The NSA Visits Compendium
* Does the NSA really visit companies planning to include crypto modules and ask them to weaken or remove the crypto modules?
* How do such visits occur?
* What happens if a person or company simply refuses to meet with the Men in Black and says "This is a free country--get lost!"?
* What pressures are brought to bear on companies to induce them to weaken crypto, even for domestic-only use, or to remove hooks?
* Is there concrete evidence of these things?

We've all heard that the NSA sends representatives to software companies planning to include crypto or crypto "hooks" in software. There have been anecdotal reports of visits to many software companies. The question is: how _real_ are these reports and what are the mechanics of the visits? Are they urban legends, or real?

I asked these questions at the last Bay Area Cypherpunks meeting, and got some interesting responses. In particular, I was interested in the comparison to the other report about academic papers being submitted to a review board, since the late 1970s. Whit Diffie of Sun and Matt Blaze of AT&T (or, as Matt put it, maybe BT&T or CT&T, depending) shared their experiences. They confirmed that such a panel _does_ exist, but that it is fairly ineffectual. Apparently many people publish without approval. (Anyway, I'm citing this as a parallel to what I'm looking for: direct confirmation of NSA pressure and visits.)

I have volunteered to compile a compendium of reports, with or without names attached (see details below), to pin down the extent of NSA coercion or "subtle encouragement" of companies. I believe this is a valid "Cypherpunks-type project," as it is aimed at using the Net to compile a listing of experiences software developers have had.

To kick things off, I'll start the list below:

---

Example: Large relational data base company.

NSA Actions: Visits on a regular basis by two NSA representatives ("always two"). Pressured them to drop plans for a strong domestic crypto module.

Source: Personally told to me by programmer at the company, 1995-10-14. He wishes the company not to be named.

Description: The NSA was concerned about plans the company had for a domestic-only 128-bit RC4 usage, and "sat on" the company's CJ request for an exportable version of their product using 40-bit DES. After hearing nothing for a long while, and pestering the NSA (or maybe the State Department), the company finally backed down on the plans for the 128-bit RC4 use, told the NSA this, and then the government rapidly approved the 40-bit version for export. Coincidence?

---

So, send me your examples. Supply as much detail as you can, including company names if possible. I'll accept "unnamed sources" if they are _primary_ sources, but no "friend of a friend told me that...," unless the details look very convincing.

Use remailers if you wish. Use my public key if you wish, too, though remailers accomplish the same thing, at least for getting the details to me anonymously. My public key is:

pub 1024/54E7483F 1992/11/20 Timothy C. May <tcmay@netcom.com> 11-20-92
Key fingerprint = 8C 79 1C 1B 6F 32 A1 D1 65 FB 5F 57 50 6D D3 28

(I don't have MacPGP integrated into Eudora Pro---perhaps the NSA paid Qualcomm a visit?--so I'm not a huge fan of getting PGP-encrypted messages unless there's a real need.)

I'll be releasing reports on this on a regular basis. The next one when I've accumulated several examples.

--Tim May

Views here are not the views of my Internet Service Provider or Government.

---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."
re: "Men In Black Study"

I think this is a really excellent project, for the main reason that the NSA lives and dies by a "nobody is noticing" modus operandi (relative to congressmen, the public, companies, foreign governments, etc.). it is a sort of "security through obscurity" that can be defeated. this has been a topic that has long fascinated me.

I suggest however that the scope of the survey be expanded to the FBI. there are reports the FBI visited Lotus a long time ago to ask them to put in a "back door" into their encryption software, because it was too strong. it seems to me this is very similar to the survey questions. also keep in mind that the NSA loves to use "front agencies" like NIST to do their dirty work. so it might be hard to detect an "NSA visit".

however the NSA, like all intelligence agencies, is really brilliant in intimidation. I think one would find that these situations are going to go "unreported" because the NSA may be leaving the impression that "not following our suggestion" is one sin, but that "screaming about this in the public" is going to be another liability. those are the coercion tactics that they are legendary for, IMHO. "you must do this, but we can't tell you why. you can't ask anyone else about this, either". I suspect that the entire crypto industry has been sabotaged in a lot of subtle ways by the NSA doing this, and nobody is the wiser. I hope people realize that by not reporting this, you contribute to the problem, not the solution. as Thomas Paine said, roughly, "the power of tyranny lies solely in the fear of rebellion". a study on this would be very significant.

(from what I understand, the NSA tried to do this with public key crypto, i.e. suppress it at the publication stage. a professor gave a lecture on this in one of my classes and said that it was even covered in the NYT at the time. unfortunately I lost the date. I believe it was a long time ago (maybe the 80's or even the 70's). hopefully someone else has an encyclopedic brain.)

in fact, we might be able to get Levy or Markoff to write on this subject if we can get any significant results. that would be *hot*. they could put a great spin on it, like "the netscape bugs are a problem, but an even more horrifying and unimaginable thing going on is..." if the NSA has visited Netscape, that's virtually an article right there!!
* Does the NSA really visit companies planning to include crypto modules and ask them to weaken or remove the crypto modules?
a rumor was floating around that they visited Mosaic designers.
* What pressures are brought to bear on companies to induce them to weaken crypto, even for domestic-only use, or to remove hooks?
probably just the insinuation that they may be liable. you know the lovely intimidation tactic, "what you are doing may have LIABILITY". of course everyone does all kinds of ridiculous things, because, after all, one might be LIABLE after doing them.
* Is there concrete evidence of these things?
it is in the NSA's interest to cover up any evidence, and furthermore to suggest that their program, if it exists, is totally ineffective. I think otherwise. I think it is the prime dirty secret of the NSA and a major public relations liability that ought to be exploited to the utter, full extent by cypherpunks. [Blaze etc.]
They confirmed that such a panel _does_ exist, but that it is fairly ineffectual. Apparently many people publish without approval.
however it may be more effective with commercial companies worried about liability. sometimes the slightest whiff of liability sends a company screaming for cover and not touching an entire area with a ten foot pole. I wonder if cellular phone encryption in the US has been delayed for this reason.
NSA Actions: Visits on a regular basis by two NSA representatives ("always two"). Pressured them to drop plans for a strong domestic crypto module.
Source: Personally told to me by programmer at the company, 1995-10-14. He wishes the company not to be named.
unfortunately, whenever someone says, "don't name my company", it loses effectiveness. I would like to point out that people are directly contributing to the erosion of their rights by this behavior, which suggests that they are doing something lawbreaking that they are ashamed of. well, good luck with the study. I'll do what I can to publicize it <g>