Cyphernomicon 10.21

Legal Issues:
Loose Ends


  10.21.1. Legality of trying to break crypto systems
           + "What's the legality of breaking cyphers?"
             - Suppose I find some random-looking bits and find a way to
                apparently decrease their entropy, perhaps turning them
                into the HBO or Playboy channel? What crime have I
                committed?
             - "Theft of services" is what they'll get me for. Merely
                listening to broadcasts can now be a crime (cellular,
                police channels, satellite broadcasts). In my view, a
                chilling development, for practical reasons (enforcement
                means invasive monitoring) and for basic common sense
                ethics reasons: how can listening to what lands on your
                property be illegal?
             - This also opens the door for laws banning listening to
                certain "outlaw" or "unlicensed" broadcast stations.
                Shades of the Iron Curtain. (I'm not talking about FCC
                licensing, per se.)
           + "Could it ever be illegal to try to break an encryption
              scheme, even if the actual underlying data is not
              "stolen"?"
             + Criminalizing *tools* rather than actions
               - The U.S. is moving in the direction of making mere
                  possession of certain tools and methods illegal, rather
                  than criminalizing actual actions. This has been the
                  case--or so I hear, though I can't cite actual laws--
                  with "burglar tools." (Some dispute this, pointing to
                  the sale of lockpicks, books on locksmithing, etc.
                  Still, see what happens if you try to publish a
                  detailed book on how to counterfeit currency.)
               - Black's law term for this?
             + To some extent, it already is. Video encryption is this
                way. So is cellular.
               - attendees returning from a Bahamas conference on pirate
                  video methods (guess why it was in the Bahamas) had
                  their papers and demo materials seized by Customs
             - Counterfeiting is, I think, in this situation, too.
                Merely exploring certain aspects is verboten. (I don't
                claim that all aspects are, of course.)
             - Interception of broadcast signals may be illegal--
                satellite or cellular phone traffic (and Digital
                Telephony Act may further make such intercepts illegal
                and punishable in draconian ways)
           + Outlawing of the breaking of encryption, a la the
              broadcast/scanner laws
             - (This came up in a thread with Steve Bellovin)
             + Aspects
               + PPL side...hard to convince a PPL agent to "enforce"
                  this
                 - but market sanctions against those who publicly use
                    the information are of course possible, just as with
                    those who overhear conversations and then gossip
                    widely (whereas the act of overhearing is hardly a
                    crime)
               - statutory enforcement leads to complacency, to below-
                  par security
               + is an unwelcome expansion of power of state to enforce
                  laws against decryption of numbers
                 - and may lead to overall restrictions on crypto use
  10.21.2. wais, gopher, WWW, and implications
           - borders more transparent...not clear _where_ searches are
              taking place, files being transferred, etc. (well, it is
              deterministic, so some agent or program presumably knows,
              but it's likely that humans don't)
  10.21.3. "Why are so many prominent Cypherpunks interested in the
            law?"
           - Beats me. Nothing is more stultifyingly boring to me than
              the cruft and "found items" nature of the law.
           - However, for a certain breed of hacker, law hacking is the
              ultimate challenge. And it's important for some Cypherpunk
              goals.
  10.21.4. "How will crypto be fought?"
           - The usual suspects: porn, pedophilia, terrorists, tax
              evaders, spies
           + Claims that "national security" is at stake
             - As someone has said, "National security is the root
                password to the Constitution"
           + claims of discrimination
             - as but one example, crypto allows offshore bank accounts,
                a la carte insurance, etc...these are all things that
                will shake the social welfare systems of many nations
  10.21.5. Stego may also be useful in providing board operators with
            "plausible deniability"--they can claim ignorance of the LSB
            contents (I'm not saying this will stand up in court very
            well, but any port in a storm, especially port 25).
  10.21.6. Can a message be proved to be encrypted, and with what key?
  10.21.7. Legality of digital signatures and timestamps?
           - Stu Haber confirms that this has not been tested, no
              precedents set
  10.21.8. A legal issue about proving encryption exists
           - The XOR point. Any message can be turned into any other
              message, with the proper XOR intermediate message.
              Implications for stego as well as for legal proof
              (difficulty of). As bits leave no fingerprints, the mere
              presence of a particular XOR pad on a defendant's disk is
              no proof that he put it there...the cops could have planted
              the incriminating key, which turns "gi6E2lf7DX01jT$" into
              "Dope is ready." (I see issues of "chain of evidence"
              becoming even more critical, perhaps with use of
              independent "timestamping authorities" to make hashes of
              seized evidence--hashes in the cryptographic sense and not
              hashes in the usual police sense.)
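              The XOR point and the hashing of seized evidence, worked
              through as an added example (not part of the original
              text). The ciphertext and "Dope is ready." are the strings
              quoted above; the second plaintext, the stand-in disk image,
              and the space-padding of the shorter plaintext are
              assumptions made for the illustration.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def pad_for(ciphertext: bytes, wanted: bytes) -> bytes:
    """Build the pad that 'decrypts' ciphertext to wanted.

    A shorter wanted text is right-padded with spaces (an assumption made
    here; the two strings quoted in the text differ in length by one byte).
    """
    if len(wanted) > len(ciphertext):
        raise ValueError("wanted text is longer than the ciphertext")
    return xor_bytes(ciphertext, wanted.ljust(len(ciphertext), b" "))

def evidence_digest(disk_image: bytes) -> str:
    """SHA-256 of seized data, the value a timestamping authority would record."""
    return hashlib.sha256(disk_image).hexdigest()

CIPHERTEXT = b"gi6E2lf7DX01jT$"  # string quoted in the text above

def demo() -> dict:
    incriminating = pad_for(CIPHERTEXT, b"Dope is ready.")  # plaintext from the text
    innocent = pad_for(CIPHERTEXT, b"Lunch at noon?")       # constructed plaintext
    # Constructed stand-in for a disk image as it was at seizure time.
    seized = b"FILE:msg.bin=" + CIPHERTEXT + b";FILE:pad.bin=" + innocent
    recorded = evidence_digest(seized)
    # The same image after the other pad has been swapped in.
    tampered = seized.replace(innocent, incriminating)
    return {
        # One ciphertext, two pads, two unrelated messages: the pad alone
        # proves nothing about what the ciphertext "really" says.
        "with_incriminating_pad": xor_bytes(CIPHERTEXT, incriminating),
        "with_innocent_pad": xor_bytes(CIPHERTEXT, innocent),
        # A digest recorded at seizure no longer matches once a pad changes.
        "digest_still_matches": evidence_digest(tampered) == recorded,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

              The digest only shows that the image changed after it was
              recorded; it has to be taken and timestamped at seizure to
              be of any use.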
  10.21.9. "What are the dangers of standardization and official
            sanctioning?"
           - The U.S. has had a disturbing tendency to standardize on
              some technology and then punish deviations from the
              standard. Examples: telephones, cable (franchises granted,
              competitors excluded)
           - Franchises, standards...
           + My concern: Digital money will be blessed...home banking,
              Microsoft, other banks, etc. The Treasury folks will sign
              on, etc.
             - Competitors will have a hard time, as government throws
                roadblocks in front of them, as the U.S. makes
                international deals with other countries, etc.
 10.21.10. Restrictions on voice encryption?
           + may arise for an ironic reason: people can use Net
              connections to talk worldwide for $1 an hour or less,
              rather than $1 a minute; this may cause telcos to clamor
              for restrictions
             - enforcing these restrictions then becomes problematic,
                unless channel is monitored
             - and if encrypted...
 10.21.11. Fuzziness of laws
           - It may seem surprising that a nation so enmeshed in
              complicated legalese as the U.S., with more lawyers per
              capita than any other large nation and with a legal code
              that consists of hundreds of thousands of pages of
              regulations and interpretations, is actually a nation with
              a legal code that is hard to pin down.
           - Any system with formal, rigid rules can be "gamed against"
              by an adversary. The lawmakers know this, and so the laws
              are kept fuzzy enough to thwart mechanistic gaming; this
              doesn't stop there from being an army of lawyers (in fact,
              it guarantees it). Some would say that the laws are kept
              fuzzy to increase the power of lawmakers and regulators.
           - "Bank regulations in this country are kept deliberately
              somewhat vague.  The regulator's word is the deciding
              principle, not a detailed interpretation of statute.  The
              lines are fuzzy, and because they are fuzzy, the banks
              don't press on them nearly as hard as when there's clear
              statutory language available to be interpreted in a court.
              
              "The uncertainty in the regulatory environment _increases_
              the hold the regulators have over the banks.  And the
              regulators are known for being decidedly finicky.  Their
              decisions are largely not subject to appeal (except for the
              flagrant stuff, which the regulators are smart enough not
              to do too often), and there's no protection against cross-
              linking issues.  If a bank does something untoward in, say,
              mortgage banking, they may find, say, their interstate
              branching possibilities seem suddenly much dimmer.
              
              "The Dept. of Treasury doesn't want untraceable
              transactions." [Eric Hughes, Cypherpunks list, 1994-8-03]
           - On attempts to sneak around the laws, especially in the
              context of alternative currencies, Perry Metzger notes:
              "They are simply trying to stop you from playing games. The
              law isn't like geometry -- there aren't axioms and rules
              for deriving one thing from another. The general principle
              is that they want to track all your transactions, and if
              you make it difficult they will either use existing law to
              jail you, or will produce a new law to try to do the same."
              [Perry Metzger, 1994-08-10]
           - This fuzziness and regulatory discretion is closely related
              to those wacky schemes to avoid taxes by claiming, for
              example, that the "dollar" is defined as 1/35th of an ounce
              of gold (and that hence one's earnings in "real dollars"
              are a tiny fraction of the ostensible earnings), that Ohio
              did not legally enter the Union and thus the income tax was
              never properly ratified, etc. Lots of these theories have
              been tested--and rejected. I mention this because some
              Cypherpunks show signs of thinking "digital cash" offers
              similar opportunities. (And I expect to see similar scams.)
           - (A related example. Can one's accumulation of money be
              taken out of the country? Depending on who you ask, "it
              depends." Taking it out in your suitcase raises all kinds
              of possibilities of seizure (violation of currency export
              laws, money laundering, etc.). Wiring it out may invoke
              FinCEN triggers. The IRS may claim it is "capital flight"
              to avoid taxes--which it may well be. Basically, your own
              money is no longer yours. There may be ways to do this--I
              hope so--but the point remains that the rules are fuzzy,
              and the discretionary powers to seize assets are great.
              Seek competent counsel, and then pray.)
 10.21.12. role of Uniform Commercial Code (UCC)
           - not discussed in crypto circles much, but the "rules of the
              road"
           - in many ways, an implementation of anarcho-capitalism, in
              that the UCC is a descendant (modulo some details) of the
              "Law Merchant" that handled relations between sovereign
              powers, trade at sea, etc.
           - things like electronic funds transfer, checks, liabilities
              for forged sigs, etc.
           - I expect eventual UCC involvement in digital money schemes
 10.21.13. "What about the rush to legislate, to pass laws about
            cyberspace, the information superduperhighway, etc.?"
           + The U.S. Congress feels it has to "do something" about
              things that many of us feel don't need regulation or "help"
              from Congress.
             - crypto legislation
             - set-top boxes, cable access, National Information
                Infrastructure (Cable Version)
             - information access, parental lock-outs, violence ratings,
                sexually explicit materials, etc.
           - Related to the "do something!" mentality on National Health
              Care, guns, violence, etc.
           - Why not just not do anything?
           + Scary possibilities being talked about:
             + giving television sets unique IDs ("V chips") with cable
                access through these chips
               - tying national ID cards to these, e.g., Joe Citizen, of
                  Provo, Utah, would be "allowed" to view an NC-17
                  violence-rated program
               - This would be disastrous: records, surveillance,
                  dossiers, permission, centralization
           - The "how can we fix it?" mindset is very damaging. Many
              things just cannot be "fixed" by central planners....look
              at economies for an example. The same is usually true of
              technologies.
 10.21.14. on use of offshore escrow agents as protection against
            seizures
           - contempt laws come into play, but the idea is to make
              yourself powerless to alter the situation, and hence not
              willfully disobeying the court
           + Can also tell offshore agents what to do with files, and
              when to release them
             - Eric Hughes proposes: "One solution to this is to give
                the passphrase (or other access information) to someone
                who won't give it back to you if you are under duress,
                investigation, court order, etc.  One would desire that
                this entity be in a jurisdiction other than where an
                investigation might happen." [E.H., 1994-07-26]
             - Sandy Sandfort adds: "Prior to seizure/theft, you would
                make an arrangement with an offshore "escrow agent."
                After seizure you would send your computer the
                instruction that says, "encrypt my disk with the escrow
                agent's public key."  After that, only the escrow agent
                could decrypt your disk.  Of course, the escrow agent
                would only do that when conditions you had stipulated
                were in effect." [S. S., 1994-07-27]
           - related to data havens and offshore credit/P.I. havens
 10.21.15. Can the FCC-type Requirements for "In the clear" broadcasting
            (or keys supplied to Feds) be a basis for similar legislation
            of private networks and private use of encryption?
           - this would seem to be impractical, given the growth of
              cellular phones, wireless LANs, etc....can't very well
              mandate that corporations broadcast their internal
              communications in the clear!
           - compression, packet-switching, and all kinds of other
              "distortions" of the data...requiring transmissions to be
              readable by government agencies would require providing the
              government with maps (of where the packets are going), with
              specific decompression algorithms, etc....very impractical
 10.21.16. Things that could trigger a privacy flap or limitations on
            crypto
           - Anonymously publishing adoption records [suggested by Brian
              Williams, 1994-08-22]
           - nuclear weapons secrets (true secrets, not just the
              titillating stuff that any bright physics student can
              cobble together)
           - repugnant markets (assassinations, organ selling, etc.)
 10.21.17. Pressures on civilians not to reveal crypto knowledge
           + Example: mobile phone crypto standards.
             - "This was the official line until a few months ago - that
                A5 was strong and A5X a weakened export
                version....However, once we got hold of A5 we found that
                it was not particularly strong - there is an easy 2^40
                attack. The government's line then changed to `you
                mustn't discuss this in public because it would harm
                British export sales'....Perhaps it was all a ploy to get
                Saddam to buy A5 chips off some disreputable arms dealer
                type." [Ross Anderson, "mobil phone in europe <gms-
                standard>, a precedence?," sci.crypt, 1994-08-15]
             - Now this example comes from Britain, where the
                intelligence community has always had more latitude than
                in the U.S. (an Official Secrets Act, limits on the
                press, no pesky Constitution to get in the way, and even
                more of an old boy's network than we have in the U.S.
                mil-industrial complex).
           - And the threat by NSA officials to have Jim Bidzos, the
              president of RSA Data Security, Inc., killed if he didn't
              play ball. ["The Keys to the Kingdom," San Jose Mercury
              News]
 10.21.18. "identity escrow", Eric Hughes, for restrictions on e-mail
            accounts and electronic PO boxes (has been talked about,
            apparently...no details)



By Tim May, see README

HTML by Jonathan Rochkind