
Netscape, Corporations, and GAK Support

The firestorm of criticisms of Netscape and Jim Clark over his apparent
support for mandated key escrow (GAK, "Government Access to Keys," Carl
Ellison) raises some issues:

1. To what extent are the government and its supporters of GAK applying
pressure to corporations and/or giving them private briefings on security

(Recall the infamous "If you knew what I knew, you'd support Clipper" sorts
of comments from people who'd apparently been given glimpses of the Four Horsemen
riding in.)

2. What is the appropriate response for folks like us when it becomes
apparent that a corporation with a tremendous influence on future
directions in security and privacy (examples being both Microsoft and
Netscape) has apparently been jaw-boned in private on security issues?

(I tend to use "apparently" and "ostensibly" a lot, as you've probably
noticed. It's my way of signalling some uncertainty. The history of GAK has
indicated to me that discussions are happening in private with CEOs and
suchlike, else why or how could some of the public comments come out the
way they do? But I don't know this for a fact--a side effect of private
channels, ironically--so I can only call 'em as I "apparently" see 'em.)

Supporters of corporations, motivated by a range of reasons, often ask
critics to "hold off" on criticisms until firmer statements of policy are
made, or until actual products are introduced.

Alas, this is a bad strategy for us to follow. The very nature of the
behind-the-scenes maneuvering, and the long lead times for products, means
that we must be alert for "early warning signals" of impending GAK and
other totalitarian measures.

I personally believe that the government supporters of mandated key escrow
and other restrictions on the use of encryption have looked at the
explosive growth of the Web in general and of Netscape in particular and
are *frantically* looking for ways to get a handle on the issues that
motivate them. As others have speculated, putting GAK into every Netscape
_server_ would have certain advantages, and I would be very surprised
indeed if NSA/NIST/Denning have not been thinking about this issue.

(Ray Cromwell says it can be skirted...I don't doubt this, just as
superencryption can skirt GAK in machine-to-machine e-mail. But this
doesn't mean that we should just ignore signs that GAK may be built into
Netscape, or other products.)

It's possible that Jim Clark--whose quotations I have not yet seen denied
by Netscape--is merely naive on matters of mandated key escrow. It's
possible that he hasn't given it much thought. It's also possible that he
sincerely is supportive of plans for Big Brother to have an "escrowed" copy
of our conversations, diaries, travel plans, etc.

I don't know, and I hope we soon hear more from Jim Clark on this issue.
But I will always think it appropriate to listen carefully for evidence
that a company plans to help build the Surveillance State, and to act in
response to such evidence.

The stakes are just too high to "wait for an actual product" before
speaking out.

--Tim May

Views here are not the views of my Internet Service Provider or Government.
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."