Attitude and Assumptions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the course of all the discussion here, I have seen a number of implicit attitudes and assumptions that irritate me. This is a short rant to air my irritation.

The first thing that bugs me is what I'm calling Crypto-Correctness.

I don't know a single person on cypherpunks who is against privacy, or is against the notion that in the information society, keeping and bearing crypto is an inalienable human right. Politically, I'm a Lockeian, and put privacy up there with Locke's basic trio of life, liberty, and property. As part of this, I fight the stupid notion that because there are bad people out there, rights should be abridged. Crypto is a tool, and nigh any useful tool can be misused. If we let that fact stop us from making tools, we'd be using nerf axes and dressing in bubble wrap. If we let the fact that bad guys are using our stuff bother us too much, we'd be against privacy.

Here at PGP, we like to make hay out of the fact Burmese freedom fighters use PGP. A while ago, Tim May sent out something in which he stated that Hamas uses PGP, making the very valid point that one person's freedom fighters are another person's terrorists. He implied that they're not using it just to tell each other where the best hummous shops are, and I don't doubt it.

I like to say (now that I'm no longer an arms maker) that we are like the Red Cross in that the Red Cross gives medical attention to everyone, regardless of their moral worth; we supply privacy software to everyone, regardless of their moral worth. In the days when crypto was a munition, I used Winchester as a metaphor, complete with Sarah's cute bungalow.

In its milder forms, Crypto-Correctness thinks that if a bad guy is using crypto, then it's a mitigating factor on what they're doing. I can see that it might come from not liking tack-on laws like the clause in the present bill that makes using crypto to hide a crime illegal. This is deplorable.
But using crypto doesn't make something good.

In some of its other forms, it pushes into what I perceive as Crypto-Socialism. We just shrug if suicide bombers or paparazzi are using crypto, but if a property-owner wants to use it, you can just hear the sharp intake of breath. If that property-owner is Big Business, there are howls of indignation. I get the impression that some people think crypto should only be produced by non-profit organizations for the use of non-profit organizations, or those that had the common decency to get their profits illegally.

The next thing that bugs me is that the government has us so scared of our shadows that we look askance at anything that might make crypto mass-market. Right now, crypto is rocket science. Many of the people who need it most are only going to understand it after years of acclimatization. The sorts who inhabit the nightmares of tech-support people are going to take at least one more turn of the wheel of Maya to get it.

I think a lot of people here think that blade guards on crypto in any form is stark moral evil. You lost your data? Good. Shows you're not worthy. You shouldn't have data anyway. Information is property, and property is theft. In the crypto-anarchist future, after the withering away of the state, you won't need property anyway. I suppose we'll all just eat e-cash.

I really believe that this panicked, bunker-mentality fear of anything that might complicate the system with blade guards is doing the cause of freedom a severe disservice. Business people are subjected to a lot of the asinine annoyances and minor evils that government brings, too. If we get them on our side, they will be a powerful ally.

I believe that the central thesis of crypto-freedom is that it doesn't matter if a document is on paper or in a text file; it doesn't matter if a conversation is on the phone or in a restaurant. The medium doesn't matter. My papers and effects have the same protection on a disk as on paper itself.
We all know that deployment is the key. But real deployment means deploying to people who don't know how their toaster works, too. If we don't solve this problem, we'll get hit with the backlash. Just you wait, once crypto becomes trendy, there will be a Time cover story with some headline like, "How Much Privacy is Enough? Who's Really After You, Anyway?" and in it will be sob stories about how people lost their passphrases, were blackmailed by employees (ask me, I have real-world tales of this), or can't decrypt their backups. Congress will have hearings, and they aren't going to be fun to watch. Is trying to head this eventuality off (yes, I believe it's inevitable) really the work of Satan?

The last thing that really, really bugs me is the hostility that's directed towards PGP Inc. because now we're an Inc. The core group of people who are here are the same people they always were, they're just being paid now. I'd love to be independently wealthy and do this for the crypto-anarchist, non-profit joy of it, really I would. But you know, as the great crypto-socialist Balzac said, "behind every great fortune, there is a great crime" so I suppose we must be up to no good.

This is a blues riff, so let me tell you how we've paid our dues before I get to the chorus:

We published our source code. One of our potential partners said and I quote, "Are you mad?"

We stand firm on the issue of No Weak Crypto. A noted GAK proponent asked me at a conference, "Aren't you folks going to do an export version?" I replied, "Sure we are." This person asked, "When?" I said, "The day after the law changes."

