The Crypto Winter
Tim May
tcmay at got.net
Sat Nov 17 10:00:05 PST 2001
Alternative Subject Name: Decline and Fall: Crypto without politics is
just applied number theory
This will be a long article. Fair warning.
Also, I plan to reply only to folks who make a serious effort to debate.
Folks who chime in with inanities or with "Another C-A-C-L rant!" will
of course just ignore. I don't expect much discussion, though. For the
same "lots of reasons" I mention many times below. Still, I wanted to
make these points even if only six of you are worth responding to.
On Saturday, November 17, 2001, at 12:10 AM, Declan McCullagh wrote:
> On Fri, Nov 16, 2001 at 10:31:24PM -0800, Petro wrote:
>> Part of the energy in those days was people pushing in to vastly
>> new territories, figuring out how to solve the hard problems--and there
>> were a whole bunch back then. There are still lots of hard problems,
>> but
>> they come in dribs and drabs, and often one of these new problems can
>> be
>> reduced to one or two old problems--which isn't nearly as interesting.
>
> I may have started reading the list in 1994. To add something to the
> above: Also in the early days, folks were still thinking through the
> implications of the technologies, the future was a bit sunnier than it
> is nowadays, and there weren't quite as many (this may be just wishful
> thinking) loserflamers around. In addition, the FBI and Secret Service
> and TIGTA and whatnot hadn't been interrogating and arresting list
> members.
There are many reasons/factors for the decline. Few would argue that the
decline has been a many-year process. As I lack the energy or will to
write a detailed essay (which is one of the reasons...), I'll summarize
a few basic reasons:
1. The newness issue. Even before the list/group started, finding new
and amazing implications was so easy that we were able to figure out a
bunch of things before the official crypto community noticed them. Early
list messages were often about these implications. Hal Finney, Eric
Hughes, Duncan Frissell, and a dozen others were all actively debating
these implications--years before the "crypto press" started reporting
them, years before even apologists for Big Brother started denouncing
them. The newness has shifted. I'll come back to this issue again.
2. Fewer infusions of new blood. We had some good infusions of new blood
in the 1993-95 period, including people like Lucky Green, Declan
McCullagh, and Greg Broiles. In the past couple of years, fewer creative
contributors have arrived. We had a guy from Germany, whose name I have
spaced out on, but he showed up at ZKS (another point I will get to in a
moment) and hasn't been active on the list in a long while. In the last
year or two, David Molnar stands out as a new and innovative
contributor, but I believe his is now involved in a start up in NYC and
so he doesn't post here often anymore.
A couple of apologists for Big Brother have arrived (George at Orwellian,
whom I am tentatively assuming is the same as the frequent Nomen Nescio
user: a leftie who rants about the evils of ideas here), a couple of
agent provocateurs have arrived, and several infantile flamers are still
here.
[Note: Related to this point and the one following below, we had a
_huge_ number of students and grad students active on the list in the
early years. "Wired" did a big piece on Cypherpunks in their second
issue, and "Wired" was still cool in those years. A surge of subscribers
hit the list in 1993. And Clipper was much in the news. Many of those
students contributed provocative, anarchist-leaning ideas. Many went on
to get jobs in industry, even in crypto and security. Some went to
Microsoft (Matt Tomlinson, I believe, and possibly Wei Dai, though I
could be wrong), some went to Netscape, some to RSA, and so on.]
3. The commercialization of crypto. This has been a plus and a minus. On
the plus side, several startup companies have drawn heavily from former
(or lurking) list members, including C2Net, Digicash, PGP, RSA and
Verisign, security consulting companies in the Bay Area, Zero Knowledge,
and the security departments of leading dot com and Net companies. Even
Mojo Nation, which had about half a dozen list members in it--not much
being heard from it now.
(Remember when three members of the same family were on the list and two
of them were essentially Netscape's security department! Remember when
at least three key list members worked for Digicash?) The ZKS issue
alone took half a dozen of our most significant contributors off the
list (for various obvious reasons), including Ian Goldberg, both Adams
(Back and Shostack), and some others. And when ZKS recast itself a year
or so ago as some kind of "consulting company" (??) and then when they
recently dropped the Freedom remailer/proxy service, things took another
steep decline. Even if these former list members end up leaving ZKS, as
would seem likely, I doubt they'll return to our list.)
