10.21.1. Legality of trying to break crypto systems
+ "What's the legality of breaking cyphers?"
- Suppose I find some random-looking bits and find a way to apparently decrease their entropy, perhaps turning them into the HBO or Playboy channel? What crime have I committed?
- "Theft of services" is what they'll get me for. Merely listening to broadcasts can now be a crime (cellular, police channels, satellite broadcasts). In my view, a chilling development, for practical reasons (enforcement means invasive monitoring) and for basic common sense ethics reasons: how can listening to what lands on your property be illegal?
- This also opens the door for laws banning listening to certain "outlaw" or "unlicensed" broadcast stations. Shades of the Iron Curtain. (I'm not talking about FCC licensing, per se.)
+ "Could it ever be illegal to try to break an encryption scheme, even if the actual underlying data is not "stolen"?"
+ Criminalizing *tools* rather than actions
- The U.S. is moving in the direction of making mere possession of certain tools and methods illegal, rather than criminalizing actual actions. This has been the case--or so I hear, though I can't cite actual laws--with "burglar tools." (Some dispute this, pointing to the sale of lockpicks, books on locksmithing, etc. Still, see what happens if you try to publish a detailed book on how to counterfeit currency.)
- Black's law term for this?
+ To some extent, it already is. Video encryption is this way. So is cellular.
- Attendees returning from a Bahamas conference on pirate video methods (guess why it was in the Bahamas) had their papers and demo materials seized by Customs.
- Counterfeiting is, I think, in this situation, too. Merely exploring certain aspects is verboten. (I don't claim that all aspects are, of course.)
- Interception of broadcast signals may be illegal--satellite or cellular phone traffic (and the Digital Telephony Act may further make such intercepts illegal and punishable in draconian ways)
+ Outlawing of the breaking of encryption, a la the broadcast/scanner laws
- (This came up in a thread with Steve Bellovin)
+ Aspects
+ PPL side...hard to convince a PPL agent to "enforce" this
- but market sanctions against those who publicly use the information are of course possible, just as with those who overhear conversations and then gossip widely (whereas the act of overhearing is hardly a crime)
- statutory enforcement leads to complacency, to below-par security
+ is an unwelcome expansion of power of state to enforce laws against decryption of numbers
- and may lead to overall restrictions on crypto use

10.21.2. wais, gopher, WWW, and implications
- borders more transparent...not clear _where_ searches are taking place, files being transferred, etc. (well, it is deterministic, so some agent or program presumably knows, but it's likely that humans don't)

10.21.3. "Why are so many prominent Cypherpunks interested in the law?"
- Beats me. Nothing is more stultifyingly boring to me than the cruft and "found items" nature of the law.
- However, for a certain breed of hacker, law hacking is the ultimate challenge. And it's important for some Cypherpunks goals.

10.21.4. "How will crypto be fought?"
- The usual suspects: porn, pedophilia, terrorists, tax evaders, spies
+ Claims that "national security" is at stake
- As someone has said, "National security is the root password to the Constitution"
+ claims of discrimination
- as but one example, crypto allows offshore bank accounts, a la carte insurance, etc...these are all things that will shake the social welfare systems of many nations

10.21.5.
Stego may also be useful in providing board operators with "plausible deniability"--they can claim ignorance of the LSB contents (I'm not saying this will stand up in court very well, but any port in a storm, especially port 25).

10.21.6. Can a message be proved to be encrypted, and with what key?

10.21.7. Legality of digital signatures and timestamps?
- Stu Haber confirms that this has not been tested, no precedents set

10.21.8. A legal issue about proving encryption exists
- The XOR point. Any message can be turned into any other message, with the proper XOR intermediate message. Implications for stego as well as for legal proof (difficulty of). As bits leave no fingerprints, the mere presence of a particular XOR pad on a defendant's disk is no proof that he put it there...the cops could have planted the incriminating key, which turns "gi6E2lf7DX01jT$" into "Dope is ready." (I see issues of "chain of evidence" becoming even more critical, perhaps with use of independent "timestamping authorities" to make hashes of seized evidence--hashes in the cryptographic sense and not hashes in the usual police sense.)

10.21.9. "What are the dangers of standardization and official sanctioning?"
- The U.S. has had a disturbing tendency to standardize on some technology and then punish deviations from the standard. Examples: telephones, cable (franchises granted, competitors excluded)
- Franchises, standards...
+ My concern: Digital money will be blessed...home banking, Microsoft, other banks, etc. The Treasury folks will sign on, etc.
- Competitors will have a hard time, as government throws roadblocks in front of them, as the U.S. makes international deals with other countries, etc.

10.21.10. Restrictions on voice encryption?
+ may arise for an ironic reason: people can use Net connections to talk worldwide for $1 an hour or less, rather than $1 a minute; this may cause telcos to clamor for restrictions
- enforcing these restrictions then becomes problematic, unless channel is monitored
- and if encrypted...

10.21.11. Fuzziness of laws
- It may seem surprising that a nation so enmeshed in complicated legalese as the U.S., with more lawyers per capita than any other large nation and with a legal code that consists of hundreds of thousands of pages of regulations and interpretations, is actually a nation with a legal code that is hard to pin down.
- Any system with formal, rigid rules can be "gamed against" by an adversary. The lawmakers know this, and so the laws are kept fuzzy enough to thwart mechanistic gaming; this doesn't stop there from being an army of lawyers (in fact, it guarantees it). Some would say that the laws are kept fuzzy to increase the power of lawmakers and regulators.
- "Bank regulations in this country are kept deliberately somewhat vague. The regulator's word is the deciding principle, not a detailed interpretation of statute. The lines are fuzzy, and because they are fuzzy, the banks don't press on them nearly as hard as when there's clear statutory language available to be interpreted in a court.
  "The uncertainty in the regulatory environment _increases_ the hold the regulators have over the banks. And the regulators are known for being decidedly finicky. Their decisions are largely not subject to appeal (except for the flagrant stuff, which the regulators are smart enough not to do too often), and there's no protection against cross-linking issues. If a bank does something untoward in, say, mortgage banking, they may find, say, their interstate branching possibilities seem suddenly much dimmer.
  "The Dept. of Treasury doesn't want untraceable transactions."
[Eric Hughes, Cypherpunks list, 1994-8-03]
- On attempts to sneak around the laws, especially in the context of alternative currencies, Perry Metzger notes: "They are simply trying to stop you from playing games. The law isn't like geometry -- there aren't axioms and rules for deriving one thing from another. The general principle is that they want to track all your transactions, and if you make it difficult they will either use existing law to jail you, or will produce a new law to try to do the same." [Perry Metzger, 1994-08-10]
- This fuzziness and regulatory discretion is closely related to those wacky schemes to avoid taxes by claiming, for example, that the "dollar" is defined as 1/35th of an ounce of gold (and that hence one's earnings in "real dollars" are a tiny fraction of the ostensible earnings), that Ohio did not legally enter the Union and thus the income tax was never properly ratified, etc. Lots of these theories have been tested--and rejected. I mention this because some Cypherpunks show signs of thinking "digital cash" offers similar opportunities. (And I expect to see similar scams.)
- (A related example. Can one's accumulation of money be taken out of the country? Depending on who you ask, "it depends." Taking it out in your suitcase raises all kinds of possibilities of seizure (violation of currency export laws, money laundering, etc.). Wiring it out may invoke FinCEN triggers. The IRS may claim it is "capital flight" to avoid taxes--which it may well be. Basically, your own money is no longer yours. There may be ways to do this--I hope so--but the point remains that the rules are fuzzy, and the discretionary powers to seize assets are great. Seek competent counsel, and then pray.)

10.21.12.
role of Uniform Commercial Code (UCC)
- not discussed in crypto circles much, but the "rules of the road"
- in many ways, an implementation of anarcho-capitalism, in that the UCC is a descendant (modulo some details) of the "Law Merchant" that handled relations between sovereign powers, trade at sea, etc.
- things like electronic funds transfer, checks, liabilities for forged sigs, etc.
- I expect eventual UCC involvement in digital money schemes

10.21.13. "What about the rush to legislate, to pass laws about cyberspace, the information superduperhighway, etc.?"
+ The U.S. Congress feels it has to "do something" about things that many of us feel don't need regulation or "help" from Congress.
- crypto legislation
- set-top boxes, cable access, National Information Infrastructure (Cable Version)
- information access, parental lock-outs, violence ratings, sexually explicit materials, etc.
- Related to the "do something!" mentality on National Health Care, guns, violence, etc.
- Why not just not do anything?
+ Scary possibilities being talked about:
+ giving television sets unique IDs ("V chips") with cable access through these chips
- tying national ID cards to these, e.g., Joe Citizen, of Provo, Utah, would be "allowed" to view an NC-17 violence-rated program
- This would be disastrous: records, surveillance, dossiers, permission, centralization
- The "how can we fix it?" mindset is very damaging. Many things just cannot be "fixed" by central planners....look at economies for an example. The same is usually true of technologies.

10.21.14.
on use of offshore escrow agents as protection against seizures
- contempt laws come into play, but the idea is to make yourself powerless to alter the situation, and hence not willfully disobeying the court
+ Can also tell offshore agents what to do with files, and when to release them
- Eric Hughes proposes: "One solution to this is to give the passphrase (or other access information) to someone who won't give it back to you if you are under duress, investigation, court order, etc. One would desire that this entity be in a jurisdiction other than where an investigation might happen." [E.H., 1994-07-26]
- Sandy Sandfort adds: "Prior to seizure/theft, you would make an arrangement with an offshore "escrow agent." After seizure you would send your computer the instruction that says, "encrypt my disk with the escrow agent's public key." After that, only the escrow agent could decrypt your disk. Of course, the escrow agent would only do that when conditions you had stipulated were in effect." [S. S., 1994-07-27]
- related to data havens and offshore credit/P.I. havens

10.21.15. Can the FCC-type Requirements for "In the clear" broadcasting (or keys supplied to Feds) be a basis for similar legislation of private networks and private use of encryption?
- this would seem to be impractical, given the growth of cellular phones, wireless LANs, etc....can't very well mandate that corporations broadcast their internal communications in the clear!
- compression, packet-switching, and all kinds of other "distortions" of the data...requiring transmissions to be readable by government agencies would require providing the government with maps (of where the packets are going), with specific decompression algorithms, etc....very impractical

10.21.16.
Things that could trigger a privacy flap or limitations on crypto
- Anonymously publishing adoption records [suggested by Brian Williams, 1994-08-22]
- nuclear weapons secrets (true secrets, not just the titillating stuff that any bright physics student can cobble together)
- repugnant markets (assassinations, organ selling, etc.)

10.21.17. Pressures on civilians not to reveal crypto knowledge
+ Example: mobile phone crypto standards.
- "This was the official line until a few months ago - that A5 was strong and A5X a weakened export version....However, once we got hold of A5 we found that it was not particularly strong there is an easy 2^40 attack. The government's line then changed to `you mustn't discuss this in public because it would harm British export sales'....Perhaps it was all a ploy to get Saddam to buy A5 chips off some disreputable arms dealer type." [Ross Anderson, "mobil phone in europe <gms- standard>, a precedence?," sci.crypt, 1994-08-15]
- Now this example comes from Britain, where the intelligence community has always had more latitude than in the U.S. (an Official Secrets Act, limits on the press, no pesky Constitution to get in the way, and even more of an old boy's network than we have in the U.S. mil-industrial complex).
- And the threat by NSA officials to have Jim Bidzos, the president of RSA Data Security, Inc., killed if he didn't play ball. ["The Keys to the Kingdom," San Jose Mercury News]

10.21.18. "identity escrow", Eric Hughes, for restrictions on e-mail accounts and electronic PO boxes (has been talked about, apparently...no details)
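
Added example (not part of the original text): the XOR point of 10.21.8 worked through in Python. It shows that one ciphertext has a pad for any same-length message, so a pad found on a disk proves nothing by itself, and that a digest recorded at seizure time exposes a pad written to the image afterwards. The function names, the "Lunch is ready." message, the trailing newline added to make "Dope is ready." 15 bytes long, and the disk-image bytes are all constructed for illustration.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; a pad only works at exactly the message length."""
    if len(a) != len(b):
        raise ValueError("XOR pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def pad_for(ciphertext: bytes, wanted_plaintext: bytes) -> bytes:
    """Return the pad under which `ciphertext` reads as `wanted_plaintext`."""
    return xor_bytes(ciphertext, wanted_plaintext)

def seal(evidence: bytes) -> str:
    """Digest to record at seizure (ideally lodged with an independent timestamper)."""
    return hashlib.sha256(evidence).hexdigest()

def unchanged_since_seizure(evidence: bytes, sealed_digest: str) -> bool:
    """True only if the evidence still hashes to the digest taken at seizure."""
    return hashlib.sha256(evidence).hexdigest() == sealed_digest

# Ciphertext string quoted in 10.21.8 (15 bytes).
CIPHERTEXT = b"gi6E2lf7DX01jT$"
# Two candidate readings, constructed to the same 15-byte length. The page's
# "Dope is ready." is 14 bytes, so a trailing newline is appended here.
INCRIMINATING = b"Dope is ready.\n"
INNOCUOUS = b"Lunch is ready."

def demo() -> dict:
    pad_a = pad_for(CIPHERTEXT, INCRIMINATING)
    pad_b = pad_for(CIPHERTEXT, INNOCUOUS)
    # Constructed stand-in for a seized disk image: header, ciphertext, free space.
    disk_at_seizure = b"BOOT" + CIPHERTEXT + b"\x00" * 32
    digest = seal(disk_at_seizure)
    # The same image after pad_a has been written into the free space.
    disk_later = disk_at_seizure[:19] + pad_a + disk_at_seizure[34:]
    return {
        "reads_a": xor_bytes(CIPHERTEXT, pad_a),
        "reads_b": xor_bytes(CIPHERTEXT, pad_b),
        "pads_differ": pad_a != pad_b,
        "original_intact": unchanged_since_seizure(disk_at_seizure, digest),
        "tampered_intact": unchanged_since_seizure(disk_later, digest),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The digest only helps if it is fixed outside the custody of whoever holds the disk, which is the role the text gives to independent timestamping authorities.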
By Tim May, see README
HTML by Jonathan Rochkind