
At 7:08 AM 3/26/96, Shabbir J. Safdar wrote:

>Timothy C. May writes:
>
>>I don't see any compelling need for U.S. legislation. And given the pressures to attach all sorts of language to bills, I think it best that no legislation happen.
>
>Unfortunately, this is not an option. Legislation will happen, with our endorsement or without it. One good example is the Grassley computer crime bill earlier in 1995. Nobody advised him on this, as far as I can tell; he just went out and drafted it. Lo and behold, he drafted a provision that basically criminalized all crypto, including rot13.
Of course I am not saying everyone should just be silent. Various organizations, including Shabbir's own very able VTW, do a good job in challenging bad laws and helping to make the "political sausage" which is so very disgusting to watch being made. My point is that I see no compelling legislation that is needed. If enough people in Washington really want increased length in _exported products_ (remember the "exported" part), the Congress and the President should find it easy enough to get said products on to the Approved List. (I note that the Leahy Bill really doesn't change this system anyway...some products go on the list, some don't...the law only seems to say that when the horse has already left the barn, i.e., when "comparable" products are already in fairly wide use outside the U.S., then the products should be put on the approved list. Big deal.)

And my meta-point, repeated in several recent posts, is that compromising on very basic liberties for the sake of a "deal" to let Lotus or Microsoft or RSADSI have one uniform, "world" product is a very bad deal. (Key length alone is not an answer, anyway. Domestically we can have arbitrary key lengths, with no limits on strength. So, will a "world version" be limited to 64 bits (at best)? Will I, as an American, be forced to limit myself to this "world" length? This is a compromise of my liberties, just for the sake of simplifying the inventory control problems of Lotus and Microsoft! And it still doesn't address the many points we've discussed over the years about superencryption, rogue programs, and access by foreign LEAs.)

Granted, the Leahy Bill does not explicitly mandate key escrow, whether TIS' CKE/SKE or Lotus' "40+24" crypto-with-two-heads scheme. But it includes language that suggests a role for government in key escrow and even says escrow holders may not notify the subject of a subpoena that his key has been snarfed by the Feds. (Superficially, this resembles wiretaps, except that one's escrow agent may be one's lawyer, or mother, or business partner....it makes for messy situations.)

I'll have to move on to Shabbir's other comments.
>We have to wake up and learn from the fight against the net censorship legislation. This is realpolitik. Congress will legislate crypto, whether we want them to or not. This is not news anyone wants to hear, but we have to face up to it.
Be my guest. You're in Washington, you're connected, you're in a position to lobby. I only speak for myself, and my views. I am 3000 miles away from D.C., and have no intention of visiting that mosquito pit (I grew up outside of D.C.). I put my argument efforts into this mailing list (and Cyberia, until recently). If people want to read my arguments, they can subscribe, or get the occasional article forwarded. Frankly, I don't think my brand of political philosophy fits, and I'm not going to change my political philosophy just to help Lotus or Microsoft get approval to export a 64-bit version of "Lotus Notes" or "Bob."
>Congress has discovered the net, and partly through the widespread fame of this list, they have also discovered crypto. Simply saying, "we don't want any laws that address crypto" may be the ideal solution, but that won't stop them from passing laws that govern the domestic use of crypto.
Well, this is when things will get exciting. This is the Real Battle (tm) we've all been anticipating: laws on domestic use of encryption. Maybe I'll share a cell with that guy who was caught writing in an unapproved diary...Winston Smith, I think his name was (CNN carried a report on his conviction..."Escrow is Freedom"). Until then, the more Congress learns about the Potential Dangers of Crypto, the worse for us. (I had a noted lobbyist approach me about speaking before a committee...when it became clear to him that I wasn't interested in giving a "See Dick read, see Jane encrypt" PR blurb for crypto, he realized I was not the right person. Frankly, the ACLU and that sort can do a perfectly fine job on the "basics" of crypto, the 10-minute version (that still leaves the Congressfolks in a haze).)

Aside: My hunch is that crypto legislation will languish. Until, maybe next year, maybe the year after, some major event occurs. Could be a new bombing. Could be a terrorist cell raided. But they will be found to be using PGP or somesuch (80% likely to be PGP), with anonymous remailers used for breaking traffic analysis. The media will go into a feeding frenzy. John Holliman of CNN will be taken off his usual space shuttle duties and assigned to figure out what this crypto stuff is all about. Cathy Cleaver and Donna Rice will tie it into pornography. Ralph Reed will mutter about the Number of the Beast. And drastic legislation will be proposed and passed. Don't forget that Clinton's Anti-Terrorism Bill, which predated OKC by a few months, came very close to passing (and may still...as of a few days ago it was still pending, though parts of it had been gutted). And what effect will Leahy's Bromide ("bromide: a soothing concoction") Bill have if such a crypto-facilitated incident occurs? None. It will be swept away as a sand castle is swept away by the incoming tide. So why bother? Why not instead "race to the point of no return"? (For a fuller description of this "point of no return," the point at which sufficiently strong crypto has been sufficiently widely deployed so that it cannot be recalled, cf. my Cyphernomicon.)

