Criminalizing crypto criticism

Alan Olsen alan at clueserver.org
Wed Aug 1 12:40:57 PDT 2001


On Wed, 1 Aug 2001, Rick Smith at Secure Computing wrote:

> I had suggested that a large number of crypto researchers take the 
> proactive (or rather, prophylactic) step of informing *all* vendors of copy 
> protection that the researchers are interested in studying the encryption 
> used in their products. The notion of this would be that such an act by a 
> large group would reduce the risk of retribution against individuals who 
> participated.

Trying to get a large group of any profession to do one thing is next to
impossible.

I can see what this is going to do to third party due diligence.

Say you have a company that wants to use product X.  But the lawyers set
in and say "prove it is reasonably secure" as a CYA measure.

There are many cases where you do not want to give the company advance
warning that you are doing this, otherwise they may try and skew the
results.  (Making "special" versions that don't work the same as the
normal one. Taking out especially dangerous features.)

BTW, this is *not* a hypothetical example.

I worked on a project under contract to break a security method used by an
e-commerce system.

When the company found out what we discovered, they were very pissed off.
If we had not had one of the bigger computer companies backing us up on
the project, they would have probably sent lawyers after us.  (At some
point, the information will get out.  The details of snake-oilness are
pretty funny, in a sad sick way.)

The security industry is going to be seriously burned by this.

If I were to get a group of people together, it would be the security
professionals. I would have them boycott the US Government and any of the
supporters of the DMCA.  Just refuse to do work for them and explain why.
(Something like "If I do my job, you might decide to put me in jail on a
whim".)

> At 05:43 PM 7/31/2001, Alan Olsen wrote:
> 
> >All they have to do is make a messy example out of one or two. (It also
> >helps if you can get a prosecutor that is working on a promotion to help out.)
> 
> I Am Not A Lawyer, so someone more knowledgeable may correct me if I'm 
> wrong, but...
> 
> There's nothing here for a prosecutor to do. There's nothing illegal about 
> a bona fide crypto researcher informing a vendor of an intent to study 
> their product, which is offered for sale to the public. In fact, the 
> researcher is complying with the legal requirements.
> 
> I don't see any way the vendor could file an injunction or take other legal 
> action simply because someone (especially one of a large number of people) 
> announced an intent to study their product, again, as a bona fide crypto 
> researcher, as stated in the law.
> 
> Rick.
> 
> 

alan at ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
 "All power is derived from the barrel of a gnu." - Mao Tse Stallman




