10.1 copyright
THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
1994-09-10, Copyright Timothy C. May. All rights reserved.
See the detailed disclaimer. Use short sections under "fair
use" provisions, with appropriate credit, but don't put your
name on my words.
10.2 - SUMMARY: Legal Issues
10.2.1. Main Points
10.2.2. Connections to Other Sections
- Sad to say, but legal considerations impinge on nearly
every aspect of crypto
10.2.3. Where to Find Additional Information
10.2.4. Miscellaneous Comments
- "I'm a scientist, Jim, not an attorney." Hence, take my
legal comments here with a grain of salt, representing only
hints of the truth as I picked them up from the discussions
on the various forums and lists.
10.3 - Basic Legality of Encryption
10.3.1. "Is this stuff legal or illegal?"
- Certainly the _talking_ about it is mostly legal, at least
in the U.S. and at the time of this writing. In other
countries, you prison term may vary.
+ The actions resulting from crypto, and crypto anarchy, may
well be illegal. Such is often the case when technology is
applied without any particular regard for what the laws say
is permitted. (Pandora's Box and all that.)
- Cypherpunks really don't care much about such ephemera as
the "laws" of some geographic region. Cypherpunks make
their own laws.
+ There are two broad ways of getting things done:
- First, looking at the law and regulations and finding
ways to exploit them. This is the tack favored by
lawyers, of whic$are many in this country.
- Second, "just do it." In areas where the law hasn't
caught up, this can mean unconstrained technological
developement. Good examples are the computer and chip
business, where issues of legality rarely arose (except
in the usual areas of contract enforcement, etc.). More
recently the chip business has discovered lawyering, with
a vengeance.
- In other areas, where the law is centrally involved,
"just do it" can mean many technical violations of the
law. Examples: personal service jobs (maids and
babysitters), contracting jobs without licenses,
permissions, etc., and so on. Often these are "illegal
markets," putatively.
- And bear in mind that the legal system can be used to
hassle people, to pressure them to "plead out" to some
charges, to back off, etc. (In the firearms business, the
pressures and threats are also used to cause some
manufacturers, like Ruger, to back off on a radical pro-gun
stance, so as to be granted favors and milder treatment.
Pressure on crypto-producing companies are probably very
similar. Play ball, or we'll run you over in the parking
lot.)
10.3.2. "Why is the legal status of crypto so murky?"
- First, it may be murkier to me than it it to actual lawyers
like Mike Godwin and Michael Froomkin, both of whom have
been on our list at times. (Though my impression from
talking to Godwin is that many or even most of these issues
have not been addressed in the courts, let alone resolved
definitively.)
- Second, crypto issues have not generally reached the
courts, reflecting the nascent status of most of the things
talked about it here. Things as "trivial" as digital
signatures and digital timestamping have yet to be
challenged in courts, or declared illegal, or anything
similar that might produce a precedent-setting ruling. (Stu
Haber agrees that such tests are lacking.)
- Finally, the issues are deep ones, going to the heart of
issues of self-incrimination (disclosure of keys,
contempt), of intellectual property and export laws (want
to jail someone for talking about prime numbers?), and the
incredibly byzantine world of money and financial
instruments.
- A legal study of crypto--which I hear Professor Froomkin is
doing--could be very important.
10.3.3. "Has the basic legality of crypto and laws about crypto been
tested?"
- As usual, a U.S. focus here. I know little of the situation
in non-U.S. countries (and in many of them the law is
whatever the rulers say it is).
- And I'm not a lawyer.
+ Some facts:
- no direct Constitutional statement about privacy (though
many feel it is implied)
- crypto was not a major issue (espionage was, and was
dealt with harshly, but encrypting things was not a
problem per se)
+ only in the recent past has it become important...and it
will become much more so
- as criminals encrypt, as terrorists encrypt
- as tax is avoided via the techniques described here
- collusion of business ("crypto interlocking
directorates," price signalling)
- black markets, information markets
+ Lawrence Tribe..new amendment
- scary, as it may place limits.... (but unlikely to
happen)
+ Crypto in Court
- mostly untested
- can keys be compelled?
- Expect some important cases in the next several years
10.3.4. "Can authorities force the disclosure of a key?"
+ Mike Godwin, legal counsel for the EFF, has been asked this
queston _many_ times:
- "Note that a court could cite you for contempt for not
complying with a subpoena duces tecum (a subpoena
requiring you to produce objects or documents) if you
fail to turn over subpoenaed backups....To be honest, I
don't think *any* security measure is adequate against a
government that's determined to overreach its authority
and its citizens' rights, but crypto comes close." [Mike
Godwin, 1993-06-14]
+ Torture is out (in many countries, but not all). Truth
serum, etc., ditto.
- "Rubber hose cryptography"
+ Constitutional issues
- self-incrimination
+ on the "Yes" side:
+ is same, some say, as forcing combination to a safe
containing information or stolen goods
- but some say-and a court may have ruled on this-that
the safe can always be cut open and so the issue is
mostly moot
- while forcing key disclosure is compelled testimony
- and one can always claim to have forgotten the key
- i.e., what happens when a suspect simply clams up?
- but authorities can routinely demand cooperation in
investigations, can seize records, etc.
+ on the "No" side:
- can't force a suspect to talk, whether about where he hid
the loot or where his kidnap victim is hidden
- practically speaking, someone under indictment cannot be
forced to reveal Swiss bank accounts....this would seem
to be directly analogous to a cryptographic key
- thus, the key to open an account would seem to be the
same thing
- a memorized key cannot be forced, says someone with EFF
or CPSR
+ "Safe" analogy
+ You have a safe, you won' tell the combination
- you just refuse
- you claim to have forgotten it
- you really don't know it
- cops can cut the safe open, so compelling a combination
is not needed
- "interefering with an investigation"
- on balance, it seems clear that the disclosure of
cryptographic keys cannot be forced (though the practical
penalty for nondisclosure could be severe)
+ Courts
+ compelled testimony is certainly common
- if one is not charged, one cannot take the 5th (may be
some wrinkles here)
- contempt
+ What won't immunize disclosure:
+ clever jokes about "I am guilty of money laundering"
- can it be used?
- does judge declaring immunity apply in this case?
- Eric Hughes has pointed out that the form of the
statement is key: "My key is: "I am a murderer."" is
not a legal admission of anything.
- (There may be some subtleties where the key does contain
important evidence--perhaps the location of a buried body-
-but I think these issues are relatively minor.)
- but this has not really been tested, so far as I know
- and many people say that such cooperation can be
demanded...
- Contempt, claims of forgetting
10.3.5. Forgetting passwords, and testimony
+ This is another area of intense speculation:
- "I forgot. So sue me."
- "I forgot. It was just a temporary file I was working on,
and I just can't remember the password I picked." (A less
in-your-face approach.)
+ "I refuse to give my password on the grounds that it may
tend to incriminate me."
+ Canonical example: "My password is: 'I sell illegal
drugs.'"
- Eric Hughes has pointed out this is not a real
admission of guilt, just a syntactic form, so it is
nonsense to claim that it is incriminating. I agree.
I don't know if any court tests have confirmed this.
+ Sandy Sandfort theorizes that this example might work, or
at least lead to an interesting legal dilemma:
- "As an example, your passphrase could be:
I shot a cop in the back and buried his body
under
the porch at 123 Main St., anywhere USA. The gun
is
wrapped in an oily cloth in my mother's attic.
"I decline to answer on the grounds that my passphrase is
a statement which may tend to incriminate me. I will
only give my passphrase if I am given immunity from
prosecution for the actions to which it alludes."
"Too cute, I know, but who knows, it might work." [S.S.,
1994-0727]
10.3.6. "What about disavowal of keys? Of digital signatures? Of
contracts?
- In the short term, the courts are relatively silent, as few
of these issues have reached the courts. Things like
signatures and contract breaches would likely be handled as
they currently are (that is, the judge would look at the
circumstances, etc.)
+ Clearly this is a major concern. There are two main avenues
of dealing with this"
- The "purist" approach. You *are* your key. Caveat emptor.
Guard your keys. If your signature is used, you are
responsible. (People can lessen their exposure by using
protocols that limit risk, analogous to the way ATM
systems only allow, say, $200 a day to be withdrawn.)
- The legal system can be used (maybe) to deal with these
issues. Maybe. Little of this has been tested in courts.
Conventional methods of verifying forged signatures will
not work. Contract law with digital signatures will be a
new area.
