[118021] in Cypherpunks
Re: CESA, "new" crypto regs
daemon@ATHENA.MIT.EDU (Greg Broiles)
Fri Sep 17 17:56:02 1999
Date: Fri, 17 Sep 1999 14:39:22 -0700
From: Greg Broiles <gbroiles@netbox.com>
To: cypherpunks@cyberpass.net
Message-ID: <19990917143922.A2480@ideath.parrhesia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <199909171809.UAA31644@mail.replay.com>; from Anonymous on Fri, Sep 17, 1999 at 08:09:17PM +0200
Reply-To: Greg Broiles <gbroiles@netbox.com>
On Fri, Sep 17, 1999 at 08:09:17PM +0200, Anonymous wrote:
> > they still want people to ask for permission prior to distribution, track
> > end users, and reserve the right to reject some requests.
> >
> > How, precisely, is that liberalization? Same as the old boss, if you ask me.
>
> The difference is that the review is done in the context of a policy
> change which approves export of all key lengths in mass market software.
> Previously the policy was much more restrictive. The liberalization
> is a matter of policy, not of the mechanics. Focusing on the process
> overlooks the substantial change which has occured.
There's been no substantial change - they've been approving strong
crypto for export already, assuming that the seller is willing to jump
through the regulatory hoops, track end users, and endure long delays
waiting for bureacrats to bless their software.
No change will be be detectable until February or March of next year,
when people have had a chance to request "technical review" under the
new regs .. assuming the new regs are released on December 15.
If Clinton really wants to liberalize crypto export, he can direct the
DOJ to abandon the Bernstein appeal, and let the appellate ruling become
final. We need constitutional backing for crypto possession and use -
not merely an absence of atrocious agency regulations - because (as
we've seen) agency regulations can be announced and changed overnight,
without notice nor opportunity to comment.
> That name isn't very appropriate any more, is it? Black bag job
> legislation minus black bag jobs = something else entirely.
I think it's nice to remember where the language came from.
> Right, like anyone's going to voluntarily escrow their keys. More than
> half the bill deals with how to handle escrow agents. This is totally
> obsolete; must have been left over from something composed years ago.
Good point. Probably they spent a lot of time crafting statutory
language they're not planning to use, just because they're silly or
lazy.
> > and
> > limiting the ability of criminal defendants or civil litigants to introduce
> > evidence in court which concerns law enforcement techniques for gaining
> > access to plaintext ..
>
> They've always been limited by national security concerns, which probably
> would have been brought in anyway to hide eavesdropping technology.
> This broadens the exemption somewhat but judicial review is still present.
Reviewed against what standard? The judge must decide if the evidence
would be likely to:
(1) jeopardize an ongoing investigation
(2) compromise a technique or mechanism which might be used in a future
investigation
(3) result in physical injury to any individual
(4) seriously jeopardize public health and safety
.. and, if it does, it *shall* (not "may") enter an order or take other
action to preserve the confidentiality of the technique. I don't think
there's a cop or prosecutor alive stupid enough to be unable to fit
their technique into one of the above four categories .. especially if
the argument is made in camera and ex parte (which means in secret,
without the other party present) as the section-by-section analysis
suggests.
> > the new edition goes even further than the original
> > in protecting private trade secrets related to eavesdropping techniquies,
> > and allows the government to request that even former law enforcement
> > agents be prohibited from revealing the techniques used to gather evidence.
>
> "Private trade secrets" in this context seems to be a euphemism for back
> doors. What other kind of sensitive information would be likely to be
> revealed in learning the source of recovered plaintext? The net impact
> of this section will depend on how useful such backdoors turn out to be,
> and how successful the government is at getting companies to install them.
And their success in this enveavor will probably have a lot to do with
how "liberal" the export policies are for companies which do (and don't)
cooperate with the request to install back doors.
> For years cypherpunks have urged the government to accept the fact that
> crypto is going to be everywhere, and find some way to live with it.
> Now the government is apparently doing so. They are going to work
> on decryption (useless, probably a cover story for how the funds are
> being spent) and back doors (useful but with the risk of detection).
> But obviously the back door approach doesn't work if the method is
> revealed. That's why they need this provision.
I don't necessarily agree with your characterization above, but to the
extent it's accurate, it should say ".. accept the fact that strong
crypto is going to be everywhere", and I wouldn't call intentionally and
secretly weakening otherwise strong crypto to be "dealing with it",
especially not where it involves hiding facts from juries.
> There are certainly risks of abuse with any kind of secrecy orders.
> But compared to the alternatives of criminalizaing the use of crypto
> altogether, this is something we can live with.
The choice you suggest - between criminzalizing crypto or hiding
information from juries and defendants - is a false dilemma. Congress
could leave the law the way it stands today, or they could pass
legislation reaffirming the right of every person to use any crypto they
choose.
> What we need to do is to
> address this technologically, and find ways to make back doors as unwieldy
> as decryption. Chances are the NSA has been working intensively on this
> for more than a decade. They are 10-20 years ahead of everyone else on
> the subject of covert ways of modifying target systems to acquire data.
> We need to start playing catch-up.
Sure, but we don't need to pretend that the proposed legislation is
rational, reasonable, or necessary. It's awful, pointless, and suggests
that law enforcement views the right to a fair trial as merely an
inconvenient detour on the road between arrest and punishment.
--
Greg Broiles
gbroiles@netbox.com
