Crypto Exports, Europe, and Conspiracy Theories

At 8:49 PM 1/24/96, Alex Strasheim wrote: (quoting me)
The usual issue: That if a foreign-originated product even appears to be a standard (so far, none have been), and includes strong crypto, then the NSA and other agencies will simply change the rules. Thus, if extremely strong crypto from "Netscape-Zurich" starts to have a significant market presence in the U.S., then some law will be passed to restrict it.
But what would they restrict? The use of strong crypto between two domestic points, or strong crypto where one end is within the US and the other without? We already have the former -- wouldn't it be hard for them to take it away? Especially if the software already has a large installed base, which is your premise?
Specifically, I believe--though obviously cannot prove, given the nature of time--that a cryptographically strong version of Netscape developed outside the borders of the U.S. would not be freely importable into the U.S. I don't know what form such a law would take, to answer the point raised in another post by Peter Junger. Nor am I saying either State or NSA passes the laws...the ITARs have worked largely because they have never been challenged; if they were to be successfully challenged and stricken, as even some folks inside the NSA think is likely if tested in a proper case, then a Four Horseman-scared Congress will likely step in with some restrictions.
I'm not denying that there are people in the NSA who would want to react that way, but I don't think they'd be able to pull it off.
It is true that the National Security establishment has a lot of power and influence here. But there are other groups with power as well, and the security types don't have the ability to do whatever they want without regard to the opinions and interests of those other groups.
And now here's where I will speculate openly, although my speculation is informed by having followed these debates (and even contributing to them) for many years.

You have to ask yourself this question: "Why are there no cryptographically strong products--finished products, not specific ciphers or chunks of code--developed in Europe and freely imported into the U.S.?"

More specifically, given that the situation with crypto exports being limited (the so-called $60 billion a year problem...even if inflated, still a lot of money) has been known about for a long time, and given that Europe, and to a lesser extent Japan, India, etc., has a strong software infrastructure, you have to ask why "Netscape-Zurich" is not now being imported into the U.S., as a core module that then (for example) the American developers could add additional stuff to. Or why Lotus Notes-Tel Aviv is not being imported, with at least an 80-bit work factor. Or why Digicash is not taking the relatively trivial step of offering extremely strong ciphers (maybe something like Haval?) and blitzing the U.S. market? ("Only Digicash is offering _all_ of our customers the same level of communications security.")

(I'll get to some of the practical issues, that the culture of Europe is not quite as conducive as the culture of the U.S. to startups, such as Netscape, Spry, Intuit, etc., but I don't think this gets at the main point of why strong crypto is not being _imported_ into the U.S.)

If the business losses are anything really close to $60 billion a year, then companies wishing to have strong crypto should be *screaming* for Europe-developed products to be brought back in to the U.S.

There are of course two components to the alleged $60 B a year losses, broadly speaking:

* the losses of companies not in the crypto tools business who are losing out because the crypto they are allowed to export weakens their product's attractiveness.

* the losses of crypto tool makers who are losing out because their products are not attractive to non-U.S. buyers

(Does anyone else out there see a disconnect in the logic here? If Company A is losing business to a non-U.S. Company B, then why is whatever Company B is providing (such as stronger crypto) not being imported into the U.S. For example, if Netscape is losing out to "CERNScape," the hypothetical browser company out of the CERN WWW groups, then why is CERNScape not selling here? In fact, where _are_ the products that are winning out over the crippled American products?)

(Understand that I'm not claiming there are no losses, that the $60 B a year figure is not accurate (though I think it inflated a bit), I'm just trying to figure out what's really going on here.)

Let's review some points that may be relevant to why "offshore development" has not become a reality, even though one might think it would (given the $60 B figure...that pays for an awful lot of overseas programmers!).

First, the "crypto hooks" point we discuss so often. Merely having hooks that link to offshore crypto is a problem, as the ITARs make clear. Thus, Lotus cannot simply say to its non-U.S. customers, "We are shipping a version overseas that contains only 40-bit crypto; you are advised to download 80-bit crypto from http://defeat-itars.lotus-geneva...." I don't know precisely how the NSA and State would react, and what law would be cited (beyond a reading of the ITARs), but pretty clearly this would not fly in the current climate. Lotus might get visits from the NSA, might be threatened with conspiracy to violate the Munitions Act charges, might have its shipments seized, etc.

