The public sees no need for crypto at this time

[Timothy C. May]

I believe that at this time the differential market value to customers of
having strong crypto in telephones is near-zero, and in cell-phones is only
slightly greater. My reasons will follow below.

I'm explicitly discussing "things as they are" rather than "things as they
should be."

At 9:10 AM -0500 11/21/96, Clay Olbon II wrote:

>I think we need to keep a couple of goals in mind.  The first, is to get
>encrypting phones (or phone add-ons) into Wal-mart, K-mart, etc (where
>probably most Americans now buy their phones).  The prices need to be low
>enough that people will want to buy them (<$100?).  Is this technically
>feasible?  The comsec device from the above URL already demonstrates the
>needed capability.  Is the cost target possible?  My guess is soon, given
>the lowering costs and increasing capabilities of current processors.

While I would certainly _like_ to see wider use of crypto, and crypto
deployed ubiquitously in products like telephones, cellphones, pagers, and,
of course, computers and networks, I think any honest appraisal of market
conditions must conclude that there is little _average American_ awareness
of, or demand for, crypto.

One could cite many reasons. Here are some that I see. (Note: I'm not
saying these are true for me and thee, nor for everyone else. And these
reasons may change with time. But for now, I think they're pretty accurate.)

* Most people don't think they're targets of wiretapping. They don't think
the FBI is tapping their phones, and they've never even heard of the NSA,
let alone GCHQ, NRO, SDECE, etc.

* "What have I got to hide?"

* Given a choice to use ordinary phone lines or cordless handsets, with
attendant ease-of-eavesdropping issues, they'll take the convenience of
cordless handsets nearly every time. (And the 900 MHz increase-security
cordless handsets are not yet in heavy demand...they'll succeed when
they're as cheap as ordinary cordless phones.)

* Security always takes some effort. The military can have it only by
having elaborate protocols, checks and balances, and essentially full-time
"crypto" personnel to go through the rigamarol of setting up secure
communications and locking up key material according to elaborate
procedures.

(I like to cite the evolution of metal safes. Mosler Safe Company says the
driving force behind safe design, and deployment to merchants and banks,
was the _insurance business_. Instead of preaching about the value of
increased security, the insurers--who knew how to take the long
view--offered rate discounts if stronger safes were installed. Voila,
stronger safes. Until similar incentives exist for data--e.g., insurance
for loss of patient records, confidential dossiers, etc.--I doubt most
people will listen to the "preaching.")

* Look at how few people--myself included--routinely use crypto (digital
signatures, etc.) here on this list! It is now "worth it" to me to
digitally sign all messages. (Please, don't send me your personal
experiences or your scripts for interfacing Pegasus Zapmail to PGP 2.8!)

* Even those with secure phones--STU-IIIs and Clipperphones--admit that
they rarely use the features. (Recall several stories where advocates of
Clipper had to take the books and magazines piled up on top of their
Clipperphones, dust them off, and try to remember how to initiate a secure
conversation!)

* And this raises the problem of: whom do you communicate with securely? If
your friends and family don't have compatible hardware, what's the point?
Sure, some corporations and enterprises will take the plunge and buy sets
of units, but Joe Public will likely not, at least not until a critical
mass of compatible crypto is installed...perhaps a decade or more from now.

* In short, most people don't see the need. They're not doing things they
think would warrant surveillance, and they have no experience with bad
effects from wiretaps or whatnot. Just not on their list of things to worry
about. And they don't want the additional confusion, learning, and
incompatibility with what their friends and coworkers have.

As to the larger issue of "edcucating the public," I think this is almost
always an exhausting and fruitless task. Do-gooders have been trying this
for decades, even longer.

(Don't let me stop you, anyone. But I think it's unlikely that a new
campaign to educate people about a potential risk that they have never seen
any concrete evidence for in their own lives is going to do much.)

When crypto is cheap enough, it may be a selling factor for a consumer
making a choice. How much extra people are willing to pay is unclear. And
there are "sophisticated users" who may pay extra for such features.

And certainly there does not have to be "wide acceptance" for crypto to be
deployed to the "point of no return" (hint: this is a more important goal
to me than acceptance by Joe Public). For example, the SSL and SWAN stuff
is incredibly important, because wide encryption of network traffic, even
if Joe and Jane Public are not using crypto at home, means surveillance and
vacuum-cleaner types of NSA monitoring are made ten thousand times more
difficult. Which may be enough to secure for us the blessings of crypto
anarchy.

P.S. I'll be away at the Hackers Conference in Santa Rosa, CA for the next
several days, and then travelling for the American holiday of Thanksgiving
Day. So, I'll be mostly away from the list for a while.

--Tim May



>The second goal needs to be to push a similar product for cell-phones.  I
>think this will be perhaps an easier sell, given the higher initial cost for
>these phones, and their reduced security.  Perhaps a home device could be
>sold with the cell-phone as a package deal, so that communications with the
>"home base" (i.e your office, home, etc) would be secure.  With the rapid
>growth in cell-phone sales, selling a package such as this might ensure a
>larger user-base of home devices.
>
>Given that these goals are met, I think widespread use of crypto over phone
>lines would become almost inevitable.  However, the fun part would be the
>introduction of such products.  The FUD coming from police, the government,
>etc. would be amazing to behold.
>
>        Clay
>
>
>
>*******************************************************
>Clay Olbon			    olbon at ix.netcom.com
>engineer, programmer, statistitian, etc.
>**********************************************tanstaafl


Just say "No" to "Big Brother Inside"
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."