- The problem of *repudiation* or *disavowal* was recognized
early on in cryptologic circles. Alice is confronted with a
digital signature, or whatever. She says; "But I didn't
sign that" or "Oh, that's my old key--it's obsolete" or "My
sysadmin must have snooped through my files," or "I guess
those key escrow guys are at it again."
- I think that only the purist stance will hold water in the
long run.(A hint of this: untraceable cash means, for most
transactions of interest with digital cash, that once the
crypto stuff has been handled, whether the sig was stolen
or not is moot, because the money is gone...no court can
rule that the sig was invalid and then retrieve the cash!)
10.3.7. "What are some arguments for the freedom to encrypt?"
- bans are hard to enforce, requiring extensive police
intrusions
- private letters, diaries, conversations
- in U.S., various provisions
- anonymity is often needed
10.3.8. Restrictions on anonymity
- "identity escrow" is what Eric Hughes calls it
- linits on mail drops, on anonymous accounts, and--perhaps
ultimately--on cash purchases of any and all goods
10.3.9. "Are bulletin boards and Internet providers "common carriers"
or not?"
- Not clear. BBS operators are clearly held more liable for
content than the phone company is, for example.
10.3.10. Too much cleverness is passing for law
- Many schemes to bypass tax laws, regulations, etc., are, as
the British like to say, "too cute by half." For example,
claims that the dollar is defined as 1/35th of an ounce of
gold and that the modern dollar is only 1/10th of this. Or
that Ohio failed to properly enter the Union, and hence all
laws passed afterward are invalid. The same could be said
of schemes to deploy digital cash be claiming that ordinary
laws do not apply. Well, those who try such schemes often
find out otherwise, sometimes in prison. Tread carefully.
10.3.11. "Is it legal to advocate the overthrow of governments or the
breaking of laws?"
- Although many Cypherpunks are not radicals, many others of
us are, and we often advocate "collapse of governments" and
other such things as money laundering schemes, tax evasion,
new methods for espionage, information markets, data
havens, etc. This rasises obvious concerns about legality.
- First off, I have to speak mainly of U.S. issues...the laws
of Russia or Japan or whatever may be completely different.
Sorry for the U.S.-centric focus of this FAQ, but that's
the way it is. The Net started here, and still is
dominantly here, and the laws of the U.S. are being
propagated around the world as part of the New World Order
and the collapse of the other superpower.
- Is it legal to advocate the replacement of a government? In
the U.S., it's the basic political process (though cynics
might argue that both parties represent the same governing
philosophy). Advocating the *violent overthrow* of the U.S.
government is apparently illegal, though I lack a cite on
this.
+ Is it legal to advocate illegal acts in general? Certainly
much of free speech is precisely this: arguing for drug
use, for boycotts, etc.
+ The EFF gopher site has this on "Advocating Lawbreaking,
Brandenburg v. Ohio. ":
- "In the 1969 case of Brandenburg v. Ohio, the Supreme
Court struck down the conviction of a Ku Klux Klan
member under a criminal syndicalism law and established
a new standard: Speech may not be suppressed or
punished unless it is intended to produce 'imminent
lawless action' and it is 'likely to produce such
action.' Otherwise, the First Amendment protects even
speech that advocates violence. The Brandenburg test is
the law today. "
10.4 - Can Crypto be Banned?
10.4.1. "Why won't government simply _ban such encryption methods?"
+ This has always been the Number One Issue!
- raised by Stiegler, Drexler, Salin, and several others
(and in fact raised by some as an objection to my even
discussing these issues, namely, that action may then be
taken to head off the world I describe)
+ Types of Bans on Encryption and Secrecy
- Ban on Private Use of Encryption
- Ban on Store-and-Forward Nodes
- Ban on Tokens and ZKIPS Authentication
- Requirement for public disclosure of all transactions
+ Recent news (3-6-92, same day as Michaelangelo and
Lawnmower Man) that government is proposing a surcharge
on telcos and long distance services to pay for new
equipment needed to tap phones!
- S.266 and related bills
- this was argued in terms of stopping drug dealers and
other criminals
- but how does the government intend to deal with the
various forms fo end-user encryption or "confusion"
(the confusion that will come from compression,
packetizing, simple file encryption, etc.)
+ Types of Arguments Against Such Bans
- The "Constitutional Rights" Arguments
+ The "It's Too Late" Arguments
- PCs are already widely scattered, running dozens of
compression and encryption programs...it is far too
late to insist on "in the clear" broadcasts, whatever
those may be (is program code distinguishable from
encrypted messages? No.)
- encrypted faxes, modem scramblers (albeit with some
restrictions)
- wireless LANs, packets, radio, IR, compressed text and
images, etc....all will defeat any efforts short of
police state intervention (which may still happen)
+ The "Feud Within the NSA" Arguments
- COMSEC vs. PROD
+ Will affect the privacy rights of corporations
- and there is much evidence that corporations are in
fact being spied upon, by foreign governments, by the
NSA, etc.
+ They Will Try to Ban Such Encryption Techniques
+ Stings (perhaps using viruses and logic bombs)
- or "barium," to trace the code
+ Legal liability for companies that allow employees to use
such methods
- perhaps even in their own time, via the assumption that
employees who use illegal software methods in their own
time are perhaps couriers or agents for their
corporations (a tenuous point)
10.4.2. The long-range impossibility of banning crypto
- stego
- direct broadcast to overhead satellites
- samizdat
- compression, algorithms, ....all made plaintext hard to
find
10.4.3. Banning crypto is comparable to
+ banning ski masks because criminals can hide their identity
- Note: yes, there are laws about "going masked for the
purpose of being masked," or somesuch
+ insisting that all speech be in languages understandable by
eavesdroppers
- (I don't mean "official languages" for dealing with the
Feds, or what employers may reasonably insist on)
- outlawing curtains, or at least requiring that "Clipper
curtains" be bought (curtains which are transparent at
wavelengths the governments of the world can use)
- position escrow, via electronic bracelets like criminals
wear
- restrictions on books that possibly help criminals
- banning body armor (proposed in several communities)
- banning radar detectors
- (Note that these bans become more "reasonable" when the
items like body armor and radar detectos are reached, at
least to many people. Not to me, of course.)
10.4.4. So Won't Governments Stop These Systems?
- Citing national security, protection of private property,
common decency, etc.
+ Legal Measures
- Bans on ownership and operation of "anonymous" systems
+ Restrictions on cryptographic algorithms
- RSA patent may be a start
+ RICO, civil suits, money-laundering laws
- FINCEN, Financial Crimes Information Center
- IRS, Justice, NSA, FBI, DIA, CIA
- attempts to force other countries to comply with U.S.
banking laws
10.4.5. Scenario for a ban on encryption
- "Paranoia is cryptography's occupational hazard." [Eric
Hughes, 1994-05-14]
+ There are many scenarios. Here is a graphic one from Sandy
Sandfort:
- "Remember the instructions for cooking a live frog. The
government does not intend to stop until they have
effectively eliminated your privacy.
STEP 1: Clipper becomes the de facto encryption
standard.
STEP 2: When Cypherpunks and other "criminals" eschew
Clipper in favor of trusted strong crypto, the government
is "forced" to ban non-escrowed encryption systems.
(Gotta catch those pedophiles, drug dealers and
terrorists, after all.)
STEP 3: When Cypherpunks and other criminals use
superencryption with Clipper or spoof LEAFs, the
government will regretably be forced to engage in random
message monitoring to detect these illegal techniques.
Each of these steps will be taken because we wouldn't
passively accept such things as unrestricted wiretaps and
reasonable precautions like
digital telephony. It will portrayed as our fault.
Count on it." [Sandy Sandfort, 6-14-94]
10.4.6. Can the flow of bits be stopped? Is the genie really out of
the bottle?
- Note that Carl Ellison has long argued that the genie was
never _in_ the bottle, at least not in the U.S. in non-
wartime situations (use of cryptography, especially in
communications, in wartime obviously raises eyebrows)
10.5 - Legal Issues with PGP
7.12.1. "What is RSA Data Security Inc.'s position on PGP?"
I. They were strongly opposed to early versions
II. objections
- infringes on PKP patents (claimed infringements, not
tested in court, though)
- breaks the tight control previously seen
- brings unwanted attention to public key approaches (I
think PGP also helped RSA and RSADSI)
- bad blood between Zimmermann and Bidzos
III. objections
- infringes on PKP patents (claimed infringements, not
tested in court, though)
- breaks the tight control previously seen
- brings unwanted attention to public key approaches (I
think PGP also helped RSA and RSADSI)
- bad blood between Zimmermann and Bidzos
IV. Talk of lawsuits, actions, etc.
V. The 2.6 MIT accomodation may have lessened the tension;
purely speculative
7.12.2. "Is PGP legal or illegal"?