Second, folks at RSADSI told me several years ago that it even violates the ITARs to send cryptographic knowledge out of the country (especially, in this context, with the intention of the folks with the knowledge being the "Geneva" operation of RSADSI, for example).

[Note: This is really where all the stuff about exporting code comes from, and why the debate about exporting the RSA-in-Perl t-shirt is not really hitting the main point. The NSA and State have no real concern about copies of Schneier's book going out, given that they know they can't stop it anyway and the stuff in it has already been published worldwide. No, their real concern is ensuring that Lotus does not skirt the whole crypto exports issue by sending a team to an overseas location to develop a core module _there_. Before someone like Duncan protests that this strategy is ultimately--and maybe even soon--doomed to fail, for the many reasons we discuss often, I agree. But for the nonce, NSA and State are trying to fight a holding action, and keeping U.S. companies from distributing strong crypto is currently within their powers in a way that domestic control of crypto is not.]

Third, even _interoperability_ is disliked by the NSA. Thus, if Lotus Notes says that it will support an open standard such that its package can communicate easily with Europe-developed crypto modules, the NSA will consider this to be a means of skirting the ITARs.

(This was actually the main strength of PGP, as I saw it, that a "standard" could be supported on many platforms, and once the program was proliferated to many countries, all could interoperate. Note that there are very few other such interoperable crypto programs---Lotus Notes talks to other Lotus Notes sites (a chokepoint in controlling distribution), MicrosoftMail and other products talk to other MS products, RSADSI's own standalone crypto program, Mailsafe, talks to other Mailsafe users (again, a chokepoint for distribution), and so on.

[Side note: this situation is changing as standards are adopted, as the Web takes on a more prominent role. But I believe it to still be true that strong crypto in the U.S. cannot easily talk to strong crypto in Europe and Asia, except via things like PGP. If I'm wrong, I'd appreciate hearing about some examples.]

Fourth, bizarre as it may sound, _imported_ strong crypto may face the same restrictions if attempts are made to _export_ it! Even if the code is unchanged. (The only justification for this position is that the U.S. is trying to create a chokepoint for control...there is no logical reason for a product imported from Israel to then not be allowed for export back to Israel, except that NSA and State hope to interfere with markets and thus have more control over things.)

The effect of this restriction is that companies planning to import crypto from, say, Switzerland, and integrate it into their products will still face the ITARs when they try to export the product. And even having _two_ versions, one developed in the U.S. and one developed in Switzerland, will then run into the issues already cited: skirting the law by having hooks, (maybe) engaging in a conspiracy to export cryptographic talent for the purposes of skirting the ITARs, and having interoperable versions.

Fifth, there are cryptographically-competent companies and programmers in Europe. Companies such as Crypto AG, companies in Israel, programmers in the U.K., Slovenia, Romania, and all over. (Many on this list, in fact.) And programmers and very competent crypto folks in Australia, New Zealand, etc. Given the relatively small teams that built capable browsers, and given the capable programmers, and given the (alleged) huge losses American companies are suffering for lack of secure products, why are there no Europe-developed browsers with strong crypto?

I promised conspiracies. My points above implicitly involve some behind-the-scenes pressuring (and I know this to be the case from first-hand accounts), but here are some more:

-- maybe even the European companies have been threatened, perhaps by their own crypto-fearful intelligence agencies (recall the many reports of key escrow talk in Germany, France, Sweden, etc.)

-- maybe, as some have claimed, the European crypto companies, such as Zug-based Crypto AG, are actually controlled or influenced by the NSA. (This was a recent thread here, dismissed by the list.censors as "off-topic," but, I think, in actuality a terribly important topic to consider.)

-- maybe the Europeans just don't want a piece of the Web browser market, maybe the prospect of a software company reaching a capitalization of $5 billion in less than two years doesn't excite them. (Maybe Clinton didn't inhale.)

In a kind of variant of the Fermi Paradox ("Why aren't they here?," referring to alien visitors), my question is this: "Why aren't we able to solve this pressing problem of not being able to export strong crypto by _importing_ it?"

