PGP and Compliance with SEC and Liability Rules
A few weeks ago I said that I thought the real reason for PGP's CMR features and Policy Management Agent had little to do with the reasons being discussed (by PGP employees, amongst others), things like "What if Joe is not at his desk and his boss wants to access his encrypted e-mail?" (and variants). I explicitly speculated that the real reason had more to do with snooping on employees, with the corporate security and IS departments monitoring what is being sent and received, etc. I even mentioned compliance with SEC, FTC, and other agency rules.

(And I'm not saying such compliance isn't a valid concern, even a mandated concern. And I'm not questioning the property rights of business owners to enforce policies on their property with their equipment as they see fit. I just think PGP is being disingenuous in saying they are not actually building in snoopware. They are, and the very same objections Phil Zimmermann had to Viacrypt's snoopware apply to PGP 5.5 and its "Policy Management Agent.")

Well, it appears the real reason is now emerging.

In the 1997-10-27 issue of "Macweek," an article on corporate use of crypto, including PGP, appears. "Mac encryption finding its way into corporations," by Larry Stevens, p. 27. Much discussion of crypto, symmetric vs. asymmetric approaches, reasons companies haven't been using crypto, etc.

The final paragraph summarizes a key point:

"The Gartner Group's Wheatman pointed out that PGP Policy Management Agent allows corporations for the first time to centralize control over encryption: 'For encryption to be accepted, IT had to gain control. This isn't Big Brother; this is necessary to comply with liability laws and SEC regulations.'"

Note: I presume "IT" stands for Information Technology, or some such. That is, some corporate Information Services or Computer Services group. In other words, snoops in some department need to use the Policy Management Agent to monitor messages.

Perhaps PGP, Inc. will say that Gartner Group does not speak for them. Fair enough. But I think the Gartner comments correctly capture the real reason we hear that corporations are insisting on snoopware. And, incredibly dangerously for us all, why the SEC, FTC, OSHA, IRS, and other agencies may seize on CMR as a feature which "must" be turned on, with archives of messages kept, etc.

Were I a bureaucrat in their shoes, I know I would certainly want CMR mandated. "Not for Big Brother, but to ensure compliance with corporate regulatory rules."

This is the dangerous world PGP, Inc. is helping to build. And I expect now that RSADSI will enter this snoopware arms race and thus the escalation will begin in earnest.

Sadly, had PGP kept true to its core foundations of personal privacy, it might have been able to exert some moral guidance and slow down this headlong rush into a snoopware world. But by becoming the anointed leader of Corporate Message Recovery and Policy Management Agent products, the other companies can jump in with their own snoopware products, pointing to PGP.

Sad. Very sad.

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."