Does encrypted equal safe?
At 10:08 PM 1/11/95 -0800, Eric Hughes wrote:
Edited from response on the 'How do I know if its encrypted?' thread to get some points in the clear.
If you can't read it, it's not kiddie-porn *for you*, although it might be for someone with the key.
So the fact that its not kiddie-porn *for me* makes it safe *for me* to be transporting or storing for others that know it is kiddie-porn?
Encryption fragments meaning subjectively. A magazine, for example, has a fixed center of meaning for all who can read the language. A magazine looks the same to all who look at it. An encrypted file looks different to those who have the key from those who do not.
But why does the meaning of the data assume to change? If I take my stack of kiddie-porn and put it in a box with a big strong lock on it, in a way physically encrypting it, change the meaning of what I have? I now have a locked box that looks different from my original.
Encrypted data is fundamentally different from paper-and-ink data in this way. The metaphor of "planting it on somebody" does not apply to data that the "somebody" can't read.
It is fundamentally a different process, but does that make it different from the locking the physical data in a box as above?
[...] If you can't easily read it, you can't be expected to have read it. The operator of a data service has _zero_ motivation to cryptanalyze something. If they happen to apply a viewer to the file (for whatever reason), they don't _want_ to see what's inside.
It seems to me that what you are saying is that because the data is in a form that I can't understand, I'm safe from trouble. Now it seems to me that this is not all that different from changing the form or appearence of physical data and saying I'm not responsible for it. Now think of a remailer: If somebody gave me this box of stuff, stuff that I had no idea of what it was since it was *locked up*, to transport over to location X and I got busted half way there am I safe? Would the argument that I didn't know what it was hold up? I would tend to say no. If the answer was yes, which is what some current arrguments seem to indicate, what does that say about responsibility towards spamming or remailing illegal data? Can I say that even though someone is using me to spam or distribute kiddie porn, I have no reason to try and stop it since I don't know what they are doing? If I did take it upon myself to stop the abuse wouldn't I need to analyize the incomming data to stop it? Something I'm not supposed to do. A Data Haven: It is illegal to handle certain items in the physical world. I can get in some trouble if I have kiddie porn or drugs or what not in my possesion. This is true, for most things I would guess, even if I was just 'holding it for someone else.' After all, how do I prove that somebody else put illegal articles, encrypted or not, on my 'site' and it didn't atually come from me? Does 'holding it for someone else' type arguments work in net.world better than in the physical world? Once again, current arguments would say yes, it is different and I'm safe to hold onto illegal data since I don't know what it is. Lets see if I got this straight. In my own words, I'm just as responsible for the data I massage as the person I'm doing it for judging by real world parellels, encrypted or not. Now I would hope this is not the case, since being a remailer operator would mean that if somebody starts a spam using my site I would be just as responsible as the person that started it. Having kiddie porn on my DH would be illegal even if I had no idea it was present. This doesn't sound to good, since many of the uses of my services would be restricted if I wanted to stay 'safe.' After all if I wasn't as responsible for the spam and was safe from harm, or guilt, about what people used my site for I wouldn't care what went through my system, I'm not really supposed to care what people send me right? In fact I may even take pride that my system is being used so much. ;-) But this doesn't seem to be the case, nor in some regards would I hope them to be. Now I'm getting confused. There seems to be some contradictions in some of the above that need to be worked out, or at least explained to me. Some pretty serious legal problems seem to be lurking with in. It just doesn't seem as cut and dry to me as the argument that if I don't know what it is I don't have to worry about it. I'm sure others will have some comments to help me sort this out. -Mark ---------- Mark Oeltjenbruns marko@Millcomm.com N0CCQ SnipIt Research Finger for PGP key.
From: marko@millcomm.com (Mark Oeltjenbruns)
If you can't read it, it's not kiddie-porn *for you*, although it might be for someone with the key.
So the fact that its not kiddie-porn *for me* makes it safe *for me* to be transporting or storing for others that know it is kiddie-porn? Do you want it to be, or not? This is exactly the situation I was talking about when I emphasized the need for a positive rhetoric. We have here a situation for which I see the need for a clear statement of position and persuasive arguments in its favor. The law gets created by discussion. If we as a group fail to articulate our positions, these positions won't be represented and, failing other advocates (who?), will have no place in the law. Legal support of privacy technology will be necessary for its long term acceptance. The structure of the argument quoted below is primarily that of "this can't be right". I can only infer advocacy that operators of privacy services must be primarily responsible for content. This is to say one of several things, none of which I desire. It is to say privacy service operators who don't know content and who don't know identity should not exist, because no sane person would take upon themselves the liability of the world. It is alternately to say that privacy service operators must know content and filter it. It is alternately to say that such operators must know identity and be able to transfer liability, and these last two are not mutually exclusive. If you don't want this situation, speak up now. I desire the approved existence of privacy services which offer true privacy and as completely ignorant as possible operators of them.
Encryption fragments meaning subjectively. A magazine, for example, has a fixed center of meaning for all who can read the language. A magazine looks the same to all who look at it. An encrypted file looks different to those who have the key from those who do not.
But why does the meaning of the data assume to change? Because I want it to. Meaning is subjective. If I see encrypted text, am I to be held responsible for having seen through an encryption for which I hold not the key? Merely because someone knows a transformation into a disapproved form does not mean that I do. If I take my stack of kiddie-porn and put it in a box with a big strong lock on it, in a way physically encrypting it, change the meaning of what I have? Ask your local postal or parcel service. Is your local letter carrier responsible for the possession of kiddie porn while walking around with the mail in their sack? I certainly hope not. That would be a ludicrous situation. More accurately, it would be an outrage. Pushing responsiblity for interpretation, the ascertaining of meaning, onto people who transport and store either physical goods or information would be to require them to become deputies in enforcement. The policeman inside indeed! No one is required to love the State nor its dictates.
Encrypted data is fundamentally different from paper-and-ink data in this way. The metaphor of "planting it on somebody" does not apply to data that the "somebody" can't read.
It is fundamentally a different process, but does that make it different from the locking the physical data in a box as above? It is identical in its removal of any knowledge of content from the state of mind of the holder. What is different is that encrypted data is even more clear in its removal of knowledge. With a physical container, the boundary of the container can be breached. With a crypto container, it is impossible. It seems to me that what you are saying is that because the data is in a form that I can't understand, I'm safe from trouble. Now it seems to me that this is not all that different from changing the form or appearence of physical data and saying I'm not responsible for it. If you personally enclose a physical object, you haven't removed your own state of knowledge about the contents. But if you give the package to someone else, they don't know the contents. Even when the package changes hands, the state of knowledge doesn't. The War on Certain Drugs has had the unfortunate effect of stretching the imputations of knowledge to holders of Certain Drugs. If a single person denies a state of knowledge, yet has physical possession of some Certain Drug, a court may assume that the possessor is lying. And the fact that certain situations like this have been legislated badly makes them no less totalitarian. On the other hand, someone in the business of taking packages from many different people can reasonably argue that they have no specific knowledge of the contents of any of them. Now think of a remailer: If somebody gave me this box of stuff, stuff that I had no idea of what it was since it was *locked up*, to transport over to location X and I got busted half way there am I safe? I'll consider this a reasonable argument if you can show that some analogous delivery service has been busted in this way. And not all delivery services are common carriers. Can I say that even though someone is using me to spam or distribute kiddie porn, I have no reason to try and stop it since I don't know what they are doing? I can tell from this situation that you yourself wouldn't not feel comfortable running a remailer. So don't do that. I see you're already not doing that; good. Eric
participants (2)
-
eric@remailer.net -
marko@millcomm.com