I don't think it's an accident, or laziness on the part of European and Asian companies, that we haven't gotten around the U.S.'s laws about exporting crypto by getting our crypto from competent programmers and companies outside the U.S.

Comments?

--Tim May

Boycott espionage-enabled software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

On Wed, 24 Jan 1996, Timothy C. May wrote: [...]
Specifically, I believe--though obviously cannot prove, given the nature of time--that a cryptographically strong version of Netscape developed outside the borders of the U.S. would not be freely importable into the U.S. I
Nope. Nope. Nope. Nope. Donuts to dollars that it's freely importable. Now, whether you could freely use it becomes another version of the "could they ban strong crypto for domestic use" issue. I don't think so. Why? See my articles on my homepage, www.law.miami.edu/~froomkin

I also (to pick on Tim's excellent "you got to think like them" thread) don't really see why they need to expend massive energies fighting this battle once it looks lost (I do see why they would want to fight and have fought delaying actions; every delay is a win in that mindset). A cryptographically strong browser isn't such a threat to policy, except that you get more encrypted traffic messing up traffic analysis, and that's happening gradually anyway. Not to mention that traffic volumes going up must strain some capacity somewhere.

No, the real threats to LEAs/traditional ways of doing things are more likely to be anonymity and anonymous cash. And these are things that may well be within the power of governments to at least make difficult if not eliminate for some time. "Chokepoints" is indeed the key word here, with banks and remailer operators as chokees.

If you are a government strategist, you might think, Why not make people strictly liable for, e.g., any crimes planned with their remailers? And make ISPs strictly liable for crimes planned or executed on their systems? Those things stand more chance of being upheld than a ban on domestic use of strong crypto, whether foreign or domestic coded. I won't go so far as to say "would be upheld" but it's much easier for me to imagine than a ban on importing or using strong crypto.

I'm going to expand on this in the next draft of my "oceans" paper; the draft currently on the web page does not really do these issues much justice.
don't know what form such a law would take, to answer the point raised in another post by Peter Junger. Nor am I saying either State or NSA passes the laws...the ITARs have worked largely because they have never been challenged; if they were to be successfully challenged and stricken, as even some folks inside the NSA think is likely if tested in a proper case, then a Four Horseman-scared Congress will likely step in with some restrictions. [...]
OK, Tim, what am I missing? How will Enhanced-crypto-Netscape match remailers for their ability to keep TLAs up at night?

A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law | froomkin@law.miami.edu
P.O. Box 248087 | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.

froomkin@law.miami.edu:
No, the real threats to LEAs/traditional ways of doing things are more likely to be anonymity and anonymous cash. And these are things that may well be within the power of governments to at least make difficult if not eliminate for some time. "Chokepoints" is indeed the key word here, with banks and remailer operators as chokees.
But look at the recent NYT story re: Russian banks.... (The Fed even supplies the greenbacks.....)

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

TCM wrote a long post about how the ITAR tends to prevent just about any kind of crypto software and hardware development, and that even importing crypto into the U.S. is likely to be outlawed if not already illegal.

but I think this whole line of complex thinking and pontificating is really yucky, and it embarrasses and exasperates me to see it here of all places, and from TCM of all people.

it really bugs me how much cypherpunks try to point out the "gotchas" in all the laws with crypto. when we become *experts* on these laws, and tell people why they prevent them from doing various things, we are actually *supporting* them. that is the ultimate test of legitimacy: what do you do when you hear someone wants to do something that would seem to "break a law"? when you tell them that "what you are doing breaks the law", you are implicitly revealing that *you*support*that*law*.

the way to *not*support*a*law* is *not* to play these games. not to second guess what the NSA is doing, how they would react to some situation, etc. not to point out what you think they would do if someone violated their list of "naughty no-nos"

the NSA benefits from the *perceived* straightjacket. the NSA succeeds by creating a *perception* of restriction, regardless of enforcement. you *perpetuate* this perception by keeping a handy list of all the ways that crypto software and hardware development is *impossible* and repeatedly rebroadcasting it to your friends and public forums like this.

