[1699] in cryptography@c2.net mail archive
Re: FC: New version of PGP is "everything the FBI ever dreamed of"
daemon@ATHENA.MIT.EDU (Amanda Walker)
Mon Oct 6 18:40:41 1997
Date: Mon, 6 Oct 1997 13:59:23 -0400 (EDT)
From: Amanda Walker <amanda@intercon.com>
To: cryptography@c2.net
> There is no corporate demand for a key-recovery mechanism which
> allows Management immediate real-time access to all encrypted electronic
> communications. This new PGP facility is analogous to key-escrow or
> key-recovery for session keys; in essence, it's a backdoor to the session.
Yes, there is. It's most visible in financial institutions, but there is
demand elsewhere for real-time management access, and strong demand for
archival management access across the board. That is to say, even where
there's no real need for real-time decryption, there may be a need for
post facto decryption on demand. I personally feel that offering message
recovery without key recovery is a quite reasonable way to address this,
and only strengthens the argument that *key* recovery is only useful for
surveillance. PGP, Inc., is not supporting key recovery, they are supporting
message recovery.
> Management, at least in the US, doesn't need this sort of
> evidentiary data. Management has an employee who can be required to keep a
> copy of all business e-mail for Management review; or required to cc his or
> her boss on all e-mail to a customer -- or even forbidden to use e-mail for
> anything other than business mail cced to the boss. And, of course, the
> employee can be fired if he/she doesn't comply.
If, of course, there is evidence. Communication from a place of business
*is* treated differently than private communication, both by the law and by
private policy. Use of something like PGP 5.5 offers protections to an
employee as well, since it allows an employee to *refute* a claim that he/she
hid a communication from management, at least using company facilities.
Granted, you can never prove that someone didn't leak something, but PGP 5.5
at least lets you prove you didn't leak it via the company email system.
> But the truth is: Managment doesn't need the aggravation and --
> while the standard of managment oversight is more lenient, at least for
> professional staff -- no company can keep talented employees if it treats
> them this way.
I am tempted to ask whether or not you have ever worked for a government
agency or a financial institution.
> GAK-enabled PGP, plain and simple!
Nope. PGP 5.5 does not provide key recovery, plain and simple.
Read the docs. Access to messages is a privacy issue in its own right,
but it's a different issue than access to keys.
It has always been true that if you wish to communicate in a way that does
not permit access by others at your workplace, don't do it at the workplace.
This is hardly a new or reactionary idea.
Amanda Walker