The effects of the commercialization were manyfold (or is it manifold?)
and deserve an entire essay, but here are a few of them:
a) Cypherpunks physical meetings (second Saturday of each month, held in
the South Bay 1992-95, held all around the Bay Area after that) became
more corporate-focused. Guys at companies often recruited. A kind of
rolling job fair.
b) The projects discussed started being more and more about what some
particular company was doing
c) I believe some people are much less willing to discuss radical
implications and ideas when they think future employers may be reading,
or may have access to their posts through search engines. It may be
coincidental, but the beginning of the real decline of the list happened
at just about the same time the Web was becoming ubiquitous (which has
other implications, mentioned later) and as search engines like Deja
News and Alta Vista made it obvious that one's words on the list would
echo forever.
d) Siphoning of energy. Not a bad thing, but the commercialization of
crypto definitely meant that many long-range projects were shifted to
short-range. Depressingly, most of the short-range efforts never really
went very far. (Between the dot com crash and other things, all we
really have is what we had in 1992: basic crypto and signatures.)
e) The mess with PGP. At one point, probably a dozen list members worked
at PGP, and we often heard updates from them on new versions. (One of
those pluses as well as minuses. A plus that PGP was expanding, and that
usage was increasing, but a minus because all it really was basic
encryption stuff, so it was fairly boring to spend meetings discussing
the details of a version update.) The transfer of PGP to NAI further
confused things, and now there are probably fewer PGP users than in
1996. (Multiple versions, an OpenPGP version, a GPG effort, Zimmermann
at Hushmail, and NAI saying they plan to demphasize PGP....already a
moot point.)
[Note: There was a period when using PGP was "cool." Lots of digerati
were using it, playing with it. It showed up on "Wired"'s "hot" list.
This has changed. Lots of reasons.]
4. The discrediting of "politics." After the first heady year or two of
discussing digital money, data havens, dead drops, black nets, tax
avoidance, colonization of cyberspace, and so on, some voices began to
argue against talking politics. To be sure, the list had always been
focused on the "exploitation of crypto for meta-political purposes."
Mundane politics about left vs. right was not interesting to most of us.
Yes, the list had a strong libertarian focus, but so does much of the
Net and so does much of the computer community (with also a
lefty/Green/ecobabble contingent out there, though not on this list).
Why this is so should not surprise anyone.
The discrediting of politics was correlated to the formation of
alternative lists. Lewis McCarthy started a moderated list called
"Coderpunks" in which only code and programming techniques was to be
discussed. Perry Metger started a moderated list called "Cryptography."
Some of the active participants in Cypherpunks did most of their posting
on those lists...let a thousand flowers bloom and all. I chose not to
subscribe to those lists for a couple of reasons. First, I hate
moderated lists where some satrap decides what is OK for me to talk
about and what is not. Second, I am much less interested in the C++
coding of Rijndael than I am in discussing digital money and
quasi-political issues touching on economics, public policy, social
repudiation and reputation issues, etc. In my view, crypto without
politics is just applied number theory.
The discrediting is even happening on the Cypherpunks list. It is deeply
ironic that people who have never contributed an innovative idea,
poitical or technical, are hectoring us that "Cypherpunks write code!"
(Having been involved since the Ur-Cypherpunk days, I know precisely
what that slogan means, and it _doesn't_ mean what many think it means.)
5. The resurgence of politics and law. Strangely, despite the above
discrediting, politics and law became _more_ of the focus of the list!
How could that be? Here's a partial list: Communications Decency Act,
the Bernstein case, crypto export laws, ITAR, European plans to regulate
crypto, Napster, copyright, the DMCA, and on and on. Despite the
"Cypherpunks write code!" pseudo-mantra, more and more physical meetings
were devoted to hearing from various spokeslawyers representing the EFF,
EPIC, CDT, and other lobbying/litigating firms. More and more list
members muttered about going to law school...and some did.
(Not to besmirch the reputation of Greg Broiles, who was already
well-along in law school before beginning to contribute many fine
On to another major, possibly _the_ major, factor:
5. The boredom factor. As Declan and Petro have noted, the ideas are not
new. The same reasons that made the 1992-94 period so heady also mean
that later developments are usually just revisitations or rediscoveries
of the "nuggets" found in the early years. This is like any new field:
the early pioneers find gems and nuggest lying on the ground, lots of
low-hanging fruit. (To mix some metaphors.) Later arrivals find the
low-hanging fruit gone, the richest veins of ore already mined.
(I have not given up. There are amazing things yet to be done. I had a
stimulating discussion with some computer pioneers last weekend and am
redoubling my own efforts in my "ontology" project I have occasionally
mentioned.)
The "read the archives!" advice often given, especially by me, is only
to be expected. When literally tens of thousands of articles, some of
them very long and detailed, have already been written on core topics,
why should any of the "old-timers" spend an hour writing an essay to
educate a newbie who is unwilling to even spend a few minutes with
Google looking for already-written articles?