We put out a freeware product, hoping people will upgrade to the for-pay version. If you're thinking of your own startup, let me give you some investment advice: the crowd who thinks the X-files is a documentary doesn't upgrade to the for-pay version.

We started an IETF working group that will take our core technology and put it out for anyone to use. They will own change control.
We won't be able to use any patents or intellectual property to enhance our business position. We won't be able to upgrade the protocol without a vote. The only thing we offer as a selling point is our superb engineering and our good name.

The business version is funding the rest of the ball of wax.

Are you afraid we'll make a deal with the devil? I have two comments on that:

(1) I work in Silicon Valley. I tell headhunters, "no thank you" every week. I took a pay cut to come here. I can get a 20% raise by going to WebFoo any time I want. My options aren't worth what I would have gotten as a layoff package had I stayed at Apple. If I send out an email message that provides "technical support" to furriners, I could land in jail. I'm here because I care. Ask the people here who left behind Cisco options at 40 if they care.

(2) There's one surefire way to make sure we don't make any deals with the devil. Buy the product. Encourage your friends, your mother to buy the product. If you see someone who is using the freeware version, send them a polite message to buy the product. Buy one and send it to your congresscritter. If you don't, what you're saying is, "crypto-freedom is very important to me, as long as I don't have to spend $49 on it." Convince your employer that $119 isn't too much to pay for meta-introducers. Make the crypto market so hot that someone competes with us by being badder than us.

Oh, yeah, baby, I got them crypto-startup blues.

Jon

- -----
Jon Callas                  jon@pgp.com
Chief Scientist             555 Twin Dolphin Drive
Pretty Good Privacy, Inc.   Suite 570
(415) 596-1960              Redwood Shores, CA 94065
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
              665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)

-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5

iQA/AwUBND7PCH35wubxKSepEQKD9QCgwPoRbXSHyueb9U4fLztaQkAKLlQAoNdC
kX1gOsFsBZ6YDtC9AX5X/VU9
=IiAC
-----END PGP SIGNATURE-----

> The last thing that really, really bugs me is the hostility that's directed towards PGP Inc. because now we're an Inc.
There is no hostility towards PGP, Inc. It is just that many people think your software contains a feature which has very bad consequences.

Incidentally, I heard a speech by Phil Zimmermann the day before PGP 5.5 was released. He expressed deep concerns about key escrow, expressly including PGP products. Think about it.

Personally, I think a corporation has the right to access their employees' business communications, so as long as private messages remain private, there CAK is no big problem (not that it is exactly useful, either). However, when you claim that you are reacting to non-existent public safety concerns, I wonder what the real agenda is. It is also surprising that you fail to recognize the difference between communications keys and storage keys.

On Fri, 10 Oct 1997, Jon Callas wrote:
> In the course of all the discussion here, I have seen a number of implicit attitudes and assumptions that irritate me. This is a short rant to air my irritation.
I would hate to see your *long* rants ...................:^)
> The first thing that bugs me is what I'm calling Crypto-Correctness. I don't know a single person on cypherpunks who is against privacy, or is against the notion that in the information society, keeping and bearing crypto is an inalienable human right. Politically, I'm a Lockeian, and put privacy up there with Locke's basic trio of life, liberty, and property. As part of this, I fight the stupid notion that because there are bad people out there, rights should be abridged.
I express it as private information is my property and I should have whatever means necessary to protect it. And as crypto can be directly used only as a shield and not a sword, there are no reasonable arguments against me using it.
> I believe that the central thesis of crypto-freedom is that it doesn't matter if a document is on paper or in a text file; it doesn't matter if a conversation is on the phone or in a restaurant. The medium doesn't matter. My papers and effects have the same protection on a disk as on paper itself.
This is really unexplored. I would extend rights in the physical world into cyberspace. And you are right [in an elided section] that corporations or businesses aren't thought of. Most of the arguments against intellectual property are toward releasing it where it is free, but there is an equal or greater threat of charging for the information without paying royalties. There are vandals, but there are also thieves.
> We all know that deployment is the key. But real deployment means deploying to people who don't know how their toaster works, too. If we don't solve this problem, we'll get hit with the backlash. Just you wait, once crypto becomes trendy, there will be a Time cover story with some headline like, "How Much Privacy is Enough? Who's Really After You, Anyway?" and in it will be sob stories about how people lost their passphrases, were blackmailed by employees (ask me, I have real-world tales of this), or can't decrypt their backups. Congress will have hearings, and they aren't going to be fun to watch. Is trying to head this eventuality off (yes, I believe it's inevitable) really the work of Satan?
No, but I don't know if your solutions are real. Does PGP 5.5 prevent encrypting non-CAK, then reencrypting CAK to pass through the mailers? GAK/CAK has lots of technical problems, and I don't know that you have solved them. You assume that someone like the boss in the Dilbert cartoon is going to make this all work (or will they write the corporate passphrase on their deskpad)?

