[4029] in cryptography@c2.net mail archive
Re: RE: France Allows 128 Bit Crypto
daemon@ATHENA.MIT.EDU (Kawika Daguio)
Thu Jan 21 16:47:23 1999
Date: Thu, 21 Jan 1999 12:09:13 -0500
From: "Kawika Daguio" <KDAGUIO@aba.com>
To: <cryptography@c2.net>, <clive@davros.org>, <unicorn@schloss.li>
..Kawika Daguio said...
>>> "Black Unicorn" <unicorn@schloss.li> 01/20/99 11:22PM >>>
> -----Original Message-----
> From: Kawika Daguio [mailto:kdaguio@aba.com]=20
> Sent: Wednesday, January 20, 1999 8:00 PM
> To: cryptography@c2.net; clive@davros.org; unicorn@schloss.li=20
> Subject: RE: France Allows 128 Bit Crypto
>
>
> I believe that it is appropriate for governments to require the
> delivery of electronic documents (unencrypted)when appropriate
> due process mechanisms are in place that mirror protections given
> to physical documents.
Oh, come on. You've been in the United States too long or something.
No one is denying the need of government to compel testimony or production
of documents. This threatens to be much worse than that.
Think very hard about the circumstance you are setting up. If you go down
the road of compelling the disclosure of plaintext rather than a crypto =
key
and you provide a mechanism to penalize via criminal contempt (jail) you =
are
compelling more than just testimony. You are compelling a certain set of
actions. You are putting someone in the position of having a positive =
duty
to produce plaintext. This may be irrespective of the ability or =
inability
of the person to decrypt ciphertext in his or her possession. Or it may
impose an effective presumption that the holder of encrypted data can
decrypt it. The only effective way to even come close to verifying
someone's inability to decrypt a file is, in this case, for a court to =
toss
them in the clink for awhile. What circumstance might this put a system
administrator who has encrypted data to which he does not have the key in?
What provisions are you now going to have to take to insure you have the
keys for all of the ciphertext on your various systems?
...We have found more often than anyone feels comfortable that the =
information desired by law enforcement (and requested in a due process =
generated piece of paper) did not exist anymore (lost or destroyed) or is =
difficult to retrieve (read slow). While no one is happy when this =
happens, no one goes to jail either. The people who operate widely =
deployed infrastructures employing cryptography for secrecy will not allow =
law or regulation to punish them when there is no intent to obstruct =
justice.
This is precisely the problem that many of the telecos in the United =
States
were concerned about when it came to Digital Telephony back when.
...I unfortunately was the only non-government, non-telco negotiator in =
the Digital Telephony drafting process other then the EFF (now CDT) =
representatives and the only representative of a commercial user community =
in the room to represent deployers of private networks. I regularly =
oppose and help stop initiatives that would provide the government with =
direct access or inappropriate access to our systems and information. We =
frequently produce results that both work for us and benefit the wider =
user community.
Having greater direct participation (physical bodies, not petitions) in =
these types of issues is essential to good outcomes. I encourage you to =
continue to do so and to get others to do the same or it will only get =
worse for all of us.
...I am not a fan of unrestricted government access as a policy nor naive =
about the real world. Some of my family members (blood, but not immediate)=
spent time in Manzanar because they identified themselves as Americans of =
Japanese Ancestry to census takers. Others were given tatoos in German =
concentration camps based on information about their race. There are =
other relatively recent examples that are almost as bad on three or four =
continents. I personally once told an IRS CID employee to go away when =
they wanted information without complying with the requirements of the =
RFPA. I know that some bad apples are out there and that the policy and =
practices are not perfect. However, unwarranted and inappropriate =
requests for financial information by government officials to depository =
institutions are regularly turned away when they are presented. LEOs =
often push us but we push back directly and indirectly. Protecting our =
freedoms requires wide participation and long term investment in relationsh=
ips with policymakers. Thats why lobbyists and activists have to be =
involved in the policy making processes pursuing strategic goals.
All this is getting ahead of the game. It's not at all clear that France
has taken this position, although it does appear so from the (limited)
documentation I have seen.
...I would hope that the French pursue this approach rather than continuing=
to restrict unescrowed encryption. I spent a little time in France on =
the issue almost 4 years ago making our case and worked with many others =
with closer ties to them to continue to argue the points I made, but was =
absolutely convinced of their closemindedness when they told us to stop =
wasting our time and money trying to change their policies.
> Our industry takes great care to prevent unwarranted and
> inappropriate fishing expeditions into our records. We have
> duties to our customers. Our customers have expectations of us.
> And information retrieval is not a trivial matter. In addition,
> the Right to Financial Privacy Act provides a relatively
> reasonable hurdle, visibility, and accountability when the
> information holder is a depository institution in the US.
You either _must_ be kidding or you have little idea about the real and
practical aspects of the Right to Financial Privacy Act and the Bank =
Secrecy
Act. I find this absolutely astounding given your position and the =
(former)
level of respect I had for your contributions to this and other lists.
... I am sorry I wasn't clear or disappointed you.
My point was that the rules are relatively clear when depository institutio=
ns in the US are involved and not clear at all when the RFPA does not =
apply. I believe that the RFPA guided rules we operate under are better =
than the arbitrary and ad hoc "rules" everyone else will face. Even more =
importantly, law enforcement officials understand that we expect that they =
will have a piece of paper with them when they come looking for information=
and that they should have reasonable expectations relating to the =
retrieval and delivery of the information requested. Law enforcement =
agents in the field are pretty practical about the whole matter as they =
and our folks have a lot of experience dealing with each other. I am =
afraid that that may not be the case when the rules are less clear. I =
suggest that several someones work out their version of "reasonable and =
acceptable rules" and offer them to the community and various governments =
as a basis for negotiation.
...I still respect you, but disagree with you about our prospects of =
making this work for everyone everywhere.
...Kawika....
The above are my personal views
