* Does the NSA really visit companies planning to include crypto modules and ask them to weaken or remove the crypto modules?
* How do such visits occur?
* What happens if a person or company simply refuses to meet with the Men in Black and says "This is a free country--get lost!"?
* What pressures are brought to bear on companies to induce them to weaken crypto, even for domestic-only use, or to remove hooks?
* Is there concrete evidence of these things?

We've all heard that the NSA sends representatives to software companies planning to include crypto or crypto "hooks" in software. There have been anecdotal reports of visits to many software companies. The question is: how _real_ are these reports and what are the mechanics of the visits? Are they urban legends, or real?

I asked these questions at the last Bay Area Cypherpunks meeting, and got some interesting responses. In particular, I was interested in the comparison to the other report about academic papers being submitted to a review board, since the late 1970s. Whit Diffie of Sun and Matt Blaze of AT&T (or, as Matt put it, maybe BT&T or CT&T, depending) shared their experiences. They confirmed that such a panel _does_ exist, but that it is fairly ineffectual. Apparently many people publish without approval. (Anyway, I'm citing this as a parallel to what I'm looking for: direct confirmation of NSA pressure and visits.)

I have volunteered to compile a compendium of reports, with or without names attached (see details below), to pin down the extent of NSA coercion or "subtle encouragement" of companies. I believe this is a valid "Cypherpunks-type project," as it is aimed at using the Net to compile a listing of experiences software developers have had.

To kick things off, I'll start the list below:

---

Example: Large relational database company.

NSA Actions: Visits on a regular basis by two NSA representatives ("always two"). Pressured them to drop plans for a strong domestic crypto module.

Source: Personally told to me by a programmer at the company, 1995-10-14. He wishes the company not to be named.

Description: The NSA was concerned about plans the company had for a domestic-only 128-bit RC4 usage, and "sat on" the company's CJ request for an exportable version of their product using 40-bit DES. After hearing nothing for a long while, and pestering the NSA (or maybe the State Department), the company finally backed down on the plans for the 128-bit RC4 use, told the NSA this, and then the government rapidly approved the 40-bit version for export. Coincidence?

---

So, send me your examples. Supply as much detail as you can, including company names if possible. I'll accept "unnamed sources" if they are _primary_ sources, but no "friend of a friend told me that...," unless the details look very convincing.

Use remailers if you wish. Use my public key if you wish, too, though remailers accomplish the same thing, at least for getting the details to me anonymously. My public key is:

pub  1024/54E7483F 1992/11/20 Timothy C. May <tcmay@netcom.com> 11-20-92
     Key fingerprint = 8C 79 1C 1B 6F 32 A1 D1  65 FB 5F 57 50 6D D3 28

(I don't have MacPGP integrated into Eudora Pro---perhaps the NSA paid Qualcomm a visit?--so I'm not a huge fan of getting PGP-encrypted messages unless there's a real need.)

I'll be releasing reports on this on a regular basis. The next one when I've accumulated several examples.

--Tim May

Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."