Attitude and Assumptions

[Jon Callas]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the course of all the discussion here, I have seen a number of implicit
attitudes and assumptions that irritate me. This is a short rant to air my
irritation.

The first thing that bugs me is what I'm calling Crypto-Correctness. I
don't know a single person on cypherpunks who is against privacy, or is
against the notion that in the information society, keeping and bearing
crypto is an inalienable human right. Politically, I'm a Lockeian, and put
privacy up there with Locke's basic trio of life, liberty, and property. As
part of this, I fight the stupid notion that because there are bad people
out there, rights should be abridged. 

Crypto is a tool, and nigh any useful tool can be misused. If we let that
fact stop us from making tools, we'd be using nerf axes and dressing in
bubble wrap. If we let the fact that bad guys are using our stuff bother us
too much, we'd be against privacy.

Here at PGP, we like to make hay out of the fact Burmese freedom fighters
use PGP. A while ago, Tim May sent out something in which he stated that
Hamas uses PGP, making the very valid point that one person's freedom
fighters are another person's terrorists. He implied that they're not using
just to tell each other where the best hummous shops are, and I don't doubt
it. I like to say (now that I'm no longer an arms maker) that we are like
the Red Cross in that the Red Cross gives medical attention to everyone,
regardless of their moral worth; we supply privacy software to everyone,
regardless of their moral worth. In the days when crypto was a munition, I
used Winchester as a metaphor, complete with Sarah's cute bungalow.

In its milder forms, Crypto-Correctness thinks that if a bad guy is using
crypto, then it's a mitigating factor on what they're doing. I can see that
it might come from not liking tack-on laws like the clause in the present
bill that makes using crypto to hide a crime illegal. This is deplorable.
But using crypto doesn't make something good.

In some of its other forms, it pushes into what I perceive as
Crypto-Socialism. We just shrug if suicide bombers or paparazzi are using
crypto, but if a property-owner wants to use it, you can just hear the
sharp intake of breath. If that property-owner is Big Business, there are
howls of indignation. I get the impression that some people think crypto
should only be produced by non-profit organizations for the use of
non-profit organizations, or those that had the common decency to get their
profits illegally. 

The next thing that bugs me is that the government has us so scared of our
shadows that we look askance at anything that might make crypto
mass-market. Right now, crypto is rocket science. Many of the people who
need it most are only going to understand it after years of
acclimatization. The sorts who inhabit the nightmares of tech-support
people are going to take at least one more turn of the wheel of Maya to get
it.

I think a lot of people here think that blade guards on crypto in any form
is stark moral evil. You lost your data? Good. Shows you're not worthy. You
shouldn't have data anyway. Information is property, and property is theft.
In the crypto-anarchist future, after the withering away of the state, you
won't need property anyway. I suppose we'll all just eat e-cash.

I really believe that this panicked, bunker-mentality fear of anything that
might complicate the system with blade guards is doing the cause of freedom
a sever disservice. Business people are subjected to a lot of the asinine
annoyances and minor evils that government brings, too. If we get them on
our side, they will be a powerful ally.

I believe that the central thesis of crypto-freedom is that it doesn't
matter if a document is on paper or in a text file; it doesn't matter if a
conversation is on the phone or in a restaurant. The medium doesn't matter.
My papers and effects have the same protection on a disk as on paper itself.

We all know that deployment is the key. But real deployment means deploying
to people who don't know how their toaster works, too. If we don't solve
this problem, we'll get hit with the backlash. Just you wait, once crypto
becomes trendy, there will be a Time cover story with some headline like,
"How Much Privacy is Enough? Who's Really After You, Anyway?" and in it
will be sob stories about how people lost their passphrases, were
blackmailed by employees (ask me, I have real-world tales of this), or
can't decrypt their backups. Congress will have hearings, and they aren't
going to be fun to watch. Is trying to head this eventuality off (yes, I
believe it's inevitable) really the work of Satan?

The last thing that really, really bugs me is the hostility that's directed
towards PGP Inc. because now we're an Inc.

The core group of people who are here are the same people they always were,
they're just being paid now. I'd love to be independently wealthy and do
this for the crypto-anarchist, non-profit joy of it, really I would. But
you know, as the great crypto-socialist Balzac said, "behind every great
fortune, there is a great crime" so I suppose we must be up to no good.

This is a blues riff, so let me tell you how we've paid our dues before I
get to the chorus:

We published our source code. One of our potential partners said and I
quote, "Are you mad?"

We stand firm on the issue of No Weak Crypto. A noted GAK proponent asked
me at a conference, "Aren't you folks going to do an export version?" I
replied, "Sure we are." This person asked, "When?" I said, "The day after
the law changes." 

We put out a freeware product, hoping people will upgrade to the for-pay
version. If you're thinking of your own startup, let me give you some
investment advice: the crowd who thinks the X-files is a documentary
doesn't upgrade to the for-pay version.

We started an IETF working group that will take our core technology and put
it out for anyone to use. They will own change control. We won't be able to
use any patents or intellectual property to enhance our business position.
We won't be able upgrade the protocol without a vote.

The only thing we offer as a selling point is our superb engineering and
our good name. The business version is funding the rest of the ball of wax.
Are you afraid we'll make a deal with the devil? I have two comments on that:


(1) I work in Silicon Valley. I tell headhunters, "no thank you" every
week. I took a pay cut to come here. I can get a 20% raise by going to
WebFoo any time I want. My options aren't worth what I would have gotten as
a layoff package had I stayed at Apple. If I send out an email message that
provides "technical support" to furriners, I could land in jail. I'm here
because I care. Ask the people here who left behind Cisco options at 40 if
they care.

(2) There's one surefire way to make sure we don't make any deals with the
devil. Buy the product. Encourage your friends, your mother to buy the
product. If you see someone who is using the freeware version, send them a
polite message to buy the product. Buy one and send it to your
congresscritter. If you don't, what you're saying is, "crypto-freedom is
very important to me, as long as I don't have to spend $49 on it." Convince
your employer that $119 isn't too much to pay for meta-introducers. Make
the crypto market so hot that someone competes with us by being badder than
us.

Oh, yeah, baby, I got them crypto-startup blues.

	Jon




- -----
Jon Callas                                  jon at pgp.com
Chief Scientist                             555 Twin Dolphin Drive
Pretty Good Privacy, Inc.                   Suite 570
(415) 596-1960                              Redwood Shores, CA 94065
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
              665B 797F 37D1 C240 53AC 6D87 3A60 4628           (RSA)


-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5

iQA/AwUBND7PCH35wubxKSepEQKD9QCgwPoRbXSHyueb9U4fLztaQkAKLlQAoNdC
kX1gOsFsBZ6YDtC9AX5X/VU9
=IiAC
-----END PGP SIGNATURE-----