
Re: Anti-Electronic Racketeering Act of 1995 (fwd)



   Date: Fri, 14 Jul 95 19:11:39 EDT
   From: Carl Ellison <[email protected]>
   Cc: [email protected]
   Sender: [email protected]
   Precedence: bulk

[I've combined parts of Carl's two recent messages...]

   I believe that the concern about defining predicate acts this way comes
   from the RICO requirement that there be TWO instances of a crime in order
   to pass the test of perpetrating a *pattern of crime* and therefore be
   ranked as a mobster subject to RICO.  My guess is that the intent is that
   from one placement on an FTP server or one posting to a newsgroup, the
   perpetrator of that heinous act will have passed his RICO qualification and
   therefore be subject to having all he owns taken from him.

I agree with Carl here.  

   The crypto section has no GAK exclusion.  It makes it as illegal to release
   GAKed crypto on a net as PGP.

The proposed 1030A(c) provides a defense to prosecution under 1030A(a).
So if GAKed crypto satisfies 1030A(c) then it can be deployed without
fear of prosecution under 1030A(a).  It might still violate ITAR, of
course, although I suspect any system that satisfies 1030A(c) would be
granted a CJ.

   >       `(c) It shall be an affirmative defense to prosecution under this
   >     section that the software at issue used a universal decoding device
   >     or program that was provided to the Department of Justice prior to
   >     the distribution.'.

   This isn't escrowed encryption being allowed here.  This is straight giving
   of keys (or a back door) to the gov't.  Even Clipper fails this test.

Why doesn't GAK satisfy this clause?  Clearly if the keys are escrowed
with two Dept. of Justice entities (or if there's only one escrow agent
and it's a DOJ entity) then DOJ will have been provided with sufficient
information to decode any encrypted information by themselves.

Certainly commercial escrow systems (such as TIS's CKE[*] system with DRCs
(data recovery centers) and DRFs (data recovery fields)) could fail this
test, since the chosen escrow agents may not be subject to DOJ control.
But I could build a CKE system with an "overriding UI (user identifier)"
that had access to all the keys, and provide that UI to DOJ.  The
"universal decoding device" would then be to go to the DRC, present that
UI and the DRF and recover the desired information.

I don't see how Clipper fails the 1030A(c) test, except possibly for the
fact that the proposed escrow agents were not both within DOJ.  I think
that's a minor point.

					--bal

[*] See ftp://ftp.tis.com/pub/crypto/drc/papers/drc.ps, Carl's initial
description of the TIS CKE system.