Re: Netscape and NSA



Let's not get carried away here.

Netscape's done a lot for privacy, and every indication we have is that
they'll continue to do so.  They've introduced strong crypto to the
consumer software market for the first time.  Giving users control over CAs 
says a lot about where Netscape is coming from -- it's an obscure thing 
for which there was no public demand, and which might hurt Netscape's 
position by opening up the market to competitors.  But it destroys the 
choke point which would have made it possible to impose GAK.

Our interests and Netscape's interests coincide.  Netscape needs to export
strong crypto to be competitive in the global marketplace.  As a 
consequence, Netscape has been making public statements pushing for 
unrestricted exports of strong crypto.  I have no doubt that they're 
pushing hard for the same thing in private discussions with government 
officials.

Where do people think things like the recent statements from Ron Brown
come from?  Big companies -- like Netscape -- have ongoing dialogues with
the Commerce Department, and apparently they've been pushing for exports. 
In and of itself that statement wasn't much -- nothing has changed.  But
it's a sign that the tide is turning.  Parts of the government are
starting to admit that we're right, and that giving people free access to 
strong crypto is in everyone's best interest.  That's important.

But at the same time, it's important for companies like Netscape and 
Lotus to know that we'll do everything we can to make it painful to back 
down on these issues.  What Lotus is doing is wrong, and we have to do 
whatever we can to make their decision painful to them.  It's absolutely 
essential that we do whatever we can to make the right decision less 
painful than the wrong one.

We don't have a lot of options in terms of strategy.  An immediate,
strong, and strident negative reaction may not be the best weapon 
imaginable, but it's one of the only ones we've got.  To those of you who 
work for these companies, and who are pushing for what's right -- don't 
take it personally.  We have to do it.

The Lotus approach is totally unacceptable.  A 64-bit key is only a 40-bit
key when your opponent already has 24 bits, and a 40-bit key just isn't
good enough.  But Lotus' plan is much worse than another plan which only
provides 40 bits of security.

Anything that involves government storehouses of keys is extremely
dangerous.  Lotus is doing everyone a big disservice when they pretend
that this is a step forward.  It's GAK, and it's not just a proposal
anymore -- it's real this time.  This is the first wave of guys hitting
the beach.

Netscape is never going to convince everyone that they're on the right
side.  Some people will never trust a large company, no matter who works
there or what the company does.  But by widening the scope of its public 
efforts on behalf of privacy, Netscape could generate a lot of good will 
and do a lot of good for its own interests (and its bottom line) as well.

It would be good for everyone if Netscape took a more aggressive political
stand for free access to strong crypto.  How?  Expand the crypto coverage
on Netscape's web server.  Hire a full-time person to write about crypto
technology and issues.  Put a link to the site on the Netscape home page. 
Netscape's home page links are the most visible on the net -- use them. 
Get together with companies like Sun and Microsoft to form a lobbying and
publicity organization similar to the Tobacco Institute.  (I know that's a
bad example -- many people think the Tobacco Institute is an evil
organization.  But it's a good tactic.)

I'm personally a little frustrated by the timidity of industry's 
response.  I don't understand it.  Netscape's interests are clear, their 
voice is loud, and their resources are vast.  Where's John D. Rockefeller 
when you need him?