7.12.3. "Is there still a conflict between RSADSI and PRZ?"
- Apparently not. The MIT 2.6 negotiations seem to have
buried all such rancor. At least officially. I hear there's
still animosity, but it's no longer at the surface. (And
RSADSI is now facing lawsuits and patent suits.)
10.6 - Legal Issues with Remailers
8.9.1. What's the legal status of remailers?
- There are no laws against it at this time.
- No laws saying people have to put return addresses on
messages, on phone calls (pay phones are still legal), etc.
- And the laws pertaining to not having to produce identity
(the "flier" case, where leaflet distributors did not have
to produce ID) would seem to apply to this form of
communication.
+ However, remailers may come under fire:
+ Sysops, MIT case
- potentially serious for remailers if the case is
decided such that the sysop's creation of group that
was conducive to criminal pirating was itself a
crime...that could make all involved in remailers
culpable
8.9.2. "Can remailer logs be subpoenaed?"
- Count on it happening, perhaps very soon. The FBI has been
subpoenaing e-mail archives for a Netcom customer (Lewis De
Payne), probably because they think the e-mail will lead
them to the location of uber-hacker Kevin Mitnick. Had the
parties used remailers, I'm fairly sure we'd be seeing
similar subpoenas for the remailer logs.
- There's no exemption for remailers that I know of!
+ The solutions are obvious, though:
- use many remailers, to make subpoenaing back through the
chain very laborious, very expensive, and likely to fail
(if even one party won't cooperate, or is outside the
court's jurisdiction, etc.)
- offshore, multi-jurisdictional remailers (seleted by the
user)
- no remailer logs kept...destroy them (no law currently
says anybody has to keep e-mail records! This may
change....)
- "forward secrecy," a la Diffie-Hellman forward secrecy
8.9.3. How will remailers be harassed, attacked, and challenged?
8.9.4. "Can pressure be put on remailer operators to reveal traffic
logs and thereby allow tracing of messages?"
+ For human-operated systems which have logs, sure. This is
why we want several things in remailers:
* no logs of messages
* many remailers
* multiple legal jurisdictions, e.g., offshore remailers
(the more the better)
* hardware implementations which execute instructions
flawlessly (Chaum's digital mix)
8.9.5. Calls for limits on anonymity
+ Kids and the net will cause many to call for limits on
nets, on anonymity, etc.
- "But there's a dark side to this exciting phenomenon, one
that's too rarely understood by computer novices.
Because they
offer instant access to others, and considerable
anonymity to
participants, the services make it possible for people -
especially computer-literate kids - to find themselves in
unpleasant, sexually explicit social situations.... And
I've gradually
come to adopt the view, which will be controversial among
many online
users, that the use of nicknames and other forms of
anonymity
must be eliminated or severly curbed to force people
online into
at least as much accountability for their words and
actions as
exists in real social encounters." [Walter S. Mossberg,
Wall Street Journal, 6/30/94, provided by Brad Dolan]
- Eli Brandt came up with a good response to this: "The
sound-bite response to this: do you want your child's
name, home address, and phone number available to all
those lurking pedophiles worldwide? Responsible parents
encourage their children to use remailers."
- Supreme Court said that identity of handbill distributors
need not be disclosed, and pseudonyms in general has a long
and noble tradition
- BBS operators have First Amendment protections (e.g..
registration requirements would be tossed out, exactly as
if registration of newspapers were to be attempted)
8.9.6. Remailers and Choice of Jurisdictions
- The intended target of a remailed message, and the subject
material, may well influence the set of remailers used,
especially for the very important "last remailer' (Note: it
should never be necessary to tell remailers if they are
first, last, or others, but the last remailer may in fact
be able to tell he's the last...if the message is in
plaintext to the recipient, with no additional remailer
commands embedded, for example.)
- A message involving child pornography might have a remailer
site located in a state like Denmark, where child porn laws
are less restrictive. And a message critical of Islam might
not be best sent through a final remailer in Teheran. Eric
Hughes has dubbed this "regulatory arbitrage," and to
various extents it is already common practice.
- Of course, the sender picks the remailer chain, so these
common sense notions may not be followed. Nothing is
perfect, and customs will evolve. I can imagine schemes
developing for choosing customers--a remailer might not
accept as a customer certain abusers, based on digital
pseudonyms < hairy).
8.9.7. Possible legal steps to limit the use of remailers and
anonymous systems
- hold the remailer liable for content, i.e., no common
carrier status
- insert provisions into the various "anti-hacking" laws to
criminalize anonymous posts
8.9.8. Crypto and remailers can be used to protect groups from "deep
pockets" lawsuits
- products (esp. software) can be sold "as is," or with
contracts backed up by escrow services (code kept in an
escrow repository, or money kept there to back up
committments)
+ jurisdictions, legal and tax, cannot do "reach backs" which
expose the groups to more than they agreed to
- as is so often the case with corporations in the real
world, which are taxed and fined for various purposes
(asbestos, etc.)
- (For those who panic at the thought of this, the remedy for
the cautious will be to arrange contracts with the right
entities...probably paying more for less product.)
8.9.9. Could anonymous remailers be used to entrap people, or to
gather information for investigations?
- First, there are so few current remailers that this is
unlikely. Julf seems a non-narc type, and he is located in
Finland. The Cypherpunks remailers are mostly run by folks
like us, for now.
- However, such stings and set-ups have been used in the past
by narcs and "red squads." Expect the worse from Mr.
Policeman. Now that evil hackers are identified as hazards,
expect moves in this direction. "Cryps" are obviously
"crack" dealers.
- But use of encryption, which CP remailers support (Julf's
does not), makes this essentially moot.
10.7 - Legal Issues with Escrowed Encryption and Clipper
9.17.1. As John Gilmore put it in a guest editorial in the "San
Francisco Examiner," "...we want the public to see a serious
debate about why the Constitution should be burned in order
to save the country." [J.G., 1994-06-26, quoted by S.
Sandfort]
9.17.2. "I don't see how Clipper gives the government any powers or
capabilities it doesn't already have. Comments?"
9.17.3. Is Clipper really voluntary?
9.17.4. If Clipper is voluntary, who will use it?
9.17.5. Restrictions on Civilian Use of Crypto
9.17.6. "Has crypto been restricted in the U.S.?"
9.17.7. "What legal steps are being taken?"
- Zimmermann
- ITAR
9.17.8. reports that Department of Justice has a compliance
enforcement role in the EES [heard by someone from Dorothy
Denning, 1994-07], probably involving checking the law
enforcement agencies...
9.17.9. Status
+ "Will government agencies use Clipper?"
- Ah, the embarrassing question. They claim they will, but
there are also reports that sensitive agencies will not
use it, that Clipper is too insecure for them (key
lenght, compromise of escrow data, etc.). There may also
be different procedures (all agencies are equal, but some
are more equal than others).
- Clipper is rated for unclassified use, so this rules out
many agencies and many uses. An interesting double
standard.
+ "Is the Administration backing away from Clipper?"
+ industry opposition surprised them
- groups last summer, Citicorp, etc.
- public opinion
- editorial remarks
- so they may be preparing alternative
- and Gilmore's FOIA, Blaze's attack, the Denning
nonreview, the secrecy of the algortithm
+ will not work
- spies won't use it, child pornographers probably won't
use it (if alternatives exist, which may be the whole
point)
- terrorists won't use it
- Is Clipper in trouble?
9.17.10. "Will Clipper be voluntary?"
- Many supporters of Clipper have cited the voluntary nature
of Clipper--as expressed in some policy statements--and
have used this to counter criticism.
+ However, even if truly voluntary, some issues
+ improper role for government to try to create a
commercial standard
- though the NIST role can be used to counter this point,
partly
- government can and does make it tough for competitors
- export controls (statements by officials on this exist)
+ Cites for voluntary status:
- original statement says it will be voluntary
- (need to get some statements here)
+ Cites for eventual mandatory status:
- "Without this initiative, the government will eventually
become helpless to defend the nation." [Louis Freeh,
director of the FBI, various sources]
- Steven Walker of Trusted Information Systems is one of
many who think so: "Based on his analysis, Walker added,
"I'm convinced that five years from now they'll say 'This
isn't working,' so we'll have to change the rules." Then,
he predicted, Clipper will be made mandatory for all
encoded communications." [
+ Parallels to other voluntary programs
- taxes
10.8 - Legal Issues with Digital Cash
10.8.1. "What's the legal status of digital cash?"
