
The NSA Visits Compendium

* Does the NSA really visit companies planning to include crypto modules
and ask them to weaken or remove the crypto modules?

* How do such visits occur?

* What happens if a person or company simply refuses to meet with the Men
in Black and says "This is a free country--get lost!"?

* What pressures are brought to bear on companies to induce them to weaken
crypto, even for domestic-only use, or to remove hooks?

* Is there concrete evidence of these things?

We've all heard that the NSA sends representatives to software companies
planning to include crypto or crypto "hooks" in software. There have been
anecdotal reports of visits to many software companies.

The question is: how _real_ are these reports and what are the mechanics of
the visits? Are they urban legends, or real?

I asked these questions at the last Bay Area Cypherpunks meeting, and got
some interesting responses. In particular, I was interested in the
comparison to the other report about academic papers being submitted to a
review board, since the late 1970s. Whit Diffie of Sun and Matt Blaze of
AT&T (or, as Matt put it, maybe BT&T or CT&T, depending) shared their
experiences. They confirmed that such a panel _does_ exist, but that it is
fairly ineffectual. Apparently many people publish without approval.

(Anyway, I'm citing this as a parallel to what I'm looking for: direct
confirmation of NSA pressure and visits.)

I have volunteered to compile a compendium of reports, with or without
names attached (see details below), to pin down the extent of NSA coercion
or "subtle encouragement" of companies.

I believe this is a valid "Cypherpunks-type project," as it is aimed at
using the Net to compile a listing of experiences software developers have

To kick things off, I'll start the list below:


Example: Large relational data base company.

NSA Actions: Visits on a regular basis by two NSA representatives ("always
two"). Pressured them to drop plans for a strong domestic crypto module.

Source: Personally told to me by programmer at the company, 1995-10-14. He
wishes the company not to be named.

Description: The NSA was concerned about plans the company had for a
domestic-only 128-bit RC4 usage, and "sat on" the company's CJ request for
an exportable version of their product using 40-bit DES. After hearing
nothing for a long while, and pestering the NSA (or maybe the State
Department), the company finally backed down on the plans for the 128-bit
RC4 use, told the NSA this, and then the government rapidly approved the
40-bit version for export. Coincidence?


So, send me your examples. Supply as much detail as you can, including
company names if possible. I'll accept "unnamed sources" if they are
_primary_ sources, but no "friend of a friend told me that...," unless the
details look very convincing.

Use remailers if you wish. Use my public key if you wish, too, though
remailers accomplish the same thing, at least for getting the details to me.

My public key is:

pub  1024/54E7483F 1992/11/20 Timothy C. May <[email protected]> 11-20-92
          Key fingerprint =  8C 79 1C 1B 6F 32 A1 D1  65 FB 5F 57 50 6D D3 28

(I don't have MacPGP integrated into Eudora Pro---perhaps the NSA paid
Qualcomm a visit?--so I'm not a huge fan of getting PGP-encrypted messages
unless there's a real need.)

I'll be releasing reports on this on a regular basis. The next one when
I've accumulated several examples.

--Tim May

Views here are not the views of my Internet Service Provider or Government.
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."