I tend to be neutral to CAK, except that I can't think of an easy way to create something that is not snake-oil (i.e. that is easy, doesn't compromise security if the CAKeepers are dunces, and ensures that data encrypted is accessible by the TTPs).
> The last thing that really, really bugs me is the hostility that's directed towards PGP Inc. because now we're an Inc.
>
> We put out a freeware product, hoping people will upgrade to the for-pay version. If you're thinking of your own startup, let me give you some investment advice: the crowd who thinks the X-files is a documentary doesn't upgrade to the for-pay version.
The Windows versions I have seen don't allow me to select algorithms (they default to CAST, so how do I get 3DES or IDEA), and neither did the Linux version - the beta segfaulted on at least one combination of algorithms. Are all these little problems fixed? And if so, you had to modify the source, so is there a diff file you are going to publish much less a press release saying what is or is not fixed (I see the part about batch-friendly, but is that there yet, and how would I use that - you could put your manuals online).

I can't even buy a license for the scanned version which I can at least fix these problems. I would pay the $49 for the license to use a working Linux version. Maybe you should add a license issuing page to your server so I can click and get a digitally signed HTML license (with a physical one to be mailed later if needed). But for now my choice is to take a chance on the $49 downloadable version (will it be another $49 for a half-fixed version, and another $49 when the IETF finishes with the spec and 6.0 meets it?). Does anything happen differently if it has problems and I report them?

By the way, I can't even download it - your server requires switching to a port our firewall doesn't let through (9999) which I emailed your webmaster about three months ago. There are other common alternate ports that are allowed. So I can't even really get the $49 version, I must pay $79 (or spend an hour creating an IP tunnel to a recognized US DNS-IP address which is what I did last time - I might do that for the freeware version but not to purchase something).

So I don't know if any of the problems in the freeware or betas are fixed, and I can't even download it from your website. Some hostility to the "Inc." might be from your consumer relations more than your philosophy.

--- reply to tzeruch - at - ceddec - dot - com ---

Jon Callas <jon@pgp.com> writes:
> In the course of all the discussion here, I have seen a number of implicit attitudes and assumptions that irritate me. This is a short rant to air my irritation.
[bucko big snip]

Well, it was a nice rant, Jon. Most of it was even crypto-correct :-)

But the problem is you didn't address the point causing your perceived hostilities. Not once.

The point is Jon "GAK compliance meister" Callas, you're building in GAK compliance.

Now we know that it is possible for you to have GAK compliance without using it for that purpose, or at least to promise that at this stage, promise sincerely even, it doesn't make any difference. When mandatory GAK is law, all you'll have done is to smooth the way for it. Your promises, and crypto-anarchic 'tudes won't amount to a stack of cards. Your wimpy sounding safeguards and reasons why PGP Inc would have to be bought out, all staff sacked etc. don't sound very reassuring. Saying "over my dead body", doesn't really help us if we are realistic enough to figure that you'll be dead, and we'll have GAK. Personally I'd sooner we didn't have GAK (and that y'all lived too).

Oh yeah, and the reason we're all "picking on you" is nothing, absolutely nothing what-so-ever, to do with the fact that PGP is an "Inc" now.

The reason that it appears to you that we're picking on you is that we're trying to ram a few simple points through your skulls which we consider may be significant points in the political wars potentially leading up to mandatory GAK.

For example, major point #1: that by attempting to enforce GAK compliance on the IETF OpenPGP standard you will make it easier, much easier, major point this, listening?, much easier to introduce GAK, because they can then do so interoperably with the OpenPGP standard, which you're hoping will be #1 internet email application used by Netscape like 80% market dominance figures. PGP Inc has easily within its powers the ability to remove this easy migration path for mandatory GAK.