- It hasn't been tested, like a lot of crypto protocols. It
may be many years before these systems are tested.
10.8.2. "Is there a tie between digital cash and money laundering?"
- There doesn't have to be, but many of us believe the
widespread deployment of digital, untraceable cash will
make possible new approaches
- Hence the importance of digital cash for crypto anarchy and
related ideas.
- (In case it isn't obvious, I consider money-laundering a
non-crime.)
10.8.3. "Is it true the government of the U.S. can limit funds
transfers outside the U.S.?"
- Many issues here. Certainly some laws exist. Certainly
people are prosecuted every day for violating currency
export laws. Many avenues exist.
- "LEGALITY - There isn't and will never be a law restricting
the sending of funds outside the United States. How do I
know? Simple. As a country dependant on international
trade (billions of dollars a year and counting), the
American economy would be destroyed." [David Johnson,
privacy@well.sf.ca.us, "Offshore Banking & Privacy,"
alt.privacy, 1994-07-05]
10.8.4. "Are "alternative currencies" allowed in the U.S.? And what's
the implication for digital cash of various forms?
- Tokens, coupons, gift certificates are allowed, but face
various regulations. Casino chips were once treated as
cash, but are now more regulated (inter-casino conversion
is no longer allowed).
- Any attempt to use such coupons as an alternative currency
face obstacles. The coupons may be allowed, but heavily
regulated (reporting requirements, etc.).
- Perry Metzger notes, bearer bonds are now illegal in the
U.S. (a bearer bond represented cash, in that no name was
attached to the bond--the "bearer" could sell it for cash
or redeem it...worked great for transporting large amounts
of cash in compact form).
+ Note: Duncan Frissell claims that bearer bonds are _not_
illegal.
- "Under the Tax Equity and Fiscal Responsibility Act of
1982 (TEFRA), any interest payments made on *new* issues
of domestic bearer bonds are not deductible as an
ordinary and necessary business expense so none have been
issued since then. At the same time, the Feds
administratively stopped issuing treasury securities in
bearer form. Old issues of government and corporate debt
in bearer form still exist and will exist and trade for
30 or more years after 1982. Additionally, US residents
can legally buy foreign bearer securities." [Duncan
Frissell, 1994-08-10]
- Someone else has a slightly different view: "The last US
Bearer Bond issues mature in 1997. I also believe that to
collect interest, and to redeem the bond at maturity, you
must give your name and tax-id number to the paying
agent. (I can check with the department here that handles
it if anyone is interested in the pertinent OCC regs that
apply)" [prig0011@gold.tc.umn.edu, 1994-08-10]
- I cite this gory detail to give readers some idea about
how much confusion there is about these subjects. The
usual advice is to "seek competent counsel," but in fact
most lawyers have no clear ideas about the optimum
strategies, and the run-of-the-mill advisor may mislead
one dangerously. Tread carefully.
- This has implications for digital cash, of course.
10.8.5. "Why might digital cash and related techologies take hold
early in illegal markets? That is, will the Mob be an early
adopter?"
- untraceability needed
- and reputations matter to them
- they've shown in the past that they will try new
approaches, a la the money movements of the drug cartels,
novel methods for security, etc.
10.8.6. "Electronic cash...will it have to comply with laws, and
how?"
- Concerns will be raised about the anonymity aspects, the
usefulness for evading taxes and reporting requirements,
etc.
- a messy issue, sure to be debated and legislated about for
many years
+ split the cash into many pieces...is this "structuring"? is
it legal?
- some rules indicate the structuring per se is not
illegal, only tax evasion or currency control evasion
- what then of systems which _automatically_, as a basic
feature, split the cash up into multiple pieces and move
them?
10.8.7. Currency controls, flight capital regulations, boycotts,
asset seizures, etc.
- all are pressures to find alternate ways for capital to
flow
- all add to the lack of confidence, which, paradoxically to
lawmakers, makes capital flight all the more likely
10.8.8. "Will banking regulators allow digital cash?"
- Not easily, that's for sure. The maze of regulations,
restrictions, tax laws, and legal rulings is daunting. Eric
Hughes spent a lot of time reading up on the laws regarding
banks, commercial paper, taxes, etc., and concluded much
the same. I'm not saying it's impossible--indeed, I believe
it will someday happen, in some form--but the obstacles are
formidable.
+ Some issues:
+ Will such an operation be allowed to be centered or based
in the U.S.?
- What states? What laws? Bank vs. Savings and Loan vs.
Credit Union vs. Securities Broker vs. something else?
+ Will customers be able to access such entities offshore,
outside the U.S.?
- strong crypto makes communication possible, but it may
be difficult, not part of the business fabric, etc.
(and hence not so useful--if one has to send PGP-
encrypted instructions to one's banker, and can't use
the clearing infrastructure....)
+ Tax collection, money-laundering laws, disclosure laws,
"know your customer" laws....all are areas where a
"digital bank" could be shut down forthwith. Any bank not
filling out the proper forms (including mandatory
reporting of transactions of certain amounts and types,
and the Social Security/Taxpayer Number of customers)
faces huge fines, penalties, and regulatory sanctions.
- and the existing players in the banking and securities
business will not sit idly by while newcomers enter
their market; they will seek to force newcomers to jump
through the same hoops they had to (studies indicate
large corporations actually _like_ red tape, as it
helps them relative to smaller companies)
- Concluson: Digital banks will not be "launched" without a
*lot* of work by lawyers, accountants, tax experts,
lobbyists, etc. "Lemonade stand digital banks" (TM) will
not survive for long. Kids, don't try this at home!
- (Many new industries we are familiar with--software,
microcomputers--had very little regulation, rightly so. But
the effect is that many of us are unprepared to understand
the massive amount of red tape which businesses in other
areas, notably banking, face.)
10.8.9. Legal obstacles to digital money. If governments don't want
anonymous cash, they can make things tough.
+ As both Perry Metzger and Eric Hughes have said many times,
regulations can make life very difficult. Compliance with
laws is a major cost of doing business.
- ~"The cost of compliance in a typical USA bank is 14% of
operating costs."~ [Eric Hughes, citing an "American
Banker" article, 1994-08-30]
+ The maze of regulations is navigable by larger
institutions, with staffs of lawyers, accountants, tax
specialists, etc., but is essentially beyond the
capabilities of very small institutions, at least in the
U.S.
- this may or may not remain the case, as computers
proliferate. A "bank-in-a-box" program might help. My
suspicion is that a certain size of staff is needed just
to handle the face-to-face meetings and hoop-jumping.
+ "New World Order"
- U.S. urging other countries to "play ball" on banking
secrecy, on tax evasion extradition, on immigration, etc.
- this is closing off the former loopholes and escape
hatches that allowed people to escape repressive
taxation...the implications for digital money banks are
unclear, but worrisome.
10.9 - Legality of Digital Banks and Digital Cash?
10.9.1. In terms of banking laws, cash reporting regulations, money
laundering statutes, and the welter of laws connected with
financial transactions of all sorts, the Cypherpunks themes
and ideas are basically _illegal_. Illegal in the sense that
anyone trying to set up his own bank, or alternative currency
system, or the like would be shut down quickly. As an
informal, unnoticed _experiment_, such things are reasonably
safe...until they get noticed.
10.9.2. The operative word here is "launch," in my opinion. The
"launch" of the BankAmericard (now VISA) in the 1960s was not
done lightly or casually...it required armies of lawyers,
accountants, and other bureacrats to make the launch both
legal and successful. The mere 'idea" of a credit card was
not enough...that was essentially the easiest part of it all.
(Anyone contemplating the launch of a digital cash system
would do well to study BankAmericard as an example...and
several other examples also.)
10.9.3. The same will be true of any digital cash or similar system
which intends to operate more or less openly, to interface
with existing financial institutions, and which is not
explicity intended to be a Cypherpunkish underground
activity.
10.10 - Export of Crypto, ITAR, and Similar Laws
10.10.1. "What are the laws and regulations about export of crypto,
and where can I find more information?"
- "The short answer is that the Department of State, Office
of Defense Trade Controls (DOS/DTC) and the National
Security Administration (NSA) won't allow unrestricted
export (like is being done with WinCrypt) for any
encryption program that the NSA can't crack with less than
a certain amount (that they are loathe to reveal) of
effort. For the long answer, see
ftp://ftp.csn.net/cryptusa.txt.gz and/or call DOS/DTC at
703-875-7041." [Michael Paul Johnson, sci.crypt, 1994-07-
08]
10.10.2. "Is it illegal to send encrypted stuff out of the U.S.?"
- This has come up several times, with folks claiming they've
heard this.
