
Re: "First do no harm"




At 12:17 PM -0700 10/19/97, Fabrice Planchon wrote:
>On Sun, Oct 19, 1997 at 10:54:18AM -0700, Tim May wrote:
>> I'm not sure the people who wrote the U.S. laws had a clue, either. (Check
>> out Dan Bernstein's report in sci.crypt on the latest appeal arguments of
>> the government side in his case...the Feds are arguing that the First
>> Amendment (to the U.S. Constitution) does not protect speech that may be
>> read and acted upon by computers!).
>
>Ohoh. How interesting. But they have to define what they mean by acted
>upon computers, and we are back to a technical issue they don't
>understand. But does the judge understand this issue better ? If I


By the way, the main discussion for this Bernstein point is on
misc.legal.computing, where followups have been redirected. He asked for
examples, modern and old, of where the government's position could be used
for prior restraint and censorship.

I suggested JPEGs and GIFs, which are clearly machine-readable instructions
telling a computer how to write a pattern of pixels in a display window.
Are we to presume that such JPEGs and GIFs (and WAVs and MOVs and...) have
lost their First Amendment protection? If upheld, the CDA would not even be
needed.

Oh, folks, don't submit your own examples _here_. Do it in the appropriate
thread in misc.legal.computing, so Bernstein can get a lot of examples
collected.


>> corporate and institutional purchases. It's not too surprising that the
>> security staff at Random Corporation and at the University of Middle
>> America want access to all communications...if it were up to them alone
>> they'd have video cameras scattered everywhere.
>
>eheh, I had an argument with my local (PU) system administrator, and at
>some point he said "and what are all mails coming from cypherpunks
>anyway ?" (I hope he reads this one...). So, they are already snooping,
>by fear, or because in a moment of boredom, they look at the mail log
>(the same way phone operators in the old days were listening to calls, I
>guess. Part of human nature)

Yes, they snoop. Out of boredom, out of instructions from Administration,
whatever.  Encryption will help, but not if the same snoopers can continue
to snoop.


>> And as for the University of Middle America, wait until professors and
>> students discover that UMA bought PGP 5.5 Snoopware for Sysadmins and that
>> communications with other professors, other employers, etc. will be subject
>> to snooping by some low-level security employees.
>
>Somehow, I can play the devil's advocate and argue that it would be better
>than the current situation where:
>1) people don't use encryption at all
>2) networks are weakly secured and snooping is easy
>3) people use e-mail without thinking it can be snooped, archived, and
>reused later, unlike, say, a phone call.

I disagree. Snoopware will tend to centralize the files to a point where
snooping is easier. Those using PGP 5.0 and earlier will likely be told to
switch to the snoopware version.

While many may not encrypt now, this is changing. Snoopware rolls back the
clock.

To be clear: we should be advocating the wider use of strong encryption,
not arguing that snoopware is better than nothing. Nothing is not really
the proper alternative to weigh snoopware against.


>If you tell a professor that any student can easily read his e-mail but
>that with this nice pgp5.5 software it will be no longer the case, he
>might embrace it readily, even if on the long run and on second thoughts
>it might not be a good idea.

Why does this professor not have the option of PGP 5.0? That's the real
alternative to consider.

(Some of us have fears that development of the "free" version of PGP will
not be supported or developed. While PGP may _hope_ that many buy the PGP
5.0 they plan to sell to individuals, the fact is that most individuals
won't pay money for what they can get for free. This is presumably a
motivation for the development of PGP for Business, with Netscape-like
incentives for corporate buys.)



>> I advocate KISS, "Keep it Simple, Stupid," for the OpenPGP effort. Let PGP,
>> Inc. go off on quixotic crusade to provide snoopware for corporations and
>> universities, and let the market decide.
>
>Yes and no, as I said before it's not clear what the market will decide,
>if people who make key buying decisions don't do the right thing. Once
>every single university is equipped with pgp5.5, it's not that easy to
>go back. And because of their reputation capital, people are more likely
>to buy the product blindly. Sounds scary ? I don't believe in
>conspiration theory, usually stupidity, ignorance and such are enough to
>make bad things happen. And we see it now.

We all agree that widespread adoption of PGP 5.5 could be scary. Hence our
concerns.

(Even more scary are the many ways various governments could gain easy
access to the CMR keys. Whereas enforcement of key escrow is difficult with
millions of diverse, anarchic users and approaches, CMR essentially
centralizes the target nicely.)

--Tim May


The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."