Point #2, is more of a technical point really: you seem to be mixing key functionality to the detriment of security to provide a fully functional corporate email snooping service.
Here's a meme to pass around the office: separate storage and encryption keys are just as important as separate encryption keys and signature keys. This is also fairly important, as keys have different recovery requirements, and different life time requirements. Re-using communication encryption keys for storage keys causes all sorts of problems. One of which is getting shouted at for being GAK compliant. Oh yes, and email in your received folder is NOT a communication anymore, it is now _stored_, and should therefore, if it is encrypted be encrypted with said storage key.

Now, if y'all over there are such "live free or die" crypto-anarchist martyrs that you've given up your Cisco options, and taken a pay cut, and resisted temptation for a 20% pay rise (and you very well may be die hard crypto-anarchists for all I know, I've only met a few of you), surely argument #1 means something to you:

"attempting to enforce GAK compliance on the IETF OpenPGP standard you will make it MUCH easier for USG to introduce GAK"

So what's your problem, if skipping on a 20% pay rise isn't a problem, why do you have to implement GAK compliance to provide small amounts of additional functionality for corporate snooping, which isn't even on your stated user requirement list. As I demonstrated you could if you figure this is necessary to the future of free crypto (though I can't see that it is), implement most of the snooping functionality without GAK compliance.

It's not as if people can't hack around the whole damn caboodle anyway, as was stated as a plus point in earlier PGP person post. So why GAK compliance for that last couple of % of enforceability on snooping. Think of the lower enforceability as a boon, you've got a technical reason to use to explain to little brother why 100% snooping doesn't work that well without 24 hr video cams surveillance and NSA style body cavity searches at the door.

I'd suggest you print the above document out and have a discussion of it.
Get PRZ there too. Let us all know the decision so we know whether to start investing in stego applications in preparation for fast-track inadvertently (being generous here, since your whinge) PGP Inc assisted GAK.

Cheers,

And hang-loose, don't get up-tight, just say no to GAK compliance.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A thoughtful essay by Jon Callas on the trials and tribulations of being a crypto start-up company.

Before I get into commenting on parts of Jon's message, let me first make some very general points.

First, I don't think PGP, Inc. is being picked on. It announced a new product this month, one with obvious implications and resonances for and with the whole key recovery/key escrow/GAK debate.

Second, for us not to pick it apart would be "out of character" (considering past critical remarks directed toward Netscape (ask the Weinstein brothers), toward Microsoft (ask the MS employees who mostly post from non-MS accounts), toward Cybercash, toward First Virtual, toward RSADSI, and on and on). (And the Cypherpunks list was not even in the lead in picking on PGP for Business, as the comments by Bruce Schneier, Simson Garfinkel, etc. show.)

Third, several of us have reiterated the basic point that *of course* an employer or corporation owner has every right to insist that his employees use a particular product, submit to searches of their briefcases, have their phone calls monitored, wear funny costumes, and so on. Only a couple of people have even hinted that the issue is some kind of "workers rights" thing.

Fourth, though employers may wish to insist on this kind of message recovery, there are obvious dangers. Not the least of which is that the voluntary aspects may cease to be voluntary (in terms of the government mandating archival of all corporation messages, analogous to requirements for audit trails, OSHA compliance, receipts, cash register records, etc.).

Fifth, it thus behooves us to think about these issues. That there will be issues to consider, and public debate, is shown by the comments here and the comments from Schneier, Garfinkel, etc.
And even Phil Zimmermann, when discussing a very similar product from ViaCrypt, basically said (paraphrasing from memory): "Call it what you like, but it violates the spirit of PGP, so don't call it PGP." Amen to that. (Personally, I'll be real disappointed if Chairman Phil sends us a Zimmermann Telegram (TM) telling us that the ViaCrypt and PGP products are actually not all alike. "Pay no attention to the man behind the curtain.")

Sixth, besides all of these issues, there are interesting questions about whether this form of "encrypting to a corporate key" is very useful or addresses the right problem. (I happen to believe that the "what if Joe is hit by a truck?" issue is better solved with other tools, and the "what if Joe is sending corporate secrets outside the company?" issue is not at all addressed with PGP for Business (as Joe will either stego encrypt, or, even better, will just carry out gigabytes in a CD or DAT and use a non-company account)).

Anyway, I guess I don't need to comment paragraph by paragraph on Jon's points. I'm happy that he's commenting here on the list.

- --Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
- ---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBND78j1K3AvrfAt9qEQL4pgCfQqH86oZ8phNCo45ZNFRj2AX8ogYAoLjG
0d/WpUBVhv4NXPsfo/dbsa59
=88Cn
-----END PGP SIGNATURE-----

While I agree with the general points you make in your Crypto Blues, I also agree with what I am reading from others regarding paving the way for GAK. This is probably because you didn't actually deal with those criticisms individually in your rant.

