Cyphernomicon Top
Cyphernomicon 16.26

Crypto Anarchy:
How Crypto Anarchy Will Be Fought


  16.26.1. The Direct Attack: Restrictions on Encryption
           + "Why won't government simply ban  such encryption methods?"
             + This has always been the Number One Issue!
               - raised by Stiegler, Drexler, Salin, and several others
                  (and in fact raised by some as an objection to my even
                  discussing these issues, namely, that action may then
                  be taken to head off the world I describe)
             + Types of Bans on Encryption and Secrecy
               - Ban on Private Use of Encryption
               - Ban on Store-and-Forward Nodes
               - Ban on Tokens and ZKIPS Authentication
               - Requirement for public disclosure of all transactions
               + Recent news (3-6-92, same day as Michaelangelo and
                  Lawnmower Man) that government is proposing a surcharge
                  on telcos and long distance services to pay for new
                  equipment needed to tap phones!
                 - S.266 and related bills
                 - this was argued in terms of stopping drug dealers and
                    other criminals
                 - but how does the government intend to deal with the
                    various forms fo end-user encryption or "confusion"
                    (the confusion that will come from compression,
                    packetizing, simple file encryption, etc.)
             + Types of Arguments Against Such Bans
               - The "Constitutional Rights" Arguments
               + The "It's Too Late" Arguments
                 - PCs are already widely scattered, running dozens of
                    compression and encryption programs...it is far too
                    late to insist on "in the clear" broadcasts, whatever
                    those may be (is program code distinguishable from
                    encrypted messages? No.)
                 - encrypted faxes, modem scramblers (albeit with some
                    restrictions)
                 - wireless LANs, packets, radio, IR, compressed text
                    and images, etc....all will defeat any efforts short
                    of police state intervention (which may still happen)
               + The "Feud Within the NSA" Arguments
                 - COMSEC vs. PROD
               + Will affect the privacy rights of corporations
                 - and there is much evidence that corporations are in
                    fact being spied upon, by foreign governments, by the
                    NSA, etc.
             + They Will Try to Ban Such Encryption Techniques
               + Stings (perhaps using viruses and logic bombs)
                 - or "barium," to trace the code
               + Legal liability for companies that allow employees to
                  use such methods
                 - perhaps even in their own time, via the assumption
                    that employees who use illegal software methods in
                    their own time are perhaps couriers or agents for
                    their corporations (a tenuous point)
           - restrictions on: use of codes and ciphers
           + there have long been certain restrictions on the use of
              encryption
             - encryption over radio waves is illegal (unless the key is
                provided to the government, as with Morse code)
             + in war time, many restrictions (by all governments)
               - those who encrypt are ipso facto guilty and are shot
                  summarily, in many places
             - even today, use of encryption near a military base or
                within a defense contractor could violate laws
           + S.266 and similar bills to mandate "trapdoors"
             + except that this will be difficult to police and even to
                detect
               - so many ways to hide messages
               - so much ordinary compression, checksumming, etc.
           + Key Registration Trail Balloon
             - cite Denning's proposal, and my own postings
  16.26.2. Another Direct Attack: Elimination of Cash
           + the idea being that elimination of cash, with credit cards
              replacing cash, will reduce black markets
             - "one person, one ID" (goal of many international
                standards organizations)
           - this elimination of cash may ultimately be tied in to the
              key registration ideas...government becomes a third party
              in all transactions
           + a favorite of conspiracy theorists
             - in extreme form: the number of the Beast tattooed on us
                (credit numbers, etc.)
             - currency exchanges (rumors on the Nets about the imminent
                recall of banknotes, ostensibly to flush out ill-gotten
                gains and make counterfeiting easier)
             + but also something governments like to do at times, sort
                of to remind us who's really in charge
               - Germany, a couple of times
               - France, in the late 1950s
               - various other devaluations and currency reforms
           + Partial steps have already been made
             - cash transactions greater than some value-$10,000 at this
                time, though "suspicious" sub-$10K transactions must be
                reported-are banned
             + large denomination bills have been withdrawn from
                circulation
               - used in drug deals, the argument goes
             - Massachussetts has demanded that banks turn over all
                account records, SS numbers, balances, etc.
           + "If what you're doing is legal, why do you need cash for
              it?"
             - part of the old American dichotomy: privacy versus "What
                have you got to hide?"
           + But why the outlawing of cash won't work
             + if a need exists, black markets will arise
               - i.e., the normal tradeoff between risk and reward:
                  there may be some "discounts" on the value, but cah
                  will still circulate
             + too many other channels exist: securities, secrets, goods
               + from trading in gold or silver, neither of which are
                  outlawed any longer, to trading in secrets, how can the
                  government stop this?
                 - art being used to transfer money across international
                    borders (avoids Customs)
                 - "consideration" given, a la the scam to hide income
               + total surveillance?
                 - it doesn't even work in Russia
                 - on the other hand, Russia lacks the "point of sale"
                    infrastructure to enforce a cashless system
  16.26.3. Another Direct Attack: Government Control of Encryption,
            Networks,  and Net Access
           - a la the old Bell System monopoly, which limited what could
              be hooked up to a phone line
           + the government may take control of the networks in several
