New PGP "Everything the FBI ever dreamed of"

Vin McLellan vin at shore.net
Sun Oct 5 23:22:00 PDT 1997



>An article in today's (Fri, Oct 3) New York Times (CyberTimes) ...
>describes the new release of "PGP for Business Security 5.5," which
>contains mechanisms that incorporate key recovery mechanism that can
>either be voluntary or be enforced by using PGP's software for controlling
>a company's SMTP server -- the server can verify that all encrypted
>messages include the corporate public key (or conform to other corporate
>policies):

	Alex Le Heux <alexlh at xs4all.nl> noted:

|>	Keep in mind that this is the 'PGP for Business'. Companies often
|>operate on the principle that email that's sent and received from
|>their machines is the company's, not the employee's. This is actually
|>reasonable business practice. Specially when encryption enters the
|>picture. The employee could walk under a bus, and leave some vital
|>but encrypted emails in his mailbox. This could be a real problem for
|>corporations.

	William H. Geiger III <whgiii at invweb.net> brushed aside PGP Inc's
critics to complain:

>>This has been discussed before on this list and others, and few have
>>disagreed, that a company has a legitimate need to be able to access its
>>encrypted data. If employees want to send love letters or whatnot then
>>they should not be doing it on company time using company resources.
>>
>>If a corporation wishes to establish a company policy that all
>>correspondence be encrypted with the company's master key it is their
>>right to do so and IMNSHO it would be foolhardy for them to do otherwise.
>>
>>Claiming that they are doing the work of Big Brother is a cheap-shot and
>>uncalled for.

	With respect, Gentlemen, I think you are missing the point.

	There is no corporate demand for a key-recovery mechanism which
allows Management immediate real-time access to all encrypted electronic
communications.  This new PGP facility is analogous to key-escrow or
key-recovery for session keys; in essence, it's a backdoor to the session.

	Here in the US, FBI Director Louis Freeh has been pointed in his
comments about the distinction between key-recovery for stored data and
key-recovery for transient electronic communications.  Key-recovery for
encrypted stored data, Freeh noted, serves a sensible and pragmatic
business need.  Corporations will do it because it's a necessary part of
their Disaster Planning.

	But, as Freeh noted several times in Congressional testimony, there
are few if any business requirements for surreptitious, real-time, access
to online communications, so businesses (unless forced by legislation,
argued Freeh) simply won't do it.  It is police agencies, not Management,
which seek real-time access to all encrypted e-mail.  No one but the Govt
wants it.

	Management, at least in the US, doesn't need this sort of
evidentiary data. Management has an employee who can be required to keep a
copy of all business e-mail for Management review; or required to cc his or
her boss on all e-mail to a customer -- or even forbidden to use e-mail for
anything other than business mail cced to the boss. And, of course, the
employee can be fired if he/she doesn't comply.

	But the truth is: Management doesn't need the aggravation and --
while the standard of management oversight is more lenient, at least for
professional staff -- no company can keep talented employees if it treats
them this way.  Surreptitious universal access to an employee's encrypted
e-mail _is_ like sound and video pickups in the bathrooms.  Vastly
intrusive; humiliating; diminishing. Far more intrusive than is useful or
necessary for conventional management needs.

	It is the work of Big Brother, sadly.

	GAK-enabled PGP, plain and simple!

	As Director Freeh noted, it's only LEAs who need and want this.

	The likely early victims of such a draconian oversight will
probably be the long-suffering US government employees.  With no evidence
to support my supposition, I'll bet the GAKed-crypto strategists are once
again offering the federal workforce as the sacrificial lambs, as they did
with Fortezza.  Trying (again!) to use the bulk federal purchasing power to
establish a de facto product standard.  Watch over the next six months. I
think they used the new -- "post-Fortezza," pre-PKI -- prospect of huge
'98-'99 federal purchases of COTS crypto for non-classified DoD and
civilian agency e-mail to lure Mr. Zimmermann, major stockholder, into
swallowing the words of Feckless Phil, the wild and wooly free-crypto
rebel.

	Anyone wanna wager that this "design option" evolved concurrent
with a quiet MOU-structured review of the New Improved PGP by the X
Organization at Ft. Meade?   Nor, I fear, will this be the last enhanced
cryptographic communications app to come out of vendors active in the NSA's
new Commercial Liaison initiative.  Big federal market. Big lure. Hard not
to give the Customer what he wants.

	Still, it's sad.

	(I, btw, am moderating a panel on the "Prospects for Government
Control of the Internet" at the NSA/NIST-sponsored NISSC in Baltimore this
week.  Among my panelists are David Herson, the top pro-GAK policy maven
for the European Commission; Tom Black of Smith System Engineering, the
network specialists commissioned by the European Parliament to figure out
how to enforce content regulation; Patricia Edfors, the Chair of the
federal PKI Steering Committee and the Security Champion on GITS;  Dave
Farber of UPenn, the Internet Society, and EFF; and Danny Weitzner of CDT.
Powerful and articulate voices from all sides of the Question.

	Thoughtful and non-obvious suggestions for questions to the Panel
would be welcome -- to the List or in private e-mail. TIA.)

		_Vin

      Vin McLellan + The Privacy Guild + <vin at shore.net>
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
                                  -- <@><@> --