To say that you will draw a line somewhere down the road is ineffectual. It's not unlike the gun owners who won't join an organization, won't communicate with their elected representatives, and rely on "Well, if they come for *my* gun, they'll have to pry it from my cold, dead fingers!" It's too late by then. If and when it comes time for one or more of you to decide to quit rather than do what is wrong, it will be way too late. I'm reminded of the far-left-liberal comic and actor Dennis whatshisname who, in a standup act, made reference to the "cold, dead fingers" view of some gun owners and said, "That'll work!"

Whoever it was who said that the capitalists would sell the communists the rope with which to hang them was right. It is even worse in today's brain-dead business world where policy decisions are made by bean counters who can't see more than 90 days past their bottom line and have no visibility whatsoever of the rich component mix of that bottom line. I have no doubt that if and when the time comes that the government puts out RFPs for ID chip implant systems or tattooing barcodes on our foreheads there will be no scarcity of companies lining up to get the contracts. Free enterprise doesn't automatically confer intelligence, forward view, or an understanding of freedom and the long-term consequences of undermining it.

It is incumbent on everyone who favors individual liberty and privacy to do everything possible to prevent the infrastructure for GAK and other police state measures from being put into place. Adam Back is entirely correct in believing only in technical solutions, not words.
It must remain technically difficult, even impractical, for politicians and bureaurats to simply prescribe how mechanisms put in place by well-meaning people will be used to invade privacy and monitor communications. The best defense against censorship is a technological structure that defeats censorship before it starts. The best defense against the destruction of privacy is a technological structure that makes invasion of privacy difficult or impossible. It is far better to have a system in which a destructive proposal fits badly and threatens to cause innumerable uncontrollable consequences than one which lays the groundwork for the easy implementation of destructive proposals.

The risk-of-loss set of arguments is also in some ways a large red herring. There is nothing particularly unique about crypto that makes the potential loss of information qualitatively different than countless garden variety risks with which people deal every day.

Many organizations have stopped backing up desktop PCs. Most everyone tried to do those backups at one time, but as disk sizes and data volumes increased it became impractical in many organizations. This represents a far greater risk than the loss of messages or files the same employees may keep in encrypted form, but there are no interest groups or government bodies trying to propose Desktop PC Escrow systems.

Many employees wittingly or unwittingly use the strongest crypto in existence, from which there is *no* recovery under any circumstances should the employee drop dead: wetware storage. Rate of technological change and increasingly full "plates" have combined to reduce documentation to historic lows. If a document becomes obsolete, even false, virtually the moment it is completed, it is less likely to be written.
If it's never written because its durability is in question or there is too much else to do, it can never be recovered except from the functioning mind of the custodian of the information, but no one is proposing "brain escrow." The costs of dealing with the loss of an employee with a headful of unique knowledge are becoming an expected and largely unnoticed thing, like the expectation of a third world business that a simple action like fixing a piece of hardware may involve a large multiple of the time and money it would cost in any U.S. city. And still the bean counters haven't a clue.

It is even quite common these days that when one of those custodians leaves an organization there is insufficient staffing to make even a feeble attempt to pick up what the departing person has left behind. Rate of obsolescence aggravates this by making it seem easier to just implement the next version or product than pick up the pieces of managing the old one. I've seen people depart, leaving a cube full of diskettes, manuals and, presumably, notes, only to see the organization move someone else with different job responsibilities into the cube and never, ever, not even once retrieve or look at any of the materials of the departed employee -- not their PC, their files, their desk, their file cabinets, their manuals -- nothing.

Individuals can also wipe their mail files, wipe their disks, suffer disk failures, etc. They can take the only copy of something home and die in a fiery car crash. They can drop their laptops from heights more than the prescribed 2 inches. It is not possible to list the ways in which information can be lost and/or compromised, ways with which key recovery cannot possibly attempt to deal.
Since many of those things happen all the time in the real world on a daily basis it goes unnoticed that the vast majority of them are dealt with by the people involved without comment and largely without noticeable adverse consequences, just as when smoking was common in offices it wasn't particularly noticed that most offices didn't burn down despite the widespread use of open flame and smoldering materials in tens, perhaps hundreds of millions of instances daily.

