
Re: AW: Binding cryptography - a fraud!



At 09:05 AM 10/10/96 +-100, Eric Verheul wrote:

>>I am at the same time dismayed and disgusted at the tendency of some people
>>to want to "detect fraud" on the part of ordinary citizens, as this paper
>>appears to want to do, but says _nothing_ about preventing fraud
>>_by_government.  How is the average citizen to know if keys are being given
>>out to government agents for valid reasons?
>
>First of all, that (and the legitimacy of "wiretaps" in general) is
>something that should be regulated in national law (including procedures,
>checks and balances, penalties).

Procedures which aren't followed.  Checks and balances which don't.  
Penalties which aren't enforced, etc.  That sort of thing?  Why not spend 
your time working on a system to enforce the law...AGAINST THE GOVERNMENT!

>Maybe you have the opinion that that is impossible to achieve, [or at least
>that making wiretapping as such by government impossible is the only
>satisfactory way of doing it (-; ].

Currently that's the best way, and it may turn out to be the only way.

>Our concept assumes that it is possible and acceptable, although legislation
>(and especially appliance of it) in some countries might be improved..

But it won't be, and you know that.  And if anything, the system you've 
described seems to be intended to allow governments to become even more 
restrictive.  Currently, one of the problems facing government is that even 
if they want to illegalize non-escrowed encryption, they can't easily do it 
because escrowed encryption would be faked, or super-encrypted or...    Give 
them a tool to figure out who's using "espionage-enabled" encryption, and 
you've practically invited them to illegalize all other forms.

Is that really a step forward?  Or a few giant steps backwards?  I think 
it's the latter.  Why strengthen their hand?  Why help them tyrannize us?

>
>Second, the concept is flexible in the choice of Trusted Retrieval Parties;
>we have the opinion that if you don't trust the existing TRPs then, hey,
>set up your own TRP. We believe that should be possible (and foresee several
>"privacy-protecting" organisations doing so). However, as you don't
>want to have criminals setting up TRPs, some legislation on this point
>should be made...

What about a "TRP" operated by an organization which says, in effect, that 
they don't believe that wiretapping is constitutional, so until it's proven 
to their satisfaction they're going to refuse all requests for keys?  
They're not "criminals", right?  But if legislation forces them to do what 
they consider the wrong thing, just how "wrong" does it need to get before 
they can refuse?

In addition, I object to the concept of wiretapping without informing those 
tapped.  Part of these "escrowed-encryption"/GAK proposals is usually a 
statement that keys will be released to the government without informing 
those targeted.  If this system is truly "voluntary" why can't I insist on 
being informed?


>Finally, as said in the announcement:
>"In [VKT], we explain how we envision the framework in which the binding
>concept could present a security tool in the information society."

Thumbscrews could also be considered "a security tool."  Right?!?


>>I am further enraged by the last portion of the paragraph above where he
>>says, "fraud can be properly discouraged _and_punished_"  Why "punished"?
>>Why call it "fraud"?  Why should sending the "wrong" bits become a crime?
>>The US government, for example, has repeatedly claimed that key-escrow
>>systems should be "voluntary."  Presumably, except for authoritarian and
>>totalitarian countries, no other country should force their own citizens or
>>others to use any sort of key-escrow/GAK system.
>
>Wait a minute. It is a *voluntary* system, but it has some rules that
>apply. The whole idea here is: if you don't like it, use your own system.
>"Fraud" refers to using the system without sticking to its rules, maybe
>fraud has a wrong connotation.

Well, you'd better be careful about your terms.  But the term "voluntary" is 
really far more troublesome at this point than "fraud."   "Voluntary" 
implies no coercion, but when the US government enforces laws against 
encryption exports UNLESS a company agrees to develop GAK'd systems, how 
"voluntary" is that, really?   I'd say that the system isn't intended to be 
"voluntary" at all, but it's intended to look that way, sorta, in a somewhat 
darkened room if you squint real hard.

It's the "1984" version of "voluntary", right?


>>Maybe I'm biased:  I'm a libertarian who believes that sending the wrong
>>bits shouldn't be considered a crime.  The problem we have is with the
>Depends, it might be children's pornography. The information society is 
>*not* about bits, but about information.

Under the circumstances, I can't support ANY such prohibitions.  All of the 
"usual suspects" are being dragged out just to be able to support GAK.  The 
real goal is tyranny, not the elimination of "drug smuggling, terrorism, 
organized crime,  child pornography, etc."  


>>politicians, NOT primarily the criminals.  Giving the government the ability
>>to punish people merely for sending the wrong bits (absent some other, REAL
>>crime) is an enormous step backward.  And if they're guilty of a real crime,
>>why bother about the bits?
>In a democratic country one needs evidence to convict someone.

Wishful thinking, I see.    You also need a crime, right?  Well, make the 
use of non-GAK'ed encryption a crime, and there you have a crime!  Make it 
easy to detect use of non-GAK'd encryption (as you are doing) and you've 
sent us all down a short road to an authoritarian or even a totalitarian 
government.


>>Even if I believed in GAK, which I don't, I don't think governments or
>>anyone else should be able to determine whether the "correct" code is
>>included with the data until and unless the government has a valid warrant,
>Code is checked (on protocol compliance) by third parties all the time. They
>should not get any wiser from it, that is the point

No, the government's ability to verify GAK'd software without the decrypt 
key allows them to focus their harassment/enforcement on those who choose to 
be different and not fit in.  Ask your parents or grandparents about yellow 
stars and pink triangles, if you have any doubts that governments want their 
primary targets to be easily identifiable.  

I believe that the government should absolutely NOT have the ability to know 
who is using "GAK-ok" software.  If they get what they believe is the key 
and it doesn't work, they'll know soon enough.  They're no worse off than 
they were before, are they?

The only thing your invention is going to do is to help the government ban 
good encryption.






Jim Bell
[email protected]