the NSA *loses* through public confrontation, which focuses the spotlight on the atrociousness of their agenda. isn't this list the first place that people should say and emphasize, THE LAWS ARE NOT EXACT. THERE IS ROOM FOR MANEUVERING. PEOPLE SHOULD CHALLENGE THEM IN COURT. we are *not* breaking the law or encouraging breaking the law in saying this. we are *challenging* the law. we are saying, "no matter what law is passed, the ultimate test of legitimacy of any law is whether it is supported by our judicial system. many NSA 'laws' have *never* been tested, and therefore they are *all* suspect!! we *encourage* people to challenge them, and do a noble service for our country in clarifying what the laws *really* are!!"

do you think these ITAR laws are legitimate, or not? if they are *not*, then why do you *treat*them*as*such????

the ridiculous debate about whether the 4 line perl code was illegal or legal was PLAYING INTO THE HANDS OF THE NSA. the NSA *wants* people to think twice every time they write a modulo function, and all the endless legal pontificating on this list is a gift from heaven to them.

what *really* exasperates me is TCM saying that "even importing code is likely to be illegal, because if it is legal now it is likely to be outlawed". well, WHO SAYS?? this is a *beautiful* example of a place where some REAL CYPHERPUNKS WITH SOME BALLS could challenge the government, and possibly get the support of some strong allies (EFF, business interested in crypto such as Netscape, Microsoft, Lotus, etc) if they were challenged in court.

this is a *perfect* opportunity for someone to import the crypto, and get it into the market-- don't you see that the government would then be put at a *disadvantage* *even*if* they decided they were against it and tried to introduce bills-- it would get the publicity of newspapers and the focus of people watching congress do something that has been done in the shadows by the NSA for so long (and one of the main reasons they have gotten away with it). imagine the brilliant "photo opportunity" of customs agents trying to stop someone at an airport because of them taking in computer disks!!!

there is a line of thinking here that goes, "keep your head down, and don't challenge anything that even *might* be illegal". but I tell you that is NOT how odious laws are removed. that is exactly how they are PERPETUATED. we *win* through major public confrontation over crypto issues. are we *ashamed* because we want strong crypto? is it something to *hide*??

what TCM's whole essay epitomizes is the *exact*chilling*effect* that the NSA is aiming for. all this debate about what the current laws actually allow *begs*the*point* and does not support our agenda for the spread of crypto, and in fact is detrimental to it. instead, we need to broadcast to the world the message "it's a gray area, and we cypherpunks are *dying* for someone to challenge this in court, we would actually lend them our support and rally around them as we did with PRZ".

ok, now someone is going to say, OK wiseguy, why don't YOU do it. that is not my point. my point is that we merely need to get the message that even though many cpunks are spineless sheep who don't have the balls to challenge the laws themselves, or even suggest this in public, instead endlessly yammering about what is 100% kosher and what isn't (you don't have to say that part (g), ... "we would support someone who challenges these laws!!!"

the idea that MS signing a cryptographic package from outside this country constitutes EXPORT OF AN ALGORITHM is OUTRAGEOUS. of course you agree with me, but the way to demonstrate you agree is to not put up with it. DEFY any bogus law that you think is bogus!! the test of the legitimacy of a law is our *court*system*, not what government bureaucrats tell you to do!! and every day that someone listens to a government bureaucrat, and not *what*a*court*thinks*, a little bit of our precious freedom is eroded.

what scares and infuriates me is that by the NSA's standards, the cypherpunks turn out to be some of the most "law abiding" citizens regarding crypto than anyone else in the entire country...!!!

maybe TCM, who in this case imho is part of the PROBLEM and not part of the SOLUTION, and an example of how our own behavior is sabotaging our key goals, will think twice when he writes another *sskissing, tedious "what the NSA thinks about [x]" post.

this ends my semi-periodic rant-of-the-moment. we return you to your regular listless dialogue.