- In times of war, real war, sending encrypted messages may
indeed be suspect, perhaps even illegal.
- But the U.S. currently has no such laws, and many of us
send lots of encrypted stuff outside the U.S. To remailers,
to friends, etc.
- Encrypted files are often tough to distinguish from
ordinary compressed files (high entropy), so law
enforcement would have a hard time.
- However, other countries may have different laws.
10.10.3. "What's the situation about export of crypto?"
+ There's been much debate about this, with the case of Phil
Zimmermann possibly being an important test case, should
charges be filed.
- as of 1994-09, the Grand Jury in San Jose has not said
anything (it's been about 7-9 months since they started
on this issue)
- Dan Bernstein has argued that ITAR covers nearly all
aspects of exporting crypto material, including codes,
documentation, and even "knowledge." (Controversially, it
may be in violation of ITAR for knowledgeable crypto people
to even leave the country with the intention of developing
crypto tools overseas.)
- The various distributions of PGP that have occurred via
anonymous ftp sources don't imply that ITAR is not being
enforced, or won't be in the future.
10.10.4. Why and How Crypto is Not the Same as Armaments
- the gun comparison has advantages and disadvantages
- "right to keep and bear arms"
- but then this opens the door wide to restrictions,
regulations, comparisons of crypto to nuclear weapons, etc.
-
+ "Crypto is not capable of killing people directly. Crypto
consists
- entirely of information (speech, if you must) that cannot
be
- interdicted. Crypto has civilian use.
- -
- , 4-11-94, sci.crypt>
10.10.5. "What's ITAR and what does it cover?"
+ ITAR, the International Trafficking in Arms Regulations, is
the defining set of rules for export of munitions--and
crypto is treated as munitions.
- regulations for interpreting export laws
+ NSA may have doubts that ITAR would hold up in court
- Some might argue that this contravenes the Constitution,
and hence would fail in court. Again, there have been few
if any solid tests of ITAR in court, and some indications
that NSA lawyers are reluctant to see it tested, fearing
it would not pass muster.
- doubts about legality (Carl Nicolai saw papers, since
confirmed in a FOIA)
- Brooks statement
- Cantwell Bill
- not fully tested in court
+ reports of NSA worries that it wouldn't hold up in court if
ever challenged
- Carl Nicolai, later FOIA results, conversations with Phil
+ Legal Actions Surrounding ITAR
- The ITAR laws may be used to fight hackers and
Cypherpunks...the outcome of the Zimmermann indictment
will be an important sign.
+ What ITAR covers
- "ITAR 121.8(f): ``Software includes but is not limited to
the system functional design, logic flow, algorithms,
application programs, operating systems and support
software for design, implementation, test, operation,
diagnosis and repair.'' [quoted by Dan Bernstein,
talk.politics.crypto, 1994-07-14]
- joke by Bidzos about registering as an international arms
dealer
+ ITAR and code (can code be published on the Net?)
- "Why does ITAR matter?"
- Phil Karn is involved with this, as are several others
here
+ Dan Bernstein has some strongly held views, based on his
long history of fighting the ITAR
- "Let's assume that the algorithm is capable of
maintaining secrecy of information, and that it is not
restricted to decryption, banking, analog scrambling,
special smart cards, user authentication, data
authentication, data compression, or virus protection.
"The algorithm is then in USML Category XIII(b)(1).
"It is thus a defense article. ITAR 120.6. " [Dan
Bernstein, posting code to sci.crypt,
talk.politics.crypto, 1994-08-22]
- "Sending a defense article out of the United States in
any manner (except as knowledge in your head) is
export. ITAR 120.17(1).
"So posting the algorithm constitutes export. There are
other forms of export, but I won't go into them here.
"The algorithm itself, without any source code, is
software." [Dan Bernstein, posting code to sci.crypt,
talk.politics.crypto, 1994-08-22]
- "The statute is the Arms Export Control Act; the
regulations are the
International Traffic in Arms Regulations. For precise
references, see
my ``International Traffic in Arms Regulations: A
Publisher's Guide.''" [Dan Bernstein, posting code to
sci.crypt, talk.politics.crypto, 1994-08-22]
+ "Posting code is fine. We do it all the time; we have
the right to do it; no one seems to be trying to stop us
from doing it." [Bryan G. Olson, posting code to
sci.crypt, talk.politics.crypto, 1994-08-20]
- Bernstein agrees that few busts have occurred, but
warns: "Thousands of people have distributed crypto in
violation of ITAR; only two, to my knowledge, have been
convicted. On the other hand, the guv'mint is rapidly
catching up with reality, and the Phil Zimmermann case
may be the start of a serious crackdown." [Dan
Bernstein, posting code to sci.crypt,
talk.politics.crypto, 1994-08-22]
- The common view that academic freedom means one is OK is
probably not true.
+ Hal Finney neatly summarized the debate between Bernstein
and Olsen:
- "1) No one has ever been prosecuted for posting code on
sci.crypt. The Zimmermann case, if anything ever comes
of it, was not about posting code on Usenet, AFAIK.
"2) No relevant government official has publically
expressed an opinion on whether posting code on
sci.crypt would be legal. The conversations Dan
Bernstein posted dealt with his requests for permission
to export his algorithm, not to post code on sci.crypt.
"3) We don't know whether anyone will ever be
prosecuted for posting code on sci.crypt, and we don't
know what the outcome of any such prosecution would
be." [Hal Finney, talk.politics.crypto, 1994-008-30]
10.10.6. "Can ITAR and other export laws be bypassed or skirted by
doing development offshore and then _importing_ strong crypto
into the U.S.?"
- IBM is reportedly doing just this: developing strong crypto
products for OS/2 at its overseas labs, thus skirting the
export laws (which have weakened the keys to some of their
network security products to the 40 bits that are allowed).
+ Some problems:
- can't send docs and knowhow to offshore facilities (some
obvious enforcement problems, but this is how the law
reads)
- may not even be able to transfer knowledgeable people to
offshore facilities, if the chief intent is to then have
them develop crypto products offshore (some deep
Constitutional issues, I would think...some shades of how
the U.S.S.R. justified denying departure visas for
"needed" workers)
- As with so many cases invovling crypto, there are no
defining legal cases that I am aware of.
10.11 - Regulatory Arbitrage
10.11.1. Jurisdictions with more favorable laws will see claimants
going there.
10.11.2. Similar to "capital flight" and "people voting with their
feet."
10.11.3. Is the flip side of "jurisdiction shopping." wherein
prosecutors shop around for a jurisdiction that will be
likelier to convict. (As with the Amateur Action BBS case,
tried in Memphis, Tennessee, not in California.)
10.12 - Crypto and Pornography
10.12.1. There's been a lot of media attention given to this,
especially pedophilia (pedophilia is not the same thing as
porn, of course, but the two are often discussed in articles
about the Net). As Rishab Ghosh put it: "I think the
pedophilic possibilities of the Internet capture the
imaginations of the media -- their deepest desires, perhaps."
[R.G., 1994-07-01]
10.12.2. The fact is, the two are made for each other. The
untraceability of remailers, the unbreakability of strong
crypto if the files are intercepted by law enforcement, and
the ability to pay anonymously, all mean the early users of
commercial remailers will likely be these folks.
10.12.3. Avoid embarrassing stings! Keep your job at the elementary
school! Get re-elected to the church council!
10.12.4. pedophilia, bestiality, etc. (morphed images)
10.12.5. Amateur Action BBS operator interested in crypto....a little
bit too late
10.12.6. There are new prospects for delivery of messages as part of
stings or entrapment attacks, where the bits decrypt into
incriminating evidence when the right key is used. (XOR of
course)
10.12.7. Just as the law enforcement folks are claiming, strong crypto
and remailers will make new kinds of porn networks. The nexus
or source will not be known, and the customers will not be
known.
- (An interesting strategy: claim customers unknown, and
their local laws. Make the "pickup" the customer's
responsibility (perhaps via agents).
10.13 - Usenet, Libel, Local Laws, Jurisdictions, etc.
10.13.1. (Of peripheral importance to crypto themes, but important for
issues of coming legislation about the Net, attempts to
"regain control," etc. And a bit of a jumble of ideas, too.)
10.13.2. Many countries, many laws. Much of Usenet traffic presumably
violates various laws in Iran, China, France, Zaire, and the
U.S., to name f ew places which have laws about what thoughts
can be expressed.
10.13.3. Will this ever result in attempts to shut down Usenet, or at
least the feeds into various countries?
