Re: totally secure email?
For political reasons, my email must be encrypted as soon as it hits the site before it gets dropped in my mailbox, or the sysadmin will read it (snoopy bugger) and find out I'm looking for a job elsewhere.
Get the unix program "procmail", source available on any comp.sources.misc archive, or, probably, at ftp.informatik.rwth-aachen.de/pub/unix/procmail.tar.Z. This program lets you do things like sort your mail into different mailboxes as soon as it comes in. It's also really easy to use it as a hook for other programs or shell scripts to operate on mail as soon as it comes in. It shouldn't be very hard to do what you want, but there are a couple of things to be aware of here:

1) Your sysadmin can assuredly get around this too if he wants, and get at your mail even before procmail does. As a general rule of thumb, the sysadmin can do anything. But getting around this would definitely be more difficult than simply reading your /spool/mail file.

2) You obviously don't want to leave your private key in your unix account, as the sysadmin could just use it to decrypt all your mail and read it. Obvious of course, but sometimes it's easy to overlook the obvious.

Of course the best solution would be to have your correspondents send you PGP encrypted mail, but I guess the best solution isn't always available.
1) Your sysadmin can assuredly get around this too if he wants, and get at your mail even before procmail does. As a general rule of thumb, the sysadmin can do anything. But getting around this would definitely be more difficult than simply reading your /spool/mail file.
True, but I don't know if he'd think of this one...
2) You obviously don't want to leave your private key in your unix account, as the sysadmin could just use it to decrypt all your mail and read it. Obvious of course, but sometimes it's easy to overlook the obvious.
I'm curious - all the stuff that comes with PGP says to not let your secret key/pass phrase out of your sight, but why is it necessary to guard your secret key so carefully? After all, you have to type your pass phrase to use the secret key, so without the pass phrase, the secret key is useless, isn't it? I mean, besides just destroying it...
Of course the best solution would be to have your correspondents send you PGP encrypted mail, but I guess the best solution isn't always available.
Well, that's already happening, but it's hard to stop someone from dropping a piece of email in your mailbox saying, "xxx gave me your resume, and it looks good. Can we talk?"

--
Ed Carp, N7EKG/VE3 ecarp@netcom.com, Ed.Carp@linux.org
"What's the sense of trying hard to find your dreams without someone to share it with, tell me, what does it mean?" -- Whitney Houston, "Run To You"
1) Your sysadmin can assuredly get around this too if he wants, and get at your mail even before procmail does. As a general rule of thumb, the sysadmin can do anything. But getting around this would definitely be more difficult than simply reading your /spool/mail file.
True, but I don't know if he'd think of this one...
As long as you are aware of the risks and accept them.. no problem. But "I don't know if he'd think of this" is hardly cryptographically secure..
I'm curious - all the stuff that comes with PGP says to not let your secret key/pass phrase out of your sight, but why is it necessary to guard your secret key so carefully? After all, you have to type your pass phrase to use the secret key, so without the pass phrase, the secret key is useless, isn't it? I mean, besides just destroying it...
Well no.. without the secret key file, you have to factor the public modulus to find the secret key. We all know how hard that is.. if he already has the encrypted key file though... then he just has to guess your password. Far less work, unless of course you picked a pass phrase a few hundred letters long.

In general, it is impossible to achieve total security on a multi-user system unless you are the sysadmin yourself. You either have to forget it entirely or decide what risks you're willing to take and what risks you're not. Good luck.

--
Baba baby mama shaggy papa baba bro baba rock a shaggy baba sister shag saggy hey doc baba baby shaggy hey baba can you dig it baba baba
E7 E3 90 7E 16 2E F3 45 * 28 24 2E C6 03 02 37 5C
Stuart Smith <stu@nemesis.wimsey.com>
Jonathan Rochkind wrote: ...
2) You obviously don't want to leave your private key in your unix account, as the sysadmin could just use it to decrypt all your mail and read it. Obvious of course, but sometimes it's easy to overlook the obvious.
Of course the best solution would be to have your correspondents send you PGP encrypted mail, but I guess the best solution isn't always available.
And an even better solution is for folks to have their own private machines and access to one of the cheap Internet service providers springing up all around. Then they won't have to worry about their corporations "snooping" in their e-mail files. Or restricting them about using PGP or other crypto.

Corporations have a legitimate reason to tell employees what they can and can't use. After all, corporations are held liable for most employee actions (so those death threats to whitehouse.gov will reflect back on the company) and have other concerns as well (espionage, extortion, bribery, too much use of the Net, etc.).

Having your own computer means never having to say you're sorry.

(I fear laws telling corporations they *can't* snoop as much as I fear Clipper. The reasons are obvious, to me at least, and I can expand on this point if anyone's really interested.)

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
(I fear laws telling corporations they *can't* snoop as much as I fear Clipper. The reasons are obvious, to me at least, and I can expand on this point if anyone's really interested.)
The implications in the field of industrial espionage leap quickly to mind.

Beyond that, unrestrained encryption is dangerous to corporations, because what's to stop a ticked off employee from encrypting everything in the office as revenge for some imagined slight? Encryption as a weapon is something that's not often talked about, despite the fact that everyone's always rambling about how valuable information is...

The arguments for restraining encryption in corporate situations can go on and on... just as the arguments for encouraging private encryption can go on and on.

Mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Carter carterm@spartan.ac.brocku.ca
PGP key available by finger.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TimM > (I fear laws telling corporations they *can't* snoop as much as
TimM > I fear Clipper. The reasons are obvious, to me at least, and I
TimM > can expand on this point if anyone's really interested.)

MarkC > The implications in the field of industrial espionage leap quickly
MarkC > to mind.

MarkC > Beyond that, unrestrained encryption is dangerous to
MarkC > corporations, because what's to stop a ticked off employee from
MarkC > encrypting everything in the office as revenge for some imagined
MarkC > slight?

Mark Carter makes the same erroneous simplification many people do when talking about point security. I see it most often on the Firewalls list. There, the standard answer to "Should I prevent ftp connections so employees can't send our proprietary plans off-site?" appears to be "Do you search your employees at the exit for floppies and magnetic tapes?"

Security is a web, the strength of which is only as high as the biggest gap between threads. Encryption being available to employees can make industrial espionage easier only if it opens a new channel (or clears an insecure channel) for bad apple employees or contractors to get their stolen memos off site. An encrypted channel is just a channel, and probably not worth it for the spy (unless higher bandwidth per incident channels like DAT or 8mm tapes risk exposure).

Mark's rhetorical question about ticked off employees encrypting everything in sight for revenge shows the same problem. If an employee can encrypt the files and lose the key, the employee can instead just delete them or fill them with garbage. It is indeed a security risk, but the sabotage can more easily be performed without strong encryption. However, strong encryption in the workplace can indeed be used to cause difficulties.
I'm more worried about situations where a corporate officer or the like leaves the firm, and "forgets" to let her successor know the pass phrase for the key used to encrypt the payroll records. Or, the executive secretary to the Treasurer could be fired because he was caught trying to embezzle e-cash, and subsequently refuse to release the key used to encrypt official financial transactions. In such situations, a smart company will have used a secret-sharing scheme to split the key, and will have escrowed it with their outside counsel and/or a couple of escrow services.

What other problems can we come up with?

Richard
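The secret-sharing escrow Richard suggests, as an added example that is not part of the thread: a 2-of-3 Shamir split of the key protecting the payroll records, one share each for outside counsel and two escrow services, where any two shares recover the key and one share alone says nothing about it. The prime field, the share holders and the sample key are assumptions of this example.

```python
"""Shamir secret sharing for key escrow (added example, not from the thread).

The secret is the constant term of a random polynomial over GF(P); each
share is one point on it; `threshold` points recover the polynomial by
Lagrange interpolation at x = 0. P is the Mersenne prime 2^521 - 1, so keys
of up to 64 bytes fit.
"""
import secrets

P = 2**521 - 1  # field modulus; every share is a point (x, y) mod P


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` points on a random degree-(threshold-1) polynomial
    whose constant term is the secret."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret does not fit in the field (max 64 bytes)")
    # The higher coefficients are uniformly random, so any threshold-1
    # shares are consistent with every possible secret.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Interpolate at x = 0 and return the constant term as `length` bytes.

    Needs at least `threshold` distinct shares. Too few or corrupted shares
    give a random field element; if it does not fit in `length` bytes we
    detect that, but a value that fits is not thereby proven correct."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    if total >= 1 << (8 * length):
        raise ValueError("recovered value does not fit: too few or wrong shares")
    return total.to_bytes(length, "big")


def escrow_demo() -> bool:
    """Constructed 32-byte key split 2-of-3 (counsel, escrow A, escrow B);
    True if every pair of holders recovers it."""
    key = bytes.fromhex("7f" * 32)  # constructed sample, not a real key
    shares = split_secret(key, threshold=2, shares=3)
    pairs = [shares[:2], shares[1:], [shares[0], shares[2]]]
    return all(recover_secret(p, len(key)) == key for p in pairs)


if __name__ == "__main__":
    print("2-of-3 escrow recovers key:", escrow_demo())
```

In practice each share would itself be encrypted to its holder's public key before being handed over, which this example leaves out.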
employees can't send our proprietary plans off-site?" appears to be "Do you search your employees at the exit for floppies and magnetic tapes?"
I see your point.
Encryption being available to employees can make industrial espionage easier only if it opens a new channel (or clears an insecure channel) for bad apple employees or contractors to get their stolen memos off site. An
Encryption could be used as a secure means of storage of accumulated material (on site) until a security gap can be found, though. And if anyone does any snooping, they can't see through the encryption to see if it's really company secrets, thus protecting the spy.
(unless higher bandwidth per incident channels like DAT or 8mm tapes risk exposure).
Again, encryption is sort of a nice safety net. They can catch you with the tape, but they've only got you on suspicion of espionage, and the evidence is encrypted.
fill them with garbage. It is indeed a security risk, but the sabotage can more easily be performed without strong encryption.
I was thinking more about data being held hostage. Encryption offers the possibility of restoring the information... no doubt for a price of some sort. Few companies would like to admit to being blackmailed in this fashion. Sabotage, on the other hand, is much less flexible, and hence would be the practice of comparative amateurs. If you destroy everything, and get caught, what do you have to bargain with?

Mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Carter carterm@spartan.ac.brocku.ca
PGP key available by finger.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Earlier I wrote:
And an even better solution is for folks to have their own private machines and access to one of the cheap Internet service providers springing up all around. Then they won't have to worry about their corporations "snooping" in their e-mail files. Or restricting them about using PGP or other crypto.
Corporations have a legitimate reason to tell employees what they can and can't use. After all, corporations are held liable for most employee actions (so those death threats to whitehouse.gov will reflect back on the company) and have other concerns as well (espionage, extortion, bribery, too much use of the Net, etc.).
Having your own computer means never having to say you're sorry.
(I fear laws telling corporations they *can't* snoop as much as I fear Clipper. The reasons are obvious, to me at least, and I can expand on this point if anyone's really interested.)
Several people having asked for an explanation and/or commented here on their interpretations, I'll explain my position:

* Individuals, groups, corporations are free to set their own policies, more or less, in a free society. (Not everyone agrees with this, more's the shame.) A company can set working hours, working conditions, software to be used, and so on. It is not the business of government to interfere in these decisions, nor do "civil rights" enter in...an employee told to use Microsoft Word and not to use PGP cannot claim his "civil rights" are being violated.

* I did not say companies _should_ snoop...I said there should not be laws forbidding snooping--in line with the point above. Imagine the implications of a law forbidding such "snooping": a company would presumably be unable to ensure that its policies were being followed, that its employees were not violating various laws, etc. To be sure, companies may wish to avoid snooping, as the repercussions on company morale are often severe. Not being a good idea, in general, does not imply that there "ought to be a law" regulating such things.

(Ditto for searches on leaving premises, which one writer here likened to snooping. Indeed, the two are the same. For 12 years at Intel, my briefcase was searched--sometimes thoroughly, usually cursorily--every time I left a building with it. Not hard to see, given that a single uP could be sold for $500 and a briefcase of them could be worth a small fortune. Floppy disks and the like were generally ignored, as determining the contents would be too difficult, etc. A lot more I could say here, but I won't. Searches of briefcases were a "condition of employment" and not a civil rights issue....except for female employees, whose handbags were exempted by external law from any search...assembly workers were often suspected of stealing packaged devices, but Intel was forbidden to check their bags!)
* In summary, it's a real bad idea--ethically and practically--to deny "corporations" behaviors we take for granted for ourselves. If I hire someone to help me in my home, I can set the conditions of the job: what hours, what rate of pay, what tools can and can't be used, and what limits I may wish to place on his use of my modems to communicate with outside services or agents. Corporations are not really different. We may not like big corporations...most new companies are formed by people fed up with big companies...but this does not mean we should interfere with how they run their businesses. Not working for them is always an option. (I am sympathetic to many anarchist views, such as those held by my friend Dave Mandl, but I am not at all convinced by left-leaning arguments that "sometimes people have no choice" in the jobs they take. Thus, I am a standard libertarian here.)

In considering whether crypto should be "allowed" or "not allowed" for corporations, a better answer is: that's not for society and the law to concern itself with. Companies that snoop too much will lose employees, and companies that are told they cannot monitor what employees are doing and what tools are being used will also lose out.

Finally, all the arguments about there being _other_ ways for corporate secrets to leak out are accurate, but beside the point. Of course there are, and I have done extensive writing on this (BlackNet, information markets, Gibson-style "escrow" of key employees, etc.). But that employees can use their home computers to sell corporate secrets is something they will have to learn to deal with somehow (*), not a reason to limit corporations' abilities to set policy in their workplaces.

(*) One possibility, the Gibson scenario mentioned (cf. "Count Zero"), is to require key employees in extremely sensitive positions to forego access to outside contacts.
It may not work very well, and it may be distasteful to many or most people, but it's not a violation of "civil rights."

Along with "democracy," the term "civil rights" is bandied about too much and is used to justify entirely too much State intervention. Mutually agreed-upon contracts always take precedence over democracy and civil rights.

--Tim May
Finally, all the arguments about there being _other_ ways for corporate secrets to leak out are accurate, but beside the point. Of course there are, and I have done extensive writing on this (BlackNet, information markets, Gibson-style "escrow" of key employees, etc.). But that employees can use their home computers to sell corporate secrets is something they will have to learn to deal with somehow (*), not a reason to limit corporations' abilities to set policy in their workplaces.
(*) One possibility, the Gibson scenario mentioned (cf. "Count Zero"), is to require key employees in extremely sensitive positions to forego access to outside contacts. It may not work very well, and it may be distasteful to many or most people, but it's not a violation of "civil rights."
Clancy mentioned a scenario that corporations (and others) might be able to take advantage of - the so-called "Canary Trap". Instead of identical copies of a sensitive memo being made, slightly different copies are prepared instead. The meaning isn't changed, but the precise wording is, so that if someone quotes verbatim, the precise wording will indicate which document was leaked, and hence the leaker. I know for a fact that the United States and Canada use this for their classified material, at least some of it.
Along with "democracy," the term "civil rights" is bandied about too much and is used to justify entirely too much State intervention. Mutually agreed-upon contracts always take precedence over democracy and civil rights.
This is not entirely true, as the courts have ruled that certain contractual agreements, even when made between consensual parties, may be null and void, because they go against public policy. Consider if I contract with you to kill someone, and at the conclusion of the contract I will pay you a certain amount of money. So, you wax the guy, and come to me with his ear or left testicle or whatever, demanding payment. I give you the finger, and instead of putting a .22 hollowpoint between my eyes, you take me to court. The courts would rule that the contract had no force of law, because it essentially was a contract to do something that was against public policy. Same with illegal "contracts" some companies coerce people into signing as a condition of employment. The companies can argue that the employees signed them of their own free will, but the courts would hold that if the act was illegal, there can be no binding contract.

--
Ed Carp, N7EKG/VE3 ecarp@netcom.com, Ed.Carp@linux.org
Ed Carp writes:
Clancy mentioned a scenario that corporations (and others) might be able to take advantage of - the so-called "Canary Trap". Instead of identical copies of a sensitive memo being made, slightly different copies are prepared instead. The meaning isn't changed, but the precise wording is, so that if someone quotes verbatim, the precise wording will indicate which document was leaked, and hence the leaker. I know for a fact that the United States and Canada use this for their classified material, at least some of it.
The "canary trap" is also called "barium" (coined by the KGB). Tagging is sometimes useful, but can be found by XORing two or more copies.
Along with "democracy," the term "civil rights" is bandied about too much and is used to justify entirely too much State intervention. Mutually agreed-upon contracts always take precedence over democracy and civil rights.
This is not entirely true, as the courts have ruled that certain contractual agreements, even when made between consensual parties, may be null and void, because they go against public policy. Consider if I contract with
Sure, courts have interfered with contracts. Some of these interferences I even agree with, slightly (while I'm mostly an anarchist, I support a few laws). But my point was a judgement ("entirely too much" is a cue), not a statement of realpolitik. ...
The courts would rule that the contract had no force of law, because it essentially was a contract to do something that was against public policy. Same with illegal "contracts" some companies coerce people into signing as a condition of employment. The companies can argue that the employees signed them of their own free will, but the courts would hold that if the act was illegal, there can be no binding contract.
Crypto anarchy means a bypassing of such courts. Money held in escrow, and reputable (though anonymous) escrow agents will make such contracts enforceable by other means.

--Tim May
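The canary trap Ed describes, together with the weakness Tim points out, as an added example that is not part of the thread: every recipient gets a copy of the same memo with a distinct combination of wordings, a verbatim leak is matched back to its copy, and comparing two copies (Tim's XOR, done here at word level so wordings of different length still line up) exposes exactly where the tags sit. The memo template, the interchangeable wordings and the recipient names are all constructed for this example.

```python
"""Canary trap: one memo, many copies differing only in wording.

Added example, not from the thread. Memo text, slot wordings and names are
constructed. Shows both the defender's use (trace a verbatim leak) and why
the trap fails against colluding recipients (diffing two copies reveals the
tags) or a leaker who paraphrases (no verbatim match).
"""
import difflib
from itertools import product

MEMO_TEMPLATE = (
    "The board {0} to {1} the Aptos facility in {2}. "
    "Staff will be {3} before any public statement."
)
# Each slot lists wordings with the same meaning; one is chosen per copy,
# so 2 * 2 * 2 * 2 = 16 distinguishable copies exist here.
SLOTS = [
    ("has decided", "decided"),
    ("close", "shut down"),
    ("the third quarter", "Q3"),
    ("informed", "notified"),
]


def generate_copies(recipients):
    """Map each recipient to a unique copy (one wording combination each)."""
    combos = list(product(*SLOTS))
    if len(recipients) > len(combos):
        raise ValueError("more recipients than distinguishable copies")
    return {name: MEMO_TEMPLATE.format(*combo)
            for name, combo in zip(recipients, combos)}


def identify_leaker(leaked_text, copies):
    """Names whose copy equals the leaked text verbatim; empty when the
    leaker paraphrased, which is the trap's first limitation."""
    return [name for name, text in copies.items() if text == leaked_text]


def tagged_spans(copy_a, copy_b):
    """Word spans where two copies differ, as (wording_in_a, wording_in_b).

    This is the comparison Tim describes as XORing copies: two recipients
    who pool their copies see every tag. A defender can run it over the
    issued copies to see how obvious the tags are."""
    wa, wb = copy_a.split(), copy_b.split()
    sm = difflib.SequenceMatcher(None, wa, wb, autojunk=False)
    return [(" ".join(wa[i1:i2]), " ".join(wb[j1:j2]))
            for op, i1, i2, j1, j2 in sm.get_opcodes() if op != "equal"]


if __name__ == "__main__":
    copies = generate_copies(["alice", "bob", "carol"])  # constructed names
    print(identify_leaker(copies["carol"], copies))       # ['carol']
    print(tagged_spans(copies["alice"], copies["bob"]))   # [('informed', 'notified')]
```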