The crypto anarchist point of view is that the genie is out of the bottle, Pandora's Box has been opened, for the good, the bad, and the ugly, and that legislation will matter little in the long run. To be sure, for people who live near Washington, whose interest is primarily in the political (the conventional political), then I can see why their interest is in helping Congress to craft better laws. But for the rest of us, we have our own work to do.
>>* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S. companies, but is not _per se_ an issue I worry about. So long as I have strong crypto, I don't really care too much about export. It would be nice to get the ITARs modified, but not at the risk of adding language (such as Leahy did) making use of encryption a possible crime (we've debated this, so I won't elaborate here). Besides, I think the best way to overturn the ITARs is through a court challenge; as I have noted, even the NSA's lawyers felt that the ITARs would not withstand court scrutiny.
>
>Unfortunately, many U.S. software companies don't agree with you.
This is fine. I don't expect them to agree with me. When one of them begins paying me a salary or sending me shares of their company's stock, then perhaps I will argue for their positions. (Not that I'm a sellout, just noting the obvious. They're looking to sell more products, at lower cost, which is not surprising. But if the price for "getting" approval for 64-bit export is some flavor of key escrow or limitations on domestic use, then why should we help them push for this?)
>While I agree with you (I've got PGP, what's the problem?), several of these companies are working through their trade organizations to introduce and push crypto legislation to allow them to raise the key length in their products.
>
>Put ourselves in their shoes for a minute. They're sitting there, with their 40 bit products, knowing that it blows chunks. They want to produce stronger crypto, but know they won't be able to export it. They talk to the company's attorneys, who speak to the lobbyists, and poof, a crypto bill.
I outlined the answer to this during the Netscape--Jim Clarke situation several months ago. The simple solution: have two versions. Version 1 has unlimited-strength crypto, no mandatory key escrow. It ships to domestic customers only, and can only be downloaded domestically (a la the PGP distributions). Version 2 is crippled. 40 bits, 45 bits, whatever. Maybe it has a set of hooks for attaching "local regulations" hooks (e.g., all versions of Netscape entering France must have no crypto, all versions entering The Islamic People's Republic must automatically cc: the secret police on all e-mail, etc.). These versions may or may not intercommunicate easily.

The "added inventory" problems that a vendor faces are real, but he faces problems already with multiple languages (English, French, Spanish, German, Japanese, etc.), with multiple platforms, etc.

Also--and this is seldom mentioned!--the inclusion of U.S.-mandated crypto restrictions may end up "opening the flood gates" for various other countries to demand their own versions (as noted above in the examples). If the U.S. stands firm and takes no stand, it will be very hard for Iraq or Singapore to demand special versions. But if the U.S. insists that packages have NSA-friendly provisions, so, too, might the other countries demand the same. (A vendor may refuse to comply, but his hand has already been weakened by his acquiescence to the U.S. demands for a special version.) Thus, it is possible that the crypto provisions will actually _worsen_ the inventory problem. (As noted by so many others, what are the chances that France or Singapore or Iran will go along with the inclusion of NSA trapdoors in products their citizen-units and corporations will be using? Does anyone imagine that France will tolerate a version of Netscape being used by its corporations that the NSA can trivially break? Get with it.)

But the issue raised by Shabbir is still this: corporations really want to ship stronger products and they'd like to be able to only have to develop and stock one version. So should we accept a weaker domestic encryption standard to let RSA and Lotus achieve this goal? (One can imagine many parallels with other products. Perhaps some countries only allow citizen-units to have access to .22 caliber firearms. Gun companies would like a single world standard. Does this mean gun enthusiasts in the U.S. should then lobby for the .22 as the allowable standard? Interestingly, at least some gun companies (names excised to avoid lawsuits) have exactly this position, that gun control laws are fine with them if it means they can ship more products and face less regulation. I am not equating Jim Bidzos, Ray Ozzie, or Jim Clarke to these folks, but am pointing out that the "interests of industry" are not always coterminous with the interests of citizens, or users, or free men.)

There are in fact many situations where a corporation will gladly welcome government regulation. They can cement their own positions and keep out upstart competitors. There's a lot of evidence that some large electronics companies actually _like_ regulatory burdens, as it tends to make it very tough for a small company these days to start a production fab. I can thus see that some crypto and software companies would potentially make a deal with the devil if it increased sales and strengthened their "franchise."

I've written more than enough, so I'll have to stop here. I believe what I have read from others, that the Leahy Bill is going nowhere. As to other legislation, I've never said people should do nothing. What I've said is that I place more faith in technology: the development of anonymous remailers, for example, does more to disperse unstoppable communication than any bill I've seen come out of Congress.

And, frankly and bluntly, while I am not as extreme (in some ways) as, say, Jim Bell, in other ways I and many others of us are quite extreme. (I usually vote Libertarian, but even they are recognizing that they have no effect on Congress because the goals of Congress and of themselves are so far apart.) Were I closer to Washington, maybe I'd be more interested. But I'm not. I'm even too far from San Francisco to drive the 100 miles over mountain roads to stand in the rain with a placard being a spear carrier for some cause. Life is tough.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."