              ways:
             + FCC-type restrictions, though it is hard to see how a
                private network, on private property, could be restricted
               - as it is not using part of the "public spectrum"
               - but it is hard to build a very interesting network that
                  stays on private property....and as soon as it crosses
                  public property, BINGO!
             + "National Data Highway" could be so heavily subsidized
                that alternatives will languish (for a while)
               - the Al Gore proposals for a federally funded system
                  (and his wife, Tipper, is of course a leader of the
                  censorship wing)
               - and then the government can claim the right and duty to
                  set the "traffic" laws: protocols, types of encryption
                  allowed, etc.
             - key patents, a la RSA (if in fact gov't.  is a silent
                partner in RSA Data Security)
  16.26.4. An Indirect Attack: Insisting that all  economic transactions
            be "disclosed" (the "Full Disclosure Society" scenario)
           + this sounds Orwellian, but the obvious precedent is that
              businesses must keep records of all financial transactions
              (and even some other records, to see if they're colluding
              or manipulating something)
             - for income and sales tax reasons
             - and OSHA inspections, INS raids, etc.
             + there is currently no requirement that all transactions
                be fully documented with the identies of all parties,
                except in some cases like firearms purchases, but this
                could change
               - especially as electronic transactions become more
                  common: the IRS may someday insist on such records,
                  perhaps even insisting on escrowing of such records, or
                  time-stamping
               + this will hurt small businesses, due to the entry cost
                  and overhead of such systems, but big businesses will
                  probably support it (after some grumbling)
                 - big business always sees bureaucracy as one of their
                    competitive advantages
             + and individuals have not been hassled by the IRS on minor
                personal transactions, though the web is tightening:
                1099s are often required (when payments exceed some
                amount, such as $500)
               - small scale barter transactions
           + but the nature of CA is that many transactions can be
              financial while appearing to be something else (like the
              transfer of music or images, or even the writing of
              letters)
             - which is why a cusp is coming: full disclosure is one
                route, protection of privacy is another
           + the government may cite the dangers of a "good old boy
              network" (literally) that promulgates racist, sexist, and
              ableist discrimination via computer networks
             - i.e., that the new networks are "under-representing
                people of color"
             - and how can quotas be enforced in an anonymous system?
           - proposals in California (7-92) that consultants file
              monthly tax statements, have tax witheld, etc.
           - a strategy for the IRS: require all computer network users
              to have a "taxpayer ID number" for all transactions, so
              that tax evasion can be checked
  16.26.5. Attempts to discredit reputation-based systems by deceit,
            fraud, nonpayment, etc.
           - deliberate attacks on the reputation of services the
              government doesn't want to see
           - there may be government operations to sabotage  businesses,
              to undermine such efforts before they get started
           - analogous to "mail-bombing" an anonymous remailer
  16.26.6. Licensing of software developers may be one method used to
            try to control the spread of anonymous systems and
            information markets
           - by requiring a "business license" attached to any and all
              chunks of code
           + implemented via digital signatures, a la the code signing
              protocols mentioned by Bob Baldwin as a means of reducing
              trapdoors, sabotage, and other modifications by spies,
              hackers, etc.
             - proposals to require all chunks of code to be signed,
                after the Sililcon Valley case in mid-80s, where
                spy/saboteur went to several s/w companies and meddled
                with code
           - "seals" from some group such as "Software Writers
              Laboratories," with formal specs required, source code
              provided to a trusted keeper, etc.
           + such licensing and inspection will also serve to lock-in
              the current players (Microsoft will love it) and make
              foreign competition in software more difficult
             - unless the foreign competition is "sanctioned," e.g.,
                Microsoft opens a code facility in India
  16.26.7. RICO-like seizures of computers and bulletin board systems
           - sting operations and setups
           - Steve Jackson Games is obvious example
           - for illegal material (porno, drug advocacy, electronic
              money, etc.) flowing through their systems
           - even when sysop can prove he did not know illegal acts were
              being committed on his system (precedents are the yachts
              seized because a roach was found)
           + these seizures can occur even when a trial is never held
             - e.g., the "administrative seizure" of cars in Portland in
                prostitution cases
             - and the seizures are on civil penalties, where the
                standards of proof are much lower
           + in some cases a mere FBI investigation is enough to get
              employees fired, renters kicked out, IRS audits started
             + reports that a woman in Georgia who posted some "ULs"
                (unlisted numbers?) was fired by her company after the
                FBI got involved, told by her landlord that her lease was
                not being extended, and so forth
               - "We don't truck with no spies"
             - the IRS audit would not ostensibly be for harassment, but
                for "probable cause" (or whatever term they use) that tax
                avoidance, under-reporting, even money-laundering might
                be involved
  16.26.8. Outlawing of Digital Pseudonyms and Credentialling
           + may echoe the misguided controversy over Caller ID
             - misguided because the free market solution is clear: let
                those who wish to hide their numbers-rape and battering
                support numbers, police, detectives, or even just
                citizens requesting services or whatever-do so