Vladimir Z. Nuri writes:
when you tell them that "what you are doing breaks the law", you are implicitly revealing that *you*support*that*law*.
That assertion is, I claim vociferously, false. False false false.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

M.M.:
when you tell them that "what you are doing breaks the law", you are implicitly revealing that *you*support*that*law*.
That assertion is, I claim vociferously, false. False false false.
the Tao of bad government: if you really want to get rid of a law, act and think at all times as if it doesn't even exist. how do "laws" work? the policeman coming to arrest you is only one part of the process. the court handing down a decision is another part. your friends, family, associates, etc. constantly *reminding* you of that law is the major, critical, unseen mechanism in propagation of laws. laws are about perception. the government does not want to arrest everyone that breaks a law. they do not want to have to enforce laws. they want the law *not*to*be*broken*. the key way that is done is through public perception that "doing so-and-so" can't be done, that it "breaks the law". how is this public perception propagated? whenever discussion of "so-and-so" is brought up, everyone verbally thinks, agrees, acts as if, "you can't do so-and-so". if no one is aware of a law, that law effectively *does*not*exist*. there are a bazillion laws in the government that are never enforced, because no one ever thinks of them. because everyone affected by it is always thinking about the ITAR, it largely does not even need to be enforced. the government has succeeded in a pavlovian conditioning of the populace whenever any law is unchallenged.

Vladimir Z. Nuri writes:
the Tao of bad government: if you really want to get rid of a law, act and think at all times as if it doesn't even exist.
I accept that that's one way of going about things, but I challenge you to demonstrate conclusively that it is the only means to generate political interest in opposition to a law.

I happen to disagree with this, and I refuse to accept the wacky notion that by explaining to somebody that what they're doing is in violation of a pointless stupid law, and explaining why it's only through wide exposure of that pointless stupidity that the law and others like it can be struck down, that I am unwittingly strengthening the law. Balderdash.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vladimir Z. Nuri writes:
the Tao of bad government: if you really want to get rid of a law, act and think at all times as if it doesn't even exist.
I accept that that's one way of going about things, but I challenge you to demonstrate conclusively that it is the only means to generate political interest in opposition to a law.
it was not my point at all to "demonstrate conclusively" that ignoring a law helps create opposition to a law. actually, I was not talking about opposition to a law at all. my main point was that for a law to work, people must *actively*support* it. by not supporting a law, it effectively ceases to exist.

in other words, what you consider "opposition" to laws in fact may be playing into the hands of the NSA. by taking the laws very seriously (such as the preposterous ideas that bureaucrats are allowed to prevent companies from even exporting software with "hooks" in it, and effectively allowing spooks to vet every piece of crypto code written in this supposedly free country) you are doing NSA's "heavy lifting" *for* them. these laws would be no problem if nobody followed them, if nobody gave a damn about them.

*opposition* in many ways is the wrong mindset. by opposing the laws, you implicitly reveal that you believe they are legitimate, that they are enforceable, that they are important to conform to, etc (all the things that cpunks publicly deny). by ignoring them, you put your reality where your mouth is. it sounds paradoxical, but ignoring a law is far more destructive to it than opposing it!!
I happen to disagree with this, and I refuse to accept the wacky notion that by explaining to somebody that what they're doing is in violation of a pointless stupid law, and explaining why it's only through wide exposure of that pointless stupidity that the law and others like it can be struck down, that I am unwittingly strengthening the law. Balderdash.
"when the wise hear of the Tao, they are intrigued. when the skeptical hear of the Tao, they scoff. when the stupid hear of the Tao, they laugh loudly".

On Thu, 25 Jan 1996, Mike McNally wrote:
Date: Thu, 25 Jan 1996 16:18:47 -0600
From: Mike McNally <m5@dev.tivoli.com>
To: "Vladimir Z. Nuri" <vznuri@netcom.com>
Cc: cypherpunks@toad.com
Subject: RANT: cypherpunks do NSA's job for them!!
Vladimir Z. Nuri writes:
when you tell them that "what you are doing breaks the law", you are implicitly revealing that *you*support*that*law*.
That assertion is, I claim vociferously, false. False false false.
i have to agree. there is a huge difference in telling someone that they're breaking the law and supporting a law. as far as i'm concerned, on cypherpunks we try to dissect laws or regulations so that we can chip away at weaknesses in them. it is also useful if one wants to determine how your opponent is going to react when you do something; know your enemy and all that.

-pat

"Those that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin (1773)
zifi runs LINUX 1.3.57 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu

Timothy C. May wrote:
| You have to ask yourself this question: "Why are there no cryptographically
| strong products--finished products, not specific ciphers or chunks of
| code--developed in Europe and freely imported into the U.S.?"

