[118027] in Cypherpunks


Re: US encryption announcement: Business as usual

daemon@ATHENA.MIT.EDU (Anonymous)
Fri Sep 17 19:58:34 1999

Date: Sat, 18 Sep 1999 01:40:58 +0200 (CEST)
Message-Id: <199909172340.BAA26923@mail.replay.com>
From: Anonymous <nobody@replay.com>
To: cypherpunks@cyberpass.net
Reply-To: Anonymous <nobody@replay.com>

Bill Stewart:
> In the absence of technical constraints, it's hard to tell what the
> technical review could be reviewing - we're being told to believe
> that we're allowed to export full-strength crypto, and there aren't
> requirements for key compromise, and "works in North Korea" isn't a
> technical requirement, just a customer-destination one.

Declan probably hit it on the head here.  The intention is to gum up
the works, monkey the wrench, sabot the tage.  It is to make it harder
to export crypto, so that only companies that really, really want to do
it will be willing to go through with this.  It will discourage adding
crypto to other products like network interfaces, mail readers, etc.,
because suddenly you've got to jump through this technical review hoop.
It is one more barrier to ubiquitous built-in crypto, which is the law
enforcement nightmare.

Declan McCullagh:
> Why did the Clinton administration cave on crypto?
> ...
> Another answer might lie in a little-noticed section of the legislation
> the White House has sent to Congress. It says that during civil cases
> or criminal prosecutions, the Feds can use decrypted evidence in court
> without revealing how they descrambled it.

Maybe, but there is no guarantee that this new legislation will
pass.  The relaxation is not tied to the legislation.  The best the
administration can do is to push for it, but there will certainly be a
backlash from privacy advocates.  It is questionable whether this measure
will go anywhere, so it can hardly have been a controlling reason for
the administration's change of heart.

Greg Broiles:
> Some (anecdotal) information on this topic is available from Microsoft, as 
> part of their discussion of the NSAKEY discovery - they claim they were 
> forced to adopt that peculiar two-key architecture in order to comply with 
> the NSA's rules for what's exportable.
>
> Assuming Microsoft is telling the truth about this - and we've had several 
> big names weigh in on behalf of Microsoft's good faith and credibility - we 
> can conclude that, in some cases, the NSA wants to not only review the 
> technical specs, but make substantive design modifications with 
> considerable security implications prior to granting their approval.

Keep in mind that this review was done under the old policy.  There is
no reason to believe that the same kind of review will be applied under
the relaxed rules.  The only specifically stated purpose for the review
so far is to determine whether the product is truly mass market versus
"custom".  If the NSA starts coming back from these reviews and asking
for back doors or weakened crypto, that will clearly be inconsistent
with the stated policy:

: Any encryption commodity or software of any key length can now be
: exported under a license exception (i.e., without a license) after a
: technical review, to commercial firms and other non-government end users
: in any country except for the seven state supporters of terrorism.

Ben Laurie:
> Declan McCullagh wrote:
> >                      Another answer might lie in a
> >                      little-noticed section of the legislation the
> >                      White House has sent to Congress. It
> >                      says that during civil cases or criminal
> >                      prosecutions, the Feds can use
> >                      decrypted evidence in court without
> >                      revealing how they descrambled it.
>
> If you can not reveal how you descramble it, doesn't that mean you can't
> be asked to show that it actually corresponds to the ciphertext?

The claim is that the prosecutors must still prove to the judge that the
material was obtained in a reliable fashion, and that the government is
protected from revealing its original source for the data.  Generally,
judges are in the business of deciding admissibility of evidence.  This
kind of in camera review is not without precedent.

There are two dangers.  The more obvious but less important one is that
the government may simply fabricate evidence.  They make up whatever
incriminating data they want, then go before the judge and lie, claiming
that it was a valid decryption or intercept.  This can't be ruled out
but it is a risky strategy for a well-paid lawyer to risk prison just
to win a case.  The nice thing about being a lawyer normally is that
you're not the one who has to do time if you lose.

The more subtle danger is simply that this shields the government from
bending the law in order to get these intercepts.  Even though the
administration has withdrawn its proposal for black bag jobs, it is
conceivable that a secret executive order could authorize them in some
cases, on the basis of the various national emergencies which exist.
This measure eliminates one possible means of oversight into whether
the intercepted data was gained legally.

