
During the Q&A of the NRC public session, it was asked why 56-bit DES was selected as the standard of export over other widely distributed programs such as PGP. The panelists seemed to me uneasy in answering this. Primarily their view was that DES was "ubiquitous," well-known and tested by use. However, when pressed by later questioners on this topic, they expanded their view: that if another, stronger, program became "ubiquitous" -- in wide use -- they would support it as the standard of export. When it was pointed out that PGP now fit this definition, the panel merely repeated the statement about ubiquity without specifically affirming or denying the PGP claim. Their poker faces seemed uniformly in place to dampen a potentially inflammatory topic. Perhaps other attendees will amplify this odd demeanor, but it seems to me that the panel was attempting to avoid commenting one way or the other on PGP's worldwide ubiquity for unstated reasons.

I wonder if this was a nudge to the audience that the informal spread of unapproved encryption is the best way to establish its ubiquity and thereby to set a new standard for export, sort of under the noses of the authorities -- as if PGP were exemplary. Recall that this fits the Clinton administration's way of getting around the Croatian arms embargo -- the "no position" position of sidestepping legality. Also, I wonder if the panel wants to avoid an open conflict with the administration, the LEAs and the security agencies about PGP. (Or do they know something about PGP that we don't know, or have been led to think they do?)

Peter Neumann had pointed out earlier that crypto was going to be ubiquitous, and fairly soon, no matter what. He noted that it is the NRC's recommendation that LEAs take the "long-term, pro-active" view about this and get on with developing other technologies, and training personnel in them, to fight computer crime -- like traffic analysis, packet trace, etc. -- and to accept that prohibiting and cracking crypto is not effective. (This may have been diversionary, but he seemed sincere.) Perhaps the panel is agreeing the crypto genie is out of the bottle, and is advising the authorities to recognize that stronger and stronger crypto is going to become ubiquitous, and it's time to move on to other, presumably less ubiquitous, cyber-crime fighting technologies. Perhaps the committee was briefed on these technologies, or maybe some members are even developing them -- Mr. Neumann, for example, in conjunction with Ms. Denning, et al.

Those who plan to attend the June 6 session might want to pursue the "no position" position about PGP's ubiquity, and why. Diversionary sop, say, to cover the promotion of non-crypto invasion of privacy. Further, it would be helpful to learn more about what the committee members were told about "long-term" cyber-surveillance technologies in the pipeline.

What bothered me more than anything else about the session was that individual privacy got such short shrift from panelists and from the audience. While there was a bit of discussion on personal privacy protection, government and business, and their mutual back-scratching, seemed to be the primary focus. Pretty Lousy Privacy appears to be in the works, judging from what was not disclosed in the session (and in the report) about two 800-pounders working in concert at citizen data gathering, mining, selling, controlling, dominating -- at the expense of individual privacy, and, shout it, liberty.

Peter Neumann got to me when he described the "downside" of anonymity, encryption and security: how can we know who the criminals are if we don't know for sure who is who and know for sure who is doing what? Not a single panelist disagreed with his statement about this, but then I heard only a few snorts from the criminal-fraught-fed audience. I kept mum. Jesus, who knows who was recording every titter and hiss -- besides anonymous beside me and me.