10.13.4. On the subject of Usenet possibly being shut-down in the U.K.
(a recent rumor, unsubstantiated), this comment: " What you
have to grasp is that USENET type networks and the whole
structure of the law on publshing are fundamentally
incompatiable. With USENT anyone can untracably distribute
pornographic, libelous, blasphemous, copyright or even
officially secret information. Now, which do you think HMG
and, for that matter, the overwhealming majority of oridnary
people in this country think is most important. USENET or
those laws?" [Malcolm McMahon, malcolm@geog.leeds.ac.uk,
comp.org.eff.talk, 1994--08-26]
10.13.5. Will it succeed? Not completely, as e-mail, gopher, the Web,
etc., still offers access. But the effects could reach most
casual users, and certainly affect the structure as we know
it today.
10.13.6. Will crypto help? Not directly--see above.
10.14 - Emergency Regulations
10.14.1. Emergency Orders
- various NSDDs and the like
- "Seven Days in May" scenario
10.14.2. Legal, secrecy orders
- George Davida, U. oif Wisconsin, received letter in 1978
threatening a $10K per day fine
- Carl Nicolai, PhasorPhone
- The NSA has confirmed that parts of the EES are patented,
in secrecy, and that the patents will be made public and
then used to stop competitors should the algorithm become
known.
10.14.3. Can the FCC-type Requirements for "In the clear" broadcasting
(or keys supplied to Feds) be a basis for similar legislation
of private networks and private use of encryption?
- this would seem to be impractical, given the growth of
cellular phones, wireless LANs, etc....can't very well
mandate that corporations broadcast their internal
communications in the clear!
- compression, packet-switching, and all kinds of other
"distortions" of the data...requiring transmissions to be
readable by government agencies would require providing the
government with maps (of where the packets are going), with
specific decompression algorithms, etc....very impractical
10.15 - Patents and Copyrights
10.15.1. The web of patents
- what happens is that everyone doing anything substantive
spends much of his time and money seeking patents
- patents are essential bargaining chips in dealing with
others
- e.g., DSS, Schnorr, RSADSI, etc.
- e.g., Stefan Brands is seeking patents
- Cylink suing...
10.15.2. Role of RSA, Patents, etc.
+ Bidzos: "If you make money off RSA, we make money" is the
simple rule
- but of course it goes beyond this, as even "free" uses
may have to pay
- Overlapping patents being used (apparently) to extent the
life of the portfolio
+ 4/28/97 The first of several P-K and RSA patents expires
+ U.S. Patent Number: 4200770
- Title: Cryptographic Apparatus and Method
- Inventors: Hellman, Diffie, Merkle
- Assignee: Stanford University
- Filed: September 6, 1977
- Granted: April 29, 1980
- [Expires: April 28, 1997]
+ remember that any one of these several patents held by
Public Key Partners (Stanford and M.I.T., with RSA Data
Security the chief dispenser of licenses) can block an
effort to bypass the others
- though this may get fought out in court
+ 8/18/97 The second of several P-K and RSA patents expires
+ U.S. Patent Number: 4218582
- Title: Public Key Cryptographic Apparatus and Method
- Inventors: Hellman, Merkle
- Assignee: The Board of Trustees of the Leland Stanford
Junior University
- Filed: October 6, 1977
- Granted: August 19, 1980
- [Expires: August 18, 1997]
- this may be disputed because it describe algortihms in
broad terms and used the knapsack algorithm as the chief
example
+ 9/19/00 The main RSA patent expires
+ U.S. Patent Number: 4405829
- Title: Cryptographic Communications System and Method
- Inventors: Rivest, Shamir, Adleman
- Assignee: Massachusetts Institute of Technology
- Filed: December 14, 1977
- Granted: September 20, 1983
- [Expires: September 19, 2000]
10.15.3. Lawsuits against RSA patents
+ several are brewing
- Cylink is suing (strange rumors that NSA was involved)
- Roger Schlafly
10.15.4. "What about the lawsuit filed by Cylink against RSA Data
Security Inc.?"
- Very curious, considering they are both part of Public Key
Partners, the consortium of Stanford, MIT, Cylink, and RSA
Data Security Inc. (RSADSI)
- the suit was filed in the summer of 1994
+ One odd rumor I heard, from a reputable source, was that
the NSA had asked PKP to do something (?) and that Cylink
had agreed, but RSADSI had refused, helping to push the
suit along
- any links with the death threats against Bidzos?
10.15.5. "Can the patent system be used to block government use of
patents for purposes we don't like?"
- Comes up especially in the context of S. Micali's patent on
escrow techniques
- "Wouldn't matter. The government can't be enjoined from
using a patent. The federal government, in the final
analysis, can use any patent they want, without permission,
and the only recourse of the patent owner is to sue for
royalties in the Court of Claims." [Bill Larkins,
talk.politics.crypto, 1994-07-14]
10.16 - Practical Issues
10.16.1. "What if I tell the authorities I Forgot My Password?"
- (or key, or passphrase...you get the idea)
- This comes up repeatedly, but the answer remains murky
10.16.2. Civil vs. Criminal
+ "This is a civil mattep, and the pights of ppivaay one haq
in cpiminal mattepq
- tend to vaniqh in aivil litigation. The paptieq to a
lawquit hate
- tpemeldouq powepq to dopae the othep qide to peteal
ildopmatiol peletalt
- to the aaqe, <@pad Templetol, 4-1-94, aomp,opg,edd,tal
10.16.3. the law is essentially what the courts say it is
10.17 - Free Speech is Under Assault
10.17.1. Censorship comes in many forms. Tort law, threats of grant or
contract removal, all are limiting speech. (More reasons for
anonymous speech, of course.)
10.17.2. Discussions of cryptography could be targets of future
crackdowns. Sedition laws, conspiracy laws, RICO, etc. How
long before speaking on these matters earns a warning letter
from your university or your company? (It's the "big stick"
of ultimate government action that spurs these university and
company policies. Apple fears being shut down for having
"involvement" with a terrorist plot, Emory University fears
being sued for millions of dollars for "conspiring" to
degrade wimmin of color, etc.)
How long before "rec.guns" is no longer carried at many
sites, as they fear having their universities or companies
linked to discussions of "assault weapons" and "cop-killer
bullets"? Prediction: Many companies and universities, under
pressure from the Feds, will block groups in which encrypted
files are posted. After all, if one encrypts, one must have
something to hide, and that could expose the university to
legal action from some group that feels aggrieved.
10.17.3. Free speech is under assault across the country. The tort
system is being abused to stifle dissenting views (and lest
you think I am only a capitalist, only a free marketeer, the
use of "SLAPP suits"--"Strategic Lawsuits Against Public
Participation"--by corporations or real estate developers to
threaten those who dare to publicly speak against their
projects is a travesty, a travesty that the courts have only
recently begun to correct).
We are becoming a nation of sheep, fearing the midnight raid,
the knock on the door. We fear that if we tell a joke,
someone will glare at us and threaten to sue us _and_ our
company! And so companies are adopting "speech codes" and
other such baggage of the Orwell's totalitarian state.
Political correctness is extending its tendrils into nearly
every aspect of life in America.
10.18 - Systems, Access, and the Law
10.18.1. Legal issues regarding access to systems
+ Concerns:
- access by minors to sexually explicit material
+ access from regions where access "should not be
permitted"
- export of crypto, for example
- the Memphis access to California BBS
+ Current approach: taking the promise of the accessor
- "I will not export this outside the U.S. or Canada."
- "I am of legal age to access this material."
+ Possible future approaches:
+ Callbacks, to ensure accessor is from region stated
- easy enough to bypass with cut-outs and remailers
+ "Credentials"
- a la the US Postal Service's proposed ID card (and
others)
+ cryptographically authenticated credentials
- Chaum's credentials system (certainly better than
many non-privacy-preserving credentials systems)
10.18.2. "What is a "common carrier" and how does a service become
one?"
- (This topic has significance for crypto and remailers, vis
a vis whether remailers are to be treated as common
carriers.)
- Common carriers are what the phone and package delivery
services are. They are not held liable for the contents of
phone calls, for the contents of packages (drugs,
pornography, etc.), or for illegal acts connected with
their services. One of the deals is that common carriers
not examine the insides of packages. Common carriers
essentially agree to take all traffic that pays the fee and
not to discriminate based on content. Thus, a phone service
will not ask what the subject of a call is to be, or listen
in, to decide whether to make the connection.
- Some say that to be a common carrier requires a willingness
to work with law enforcement. That is, Federal Express is
not responsible for contents of packages, but they have to
cooperate in reasonable ways with law enforcement to open
or track suspicious packages. Anybody have a cite for this?
Is it true?
