At 9:09 AM -0800 11/13/98, John Young wrote:

Senator Kyl has issued a long report, "Crime, Terror & War: National Security and Public Safety in the Information Age," which recounts his Subcommittee's hearings and recommendations on encryption, Y2K, terrorism, info war, domestic preparedness, wiretap, and more:

http://jya.com/ctw.htm (97K)

It describes a plan to combat threats to critical infrastructure and the US homeland which, if implemented, would criminalize much held dear to a few of this list's subscribers; other lurkers will be overjoyed to read Kyl coming to the rescue of careers and budgets of MIB and their suppliers of technological of political control.

He wants DoD to get cracking on domestic protection, move over piddling LEA. Civil liberties, nonsense. Crypto genie out of the bottle, more nonsense. Getting government access to encrypted communications, you bet. Through commercial products, yep.

I'll address one section, near the end of the report: --begin excerpt-- The "genie premise" is that encryption software is free and widely available (PGP being the most frequently cited example), rendering moot any attempt to impose controls over its transfer, manufacture or use. Yet at the same time, manufacturers and sellers of products with encryption features argue that they are losing market share to foreign competition because of export controls. Which raises the question: if users can simply download encryption software for free, why is there still a market for American products with encryption features? The answer must be that the demand for American products is based on something more than encryption features alone. If that is true, it implies the possibility of addressing the needs of law enforcement without jeopardizing market share. In that regard, Chairman Kyl offered a model of the domestic market for information security solutions. The proponents of domestic controls may have done a disservice in focusing on a one-size fits all technical solution such as "key recovery." Such a focus limits the search for acceptable solutions to the cryptography-without due regard to the reality that cryptography is just one piece of the information security puzzle. Chairman Kyl's framework suggests that discrete applications and user groups must be addressed individually, providing an opportunity to identify promising technical solutions for accessibility where and when it is most useful. --end excerpt-- This tells us that the focus of our Cypherpunks efforts should continue to be on "payload" crypto and integration of interesting crypto items into the text or HTML payloads which these other applications work with. It looks obvious from the above--and from our years of seeing Jim Clark and suchlike talk about "meeting the legitimate needs of law enforcement"--that the Feds will try to get the applications makers to incorporate key recovery. Ditto for the routers and packet movers. But all this is mooted by two major approaches: 1. Crypto at the message, or text, or payload level. Whatever Netscape or Microsoft or Lotus may do at the application level is made moot if people are using PGP or similar approaches. Furthermore, the constitutional protections are strong at the message level--jailing a person for not writing in an approved language is rather clearly a violation of the First Amendment. (This is a familiar message, about concentrating on the _contents_ of communcation systems. Many of us have been making this point for years and years. But it bears repeating in light of things like "Private Doorbell" and attempts to build CALEA (Communications Assistance for Law Enforcement, aka Digital Telephony) compliance into various systems.) I like the integration of PGP into Eudora, but I would rather have to do manual cut-and-paste operations than have some CALEA-compliant version of Eudora implement GAK-friendly crypto. I'm not accusing the Eudora folks of thinking of doing this, just trying to look ahead a few years to a world where the major ISPs and Web corporations have acquiesced to CALEA pressures. 2. Proxies and offshore remailers. Whatever the U.S. gov't. does, hard to control offshore services. And, again, the crypto needs to be at the payload level, so that all traces of GAK and whatnot can be easily removed. (The "::request-remailing-to" in the text field being a beautiful example of this. Very hard for governments to insist on what can and cannot be inside text fields!) And applications like digital money, if they ever get off the ground, will also benefit from some of the same kinds of thinking. (Ian Goldberg's demonstrations of his variant of Chaumian digital cash were of this sort, using conventional tools with the salient digital cash stuff orthogonal to the basic communications tools. We want this instead of, say, "Netscape Cash," implemented as part of Navigator and fully compliant with TLA wishes.) Anyway, I haven't been able to work up a lot of energy to write stuff here on the Cyphepunks list, for the usual reasons, but reading this Kyl report on plans to further stifle civil liberties motivates me to emphasize the obvious. --Tim May Common Y2K line: "I'm not preparing, but I know where _you_ live." ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments.