- I find a number which looks to be compressed or encrypted. I fiddle around with it and manage to decrypt it, and it turns out to be a useful to me (and possibly harmful to others). What law have I broken, plausibly? With the possible exception of this point, I suspect that we agree more than we disagree. My note included the following excerpt from the original: The bill makes it a crime to possess or use an altered telecommunications instrument (such as a cellular telephone or scanning receiver) to obtain unauthorized access to telecommunications services (Sec. 9). This provision is intended to prevent the illegal use of cellular and other wireless communications services. Violations under this section face imprisonment for up to 15 years and a fine of up to $50,000. My reply was keyed to the phrase ``unauthorized access to telecommunications services''. As I read it -- and you may differ -- the action that's being prohibited here is picking up things like ESNs, credit card numbers, etc., and using those to obtain fraudulent access to the phone network. I'm hard put to justify such behavior as ethical, and I have no problem with declaring it illegal. (Again, though, prudent folks and/or their insurance companies and/or the government may choose to use/mandate crypto. Banks started using DES authentication for EFT transfers because the Fed insisted -- they didn't see the problem.) As for decrypting numbers picked up over the air -- although I'm going to be vague, I suspect that there is a real issue here. Suppose that you run a pay TV service that you genuinely attempt to protect -- that is, you use DES or stronger. Am I *entitled* to watch for free because I happen to be smart enough and/or rich enough to crack DES? Can I legally or ethically give away or sell recovered keys? The point I'm making here is that you're making a reasonable effort to protect something, and thus implicitly declare it private and worthy of protection. This is in distiction to unencrypted transmissions (i.e., today's cellular stuff), security through obscurity (today's digital cellular), or marginally encrypted (frequency inversion). To be sure, I don't know where to draw the line here, and I don't think I want a judge (state-appointed or freely agreed upon) drawing it for me. Maybe we should take a leaf from NSA's book and say that 40 bits or less of key amounts to a welcome mat... --Steve Bellovin