(And many of the newcomers are shockingly ignorant of even the basic
definitions and ideas, ones that have been written about in full-length
articles. My own chapter-length essays outline the basics and have been
included in recent books like "Building-In Big Brother" (Ludlow),
"Crypto Anarchy, Cyberstates and Pirate Utopias" (also Ludlow), and the
forthcoming "True Names and the Opening of the Cyberspace Frontier"
(Vinge, Frenkel, others). Any search on the keywords so common on our
list will turn up full-length articles, as well as the "Cyphernomicon"
mega-FAQ I spent (wasted?) about a year of my life working on.)
6. The failure to get true digital money. Call it what you like,
"digital cash" or "ecash" or even one of Hettinga's pet names, but the
fact is that for both political and technical reasons we don't have
digital cash. This has ripple effects for nearly all of the constructs
which depend on digital money: data havens, good remailers, black nets,
beacons, and of course for certain sociopolitical implications of
untraceable transactions.
Without this basic building block, we are left just with the "privacy"
stuff...and the privacy stuff is both fairly boring and at the same time
wrapped-up in legal/political baggage about secrecy, hiding things, etc.
Boring!
Why digital money has not happened is still an interesting topic to
discuss. I described the two axes of "value of untraceability" versus
"cost of untraceability" in an article I wrote a few months ago. I
characterized the "millicent ghetto" that most companies have
concentrated on, and the fallacy of the "one size fits all" pricing
models.
Now, given the events of 911 and the rush to control the Net and to
impose new and unconstitutional limitations on what people can do with
their own money, the likelihood of a quasi-visible digital money
operation like Mark Twain Bank setting up seems to be nil.
Money-laundering laws, and the attempted crackdowns on "hawalah"
exchanges, will mean any digital cash effort will have to be done beyond
the margins of the law. Maybe for something with no identifiable nexus,
something beyond even what Gnutella and Freenet are doing. Beyond
Morpheus/Music City, beyond Mojo Nation, beyond _any_ of the current P2P
efforts. (By the way, the only book that I know of on Peer-to-Peer
computing has references to the pioneering role that Cypherpunks played,
in remailers, in screen-saver code crackers, etc. Look to the archives
from 1992-94 and one will see most of the P2P issues covered, from the
point of view of distributed, agoric models, black markets, etc. My own
BlackNet, 1988, is obviously a P2P model.)
This failure to get workable untraceable digital cash (true 2-way
untraceable, not the bastardized, banker-friendly, government-friendly
one-way untraceable form) is the _deep_ reason things are stagnating.
And we are not alone...
"How to make money off of these ideas" is the fundamental reason the dot
com crash happened. Absent efficient digital payment systems, and absent
strong cryptographic constructs to build cyberspace structures, just
about the only working model for funding all of these dot com things was
"online advertising." That, coupled with scads of companies all
figuring they would dominate their markets.
I'm concentrating here on the online digital services companies, not so
much the "clicks and mortar" companies trying to sell dog food over the
Net (yeah, the pets.com and boo.com companies failed, but in their cases
the Net was just another communications medium for basically a
mail-order or phone-order business). More interesting are why the
crypto-related companies are failing. People just aren't paying for
digital signatures, encryption, and other "Cypherpunkish" things.
This doesn't surprise me at all. But, I see that I am drifting away from
my intended brief listing of reasons for the decline and am instead
moving into something that should be saved for another article.
In closing, the long-term prospects for our ideas are still bright. The
"degrees of freedom" (multiple senses) still mean that crypto anarchy
will likely triumph over central control. But we probably are facing a
"crypto winter" lasting at least 5 years, and maybe much longer. The
moves to expand wiretapping and surveillance, the Carnivore boxes, the
rapid move to reduce civil liberties in the wake of 911, the calls by
various European and Asian countries to crack down on use of the Net,
and the draconian restrictions on money....all of these things will make
it very difficult to establish Cypherpunks technologies.
Maybe a collapse will come, maybe P2P will sneak these ideas in through
the back door (*).
(* as might well have happened sooner had Napster _started_ in a
distributed, no nexus sort of way instead of starting as a central file
server with a huge "Sue me!" sign painted on the roof of their San Mateo
offices)
The thing I would advise folks to do is to not think about getting rich.
Those who lust after the riches of an IPO for their Digital Signature
Datawhack, Inc. startup are probably heading for crushing
disapppointment. "Do what you love and the money will follow" is still
good advice.
And working on the interesting stuff, even if it doesn't appear to be
"commercial," will probably be where the commercial things of ten years
from now come from. There are so many examples of this from past years
that I can't begin to list them here.
Well, now I'm again moving afield into career advice, so I'll stop here.
Best wishes,
--Tim May
"Gun Control: The theory that a woman found dead in an alley, raped and
strangled with her panty hose, is somehow morally superior to a woman
explaining to police how her attacker got that fatal bullet wound"
More information about the cypherpunks-legacy
mailing list