Re: Gov't Orders Air Passenger Data for Test
... they can't really test how effective the system is ... Effective at what? Preventing people from traveling? The whole exercise ignores the question of whether the Executive Branch has the power to make a list of citizens (or lawfully admitted non-citizens) and refuse those people their constitutional right to travel in the United States. Doesn't matter whether there's 1, 19, 20,000, or 100,000 people on the list. The problem is the same: No court has judged these people. They have not been convicted of any crime. They have not been arrested. There is no warrant out for them. They all have civil rights. When they walk into an airport, there is nothing in how they look that gives reason to suspect them. They have every right to travel throughout this country. They have every right to refuse a government demand that they identify themselves. So why are armed goons keeping them off airplanes, trains, buses, and ships? Because the US constitution is like the USSR constitution -- nicely written, but unenforced? Because the public is too afraid of the government, or the terrorists, or Emmanuel Goldstein, or the boogie-man, to assert the rights their ancestors died to protect? John (under regional arrest) Gilmore PS: Oral argument in Gilmore v. Ashcroft will be coming up in the Ninth Circuit this winter. http://papersplease.org/gilmore
Re: RIAA turns against Hollings bill
How does this latest development change the picture? If there is no Hollings bill, does this mean that Trusted Computing will be voluntary, as its proponents have always claimed? And if we no longer have such a threat of a mandated Trusted Computing technology, how bad is it for the system to be offered in a free market? The detailed RIAA statement tries to leave exactly this impression, but it's the usual smokescreen. Check the sentence in their 7 policy principles joint statement, principle 6: ... The role of government, if needed at all, should be limited to enforcing compliance with voluntarily developed functional specifications reflecting consensus among affected interests. I.e. it's the same old game. TCPA is such a voluntarily developed functional spec. So is the broadcast flag, and the HDCP copy protection of your video cable, and IBM's copy-protection for hard disk drives. Everything is all voluntary, until some competitor reverse engineers one of these, and builds a product that lets the information get out of the little consensus boxes. Consumers want that, but it can't be allowed to happen. THEN the role of government is to eliminate that competitor by outlawing them and their product. John
Re: AIR TRAVELER ID REQUIREMENT CHALLENGED
I was browsing some of my old mail when I came across this. What's the status of Gilmore's case? The regulations I'm challenging purport to require air and train travelers to show a government issued ID. Every traveler has been subjected to these requirements, but it turns out that they aren't really required by any published law or regulation. And if you refuse to meet the supposed requirements, you find out that there are alternative requirements, that they weren't telling you about. The government has responded, as have the airlines. Their response is to ask the court to dismiss the case, as expected. See the web site http://cryptome.org/freetotravel.htm for copies of their motions. The Federal one has the most interesting arguments. In summary, they argue that I can't challenge the no-fly list or anything other than the ID demand because, having not shown ID, the no-fly list was not applied to me; that I can't sue in a District Court anyway because the Court of Appeals is supposed to have original jurisdiction; that the government can make any rule it wants which relates to air security, and penalize the public over violations, without ever telling the public what the rule is; that being refused passage unless I present an ID does not infringe my constitutional right to travel anyway; that being prevented from traveling anonymously does not implicate any First Amendment interests; that every possible form of airport security is a fully constitutional 4th-Amendment search; and that since my right to travel is not being infringed, these searches give me equal protection just like all members of the public, because any 'rational' reason for singling out anonymous travelers will suffice. If everyone shows ID to fly, and they can get away with preventing anonymous travel, it becomes easy for the government to single out e.g. members of the Green Party. (If no ID was required, any persecuted minority would soon learn to book their tickets under assumed names.)
