Re: Another problem w/Data Havens...
-----BEGIN PGP SIGNED MESSAGE-----
Data havens that can split data to two or more locations in separate jurisdictions can effectively ignore attention from authorities not related to the site management or site performance. Encryption mandated sites can also take this stance, while encryption is legal in any event.
It just occurred to me when reading this another method for ensuring the "I can't tell what's in it" condition with a data haven operator. Why not use a secret sharing system where the contraband data is split into a number of pieces and sent to different havens? It could be argued that the individual pieces are not the same as the whole, and there is absolutely no way the operator could recover the original from a given piece (thus providing plausible deniability.)

Using M by N secret sharing, with M < N, you build in some redundancy in case one of the havens gets shut down.

Ok, Eric, go ahead and blast your holes in this argument :)

== Johnathan Corgan "Violence is the last refuge of the incompetent."
jcorgan@scruznet.com -Isaac Asimov
From: Johnathan Corgan <jcorgan@scruznet.com>

It just occurred to me when reading this another method for ensuring the "I can't tell what's in it" condition with a data haven operator. Why not use a secret sharing system where the contraband data is split into a number of pieces and sent to different havens?

[...]

Ok, Eric, go ahead and blast your holes in this argument :)

How do you know that what you, the operator of the storage service, get was generated by secret sharing? The suggestion of having certificates that say "I encrypted this" is interesting, but merely transfers the problem onto that signer.

Eric
On Mon, 16 Jan 1995, Johnathan Corgan wrote:
It just occurred to me when reading this another method for ensuring the "I can't tell what's in it" condition with a data haven operator. Why not use a secret sharing system where the contraband data is split into a number of pieces and sent to different havens?
Damn it, you beat me to it. :-) [ ... ]
Ok, Eric, go ahead and blast your holes in this argument :)
I'm not Eric, but hey. This entire discussion is completely unnecessary. There are ways of removing operator liability without examining the submission at all.

----------
unix3.netaxs.com:/home/grendel 1/511> host bermuda-gw.alter.net
bermuda-gw.alter.net has address 137.39.234.130
bermuda-gw.alter.net mail is handled by relay2.UU.NET
bermuda-gw.alter.net mail is handled by relay1.UU.NET
unix3.netaxs.com:/home/grendel 1/512>
----------

Nicht wahr?

Michael
On Mon, 16 Jan 1995, Johnathan Corgan wrote:
Date: Mon, 16 Jan 95 18:14:26 PST
From: Johnathan Corgan <jcorgan@scruznet.com>
To: Robert Rothenberg <rrothenb@libws4.ic.sunysb.edu>, Black Unicorn <unicorn@access.digex.net>
Cc: cypherpunks@toad.com
Subject: Re: Another problem w/Data Havens...
-----BEGIN PGP SIGNED MESSAGE-----
Data havens that can split data to two or more locations in separate jurisdictions can effectively ignore attention from authorities not related to the site management or site performance. Encryption mandated sites can also take this stance, while encryption is legal in any event.
It just occurred to me when reading this another method for ensuring the "I can't tell what's in it" condition with a data haven operator. Why not use a secret sharing system where the contraband data is split into a number of pieces and sent to different havens? It could be argued that the individual pieces are not the same as the whole, and there is absolutely no way the operator could recover the original from a given piece (thus providing plausible deniability.)
Using M by N secret sharing, with M < N, you build in some redundancy in case one of the havens gets shut down.
This was essentially my point, phrased much more precisely. I believe this has been suggested, even discussed at length before on the list. Just from a structure standpoint, the haven could segment the data, use some sort of encryption, and then send an encrypted message containing the "resegmenting key." Theoretically the haven would destroy the resegmenting key after generating it and sending it, leaving the original sender with the only copy. Trust in the data haven operator is bolstered by his or her interest in not knowing the contents of the data, or the retrieval key for the data, lest he or she be vulnerable to authority scrutiny.
== Johnathan Corgan "Violence is the last refuge of the incompetent."
jcorgan@scruznet.com -Isaac Asimov
-uni- (Dark) -- 073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est 6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig!
participants (4)
- Black Unicorn
- eric@remailer.net
- Johnathan Corgan
- Michael Handler