm betting, but could of course be wrong, that he and other folks at Netscape (and I mustn't leave out Microsoft, Sun, SGI, Apple, etc.) have been briefed on key escrow and that various negotiations are already underway. This would match how things were done with Clipper, and would explain Clark's voiced support for the need for GAK.

I hope Jeff W. and Jim C. can have some _long_ chats. The stakes are too high for product decisions to be made without full awareness of the implications.

The statements from Jim Clark do tend to imply a kind of defeatism, and even Jeff's comments seemed laden with qualifications about "only if the government requires us to." As Hal Finney noted in his post, it's as if the Netscape people are preparing for the inevitable. Maybe it's not an indication that GAK is being considered within Netscape, but maybe it is. After all, one rarely hears "only if we have to" qualifications on things that are truly from out in left field. And what Netscape agrees to put in future releases of its browsers or its servers could have dramatic effects on the whole climate.

(A side point, somewhat abstract: The dominance of Netscape, rising from nowhere to becoming the major player in this debate, illustrates a point about "monocultures" and their ecological effects. If yellow corn is good, replace other strains of corn with yellow corn. Pretty soon, the world's corn output is 96% yellow corn. Some ecological downsides to this. In this case, Netscape is becoming the yellow corn of the Web, and an obvious "choke point" for the NSA and its sisters to mandate crypto policies. Hence, the role of non-yellow-corn alternatives...)

Should Netscape play ball with the NSA or refuse to cooperate? I'm not suggesting that Netscape "break the law." Actually, there are *no* laws at present about GAK or about the use of strong crypto within the U.S., and most of us want to keep it that way. Thus, Jim Clark and Netscape could strongly lobby for keeping things the way they are, and could even say "If foreign governments demand GAK, let them build it in themselves--we will not produce the software to run a police state."

And if export laws demand GAK in exported products, Netscape should "do the right thing" and have two versions. It may add to their costs a little, but it's better than building in the machinery for a GAK law to later be passed.

(Explain something to me. I have never, ever understood why it is a concern of the U.S.
government that we help build in GAK for foreign governments, that we make sure that products intended for export to France or Syria have GAK that allows those governments to read the traffic of their citizens. And if the concern is that exported versions of software must be readable to the _United States_, then this is a non-starter in terms of sales in many or even most foreign countries! I'm sure France will welcome with open arms a version of Netscape that allows the NSA to read the traffic of French citizens. Oh, by the way, what legal jurisdictions will be involved in obtaining the escrowed keys of foreigners? The answers are both clear and murky, if you catch my drift.)

If the U.S. insists on GAK _within the U.S._, as many of us fear is the long-term danger, then all bets are off anyway. But I would hope that Netscape does nothing to make it _easier_ to make this the case!

A viable thing for Netscape to do is to announce forthrightly that it will separate the issue of export from what it sells in the U.S., that there will be NO GAK included in any U.S.-sold packages. The quest for an "all world" version, freely exportable, should not take precedence over the civil liberties issues. And I predict that any slight losses in market share or slight increases in product cost will be _less_ than the effects Netscape will see if their product comes to be associated with "Big Brother Inside."

Enough for now.

--Tim May

Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."