At 10:44 PM -0700 10/18/97, Fabrice Planchon wrote:
I would say people who wrote the current law 2 years ago didn't have a clue on the technical issues, anyway. That's why we are still waiting for the "decrets d'application", which are the set of rules on how the law will be enforced. Somehow I would bet they are waiting to see where the wind blow at the international level.
I'm not sure the people who wrote the U.S. laws had a clue, either. (Check out Dan Bernstein's report in sci.crypt on the latest appeal arguments of the government side in his case...the Feds are arguing that the First Amendment (to the U.S. Constitution) does not protect speech that may be read and acted upon by computers!).
I know at least one academic site where system administrator were prevented from switching to ssh because of the legal issue. Seems the campus administration folks wanted to protect their asses...
This is an important point. Covering their asses. I think much of the "corporate demand" for CMR and CAK has been coming from medium-level bureaucrats, the mid-level "security staff" who make recommendations on corporate and institutional purchases. It's not too surprising that the security staff at Random Corporation and at the University of Middle America want access to all communications...if it were up to them alone they'd have video cameras scattered everywhere. But I predict serious downstream (future) objections to CMR and CAK will arise. Once the higher-ups at Random Corporation realize that all e-mail will now be logged in perpetuity for easy perusal in lawsuits, FTC actions, etc. (*), they'll no doubt have second thoughts. (* It may be argued that all corporate e-mail is already archived, on the machine backups for the corporate mail servers, SMTP, etc. Possibly, but such e-mail is often hard to get. Some sites may choose to not keep mail server backups, etc. Certainly ISPs have the same machine backups, and yet it has proven difficult for investigators and whatnot to get complete e-mail archives on targets. A CMR or CAK system would formalize the archiving and make obtaining such records much easier. A very tempting target indeed for "discovery" procedures. Or for law enforcement.) And as for the University of Middle America, wait until professors and students discover that UMA bought PGP 5.5 Snoopware for Sysadmins and that communications with other professors, other employers, etc. will be subject to snooping by some low-level security employees. ...
still). But what I certainly fail to understand is why PGP inc (and people who support them) is focusing on a solution which allows to intercept and read e-mail in transit. That inherently evil, no matter
I agree. It makes the job of snoopers much easier. And while I don't dispute the property right of a business owner to state the terms of encryption use on his property, the practical situation is that few businesses tape-record all telephone calls, open all incoming and outgoing physical mail, etc. Even though this is in some sense their "right," they realize the morale effects this would have on employees, the trust issues, and the sheer impracticality. (I am reminded of the issue of "personal use" of telephones in companies. Companies which forbid personal use find decreased productivity as employees leave the premises to find payphones, or queue up at the payphones in the cafeteria, etc. Most companies have decided to let employees--especially their professionals--use their phones for personal uses, within reason. (My company, Intel, had this policy, though a printout of calls to long-distance locations was kept, of course, and occasionally there were inquiries made about the purposes of calls, etc.)) What I expect will happen with CMR and CAK is that employees or professors or whatever who really need confidentiality--and their are many valid reasons for this--will use either their own products (probably freeware, to boot), or will use non-company accounts. The professor at UMA who doesn't want administrations snoops monitoring his e-mail will use his AOL or Netcom account. As we are already seeing today. If his institution has a firewall preventing such services from being connected to (itself a hardship), he'll just wait until he gets home and send his sensitive mail then. PGP could actually lose business this way.
you put it. And the "hit by a truck" hypothesis doesn't stand a minute in real life (Yah, shit happens, so what ?). The (legitimate) needs of a company can be achieved via an agreement with its employees, on how data are stored, backed, duplicated, whatever, and it has merely nothing to do with cryptography. Or am I missing something obvious ?
No, you're not missing anything. The claimed need that PGP for Business fills is that of recovery of important information. In fact, it fails miserably at that. (For reasons several of us have outlined. First, truly confidential information will be sent in other ways, as noted above. Second, very little of the important stuff ever travels by e-mail, for obvious reasons. Third, the important files in the "hit by a truck" scenario are the gigabytes of local storage on user machines...the circuit files, the process descriptions, the work in progress, the source code, etc. These are the files a company wants to protect against unrecoverable encryption. And these files have very little to do with mail encryption.) What PGP for Business appears to do, the market it appears to satisfy, is the desire for some companies and institutions to be able to monitor what their employees are saying to each other, to detect banned language, to cover their asses for lawsuits, etc. (In fact, it fails at most of these uses, too. For obvious reasons. And it introduces new risks for lawsuits, as noted above.)
And as far as the "legitimate needs of the law enforcement agencies", well, if they want to read e-mail sent by an employee from his company account because he is a potential drug dealer, they can obtain the proper authorization from the court and snoop on the guy from within the company. As usual, the weakest link is the guy typing on his keyboard, as I doubt anybody speaks IDEA fluently...(even rot13 I am skeptical. Crime organizations in Paris at the beginning of the century were using "Javanais", which was a very basic code, but sufficient to confuse the police)
Exactly so. I believe governments will _like_ PGP for Business because it simplifies the monitoring process for them. If they get a court order telling Random Corporation to turn over their keys, or convince Random Corporation to voluntarily cooperate, they now have easy access to _all_ of the traffic. I believe it's a slam dunk certainty that corporations in many countries will be required on a pro forma basis to give their keys to the law enforcement agencies. This does not even seem debatable. Of _course_ these will be turned over. (By focussing on the United States we, and PGP, Inc., is missing the obvious reality that most of the world's nations have no constitutional protections sufficient to stop this from happening. And even the U.S. may be able to get these keys easily...invocation of "commerce" and FTC/SEC sorts of issues may be sufficient.)
So why isn't everybody focusing on being sure the transport layer is secure, and leave to social interaction at both end of the communication process the problem of recovery of whatever was transmitted ? (which, I feel dumb for saying it, was in clear at some point before being sent, and will be when it will be read...)
This is what some of us have been saying for a long time. I advocate KISS, "Keep it Simple, Stupid," for the OpenPGP effort. Let PGP, Inc. go off on quixotic crusade to provide snoopware for corporations and universitites, and let the market decide. PGP, Inc. should remind themselves of the moral promise doctors make: "First do no harm." --Tim May The Feds have shown their hand: they want a ban on domestic cryptography ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^2,976,221 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."