At 04:33 PM 9/4/2001 -0700, John Young wrote:
>And I am not as sanguine about the wisdom of providing technology
>to government on the same footing as the citizen. There is more
>than a bit of marketing opportunism in this view -- and government
>knows very well what power the purse has to seduce young firms
>into the world of secrecy.
>
>So I say again, that despite it being economic foolhardiness, indeed
>because it is that, there needs to be a code of practice for anonymizer
>developers to state their policy of helping governments snoop on
>us without us knowing. Agnosticism in this matter is complicity
>when such a stance cloaks government intrusiveness.
>
>Look, I'll accept that we will all succumb to the power of the market,
>so limit my proposal for full disclosure to those over 30. After that
>age one should know there is no way to be truly open-minded.

I don't think the problem here is really the power of the market - it's the
ease of copying digital media, and the difficulty of keeping a secret. I
think a disclosure program like you discuss isn't an awful idea - and it
might make sense for crypto companies to include, as part of their sales
contracts with government agencies, explicit permission to disclose those
purchases for public awareness and marketing purposes.

But any such disclosure list is going to be incomplete, because the sellers
themselves don't know who they're selling to, or who their customers are
passing the goods along to.

It's the same old crypto export control problem - but now we're thinking of
the US government as the bad guys, instead of the government of Iraq - and
all of the practical objections to the export control nonsense still make
as much sense as they ever did. And the ease of circumventing the control
regime still makes it a laughingstock, or just a marketing exercise.

(See, for example, the PROMIS software package - licensed by Inslaw to DoJ,
and from there distributed far and wide, depending on who you believe. A
Google search on "promis inslaw casolaro" will provide a catalog of real or
imagined government abuses of small software sellers.)

I agree that we in the US have much more to fear from our government than
from the government of Iraq - and perhaps the moral or strategic questions
about arms control weigh even more heavily against giving the US government
strong privacy or encryption or monitoring tools - but those moral
questions are irrelevant given the speed and ease of distribution in the
modern world. We can't control the spread of drugs, or guns, or money, or
crypto, or surveillance tools - not as a government, and certainly not as
individuals or small companies.

Given those constraints on our abilities, publishers of crypto/privacy
tools must assume that, when they make any significant distribution of
their products, some of them will end up in the hands of government
agencies, who will use them (if they're useful) and disassemble/analyze
them to find exploitable weakness. That's not really different from what
others - like hostile foreign governments, or motivated criminals - will do
with them.

Similarly, citizens must assume that, if tools are available to anyone,
they are available to governments, and to the least honest and least
honorable and least humanitarian people within those governments, and plan
their affairs accordingly.

There's no other realistic path - we can agree that it would be nice if
governments didn't perceive a need to mislead and deceive their own
citizens, and if governments would follow their own laws - just as it would
be nice if other humans would follow laws and act decently, too. But they
won't, not all of them. So we've got to make our plans assuming that the
worst people are going to get access, sooner or later, to the best tools,
and they're going to lie to us about it along the way.

And that's what we've got to work with - but we can have the good tools,
too, if we choose them.

--
Greg Broiles
[EMAIL PROTECTED]
"We have found and closed the thing you watch us with." -- New Delhi street kids