PGP and Compliance with SEC and Liability Rules

Tim May tcmay at got.net
Mon Nov 3 17:18:16 PST 1997
A few weeks ago I said that I thought the real reason for PGP's CMR
features and Policy Management Agent had little to do with the reasons
being discussed (by PGP employees, amongst others), things like "What if
Joe is not at his desk and his boss wants to access his encrypted e-mail?"
(and variants).

I explicitly speculated that the real reason had more to do with snooping
on employees, with the corporate security and IS departments monitoring
what is being sent and received, etc. I even mentioned compliance with SEC,
FTC, and other agency rules.

(And I'm not saying such compliance isn't a valid concern, even a mandated
concern. And I'm not questioning the property rights of business owners to
enforce policies on their property with their equipment as they see fit. I
just think PGP is being disingenuous in saying they are not actually
building in snoopware. They are, and the very same objections Phil
Zimmermann had to Viacrypt's snoopware apply to PGP 5.5 and its "Policy
Management Agent.")

Well, it appears the real reason is now emerging.

In the 1997-10-27 issue of "Macweek," an article on corporate use of
crypto, including PGP, appears. "Mac encryption finding its way into
corporations," by Larry Stevens, p. 27.

Much discussion of crypto, symmetric vs. asymmetric approaches, reasons
companies haven't been using crypto, etc.

The final paragraph summarizes a key point:

"The Gartner Group's Wheatman pointed out that PGP Policy Management Agent
allows corporations for the first time to centralize control over
encryption: "For encryption to be accepted, IT had to gain control. This
isn't Big Brother; this is necessary to comply with liability laws and SEC
regulations.""

Note: I presume "IT" stands for Information Technology, or somesuch. That
is, some corporate Information Services or Computer Services group. In
other words, snoops in some department need to use the Policy Management
Agent to monitor messages.

Perhaps PGP, Inc. will say that Gartner Group does not speak for them. Fair
enough. But I think the Gartner comments correctly capture the real reason
we hear that corporations are insisting on snoopware.

And, incredibly dangerously for us all, why the SEC, FTC, OSHA, IRS, and
other agencies may seize on CMR as a feature which "must" be turned on,
with archives of messages kept, etc. Were I a bureaucrat in their shoes, I
know I would certainly want CMR mandated. "Not for Big Brother, but to
ensure compliance with corporate regulatory rules."

This is the dangerous world PGP, Inc. is helping to build. And I expect now
that RSADSI will enter this snoopware arms race and thus the escalation
will begin in earnest.

Sadly, had PGP kept true to its core foundations of personal privacy, it
might have been able to exert some moral guidance and slow down this
headlong rush into a snoopware world. But by becoming the anointed leader
of Corporate Message Recovery and Policy Management Agent products, the
other companies can jump in with their own snoopware products, pointing to
PGP. Sad. Very sad.

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
