To a large extent, it's a volume question - if there's too much widespread use, it's too hard to control, prevent, or ban later. If the volumes of traffic and users are low, you can track users. So the government's working hard to keep volume down, both by export controls, FUD attacks on Phil, and constant offers to deal, such as Clipper I, II, III, and IV, all of which both delay widespread use of real crypto and try to introduce pre-wiretapped crypto instead. Strong vs. weak crypto isn't the real issue - for most business use, weak crypto is obviously unacceptable, but strong crypto with GAK is ok as long as it doesn't interfere with use (and as long as the government bureaucrats don't sell too many keys.) After all, any corporation, and most businesses, can be forced to keep and produce records when the government wants them to; a government-held master key doesn't change their "legitimate" access, only the convenience of legal and illegal access. Key Recovery, on the other hand, implies that you're required to either use GAK or use Weak Crypto, which is obviously Bad. Most businesses are far more opposed to things that make them wait for bureaucratic action in their day-to-day business than to the privacy issues, and they're more concerned about control and convenience than the economic rights issues (otherwise they'd be refusing to pay taxes....) The government might be able to stop new Netscape versions from using strong crypto - threatening to confiscate the company's ill-gotten gains from aiding and abetting money launderers might help, and threatening to confiscate PCs that use unapproved crypto. But it's tough to use a widespread threat like that on popular software once it's out there. A friend of mine lives in a kleptocracy; the local thugs haven't stolen his email provider's computer yet, mainly because the hardware doesn't work very well without software and administrators. But he's not willing to risk using PGP very often, because the volume is small enough they can watch everything (they give him enough trouble occasionally for using his native language on the phone instead of the local languages.) And sending stego isn't likely to be a good solution for a while, since mail volume is low enough to his remote area that sending lots of scanned photographs would be a big impact on email costs. # Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk