Do the Right Thing

[Timothy C. May]

My thesis is that both Netscape and Microsoft are in positions at this time
to either do the right thing (tm) or to help build in the tools for a
police state, an Orwellian surveillance state.

Netscape, being the dominant browser company, and Microsoft, being the
dominant OS company, are in special positions to "build in Big Brother."
I'm not claiming they are, just that they are clearly in a position to make
it technologically more feasible to make non-GAK illegal. They both need to
carefully think about the role that's been "given" to them (whether by
fortune, hard work, or being in the right place at the right time) and do
what's right.

Strong words, perhaps, but the implications of mandatory key escrow are
quite clear. We debated these points for a long time during the Clipper
debate, and later when "Software Key Escrow" began to rear its head. I
won't repeat these arguments against GAK here, but will take this
opportunity to quote from a new book that actually quotes my words:

"May, ever the idea juggler, also weighed in with some powerful arguments
_for_ PGP that appealed to a stodgy old Democrat (small "d" as well) like
me. Even the Feds should have grasped them. "Could strong crypto be used
for sick and disgusting and dangerous purposes?" May asked. And then he
answered himself: "So can locked doors, but we don't insist on an 'open
door policy' (outside of certain quaint sorority and rooming houses!). So
do many forms of privacy allow plotters, molesters, racists, etc. to meet
and plot." Whatever May was, anarchist, libertarian, objectivist, or
nothing, he was making more sense in those three sentences than Baker could
have in a 1,000 essays."

[David H. Rothman, "NetWorld! What People are Really Doing on the Internet,
and What it Means to You," Prima Publishing, 1996. Note: I don't recall
meeting Rothman, and didn't know about this book until I stumbled across it
last night in a bookstore.]

It is important that such companies as Netscape and Microsoft fully
understand that crypto policy will largely determine civil liberties in
this country and other countries for a long time to come. And they must
understand that they can influence the direction. Bill Gates, after some
early waffling, seems to now fully understand the implications of GAK and
has written persuasively against it. Jim Clark does not seem to me have
thought about it as deeply, or perhaps has views of civil liberties which
are not at odds with mandatory key escrow, the "open door policy" mentioned
above.

And time is of the essence. Things move very fast. It is no longer the case
that a law is passed, then companies respond to the new legal regime with
their own policies and products. Companies, especially in high tech, are
"partners" from the start, as we saw with the Clipper development (where
AT&T had known about Clipper for years prior to the first public
announcement, and was cooperating in the development of it, not to mention
the other companies such as Mykotronx, VLSI Technology, etc., which were
involved in secret for years).

It is only sheer speculation on our part (some of us, at least) that
negotiations about GAK have been going on with the major software
companies. Jim Clark, for example, learned what he knows about key escrow
_someplace_, and it probably wasn't from our list or from articles he'd
read. I'm betting, but could of course be wrong, that he and other folks at
Netscape (and I mustn't leave out Microsoft, Sun, SGI, Apple, etc.) have
been briefed on key escrow and that various negotiations are already
underway. This would match how things were done with Clipper, and would
explain Clark's voiced support for the need for GAK.

I hope Jeff W. and Jim C. can have some _long_ chats. The stakes are too
high for product decisions to be made without full awareness of the
implications. The statements from Jim Clark do tend to imply a kind of
defeatism, and even Jeff's comments seemed laden with qualifications about
"only if the government requires us to." As Hal Finney noted in his post,
it's as if the Netscape people are preparing for the inevitable. Maybe it's
not an indication that GAK is being considered within Netscape, but maybe
it is. After all, one rarely hears "only if we have to" qualifications on
things that are truly from out in left field.

And what Netscape agrees to put in future releases of its browsers or its
servers could have dramatic effects on the whole climate.

(A side point, somewhat abstract: The dominance of Netscape, rising from
nowhere to becoming the major player in this debate, illustrates a point
about "monocultures" and their ecological effects. If yellow corn is good,
replace other strains of corn with yellow corn. Pretty soon, the world's
corn output is 96% yellow corn. Some ecological downsides to this. In this
case, Netscape is becoming the yellow corn of the Web, and an obvious
"choke point" for the NSA and its sisters to mandate crypto policies.
Hence, the role of non-yellow-corn alternatives...)

Should Netscape play ball with the NSA or refuse to cooperate? I'm not
suggesting that Netscape "break the law." Actually, there are *no* laws at
present about GAK or about the use of strong crypto within the U.S., and
most of us want to keep it that way. Thus, Jim Clark and Netscape could
strongly lobby for keeping things the way they are, and could even say "If
foreign governments demand GAK, let them build it in themselves--we will
not produce the software to run a police state."

And if export laws demand GAK in exported products, Netscape should "do the
right thing" and have two versions. It may add to their costs a little, but
it's better than building in the machinery for a GAK law to later be
passed.

(Explain something to me. I have never, ever understood why it is a concern
of the U.S. government that we help build in GAK for foreign governments,
that we make sure that products intended for export to France or Syria have
GAK that allows those governments to read the traffic of their citizens.
And if the concern is that exported versions of software must be readable
to the _United States_, then this is a non-starter in terms of sales in
many or even most foreign countries! I'm sure France will welcome with open
arms a version of Netscape that allows the NSA to read the traffic of
French citizens. Oh, by the way, what legal jurisdictions will be involved
in obtaining the escrowed keys of foreigners? The answers are both clear
and murky, if you catch my drift.)

If the U.S. insists on GAK _within the U.S._, as many of us fear is the
long-term danger, then all bets are off anyway. But I would hope that
Netscape does nothing to make it _easier_ to make this the case!

A viable thing for Netscape to do is to announce forthrightly that it will
separate the issue of export from what it sells in the U.S., that there
will be NO GAK included in any U.S.-sold packages. The quest for an "all
world" version, freely exportable, should not take precedence over the
civil liberties issues. And I predict that any slight losses in market
share or slight increases in product cost will be _less_ than the effects
Netscape will see if their product comes to be associated with "Big Brother
Inside."

Enough for now.

--Tim May


Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."