Loss of encrypted information is almost a non-issue in reality, somewhat like the non-issue of the risk of flying by scheduled airline. Crypto, like airliners, increases the probability that a loss will be more noticeable by virtue of quantity, but has no inherent effect on the likelihood that a greater percentage of total information will be lost. An employee generally exercises the same type of diligence in this area as in the myriad other areas where some thought and action must be directed at preventing catastrophic loss. The motivation is the same, too: retention of employment and avoidance of lawsuit. An operations manager already has to figure out how to make sure that last year's backups will not only be physically safeguarded but also capable of being read and restored should they be needed, for example. There is nothing more magic about "crypto" than there is about "backup" in this sense.

Crypto, like the Internet, is a mere conceptual hook on which the ignorant (strongly represented in the so-called "news" media) can hang a set of alarms and not necessarily needed solutions. It's an umbrella under which those who have nothing better to do can collect a set of issues for conceptual amplification and synergistic alarm enhancement, obscuring the fact that many functional counterparts to those issues are in the fabric of everyday business work.
The mere use of a computer involves a larger quantity and more serious degree of "gotchas" than arise in the use of crypto on those computers, and has for many decades. The manpower lost in the 10+ years it took us all to move past the 640K limit and the 1960's technology of DOS on the PC platform probably exceeded what would be required to do brute force solutions of the worldwide Y2K problem.

Imagine that someone had latched onto the business danger of loss of source code in 1960 and had sensitized everyone to the issue to the point where this kind of discussion and debate were being conducted over the need for national and worldwide standards and mechanisms for commercial and government protection against the loss of source code. Imagine the Congress of the U.S. effectively taking the position that businesses are too stupid to safeguard the source code that runs their enterprises and that the government must require the filing of copies of all source code in case anyone loses some. Or that all compilers and source editors have source recovery features. Would that have sounded reasonable at any time in the last 30-40 years? Would it sound reasonable today?

Yes, some people and organizations have lost source code. No, most people and organizations have not lost their critical source code. Those that do tend to weed themselves out, just as those who tend to make bad decisions and take self-destructive actions in any area of life, business or personal, tend to reduce their own effectiveness and participation in the game.

GAK is different, of course, in that it brings the agenda of the politics of power into the fray, and thus crypto has become the subject of an array of efforts as disingenuous as the safety arguments of unions when fighting to preserve a completely obsolete and useless job function.
All of a sudden governments who never gave a rat's ass about the risks to commercial entities of losses of any other kind of information in any other context are falling all over themselves to promote GAK because they are suddenly overcome by altruism. Right. Or because they have had a revelation and have remembered that commerce is good for the country and government is supposed to be a means of providing stable legal and public safety structure and not an end in and of itself. Sure.

Government never misses a chance to take opportunistic advantage, and the chance to treat crypto as something qualitatively different than thousands of other business and personal privacy questions and mechanisms is too good to pass up. The opportunity for government to gain access to information that just happens to be digital is of far greater significance than any offered justification based on the danger to businesses that they will be too stupid to assure their own access to their own information or the danger to nations that a few people or groups of people may be able to communicate in ways that preclude surveillance.

The only thing that GAK is about is government power over individuals and groups -- the gradual conversion of citizens into subjects, just without all the trappings of old-fashioned royalty and notions of the divine right of kings. Governments see this as an opportunity to gain access to private communications in ways that would never have been acceptable in the days of paper letters and envelopes. Because politicobureaucrats, like ants, cooperate instinctively to concentrate power in the halls of authority we see multiple facets to the attack on privacy, but they are only that -- facets of the same ugly stone.

If the best minds fall into step to build and facilitate the mechanisms to destroy individual liberty because "someone will do it," we are lost.
If "someone" does it, but the best minds are working to make a police state technologically infeasible, we may not see the light of freedom extinguished after all. In the past this battle was heavily influenced by material resources. Increasingly, the playing field is being leveled by technology. The likelihood that a small number of individuals can significantly influence the balance has passed the threshold of credible probability, witness Phil's PGP and numerous other developments. This likelihood is on an upward trend, but the forces of darkness are also making better and better use of technology.

Every person who can make a difference and isn't committed to individual freedom is an effective participant in its destruction. If we have to explain to our children and grandchildren why they have microchip transponders in their asses and all their communications are archived by the government it will be a pretty weak justification to say that we brought home the paychecks without interruption.

Thomas Junker
tjunker@phoenix.net
participants (6)
- 3umoelle@informatik.uni-hamburg.de
- Adam Back
- Jon Callas
- nospam-seesignature@ceddec.com
- Thomas Junker
- Tim May