
Re: How might new GAK be enforced?



> On Tue, 1 Oct 1996, Timothy C. May wrote:
> > Any other ideas on how the government plans to enforce GAK, to make GAK the
> > overwhelmingly-preferred solution?
> 
> I am not certain that the USG has to make interoperable software illegal. 
> It simply can withhold export licenses for products that allow such 
> interoperability. That might go a long way to incentivizing industry to 
> cooperate. But I would not at all be surprised if they took stronger 
> measures.
> 

If the evil Clinton administration has not made GAK illegal, it is
simply because it does not think it has the votes in Congress right
now to get such legislation passed. It is probably hoping that
some outrage (perhaps engineered) will change this.

Thus, we have a race between those who want to get strong
unescrowed crypto so entrenched that it can not be changed and
the Clinton administration which is waiting for a change in legislative
climate.

The Clinton administration hopes to use ITAR's market pressure
to slow things down long enough for victory.

But how is ITAR to be enforced, in the absence of a new law?
As has been pointed out on this list, the inevitability of software
privacy and sub-licensing provides a loophole that would allow
US companies to evade the ITAR as a _LEGAL_ inhibition.
The big companies have smart lawyers, so why is not this loophole
being used to evade the ITAR?

The obvious answer is that extra-legal pressure can be brought to
bear on a big company. Things like threats of IRS audits and other
harassment probably act as the big brakes. Probably such pressure
in combination with foreign governments has prevented big
foreign companies to withhold strong crypto as well.

So, if big companies are subject to governmental pressure, why
would we want their crypto? Most big companies do not release
their source-code with their crypto products. The big companies
could have been pressured, ITAR or no, to put crypto holes in their
products. Big companies simply are not trustable for purposes of
crypto. Bear in mind that a sabotaged crypto product can be made
to inter-operate with a strong crypto product, by simply having
the sabotaged crypto product always choose its keys from a covertly
restricted keyspace! Thus a product made to an open strong-crypto
standard does not address the trust problem.

Cypherpunks should not be asking big companies to write crypto
products, but rather should be asking for crypto-with-a-hole.
This would allow us to check the software for cracks and PGP
or something like it could become the world crypto standard.

Perhaps if the hole were made general enough, it could also
be used to evade the ITAR. A software product could support
generalized filtering with other uses besides crypto. After all,
they have not embargoed C compilers and compilers can be 
used to implement crypto. (I do not know, I am not a lawyer.)

Anyhow, the conclusion is that cypherpunks should not be asking
big companies to implement crypto, but rather look for easy ways
users can implement crypto "on top of" commercial software products.
Therefore we should boycott and disparage any commercial products
that voluntarily implement GAK.

-- 
Paul Elliott                                  Telephone: 1-713-781-4543
[email protected]              Address:   3987 South Gessner #224
                                              Houston Texas 77063
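
Added example, not part of the original message: the message notes that a product drawing keys from a covertly restricted keyspace still interoperates with a strong one, so interoperability testing cannot expose it. This sketch shows an auditor's check instead, estimating the effective keyspace from key collisions in a sample; `restricted_keygen` and its 16-bit seed are constructed stand-ins chosen so the demo runs quickly.

```python
import hashlib
import math
import secrets
from collections import Counter

KEY_BYTES = 16  # both generators emit 128-bit keys, so they interoperate


def honest_keygen():
    """Key drawn from the full 128-bit space."""
    return secrets.token_bytes(KEY_BYTES)


def restricted_keygen(seed_bits=16):
    """Constructed stand-in for a sabotaged product: the key looks random
    but is derived from a seed with only `seed_bits` bits of entropy."""
    seed = secrets.randbelow(1 << seed_bits)
    return hashlib.sha256(seed.to_bytes(8, "big")).digest()[:KEY_BYTES]


def colliding_pairs(keys):
    """Number of unordered pairs of identical keys in the sample."""
    return sum(n * (n - 1) // 2 for n in Counter(keys).values())


def estimated_keyspace_bits(keys):
    """Birthday estimate: E[pairs] ~= N(N-1)/(2*S), so S ~= N(N-1)/(2*pairs).
    Returns None when no collision was seen (keyspace too large to bound)."""
    pairs = colliding_pairs(keys)
    if pairs == 0:
        return None
    n = len(keys)
    return math.log2(n * (n - 1) / (2 * pairs))


def audit(keygen, samples=4096):
    """Sample keys from a generator and estimate its effective keyspace."""
    return estimated_keyspace_bits([keygen() for _ in range(samples)])


if __name__ == "__main__":
    print("honest generator, estimated bits:", audit(honest_keygen))
    print("restricted generator, estimated bits:", audit(restricted_keygen))
```

The check needs roughly the square root of the restricted keyspace in samples before collisions appear, so a `None` result only bounds the keyspace from below for the sample size used.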