- Common carrier status is also cited for bookstores, which
are not presumed to have read each and every one of the
books they sell...so if somebody blows their hand off in a
an experiment, the bookstore is not liable. (The
author/publisher may be, but that's aänt issue.)
- How does one become a common carrier? Not clear. One view
is that a service should "behave like" a common carrier and
then hope and pray that a court sees it that way.
+ Are computer services common carriers? A topic of great
interest.
- "According to a discussion I had with Dave Lawrence
(postmaster at UUNET, as well as moderator of
news.admin.newgroups), UUNET is registered with the FCC
as an "Enhanced Service Provider," which, according to
Dave, amounts to similar protection as "Common Carrier."
("Common Carrier" seems to not be appropriate yet, since
Congress is so behind the tech curve)." [L. Todd Masco,
1994-08-11]
- As for remailer networks being treated as common carriers,
totally unclear at this time. Certainly the fact that
packets are fully encrypted and unreadabel goes to part of
the issue about agreeing not to screen.
+ More on the common carrier debate:
- "Ah, the eternal Common Carrier debate. The answer is
the same as the last few times. "Common Carrier" status
has little to do with exemption from liability. It has
most to do with being unable to reject passengers, goods,
or phone calls......Plenty of non-common carrier entities
are immune from prosecution for ideas that they
unkowingly communicate -- bookstores for example (unless
they are *knowingly* porno bookstores in the wrong
jurisdiction)....Compuserve was held not liable for an
(alleged) libel by one of its sysops. Not because of
common carrier but because they had no knowledge or
control....Remailers have no knowledge or control hence
no scienter (guilty knowledge) hence no liability as a
matter of law---not a jury question BTW." [Duncan
Frissell, 1994-08-11]
10.19 - Credentials
10.19.1. "Are credentials needed? Will digital methods be used?"
10.19.2. I take a radical view. Ask yourself why credentials are
_ever_ needed. Maybe for driving a car, and the like, but in
those cases anonymity is not needed, as the person is in the
car, etc.
Credentials for drinking age? Why? Let the parents enforce
this, as the argument goes about watching sex and violence on
t.v. (If one accepts the logic of requiring bars to enforce
children's behavior, then one is on a slippery slope toward
requiring television set makers to check smartcards of
viewers, or of requiring a license to access the Internet,
etc.)
In almost no cases do I see the need to carry "papers" with
me. Maybe a driver's license, like I said. In other areas,
why?
10.19.3. So Cypherpunks probably should not spend too much time
worrying about how permission slips and "hall passes" will be
handled. Little need for them.
10.19.4. "What about credentials for specific job performance, or for
establishing time-based contracts?"
- Credentials that prove one has completed certain classes,
or reached certain skill levels, etc.?
- In transactions where "future performance" is needed, as in
a contract to have a house built, or to do some similar
job, then of course the idea of on-line or immediate
clearing is bogus...like paying a stranger a sum of money
on his promise that he'll be back the next day to start
building you a house.
Parties to such long-term, non-locally-cleared cases may
contract with an escrow agent, as I described above. This
is like the "privately-produced law" we've discussed so
many times. The essence: voluntary arrangements.
Maybe proofs of identity will be needed, or asked for,
maybe not. But these are not the essence of the deal.
10.20 - Escrow Agents
10.20.1. (the main discussion of this is under Crypto Anarchy)
10.20.2. Escrow Agents as a way to deal with contract renegging
- On-line clearing has the possible danger implicit in all
trades that Alice will hand over the money, Bob will verify
that it has cleared into hisaccount (in older terms, Bob
would await word that his Swiss bank account has just been
credited), and then Bob will fail to complete his end of
the bargain. If the transaction is truly anonymous, over
computer lines, then of course Bob just hangs up his modem
and the connection is broken. This situation is as old as
time, and has always involved protcols in which trust,
repeat business, etc., are factors. Or escrow agents.
- Long before the "key escrow" of Clipper, true escrow was
planned. Escrow as in escrow agents. Or bonding agents.
- Alice and Bob want to conduct a transaction. Neither trusts
the other;
indeed, they are unknown to each other. In steps "Esther's
Escrow Service." She is _also utraceable_, but has
established a digitally-signed presence and a good
reputation for fairness. Her business is in being an escrow
agent, like a bonding agency, not in "burning" either
party. (The math of this is interesting: as long as the
profits to be gained from any small set of transactions is
less than her "reputation capital," it is in her interest
to forego the profits from burning and be honest. It is
also possible to arrange that Esther cannot profit from
burning either Alice or Bob or both of them, e.g., by
suitably encrypting the escrowed stuff.)
- Alice can put her part of the transaction into escrow with
Esther, Bob can do the same, and then Esther can release
the items to the parties when conditions are met, when both
parties agree, when adjudication of some sort occurs, etc.
(There a dozen issues here, of course, about how disputes
are settled, about how parties satisfy themselves that
Esther has the items she says she has, etc.)
10.21 - Loose Ends
10.21.1. Legality of trying to break crypto systems
+ "What's the legality of breaking cyphers?"
- Suppose I find some random-looking bits and find a way to
apparently decrease their entropy, perhaps turning them
into the HBO or Playboy channel? What crime have I
committed?
- "Theft of services" is what they'll get me for. Merely
listening to broadcasts can now be a crime (cellular,
police channels, satellite broadcasts). In my view, a
chilling developemt, for practical reasons (enforcement
means invasive monitoring) and for basic common sense
ethics reasons: how can listening to what lands on your
property be illegal?
- This also opens the door for laws banning listening to
certain "outlaw" or "unlicensed" braodcast stations.
Shades of the Iron Curtain. (I'm not talking about FCC
licensing, per se.)
+ "Could it ever be illegal to try to break an encryption
scheme, even if the actual underlying data is not
"stolen"?"
+ Criminalizing *tools* rather than actions
- The U.S. is moving in the direction of making mere
possession of certain tools and methods illegal, rather
than criminalizing actual actions. This has been the
case--or so I hear, though I can't cite actual laws--
with "burglar tools." (Some dispute this, pointing to
the sale of lockpicks, books on locksmithing, etc.
Still, see what happens if you try to publish a
detailed book on how to counterfeit currency.)
- Black's law term for this?
+ To some extent, it already is. Video encryption is this
way. So is cellular.
- attendees returning from a Bahamas conference on pirate
video methods (guess why it was in the Bahamas) had
their papers and demo materials seized by Customs
- Counterfeiting is, I think, in this situation, too.
Merely exploring certain aspects is verboten. (I don't
claim that all aspects are, of course.)
- Interception of broadcast signals may be illegal--
satellite or cellular phone traffic (and Digital
Telephony Act may further make such intercepts illegal
and punishable in draconian ways)
+ Outlawing of the breaking of encryption, a la the
broadcast/scanner laws
- (This came up in a thread with Steve Bellovin)
+ Aspects
+ PPL side...hard to convince a PPL agent to "enforce"
this
- but market sanctions against those who publically use
the information are of course possible, just as with
those who overhear conversations and then gossip
widely (whereas the act of overhearing is hardly a
crime)
- statutory enforcement leads to complacency, to below-
par security
+ is an unwelcome expansion of power of state to enforce
laws against decryption of numbers
- and may lead to overall restrictions on crypto use
10.21.2. wais, gopher, WWW, and implications
- borders more transparent...not clear _where_ searches are
taking place, files being transferrred, etc. (well, it is
deterministic, so some agent or program presumably knows,
but it's likely that humans don't)
10.21.3. "Why are so many prominent Cypherpunks interested in the
law?"
- Beats me. Nothing is more stultfyingly boring to me than
the cruft and "found items" nature of the law.
- However,, for a certain breed of hacker, law hacking is the
ultimate challenge. And it's important for some Cypherpunks
goals.
10.21.4. "How will crypto be fought?"
- The usual suspects: porn, pedophilia, terrorists, tax
evaders, spies
+ Claims that "national security" is at stake
- As someone has said, "National security is the root
password to the Constitution"
+ claims of discrimination
- as but one example, crypto allows offshore bank accounts,
a la carte insurance, etc...these are all things that
will shake the social welfare systems of many nations
10.21.5. Stego may also be useful in providing board operators with
"plausible deniabillity"--they can claim ignorance of the LSB
contents (I'm not saying this will stand up in court very
well, but any port in a storm, especially port 25).
10.21.6. Can a message be proved to be encrypted, and with what key?
10.21.7. Legality of digital signatures and timestamps?
- Stu Haber confirms that this has not been tested, no
precedents set
10.21.8. A legal issue about proving encryption exists
- The XOR point. Any message can be turned into any other
message, with the proper XOR intermediate message.
