Re: Sen. Patrick Leahy's PGP key now avail.
At 5:06 AM 5/3/96, Bill Stewart wrote:
One of the most important parts of any security analysis is the threat models. In this case, we're talking about sending email _to_the_government_.
There may be something you want to tell the Senator or his staff that you want kept private from the public or from the rest of the government, and Tim's phrase "Unless the information is 'secret'" seems to cover that. Maybe you want to say "My company lost $X to competitor Y"; that's private. Maybe you want to say "The FBI is reading your email, y'know..." Maybe you want to attach a $20 MarkTwain DigiCash campaign contribution.
And besides my explicit mention of "unless secret," which I suspect is not the case in the context of "communicating with Sen. Leahy," I also explicitly mentioned that it is unlikely Sen. Leahy is doing the reading of e-mail or the encrypting. The PGP key is really "Leahy's office key." I'd say it's 99.95% likely that the PGP key was generated by a staffer--the resident e-mail geek--and that only staffers know how to use PGP. (In fact, probably only the one staffer who generated the key and knows the passphrase....) This gives new meaning to "man in the channel." When you send an encrypted message to "Senator Leahy," be sure to tell "Mitch" it's urgent that the Senator see it! (Don't misunderstand me, anyone. I'm not expecting perfect security, and the fact that secretaries and staffers may likely be the actual "keepers of the keys" is hardly new or surprising. They've always served this role. And until this changes, with PGP getting easier to use or with a more conventional key arrangement, I expect few senators will be typing in PGP stuff. (By "more conventional" I mean a model where some token or object is used, as with the crypto ignition keys, which I can imagine _some_ Senators actually carry and use, depending on their connections to the intelligence and military establishment. Or biometric security, etc.)
But usually, telling the government something is fairly similar to publishing it, in terms of expectation of privacy, even in a republic. The tradeoff is between using PGP to make a point, and getting the staff to read it. Typically, Congressional Staffs are Your Friends, at least more directly than the Congresscritters themselves. Lobby _them_; making their job easier is a good start.
I agree. My main point was that staffers are already extremely pressed for time, often quickly sorting incoming constituent mail into "yes" or "no" piles for later counting on some issue. It's unlikely in the extreme that a PGP-encrypted mail message will be looked at, unless the staffer thinks it must be spook-related. When the staffer finds it's just a position advocacy letter, and that he spent time decrypting it, it'll likely have the opposite effect we want. And it _still_ won't be the "real" Senator Leahy doing the decrypting! So, what is accomplished except "feel good" thoughts?

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

On Thu, 2 May 1996, Timothy C. May wrote:
At 5:06 AM 5/3/96, Bill Stewart wrote:
I'd say it's 99.95% likely that the PGP key was generated by a staffer--the resident e-mail geek--and that only staffers know how to use PGP. (In fact, probably only the one staffer who generated the key and knows the passphrase....)
While I believe this correct, it's worth noting that Leahy is fairly "into" the technology. He finds it entertaining and "fun." All of this mostly thanks to his one time counsel John Podesta. Thanks Mr. Podesta! He's one of the more interested congress critters.
So, what is accomplished except "feel good" thoughts?
Admittedly, not much. I'm at least pleased he has a decently on the ball staff however who can tell him what the issues are.
---
My preferred and soon to be permanent e-mail address:unicorn@schloss.li
"In fact, had Bancroft not existed,       potestas scientiae in usu est
Franklin might have had to invent him."    in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Opp. Counsel: For all your expert testimony needs: jimbell@pacifier.com