10.21.1. Legality of trying to break crypto systems
+ "What's the legality of breaking cyphers?"
- Suppose I find some random-looking bits and find a way to
apparently decrease their entropy, perhaps turning them
into the HBO or Playboy channel? What crime have I
committed?
- "Theft of services" is what they'll get me for. Merely
listening to broadcasts can now be a crime (cellular,
police channels, satellite broadcasts). In my view, a
chilling development, for practical reasons (enforcement
means invasive monitoring) and for basic common sense
ethics reasons: how can listening to what lands on your
property be illegal?
- This also opens the door for laws banning listening to
certain "outlaw" or "unlicensed" broadcast stations.
Shades of the Iron Curtain. (I'm not talking about FCC
licensing, per se.)
+ "Could it ever be illegal to try to break an encryption
scheme, even if the actual underlying data is not
"stolen"?"
+ Criminalizing *tools* rather than actions
- The U.S. is moving in the direction of making mere
possession of certain tools and methods illegal, rather
than criminalizing actual actions. This has been the
case--or so I hear, though I can't cite actual laws--
with "burglar tools." (Some dispute this, pointing to
the sale of lockpicks, books on locksmithing, etc.
Still, see what happens if you try to publish a
detailed book on how to counterfeit currency.)
- Black's law term for this?
+ To some extent, it already is. Video encryption is this
way. So is cellular.
- attendees returning from a Bahamas conference on pirate
video methods (guess why it was in the Bahamas) had
their papers and demo materials seized by Customs
- Counterfeiting is, I think, in this situation, too.
Merely exploring certain aspects is verboten. (I don't
claim that all aspects are, of course.)
- Interception of broadcast signals may be illegal--
satellite or cellular phone traffic (and Digital
Telephony Act may further make such intercepts illegal
and punishable in draconian ways)
+ Outlawing of the breaking of encryption, a la the
broadcast/scanner laws
- (This came up in a thread with Steve Bellovin)
+ Aspects
+ PPL side...hard to convince a PPL agent to "enforce"
this
- but market sanctions against those who publicly use
the information are of course possible, just as with
those who overhear conversations and then gossip
widely (whereas the act of overhearing is hardly a
crime)
- statutory enforcement leads to complacency, to below-
par security
+ is an unwelcome expansion of power of state to enforce
laws against decryption of numbers
- and may lead to overall restrictions on crypto use
10.21.2. wais, gopher, WWW, and implications
- borders more transparent...not clear _where_ searches are
taking place, files being transferred, etc. (well, it is
deterministic, so some agent or program presumably knows,
but it's likely that humans don't)
10.21.3. "Why are so many prominent Cypherpunks interested in the
law?"
- Beats me. Nothing is more stultifyingly boring to me than
the cruft and "found items" nature of the law.
- However, for a certain breed of hacker, law hacking is the
ultimate challenge. And it's important for some Cypherpunks
goals.
10.21.4. "How will crypto be fought?"
- The usual suspects: porn, pedophilia, terrorists, tax
evaders, spies
+ Claims that "national security" is at stake
- As someone has said, "National security is the root
password to the Constitution"
+ claims of discrimination
- as but one example, crypto allows offshore bank accounts,
a la carte insurance, etc...these are all things that
will shake the social welfare systems of many nations
10.21.5. Stego may also be useful in providing board operators with
"plausible deniability"--they can claim ignorance of the LSB
contents (I'm not saying this will stand up in court very
well, but any port in a storm, especially port 25).
10.21.6. Can a message be proved to be encrypted, and with what key?
10.21.7. Legality of digital signatures and timestamps?
- Stu Haber confirms that this has not been tested, no
precedents set
10.21.8. A legal issue about proving encryption exists
- The XOR point. Any message can be turned into any other
message, with the proper XOR intermediate message.
Implications for stego as well as for legal proof
(difficulty of). As bits leave no fingerprints, the mere
presence of a particular XOR pad on a defendant's disk is
no proof that he put it there...the cops could have planted
the incriminating key, which turns "gi6E2lf7DX01jT$" into
"Dope is ready." (I see issues of "chain of evidence"
becoming even more critical, perhaps with use of
independent "timestamping authorities" to make hashes of
seized evidence--hashes in the cryptographic sense and not
hashes in the usual police sense.)
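
The XOR point and the evidence-hash point above, worked through as an added example (not part of the original text). The second claimed plaintext, the trailing newline that pads each claim to the quoted string's 15 bytes, the function names, and the sample "disk image" are constructed assumptions.

```python
import hashlib
import hmac

CIPHERTEXT = b"gi6E2lf7DX01jT$"  # the 15-byte string quoted in the text
# Constructed claims; "\n" pads each one to 15 bytes (an assumption).
CLAIMS = [b"Dope is ready.\n", b"Lunch at noon.\n"]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR pad and data must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def pad_for(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """The pad that turns ciphertext into whatever plaintext is claimed."""
    return xor_bytes(ciphertext, claimed_plaintext)

def pads_for_claims() -> dict:
    """One pad per claim: every claim 'decrypts' equally well."""
    return {claim: pad_for(CIPHERTEXT, claim) for claim in CLAIMS}

def seal(image: bytes) -> str:
    """Digest taken at seizure, to be lodged with an independent party."""
    return hashlib.sha256(image).hexdigest()

def unchanged_since_seal(image: bytes, sealed_digest: str) -> bool:
    """True only if the image is byte-for-byte what was sealed."""
    return hmac.compare_digest(seal(image), sealed_digest)

def evidence_demo() -> tuple:
    """Compare the sealed image with one that gained a pad afterwards."""
    seized = b"constructed disk image: " + CIPHERTEXT
    sealed = seal(seized)
    planted = seized + pad_for(CIPHERTEXT, CLAIMS[0])  # pad added later
    return (unchanged_since_seal(seized, sealed),
            unchanged_since_seal(planted, sealed))

if __name__ == "__main__":
    for claim, pad in pads_for_claims().items():
        print(claim, pad.hex(), xor_bytes(CIPHERTEXT, pad) == claim)
    print(evidence_demo())
```

The pad alone proves nothing about the message, since a pad exists for every claim of the right length; the sealed digest is what shows whether a pad was on the disk at the time of seizure.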
10.21.9. "What are the dangers of standardization and official
sanctioning?"
- The U.S. has had a disturbing tendency to standardize on
some technology and then punish deviations from the
standard. Examples: telephones, cable (franchises granted,
competitors excluded)
- Franchises, standards...
+ My concern: Digital money will be blessed...home banking,
Microsoft, other banks, etc. The Treasury folks will sign
on, etc.
- Competitors will have a hard time, as government throws
roadblocks in front of them, as the U.S. makes
international deals with other countries, etc.
10.21.10. Restrictions on voice encryption?
+ may arise for an ironic reason: people can use Net
connections to talk worldwide for $1 an hour or less,
rather than $1 a minute; this may cause telcos to clamor
for restrictions
- enforcing these restrictions then becomes problematic,
unless channel is monitored
- and if encrypted...
10.21.11. Fuzziness of laws
- It may seem surprising that a nation so enmeshed in
complicated legalese as the U.S., with more lawyers per
capita than any other large nation and with a legal code
that consists of hundreds of thousands of pages of
regulations and interpretations, is actually a nation with
a legal code that is hard to pin down.
- Any system with formal, rigid rules can be "gamed against"
by an adversary. The lawmakers know this, and so the laws
are kept fuzzy enough to thwart mechanistic gaming; this
doesn't stop there from being an army of lawyers (in fact,
it guarantees it). Some would say that the laws are kept
fuzzy to increase the power of lawmakers and regulators.
- "Bank regulations in this country are kept deliberately
somewhat vague. The regulator's word is the deciding
principle, not a detailed interpretation of statute. The
lines are fuzzy, and because they are fuzzy, the banks
don't press on them nearly as hard as when there's clear
statutory language available to be interpreted in a court.
"The uncertainty in the regulatory environment _increases_
the hold the regulators have over the banks. And the
regulators are known for being decidedly finicky. Their
decisions are largely not subject to appeal (except for the
flagrant stuff, which the regulators are smart enough not
to do too often), and there's no protection against cross-
linking issues. If a bank does something untoward in, say,
mortgage banking, they may find, say, their interstate
branching possibilities seem suddenly much dimmer.
"The Dept. of Treasury doesn't want untraceable
transactions." [Eric Hughes, Cypherpunks list, 1994-8-03]
- Attempts to sneak around the laws, especially in the
context of alternative currencies, Perry Metzger notes:
"They are simply trying to stop you from playing games. The
law isn't like geometry -- there aren't axioms and rules
for deriving one thing from another. The general principle
is that they want to track all your transactions, and if
you make it difficult they will either use existing law to
jail you, or will produce a new law to try to do the same."
[Perry Metzger, 1994-08-10]
- This fuzziness and regulatory discretion is closely related
to those wacky schemes to avoid taxes by claiming, for
example, that the "dollar" is defined as 1/35th of an ounce
of gold (and that hence one's earnings in "real dollars"
are a tiny fraction of the ostensible earnings), that Ohio
did not legally enter the Union and thus the income tax was
never properly ratified, etc. Lots of these theories have
been tested--and rejected. I mention this because some
Cypherpunks show signs of thinking "digital cash" offers
similar opportunities. (And I expect to see similar scams.)
- (A related example. Can one's accumulation of money be
taken out of the country? Depending on who you ask, "it
depends." Taking it out in your suitcase raises all kinds
of possibilities of seizure (violation of currency export
laws, money laundering, etc.). Wiring it out may invoke
FinCEN triggers. The IRS may claim it is "capital flight"
to avoid taxes--which it may well be. Basically, your own
money is no longer yours. There may be ways to do this--I
hope so--but the point remains that the rules are fuzzy,
and the discretionary powers to seize assets are great.
Seek competent counsel, and then pray.)
10.21.12. role of Uniform Commercial Code (UCC)
- not discussed in crypto circles much, but the "rules of the
road"
- in many ways, an implementation of anarcho-capitalism, in
that the UCC is a descendant (modulo some details) of the
"Law Merchant" that handled relations between sovereign
powers, trade at sea, etc.
- things like electronic funds transfers, checks, liabilities
for forged sigs, etc.
- I expect eventual UCC involvement in digital money schemes
10.21.13. "What about the rush to legislate, to pass laws about
cyberspace, the information superduperhighway, etc.?"
+ The U.S. Congress feels it has to "do something" about
things that many of us feel don't need regulation or "help"
from Congress.
- crypto legislation
- set-top boxes, cable access, National Information
Infrastructure (Cable Version)
- information access, parental lock-outs, violence ratings,
sexually explicit materials, etc.
- Related to the "do something!" mentality on National Health
Care, guns, violence, etc.
- Why not just not do anything?
+ Scary possibilities being talked about:
+ giving television sets unique IDs ("V chips") with cable
access through these chips
- tying national ID cards to these, e.g., Joe Citizen, of
Provo, Utah, would be "allowed" to view an NC-17
violence-rated program
- This would be disastrous: records, surveillance,
dossiers, permission, centralization
- The "how can we fix it?" mindset is very damaging. Many
things just cannot be "fixed" by central planners....look
at economies for an example. The same is usually true of
technologies.
10.21.14. on use of offshore escrow agents as protection against
seizures
- contempt laws come into play, but the idea is to make
yourself powerless to alter the situation, and hence not
willfully disobeying the court
+ Can also tell offshore agents what to do with files, and
when to release them
- Eric Hughes proposes: "One solution to this is to give
the passphrase (or other access information) to someone
who won't give it back to you if you are under duress,
investigation, court order, etc. One would desire that
this entity be in a jurisdiction other than where an
investigation might happen." [E.H., 1994-07-26]
- Sandy Sandfort adds: "Prior to seizure/theft, you would
make an arrangement with an offshore "escrow agent."
After seizure you would send your computer the
instruction that says, "encrypt my disk with the escrow
agent's public key." After that, only the escrow agent
could decrypt your disk. Of course, the escrow agent
would only do that when conditions you had stipulated
were in effect." [S. S., 1994-07-27]
- related to data havens and offshore credit/P.I. havens
10.21.15. Can the FCC-type Requirements for "In the clear" broadcasting
(or keys supplied to Feds) be a basis for similar legislation
of private networks and private use of encryption?
- this would seem to be impractical, given the growth of
cellular phones, wireless LANs, etc....can't very well
mandate that corporations broadcast their internal
communications in the clear!
- compression, packet-switching, and all kinds of other
"distortions" of the data...requiring transmissions to be
readable by government agencies would require providing the
government with maps (of where the packets are going), with
specific decompression algorithms, etc....very impractical
10.21.16. Things that could trigger a privacy flap or limitations on
crypto
- Anonymously publishing adoption records [suggested by Brian
Williams, 1994-08-22]
- nuclear weapons secrets (true secrets, not just the
titillating stuff that any bright physics student can
cobble together)
- repugnant markets (assassinations, organ selling, etc.)
10.21.17. Pressures on civilians not to reveal crypto knowledge
+ Example: mobile phone crypto standards.
- "This was the official line until a few months ago - that
A5 was strong and A5X a weakened export
version....However, once we got hold of A5 we found that
it was not particularly strong; there is an easy 2^40
attack. The government's line then changed to `you
mustn't discuss this in public because it would harm
British export sales'....Perhaps it was all a ploy to get
Saddam to buy A5 chips off some disreputable arms dealer
type." [Ross Anderson, "mobil phone in europe <gms-
standard>, a precedence?," sci.crypt, 1994-08-15]
- Now this example comes from Britain, where the
intelligence community has always had more latitude than
in the U.S. (an Official Secrets Act, limits on the
press, no pesky Constitution to get in the way, and even
more of an old boy's network than we have in the U.S.
mil-industrial complex).
- And the threat by NSA officials to have Jim Bidzos, the
president of RSA Data Security, Inc., killed if he didn't
play ball. ["The Keys to the Kingdom," San Jose Mercury
News]
10.21.18. "identity escrow", Eric Hughes, for restrictions on e-mail
accounts and electronic PO boxes (has been talked about,
apparently...no details)
By Tim May, see README
HTML by Jonathan Rochkind