Implications for stego as well as for legal proof
(difficulty of). As bits leave no fingerprints, the mere
presence of a particular XOR pad on a defendant's disk is
no proof that he put it there...the cops could have planted
the incriminating key, which turns "gi6E2lf7DX01jT$" into
"Dope is ready." (I see issues of "chain of evidence"
becoming even more critical, perhaps with use of
independent "timestamping authorities" to make hashes of
seized evidence--hashes in the cryptographic sense and not
hashes in the usual police sense.)
10.21.9. "What are the dangers of standardization and official
sanctioning?"
- The U.S. has had a disturbing tendency to standardize on
some technology and then punish deviations from the
standard. Examples: telephones, cable (franchises granted,
competitors excluded)
- Franchises, standards...
+ My concern: Digital money will be blessed...home banking,
Microsoft, other banks, etc. The Treasury folks will sign
on, etc.
- Competitors will have a hard time, as government throws
roadblocks in front of them, as the U.S. makes
international deals with other countries, etc.
10.21.10. Restrictions on voice encryption?
+ may arise for an ironic reason: people can use Net
connections to talk worldwide for $1 an hour or less,
rather than $1 a minute; this may cause telcos to clamor
for restrictions
- enforcing these restrictions then becomes problematic,
unless channel is monitored
- and if encrypted...
10.21.11. Fuzziness of laws
- It may seem surprising that a nation so enmeshed in
complicated legalese as the U.S., with more lawyers per
capita than any other large nation and with a legal code
that consists of hundreds of thousands of pages of
regulations and interpretations, is actually a nation with
a legal code that is hard to pin down.
- Any system with formal, rigid rules can be "gamed against"
be an adversary. The lawmakers know this, and so the laws
are kept fuzzy enough to thwart mechanistic gaming; this
doesn't stop there from being an army of lawyers (in fact,
it guarantees it). Some would say that the laws are kept
fuzzy to increase the power of lawmakers and regulators.
- "Bank regulations in this country are kept deliberately
somewhat vague. The regulator's word is the deciding
principle, not a detailed interpretation of statute. The
lines are fuzzy, and because they are fuzzy, the banks
don't press on them nearly as hard as when there's clear
statutory language available to be interpreted in a court.
"The uncertainty in the regulatory environment _increases_
the hold the regulators have over the banks. And the
regulators are known for being decidedly finicky. Their
decisions are largely not subject to appeal (except for the
flagrant stuff, which the regulators are smart enough not
to do too often), and there's no protection against cross-
linking issues. If a bank does something untoward in, say,
mortgage banking, they may find, say, their interstate
branching possibilities seem suddenly much dimmer.
"The Dept. of Treasury doesn't want untraceable
transactions." [Eric Hughes, Cypherpunks list, 1994-8-03]
- Attempts to sneak around the laws, especially in the
context of alternative currencies, Perry Metzger notes:
"They are simply trying to stop you from playing games. The
law isn't like geometry -- there aren't axioms and rules
for deriving one thing from another. The general principle
is that they want to track all your transactions, and if
you make it difficult they will either use existing law to
jail you, or will produce a new law to try to do the same."
[Perry Metzger, 1994-08-10]
- This fuzziness and regulatory discretion is closely related
to those wacky schemes to avoid taxes by claiming , for
example, that the "dollar" is defined as 1/35th of an ounce
of gold (and that hence one's earnings in "real dollars"
are a tiny fraction of the ostensible earnings), that Ohio
did not legally enter the Union and thus the income tax was
never properly ratified,, etc. Lots of these theories have
been tested--and rejected. I mention this because some
Cypherpunks show signs of thinking "digital cash" offers
similar opportunities. (And I expect to see similar scams.)
- (A related example. Can one's accumulation of money be
taken out of the country? Depending on who you ask, "it
depends." Taking it out in your suitcase rasises all kind
of possibilies of seizure (violation of currency export
laws, money laundering, etc.). Wiring it out may invoke
FinCEN triggers. The IRS may claim it is "capital flight"
to avoid taxes--which it may well be. Basically, your own
money is no longer yours. There may be ways to do this--I
hope so--but the point remains that the rules are fuzzy,
and the discretionary powers to seize assets are great.
Seek competent counsel, and then pray.)
10.21.12. role of Uniform Commercial Code (UCC)
- not discussed in crypto circles much, but the "rules of the
road"
- in many way, an implementation of anarcho-capitalism, in
that the UCC is a descendant (modulo some details) of the
"Law Merchant" that handled relations between sovereign
powers, trade at sea, etc.
- things like electronic funds transfere, checks, liablities
for forged sigs, etc.
- I expect eventual UCC involvement in digital money schemes
10.21.13. "What about the rush to legislate, to pass laws about
cyberspace, the information superduperhighway, etc.?
+ The U.S. Congress feels it has to "do something" about
things that many of us feel don't need regulation or "help"
from Congress.
- crypto legislation
- set-top boxes, cable access, National Information
Infrastructure (Cable Version)
- information access, parental lock-outs, violence ratings,
sexually explicit materials, etc.
- Related to the "do something!" mentality on National Health
Care, guns, violence, etc.
- Why not just not do anything?
+ Scary possibilities being talked about:
+ giving television sets unique IDs ("V chips") with cable
access through these chips
- tying national ID cards to these, e.g., Joe Citizen, of
Provo, Utah, would be "allowed" to view an NC-17
violence-rated program
- This would be disastrous: records, surveillance,
dossiers, permission, centralization
- The "how can we fix it?" mindset is very damaging. Many
things just cannot be "fixed" by central planners....look
at economies for an example. The same is usually true of
technologies.
10.21.14. on use of offshore escrow agents as protection against
seizures
- contempt laws come into play, but the idea is to make
yourself powerless to alter the situation, and hence not
willfully disobeying the court
+ Can also tell offshore agents what to do with files, and
when to release them
- Eric Hughes proposes: "One solution to this is to give
the passphrase (or other access information) to someone
who won't give it back to you if you are under duress,
investigation, court order, etc. One would desire that
this entity be in a jurisdiction other than where an
investigation might happen." [E.H., 1994-07-26]
- Sandy Sandfort adds: "Prior to seizure/theft, you would
make an arrangement with an offshore "escrow agent."
After seizure you would send your computer the
instruction that says, "encrypt my disk with the escrow
agents public key." After that, only the escrow agent
could decrypt your disk. Of course, the escrow agent
would only do that when conditions you had stipulated
were in effect." [S. S., 1994-07-27]
- related to data havens and offshore credit/P.I. havens
10.21.15. Can the FCC-type Requirements for "In the clear" broadcasting
(or keys supplied to Feds) be a basis for similar legislation
of private networks and private use of encryption?
- this would seem to be impractical, given the growth of
cellular phones, wireless LANs, etc....can't very well
mandate that corporations broadcast their internal
communications in the clear!
- compression, packet-switching, and all kinds of other
"distortions" of the data...requiring transmissions to be
readable by government agencies would require providing the
government with maps (of where the packets are going), with
specific decompression algorithms, etc....very impractical
10.21.16. Things that could trigger a privacy flap or limitations on
crypto
- Anonymously publishing adoption records [suggested by Brian
Williams, 1994-08-22]
- nuclear weapons secrets (true secrets, not just the
titillating stuff that any bright physics student can
cobble together)
- repugant markets (assassinations, organ selling, etc.)
10.21.17. Pressures on civilians not to reveal crypto knowledge
+ Example: mobile phone crypto standards.
- "This was the official line until a few months ago - that
A5 was strong and A5X a weakened export
version....However, once we got hold of A5 we found that
it was not particularly strong there is an easy 2^40
attack. The government's line then changed to `you
mustn't discuss this in public because it would harm
British export sales'....Perhaps it was all a ploy to get
Saddam to buy A5 chips off some disreputable arms dealer
type. [Ross Anderson, "mobil phone in europe , a precedence?," sci.crypt, 1994-08-15]
- Now this example comes from Britain, where the
intelligence community has always had more lattitude than
in the U.S. (an Official Secrets Act, limits on the
press, no pesky Constitution to get in the way, and even
more of an old boy's network than we have in the U.S.
mil-industrial complex).
- And the threat by NSA officials to have Jim Bidzos, the
president of RSA Data Security, Inc., killed if he didn't
play ball. {"The Keys to the Kingdom," San Jose Mercury
News]
10.21.18. "identity escrow", Eric Hughes, for restrictions on e-mail
accounts and electronic PO boxes (has been talked about,
apparently...no details)