[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Netscape gives in to key escrow
On Fri, 1 Dec 1995, Jonathan Zamick wrote:
>
> >And thus we return to my original point, which is that it will depend on
> >what is said/disclosed. If every copy of GAKscape had a banner, bigger
> >than the Netscape "N" which said, "The government can read every message
> >you send using this software no matter what you do" then I think
> >consumers will be hard pressed to say they weren't warned.
>
> I don't mean to be inflamatory, but it isn't much of a point. They aren't
> going to put such a banner up because that would limit their business. The
Once again, I must disagree. Several bulletin boards I frequent include
an opening banner announcing that, essentially, all messages left there
are "public" and can be read by anyone. I can get the exact language if
you like. The message specifically refers to the wiretapping statute, 18
U.S.C. Section 2510 et seq. This keeps the sysop, arguably, from
suffering civil liability if mail is intercepted. Nobody reads the
banner, but I believe that it has more effect than a fig leaf.
> goal of Netscape (though I don't single them out), any corporation that would
> profit from business of those who seek encryption while still allowing GAK,
> and the government, is to limit the public's awareness of the size of the
> hole. If they let people know the extent of the hole, then they'll use
> products w/out it which blows profits from companies involved, and doesn't
> benefit the government who want it in common use.
>
> >I disagree. Almost nobody read the fine print on the back of a note you
> >sign when you buy a car or otherwise take out a loan, but the provisions
> >are generally enforceable ... Ignorance is not necessarily an excuse.
>
> The question is whether there was false representation of the security of
> the product.
> 1. The general knowledge of encryption and secure electronic financial
> transactions is significantly lower than that of more standard
> transactions.
>
But how many of those who are less knowledgable about such things expect
the level of privacy you automatically infer? Is that expectation
reasonable? Does the party have any duty to inquire???
> 2. Applying for a loan or buying a car involve actively going out, negotiating,
> signing contracts, etc. It will be much simpler to simply stick your vital
> info into a 'secure' browser.
>
Getting a browser involves going to the store and installing the software
or surfing to a site and downloading the software. Then it must be
installed.
> 3. The choice of browser to use will be done, based on representations by
> companies about the security of their product. If Netscape doesn't
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I doubt it in the case of the less sophisticated (and the more
sophisticated are on their own). I suspect that Mr. Newbie is more
likely to pick a browser on the basis of what his friend tells him, or
what PC Computing tells him, or the fact that he read about Netscape in
the business section of the paper.
> explicitly
> state in direct terms when accessing the browser that the GAK is a
> potential security risk, then they will be sued. Simply because someone
> will get blamed.
Getting sued and being liable are very different, just as getting charged
with a crime and having done something morally wrong can be very
different. I am much less confident than you apparently are that the
court system (and products liability law) are likely to impose duties on
the makers of browsers such as you suggest. In an advancing
technological area, I don't believe that liability will be imposed so
quickly, especially if some disclosure is made. What disclosure is
required is likely to be fact specific on a case by case basis until the
law has time to develop some sort of standards.
Can I expect to recover from Ford for my injuries in a car wreck because
I would not have been hurt in a Volvo, when Ford meets all federal
standards? Generally not.
> Since they (or again any company that incorporates GAK.. I really don't
> want to target Netscape in specific) will make the threat sound as
> insignificant as possible, and not bring it to people's attention (and they
> can't afford to do so) when (not if) it is breached they will be taken to
> court repeatedly.
Don't forget, taking them to court takes $$$. And they only have $5
Billion to pay for lawyers ...
> > >
> >EBD
>
> Jonathan
>
> ------------------------------------------------------------------------
> ..Jonathan Zamick Consensus Development Corporation..