
Re: More dangers of corporate snoopware

At 10:56 AM 10/11/97 -0700, Tim May wrote:
>
>
>Suppose I want to send a private message to Andy Grove at Intel.  With
>current systems, I would encrypt to his public key and send it to him. Only
>he, or those with access to his private key, could read the message.
>
>But suppose CAK becomes common, and suppose Intel has adopted PGP 5.5.
>
>I presume I have to also encrypt to Intel's corporate key...or one of them.
>(I assume different users in different departments may have different CAK
>keys.)
>
>So, who can read my message besides Andy? The Security Operations
>department? The Key Compliance Officer? Or, perhaps, only those _higher_
>than Andy Grove, e.g., no one.
>
>And suppose I send a communication to a lower-level person? How many
>higher-level persons will be able to read the message?
>
>Will companies really accept that lower-level security people will have
>access to the communications about business deals, technology deals, etc.?
>The prospects for abuse are obvious.

I wonder how many of them know if their mail can be read now?  Any admin
could just use `less /var/spool/mail/andyg` to read the unencrypted mail
queue.

>Or will there be provisions for overriding the PGP 5.5 snoopware features?
>Will it become a status symbol to have reached the level of trust where
>one's private e-mail is not subject to snoopware encryption?

There will always be an out for management.  Managers will not like the
idea of someone being able to read their mail, thus, they will make rules
that they do not have to follow.  (People who think that such rules will be
equally enforced have never worked for a big company.) 

But the higher up the corporate ladder, the bigger the risk that they will have
more info to sell out to the competition.

This sort of policy is only to tighten management's grip on the proles, not
solve any real problem within the corporation.  (Kind of like drug testing,
but without all that messy urine.)

>I suppose it's up to companies to figure out all of these troublesome
>issues. I just hope the architecture of PGP 5.5 is pliable enough to allow
>the market to decide which options to turn on, which to turn off, and which
>to take out completely.

But those who will make the rules will not think through those issues.
Those decisions will be made for totally alien reasons.  Control will be a
big one.  "Because it is there" will be another.  The corporate GAKware
features of 5.5 will be a big thing with the management types who think it
is a good thing to measure workers' keystrokes and monitor their precious
bodily fluids.

---
|              "That'll make it hot for them!" - Guy Grand               |
|"The moral PGP Diffie taught Zimmermann unites all| Disclaimer:         |
| mankind free in one-key-steganography-privacy!"  | Ignore the man      |
|`finger -l [email protected]` for PGP 2.6.2 key  | behind the keyboard.|
|         http://www.ctrl-alt-del.com/~alan/       |[email protected]|