..Kawika Daguio said...
>>> "Black Unicorn" <[EMAIL PROTECTED]> 01/20/99 11:22PM >>>
> -----Original Message-----
> From: Kawika Daguio [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 20, 1999 8:00 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: France Allows 128 Bit Crypto
>
>
> I believe that it is appropriate for governments to require the
> delivery of electronic documents (unencrypted)when appropriate
> due process mechanisms are in place that mirror protections given
> to physical documents.
Oh, come on. You've been in the United States too long or something.
No one is denying the need of government to compel testimony or production
of documents. This threatens to be much worse than that.
Think very hard about the circumstance you are setting up. If you go down
the road of compelling the disclosure of plaintext rather than a crypto key
and you provide a mechanism to penalize via criminal contempt (jail) you are
compelling more than just testimony. You are compelling a certain set of
actions. You are putting someone in the position of having a positive duty
to produce plaintext. This may be irrespective of the ability or inability
of the person to decrypt ciphertext in his or her possession. Or it may
impose an effective presumption that the holder of encrypted data can
decrypt it. The only effective way to even come close to verifying
someone's inability to decrypt a file is, in this case, for a court to toss
them in the clink for awhile. What circumstance might this put a system
administrator who has encrypted data to which he does not have the key in?
What provisions are you now going to have to take to insure you have the
keys for all of the ciphertext on your various systems?
...We have found more often than anyone feels comfortable that the information desired
by law enforcement (and requested in a due process generated piece of paper) did not
exist anymore (lost or destroyed) or is difficult to retrieve (read slow). While no
one is happy when this happens, no one goes to jail either. The people who operate
widely deployed infrastructures employing cryptography for secrecy will not allow law
or regulation to punish them when there is no intent to obstruct justice.
This is precisely the problem that many of the telecos in the United States
were concerned about when it came to Digital Telephony back when.
...I unfortunately was the only non-government, non-telco negotiator in the Digital
Telephony drafting process other then the EFF (now CDT) representatives and the only
representative of a commercial user community in the room to represent deployers of
private networks. I regularly oppose and help stop initiatives that would provide the
government with direct access or inappropriate access to our systems and information.
We frequently produce results that both work for us and benefit the wider user
community.
Having greater direct participation (physical bodies, not petitions) in these types of
issues is essential to good outcomes. I encourage you to continue to do so and to get
others to do the same or it will only get worse for all of us.
...I am not a fan of unrestricted government access as a policy nor naive about the
real world. Some of my family members (blood, but not immediate) spent time in
Manzanar because they identified themselves as Americans of Japanese Ancestry to
census takers. Others were given tatoos in German concentration camps based on
information about their race. There are other relatively recent examples that are
almost as bad on three or four continents. I personally once told an IRS CID employee
to go away when they wanted information without complying with the requirements of the
RFPA. I know that some bad apples are out there and that the policy and practices are
not perfect. However, unwarranted and inappropriate requests for financial
information by government officials to depository institutions are regularly turned
away when they are presented. LEOs often push us but we push back directly and
indirectly. Protecting our freedoms requires wide participation and long term
investment in relationships with policymakers. Thats why lobbyists and activists have
to be involved in the policy making processes pursuing strategic goals.
All this is getting ahead of the game. It's not at all clear that France
has taken this position, although it does appear so from the (limited)
documentation I have seen.
...I would hope that the French pursue this approach rather than continuing to
restrict unescrowed encryption. I spent a little time in France on the issue almost 4
years ago making our case and worked with many others with closer ties to them to
continue to argue the points I made, but was absolutely convinced of their
closemindedness when they told us to stop wasting our time and money trying to change
their policies.
> Our industry takes great care to prevent unwarranted and
> inappropriate fishing expeditions into our records. We have
> duties to our customers. Our customers have expectations of us.
> And information retrieval is not a trivial matter. In addition,
> the Right to Financial Privacy Act provides a relatively
> reasonable hurdle, visibility, and accountability when the
> information holder is a depository institution in the US.
You either _must_ be kidding or you have little idea about the real and
practical aspects of the Right to Financial Privacy Act and the Bank Secrecy
Act. I find this absolutely astounding given your position and the (former)
level of respect I had for your contributions to this and other lists.
... I am sorry I wasn't clear or disappointed you.
My point was that the rules are relatively clear when depository institutions in the
US are involved and not clear at all when the RFPA does not apply. I believe that the
RFPA guided rules we operate under are better than the arbitrary and ad hoc "rules"
everyone else will face. Even more importantly, law enforcement officials understand
that we expect that they will have a piece of paper with them when they come looking
for information and that they should have reasonable expectations relating to the
retrieval and delivery of the information requested. Law enforcement agents in the
field are pretty practical about the whole matter as they and our folks have a lot of
experience dealing with each other. I am afraid that that may not be the case when
the rules are less clear. I suggest that several someones work out their version of
"reasonable and acceptable rules" and offer them to the community and various
governments as a basis for negotiation.
...I still respect you, but disagree with you about our prospects of making this work
for everyone everywhere.
...Kawika....
The above are my personal views
