Info Age Crime Terror and War

[Tim May]

At 9:09 AM -0800 11/13/98, John Young wrote:
>Senator Kyl has issued a long report, "Crime, Terror &
>War: National Security and Public Safety in the Information
>Age," which recounts his Subcommittee's hearings and
>recommendations on encryption, Y2K, terrorism, info war,
>domestic preparedness, wiretap, and more:
>
>   http://jya.com/ctw.htm  (97K)
>
>It describes a plan to combat threats to critical infrastructure
>and the US homeland which, if implemented, would criminalize
>much held dear to a few of this list's subscribers; other lurkers
>will be overjoyed to read Kyl coming to the rescue of careers
>and budgets of MIB and their suppliers of technological of
>political control.
>
>He wants DoD to get cracking on domestic protection, move over
>piddling LEA. Civil liberties, nonsense. Crypto genie out of the bottle,
>more nonsense. Getting government access to encrypted
>communications, you bet. Through commercial products, yep.

I'll address one section, near the end of the report:

--begin excerpt--

The "genie premise" is that encryption software is free and widely
available (PGP being the most frequently cited example), rendering moot any
attempt to impose controls
over its transfer, manufacture or use. Yet at the same time, manufacturers
and sellers of products with encryption features argue that they are losing
market share to foreign
competition because of export controls. Which raises the question: if users
can simply download encryption software for free, why is there still a
market for American products
with encryption features?

The answer must be that the demand for American products is based on
something more than encryption features alone. If that is true, it implies
the possibility of addressing
the needs of law enforcement without jeopardizing market share. In that
regard, Chairman Kyl offered a model of the domestic market for information
security solutions. The
proponents of domestic controls may have done a disservice in focusing on a
one-size fits all technical solution such as "key recovery." Such a focus
limits the search for
acceptable solutions to the cryptography-without due regard to the reality
that cryptography is just one piece of the information security puzzle.
Chairman Kyl's framework
suggests that discrete applications and user groups must be addressed
individually, providing an opportunity to identify promising technical
solutions for accessibility where
and when it is most useful.

--end excerpt--

This tells us that the focus of our Cypherpunks efforts should continue to
be on "payload" crypto and integration of interesting crypto items into the
text or HTML payloads which these other applications work with.

It looks obvious from the above--and from our years of seeing Jim Clark and
suchlike talk about "meeting the legitimate needs of law enforcement"--that
the Feds will try to get the applications makers to incorporate key
recovery. Ditto for the routers and packet movers.

But all this is mooted by two major approaches:

1. Crypto at the message, or text, or payload level. Whatever Netscape or
Microsoft or Lotus may do at the application level is made moot if people
are using PGP or similar approaches. Furthermore, the constitutional
protections are strong at the message level--jailing a person for not
writing in an approved language is rather clearly a violation of the First
Amendment.

(This is a familiar message, about concentrating on the _contents_ of
communcation systems. Many of us have been making this point for years and
years. But it bears repeating in light of things like "Private Doorbell"
and attempts to build CALEA (Communications Assistance for Law Enforcement,
aka Digital Telephony) compliance into various systems.)

I like the integration of PGP into Eudora, but I would rather have to do
manual cut-and-paste operations than have some CALEA-compliant version of
Eudora implement GAK-friendly crypto. I'm not accusing the Eudora folks of
thinking of doing this, just trying to look ahead a few years to a world
where the major ISPs and Web corporations have acquiesced to CALEA
pressures.

2. Proxies and offshore remailers. Whatever the U.S. gov't. does, hard to
control offshore services. And, again, the crypto needs to be at the
payload level, so that all traces of GAK and whatnot can be easily removed.
(The "::request-remailing-to" in the text field being a beautiful example
of this. Very hard for governments to insist on what can and cannot be
inside text fields!)

And applications like digital money, if they ever get off the ground, will
also benefit from some of the same kinds of thinking. (Ian Goldberg's
demonstrations of his variant of Chaumian digital cash were of this sort,
using conventional tools with the salient digital cash stuff orthogonal to
the basic communications tools. We want this instead of, say, "Netscape
Cash," implemented as part of Navigator and fully compliant with TLA
wishes.)

Anyway, I haven't been able to work up a lot of energy to write stuff here
on the Cyphepunks list, for the usual reasons, but reading this Kyl report
on plans to further stifle civil liberties motivates me to emphasize the
obvious.

--Tim May

Common Y2K line: "I'm not preparing, but I know where _you_ live."
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.