There are. If you buy a Gauntlet Internet firewall from TIS, you can also buy a German T1 speed DES card for it. I believe the code was written by TIS's London office. The Israeli Firewall-1 (version 2) firewall offers VPN (Virtual Private Networks) with some decent encryption scheme.

There are not yet a lot of products, and these, as Tim will doubtless point out, are somewhat obscure, not mass market products. I would attribute that to the nature of information in the international marketplace. There is not 'perfect information' but very imprecise and foggy information. Most of us don't know anyone who has bought a foreign crypto product (heck, how many of us have bought a crypto product at all?). Incidentally, TIS (ww.tis.com) did a survey of foreign crypto products which is on the web.

There are very few 'full blown' encryption products out there. PGP seems to have the most users, but I don't know of any real competition for it, inside or outside the US.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

There's a lot I don't know about the NSA, Tim's original post in this thread reminded me of that. I don't know if they'll continue to be successful suppressing crypto -- perhaps (probably?) I've underestimated them.

But I think networking is creating an enormous commercial demand for strong crypto that didn't previously exist. It's one thing to suppress an esoteric technology that few people feel the need for; it's quite another to suppress a reasonably well understood technology that everyone feels they need to run their businesses. The NSA is powerful, but so are commercial interests. I tend to think that the money will win out in the end, but I have to admit that I don't know enough about the NSA to have a serious opinion.

Why aren't foreign companies flooding America with strong crypto? Well, there are clearly pressures of the sort Tim described at work. But there are other factors as well:

o Crypto has only recently become useful/necessary to lots of business people -- the demand from crypto is born out of the networking boom, especially the Internet, which isn't picky about who can use it. American software companies dominate the industry -- they grabbed market share in the days before crypto was vital. There's inertia at work.

o Crypto isn't at the top of the list of factors when people pick software. Do most of us use 40-bit downloadable Netscape's or Mosaics with strong crypto? Netscape wouldn't be easy to pick off for New Delhi programmers (an understatement, of course), and crypto wouldn't give them as big of an advantage as it probably ought to.

o Most foreign countries aren't wired as well as we in the US are. Most people in Switzerland don't have cheap easy access to the net, for example. That's one reason that the web, a good Swiss idea, has been developed primarily in this country. America has more people thinking about the net than other countries do, and it's not surprising that we're out in front in net software.

These factors are short lived, and they're not going to keep crypto out of America forever. (That doesn't mean the NSA can't -- although I don't think they can.)

Digicash is probably the first significant crypto product to be exported to America. It's not very popular yet, but I think that most of us here agree that it is, in potential at least, as significant as Mosaic/Netscape. It's important to note that this extremely important product couldn't have been produced here, patents aside. Transaction systems need to be international, and our rules make America an unsuitable place from which to launch transaction software.

Will the NSA be able to stand up against growing economic pressures? I don't know. But it does seem pretty clear that those pressures are building all the time, and that the problem of suppressing crypto in 1996 is a much tougher one than it was in 1986.

In general, it's myopic and ill advised to focus on one factor -- economics, politics, the national security establishment -- when trying to predict what will happen. I've probably been guilty of placing too much emphasis on money, and not enough on the NSA. We do seem to be winning, though.

Alex Strasheim writes:
Why aren't foreign companies flooding America with strong crypto? Well, there are clearly pressures of the sort Tim described at work. But there are other factors as well:
o Crypto has only recently become useful/necessary to lots of business people -- the demand from crypto is born out of the networking boom, especially the Internet, which isn't picky about who can use it.
Security is an odd thing. I have clients who have obvious and very extreme security needs that do not spend any real time worrying about security and as a result end up being burned. However, until the day you are burned, you never think about security and never notice it is absent. To some extent, it is the job of consultants such as myself to assure that firms understand what they have at stake and how to protect themselves, especially by securing their communications networks with cryptography. Perry

participants (9)
- Adam Shostack
- Alex Strasheim
- David Lesher
- m5@dev.tivoli.com
- Michael Froomkin
- Perry E. Metzger
- tcmay@got.net
- Vladimir Z. Nuri
- zinc