
RE: Do the Right Thing



I personally believe that this topic does not deserve the heat that it
has generated on this list. This opinion could change. I'll have a much
better idea Tuesday evening when I've had a chance to hear the latest from
NIST on GAK for export.

Much of the complaining in September was that vendors didn't want
to build two versions, one domestic and one for "export".
Netscape is currently doing at least two, and probably closer to
ten if you count Windows 16, 32, Mac, Motif, etc.

  [email protected] (Timothy C. May)  writes:
> Netscape, being the dominant browser company, and Microsoft, being the
> dominant OS company, are in special positions to "build in Big Brother."
> I'm not claiming they are, just that they are clearly in a position to
> make it technologically more feasible to make non-GAK illegal. They both
> need to carefully think about the role that's been "given" to them
> (whether by fortune, hard work, or being in the right place at the right
> time) and do what's right.

Except for Louis Freeh and Dorothy Denning, I haven't heard real people
support GAK domestically, although Geoff Grevildinger's pitch at the Sept
NIST meeting was 99 & 44/100% domestic. I'll be listening pretty
carefully this Tuesday.

I think we need to save our fury for real statements about making
non-GAK illegal for domestic use. If this starts to condense out
of the Ether, I expect that the civil liberties lobbies will
get real loud. The ACLU and VTW were both vocal at the September
meeting, and EPIC was there, along with folks like Professor Hoffman of
GW.


> And what Netscape agrees to put in future releases of its browsers or its
> servers could have dramatic effects on the whole climate.

I have no problem with Netscape having a GAK-ified browser in addition
to a real one. At least as long as the GAK'd version is clearly identified
-- a logo saying "big brother inside" covering 25% of the screen should
do it for me.


> And if export laws demand GAK in exported products, Netscape should "do
> the right thing" and have two versions. It may add to their costs a
> little, but it's better than building in the machinery for a GAK law to
> later be passed.

Netscape is currently doing two (or ten) versions. This simple
fact seems to have been lost by most of the posters in the
past few days.

If the issue is just that people don't like the idea that the free,
downloadable version is GAK'd and that they have to pay $50 for a browser
with strong crypto, please take your whining off list. Or find
one you like (Netmanage's is too buggy for me, but Mosaic version 2 is
quite usable, as is Microsoft's, IMHO).

> (Explain something to me. I have never, ever understood why it is a
> concern of the U.S. government that we help build in GAK for foreign
> governments, that we make sure that products intended for export to
> France or Syria have GAK that allows those governments to read the
> traffic of their citizens. And if the concern is that exported versions
> of software must be readable to the _United States_, then this is a
> non-starter in terms of sales in many or even most foreign countries! I'm
> sure France will welcome with open arms a version of Netscape that allows
> the NSA to read the traffic of French citizens. Oh, by the way, what
> legal jurisdictions will be involved in obtaining the escrowed keys of
> foreigners? The answers are both clear and murky, if you catch my drift.)

The "criteria" (see my http://www.isse.gmu.edu/~pfarrell/nistmeeting.html
page) clearly say that approved systems can _not_ interoperate
with unapproved systems. This means that exportable systems can not
interoperate with, say, PGP.

There was talk about having multinational treaties so the French, Iranian,
and other "friends" could access the GAK'd messages, but that was
recognized as being many years out. Diplomacy is slow.

It was quite clear from multinational vendors that they thought
that non-US corporations would _absolutely not_ accept
GAK in the US.

The main effect of this stupid export stuff is to drive
crypto development offshore.

> If the U.S. insists on GAK _within the U.S._, as many of us fear is the
> long-term danger, then all bets are off anyway. But I would hope that
> Netscape does nothing to make it _easier_ to make this the case!

It was quite clearly implied at the September meetings that the
Government expected that vendors would do only one version, GAK'd.
This would allow the LEAs to trample all over US civil liberties
at will.


> A viable thing for Netscape to do is to announce forthrightly that it will
> separate the issue of export from what it sells in the U.S., that there
> will be NO GAK included in any U.S.-sold packages. The quest for an "all
> world" version, freely exportable, should not take precedence over the
> civil liberties issues. And I predict that any slight losses in market
> share or slight increases in product cost will be _less_ than the effects
> Netscape will see if their product comes to be associated with "Big
> Brother Inside."

I've been developing software too long to accept that the increases
in product support costs will be "slight". But I agree that
Netscape should _continue_ to have three separate versions, one for
domestic use, a second one for export from the US, and the third with
Fortezza for sale to Govie agencies that want it.  They probably need to
add a fourth version, a strong foreign version developed offshore.

Tim's suggestion of a formal statement that separates domestic product
from export, and clearly leaves GAK out of US products, is a very good one.
It is close to what Netscape is doing now, it is completely consistent
with current and publicly announced policies, and it would
let this list return to discussions that are relevant to
cryptography.

Pat

Pat Farrell    Grad Student      http://www.isse.gmu.edu/students/pfarrell
Info. Systems & Software Engineering, George Mason University, Fairfax, VA
PGP key available on homepage               #include <standard.disclaimer>