Corporate Access to Keys (CAK) Considered Harmful

At 11:48 PM -0700 10/9/97, John W. Noerenberg wrote:
>Moreover, it is not unheard of during legal discovery for email to be made
>subject to search (Our lawyers are constantly tut-tuting about all the
>email that is saved). So to say it is not used for long-term storage is
>simply incorrect.

Not surprising that your lawyers are worried about extensive mail archives.
Imagine the juicy things that must lie in gigabytes of archived e-mail
messages! (Or the messages which can be twisted by skilled lawyers into
seeming to be anticompetitive, price-fixing, conspiratorial, etc.)

I don't think we've yet seen a good example of massive amounts of e-mail
being examined in a "discovery" process, but we saw the effects on IBM
during its antitrust issues in the 70s. Basically, every scrap of paper,
every desk calendar, every internal memo, everything, had to be turned over
to opposing counsel.

We will almost certainly see some examples of where lawyers demand access
to all company e-mail.

(When I was at Intel there were periodic purges of old memos, old reports,
old scraps of paper. Ostensibly this was to cut clutter, but the real
reason was, probably, that Intel feared old memos and reports would be
demanded by AMD or whichever competitors were suing Intel, or by a
government bent on breaking up the world's most powerful chip monopoly (as
the Feds saw it). As a sidenote, I kept nearly all of my old reports and
papers, and this came in handy several times...others had purged their
corporate memories, but I had the needed information to solve a problem.)

I can imagine that companies are getting very worried about the possible
"discovery" of their increasingly computerized communications systems, with
lawyers pawing through gigabytes with keyword searches for anything to help
their case.

(And there are similar examples in the political sphere. E-mail in the
President's "PROFS" system during the Iran-Contra controversy was acquired;
the Ollie North crowd thought they had deleted the messages implicating
them, but the PROFS backups revealed all.)

Is there a solution? Well, "key recovery" is probably one of the _worst_
solutions! (This is in my opinion. If I had a company I'd fear a CAK system
would be used against my company. Expect CAK keys to be the first things
demanded in the discovery process.)

Certainly lawyers can subpoena the holders of various keys, and I'm
certainly not saying that having X hundred separate, non-CAKked keys means
the discovery process hits an insurmountable obstacle. But it is certainly
true that having a large repository of all e-mail, conveniently accessible
with a small number of easily subpoenaed CAK keys, is an overwhelmingly
tempting target.

If CAK is implemented, and these corporate discovery trends continue,
expect to see less communication through the official corporate channels,
and more through personal accounts. (E.g. people will use the Net to access
other accounts, even Web mail throwaway accounts, to communicate even with
persons in their own company!)

It may be that PGP, Inc. and the other companies claiming "communications
plaintext recovery" is so important are talking to the wrong groups of
lawyers at various companies.

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^2,976,221 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."