[118010] in Cypherpunks
Re: CESA, "new" crypto regs
daemon@ATHENA.MIT.EDU (Anonymous)
Fri Sep 17 14:34:57 1999
Date: Fri, 17 Sep 1999 20:09:17 +0200 (CEST)
Message-Id: <199909171809.UAA31644@mail.replay.com>
From: Anonymous <nobody@replay.com>
To: cypherpunks@cyberpass.net
Reply-To: Anonymous <nobody@replay.com>
> they still want people to ask for permission prior to distribution, track
> end users, and reserve the right to reject some requests.
>
> How, precisely, is that liberalization? Same as the old boss, if you ask me.
The difference is that the review is done in the context of a policy
change which approves export of all key lengths in mass market software.
Previously the policy was much more restrictive. The liberalization
is a matter of policy, not of the mechanics. Focusing on the process
overlooks the substantial change which has occurred.
> And, in return for that great step forward, we're asked to accept the
> "CESA", better known as the "black bag job" legislation, with the single
> section which approved black bag jobs removed -
That name isn't very appropriate any more, is it? Black bag job
legislation minus black bag jobs = something else entirely.
> but with the other
> provisions, setting up procedures for LEO access to stored keys,
Right, like anyone's going to voluntarily escrow their keys. More than
half the bill deals with how to handle escrow agents. This is totally
obsolete; must have been left over from something composed years ago.
> and
> limiting the ability of criminal defendants or civil litigants to introduce
> evidence in court which concerns law enforcement techniques for gaining
> access to plaintext ..
They've always been limited by national security concerns, which probably
would have been brought in anyway to hide eavesdropping technology.
This broadens the exemption somewhat but judicial review is still present.
> the new edition goes even further than the original
> in protecting private trade secrets related to eavesdropping techniques,
> and allows the government to request that even former law enforcement
> agents be prohibited from revealing the techniques used to gather evidence.
"Private trade secrets" in this context seems to be a euphemism for back
doors. What other kind of sensitive information would be likely to be
revealed in learning the source of recovered plaintext? The net impact
of this section will depend on how useful such backdoors turn out to be,
and how successful the government is at getting companies to install them.
For years cypherpunks have urged the government to accept the fact that
crypto is going to be everywhere, and find some way to live with it.
Now the government is apparently doing so. They are going to work
on decryption (useless, probably a cover story for how the funds are
being spent) and back doors (useful but with the risk of detection).
But obviously the back door approach doesn't work if the method is
revealed. That's why they need this provision.
There are certainly risks of abuse with any kind of secrecy orders.
But compared to the alternatives of criminalizing the use of crypto
altogether, this is something we can live with. What we need to do is to
address this technologically, and find ways to make back doors as unwieldy
as decryption. Chances are the NSA has been working intensively on this
for more than a decade. They are 10-20 years ahead of everyone else on
the subject of covert ways of modifying target systems to acquire data.
We need to start playing catch-up.