Re: Having your own computer means never having....
Beyond that, unrestrained encryption is dangerous to corporations, because what's to stop a ticked off employee from encrypting everything in the office as revenge for some imagined slight?
If the bozo has write privileges to everything in the office, sounds like a problem with or without encryption. Or were you just suggesting that he was going to encrypt it all and mail it to a competitor? This too seems to be a problem with or without encryption; he can just copy to floppy and snailmail to a competitor. Same with industrial espionage of just about any kind; sure it makes it _easier_ for the hypothetical spy to do his dirty work, but it doesn't actually enable him to do anything fundamentally different than he could before. I can't think of any real security risks introduced by allowing employees the use of encryption, that weren't present already. Certainly none mentioned thus far fit the bill. Obviously properly used encryption can enable the corporation to keep info in the "hands" of only those people who are supposed to have it, actually. Although of course I'm not accusing you of suggesting that corporations shouldn't have access to good cryptology; you probably wouldn't be on the list if you thought that. I'm not completely sure how different it is to say that individuals give up their right to good cryptology upon being employed by a corporation, however.
Jonathan Rochkind writes:
If the bozo has write privileges to everything in the office, sounds like a problem with or without encryption. Or were you just suggesting that he was going to encrypt it all and mail it to a competitor? This too seems to be a problem with or without encryption; he can just copy to floppy and snailmail to a competitor. Same with industrial espionage of just about any kind; sure it makes it _easier_ for the hypothetical spy to do his dirty work, but it doesn't actually enable him to do anything fundamentally different than he could before.
Companies I am familiar with make some attempts to check U.S. Mail, although this is like pissing into the ocean. Packages, though, are suspect and my old company (Intel, as you all know by now) had strict rules about sending packages, and all were subject to inspection. But I agree that it's ridiculously easy to get 4 gigabytes out of a company. In my years at Intel, my pockets were never searched. A 4 GB DAT tape.... Still, none of these examples are reasons to "outlaw" a company's ban on PGP or any other software product it doesn't want used. My recent essay explains this position in more detail.
I can't think of any real security risks introduced by allowing employees the use of encryption, that weren't present already. Certainly none mentioned thus far fit the bill.
Here's an example that inspired my early thinking about crypto, crypto anarchy, and "BlackNet," back in late 1987: Will companies "allow" employees to log on to information market services to buy and sell information? I was evaluating the business plan for the "American Information Exchange," which later got funding from Autodesk (but failed, and is now essentially dormant), and had to think about this. My conclusion: allowing employees access to such a system would be dangerous. Yes, they could log in at home, but that's no reason to facilitate "digital moonlighting" on company time. Encryption allows this to happen even if companies don't wish it to, hence a rationale for limiting encryption use, or requiring a snoop mode to spot-check what types of business are being conducted. (We may not like it, but that's tough. Forbidding a company from enforcing policies is truly disastrous.) ...
Although of course I'm not accusing you of suggesting that corporations shouldn't have access to good cryptology; you probably wouldn't be on the list if you thought that. I'm not completely sure how different it is to say that individuals give up their right to good cryptology upon being employed by a corporation, however.
Yes, employees give up various "rights" when they enter into contracts, or work for companies, etc. (They don't actually give up the rights per se, the rights just don't apply. I have a "civil right" to read "Moby Dick," in the sense that the U.S. government cannot ban it, but this does not mean I have a "right" to read "Moby Dick" while I'm supposed to be working at Apple!).

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
participants (2): Jonathan Rochkind, tcmay@netcom.com