             - and let those who refuse to deal with these anonymous
                callers also do so (a simple enough programming of
                answering machines and telephones)
           - for example, to prevent minors and felons from using the
              systems, "true names" may be required, with heavy fines and
              forfeitures of equipment and assets for anybody that fails
              to comply (or is caught in stings and setups)
           + minors may get screened out of parts of cyberspace by
              mandatory "age credentialing" ("carding")
             - this could be a major threat to such free and open
                systems, as with the various flaps over minors logging on
                to the Internet and seeing X-rated images (however poorly
                rendered) or reading salacious material in alt.sex
             - there may be some government mood to insist that only
                "true names" be used, to facillitate such age screening
                (Fiat-Shamir passports, papers, number of the Beast?)
           + the government may argue that digital pseudonyms are
              presumptively considered to be part of a conspiracy, a
              criminal enterprise, tax evasion, etc.
             - the old "what have you got to hide" theory
             - closely related to the issue of whether false IDs can be
                used even when no crimes are being committed (that is,
                can Joe Average represent himself by other than his True
                Name?)
           - civil libertarians may fight this ban, arguing that
              Americans are not required to present "papers" to
              authorities unless under direct suspicion for a crime
              (never mind the loitering laws, which take the other view)
  16.26.9. Anonymous systems may be restricted on the grounds that they
            constitute a public nuisance
           - or that they promote crime, espionage, etc.
           + especially after a few well-publicized abuses
             - possibly instigated by the government?
           - operators may have to post bonds that effectively drive
              them out of business
 16.26.10. Corporations may be effectively forbidden to hire consultants
            or subcontractors as individuals
           + the practical issue: the welter of tax and benefit laws
              make individuals unable to cope with the mountains of forms
              that have to be filed
             - thus effectively pricing individuals out of this market
           + the tax law side: recall the change in status of
              consultants a few years back...this may be extended further
             - a strategy for the IRS: require all computer network
                users to have a "taxpayer ID number" for all
                transactions, so that tax evasion can be checked
             - not clear how this differs from the point above, but I
                feel certain more such pressures will be applied (after
                all, most corporations tend to see independent
                contractors as more of a negative than a positive)
           - this may be an agenda of the already established companies:
              they see consultants and free lancers as thieves and
              knaves, stealing their secrets and disseminating the crown
              jewels (to punningly mix some metaphors)
           - and since the networks discussed here facilitate the use of
              consultants, more grounds to limit them
 16.26.11. There may be calls for U.N. control of the world banking
            system in the wake of the BCCI and similar scandals
           - to "peirce the veil" on transnationals
           - calls for an end to banking secrecy
           - talk about denying access to the money centers of New York
              (but will this push the business offshore, in parallel to
              the Eurodollar market?)
           + motivations and methods
             - recall the UNESCO attempt a few years back to credential
                reporters, ostensibly to prevent chaos and "unfair"
                reporting...well, the BCCI and nuclear arms deals
                surfacing may reinvigorate the efforts of
                "credentiallers"
             + the USSR and other countries entering the world community
                may sense an opportunity to get in on the formation of
                "boards of directors" of these kinds of banks and
                corporations and so may push the idea in the U.N.
               - sort of like a World Bank or IMF with even more power
                  to step in and take control of other banks, and with
                  the East Bloc and USSR having seats!
 16.26.12. "National security"
           - if the situation gets serious enough, a la a full-blown
              crypto anarchy system, mightn't the government take the
              step of declaring a kind of national emergency?
           - provisions exist: "401 Emergency" and FEMA plans
           - of course, the USSR tried to intitiate emergency measures
              and failed
           - recall that a major goal of crypto anarchy is that the
              systems described here will be so widely deployed as to be
              essential or critical to the overall economy...any attempt
              to "pull the plug" will also kill the economy
 16.26.13. Can authorities force the disclosure of a key?
           + on the "Yes" side:
             + is same, some say,  as forcing combination to a safe
                containing information or stolen goods
               - but some say-and a court may have ruled on this-that
                  the safe can always be cut open and so the issue is
                  mostly moot
               - while forcing key disclosure is compelled testimony
             - and one can always claim to have forgotten the key
             - i.e., what happens when a suspect simply clams up?
             - but authorities can routinely demand cooperation in
                investigations, can seize records, etc.
           + on the "No" side:
             - can't force a suspect to talk, whether about where he hid
                the loot or where his kidnap victim is hidden
             - practically speaking, someone under indictment cannot be
                forced to reveal Swiss bank accounts....this would seem
                to be directly analogous to a cryptographic key
             - thus, the key to open an account would seem to be the
                same thing
             - a memorized key cannot be forced, says someone with EFF
                or CPSR
           - on balance, it seems clear that the disclosure of
              cryptographic keys cannot be forced (though the practical
              penalty for nondisclosure could be severe)
           - but this has not really been tested, so far as I know
           - and many people say that such cooperation can be
              demanded...


Next Page: 16.27 How Crypto Anarchy Advocates Will Fight Back
Previous Page: 16.25 Predictions vs. Implications

By Tim May, see README

HTML by Jonathan Rochkind