The Nixon Administration had its enemies list, who it subjected to IRS audits and other harassment. But even that evil President didn't prevent his enemies from moving around the country to associate with anyone they liked. The Bush Administration's list interferes with freedom of association and with the constitutional right to travel. As my experience on July 4th, 2002, in the San Francisco airport demonstrated, citizens are free to not show ID to fly, if they spend half an hour arguing with security personnel over what the secret rules actually say. But then, catch-22, the citizen can board the plane only if they'll submit to a physical search like the ones that Green Party members and other on the list people are subjected to. So, you can identify yourself to them and be harassed for your political beliefs, unconstitutionally. Or you can stand up for your right to travel anonymously, and be searched unconstitutionally. Or you can just not travel. That's why I'm suing Mr. Ashcroft and his totalitarian buddies. The government motion to dismiss my case is filed at: http://cryptome.org/gilmore-v-usa-fmd.pdf The index to all the related documents is at: http://cryptome.org/freetotravel.htm Has there been a secret trial? No. We will file a response to this motion by approx Dec 1. Then they will file their reply in mid December or so. Both of those will go on the web site. (If anybody wants to OCR the PDFs of the gov't documents, please go for it and email me the text.) Then the court will read all this stuff, and we'll have a hearing, which is tentatively scheduled for mid-January. John
Re: Seth on TCPA at Defcon/Usenix
It reminds me of an even better way for a word processor company to make money: just scramble all your documents, then demand ONE MILLION DOLLARS for the keys to decrypt them. The money must be sent to a numbered Swiss account, and the software checks with a server to find out when the money has arrived. Some of the proposals for what companies will do with Palladium seem about as plausible as this one. Isn't this how Windows XP and Office XP work? They let you set up the system and fill it with your data for a while -- then lock up and won't let you access your locally stored data, until you put the computer on the Internet and register it with Microsoft. They charge less than a million dollars to unhand your data, but otherwise it looks to me like a very similar scheme. There's a first-person report about how Office XP made the computers donated for the 9/11 missing persons database useless after several days of data entry -- so the data was abandoned, and re-entered into a previous (non-DRM) Microsoft word processor. The report came through this very mailing list. See: http://www.mail-archive.com/cryptography@wasabisystems.com/msg02134.html This scenario of word processor vendors denying people access to their own documents until they do something to benefit the vendor is not just plausible -- it's happening here and now. John
Re: responding to claims about TCPA
I asked Eric Murray, who knows something about TCPA, what he thought of some of the more ridiculous claims in Ross Anderson's FAQ (like the SNRL), and he didn't respond. I believe it is because he is unwilling to publicly take a position in opposition to such a famous and respected figure. Many of the people who know something about TCPA are constrained by NDA's with Intel. Perhaps that is Eric's problem -- I don't know. (I have advised Intel about its security and privacy initiatives, under a modified NDA, for a few years now. Ross Anderson has also. Dave Farber has also. It was a win-win: I could hear about things early enough to have a shot at convincing Intel to do the right things according to my principles; they could get criticized privately rather than publicly, if they actually corrected the criticized problems before publicly announcing. They consult me less than they used to, probably because I told them too many things they didn't want to hear.) One of the things I told them years ago was that they should draw clean lines between things that are designed to protect YOU, the computer owner, from third parties; versus things that are designed to protect THIRD PARTIES from you, the computer owner. This is so consumers can accept the first category and reject the second, which, if well-informed, they will do. If it's all a mishmash, then consumers will have to reject all of it, and Intel can't even improve the security of their machines FOR THE OWNER, because of their history of security projects that work against the buyer's interest, such as the Pentium serial number and HDCP. TCPA began in that protect third parties from the owner category, and is apparently still there today. You won't find that out by reading Intel's modern public literature on TCPA, though; it doesn't admit to being designed for, or even useful for, DRM. My guess is that they took my suggestion as marketing advice rather than as a design separation issue. 
Pitch all your protect-third-party products as if they are protect-the-owner products was the opposite of what I suggested, but it's the course they (and the rest of the DRM industry) are on. E.g. see the July 2002 TCPA faq at: http://www.trustedcomputing.org/docs/TPM_QA_071802.pdf 3. Is the real goal of TCPA to design a TPM to act as a DRM or Content Protection device? No. The TCPA wants to increase the trust ... [blah blah blah] I believe that No is a direct lie. Intel has removed the first public version 0.90 of the TCPA spec from their web site, but I have copies, and many of the examples in the mention DRM, e.g.: http://www.trustedcomputing.org/docs/TCPA_first_WP.pdf (still there) This TCPA white paper says that the goal is ubiquity. Another way to say that is monopoly. The idea is to force any other choices out of the market, except the ones that the movie record companies want. The first scenario (PDF page 7) states: For example, before making content available to a subscriber, it is likely that a service provider will need to know that the remote platform is trustworthy. http://www.trustedpc.org/home/pdf/spec0818.pdf (gone now) Even this 200-page TCPA-0.90 specification, which is carefully written to be obfuscatory and misleading, leaks such gems as: These features encourage third parties to grant access to by the platform to information that would otherwise be denied to the platform (page 14). The 'protected store' feature...can hold and manipulate confidential data, and will allow the release or use of that data only in the presence of a particular combination of access rights and software environment. ... Applications that might benefit include ... delivery of digital content (such as movies and songs). (page 15). Of course, they can't help writing in the DRM mindset regardless of their intent to confuse us. In that July 2002 FAQ again: 9. Does TCPA certify applications and OS's that utilize TPMs? No.
The TCPA has no plans to create a certifying authority to certify OS's or applications as trusted. The trust model the TCPA promotes for the PC is: 1) the owner runs whatever OS or applications they want; 2) The TPM assures reliable reporting of the state of the platform; and 3) the two parties engaged in the transaction determine if the other platform is trusted for the intended transaction. The transaction? What transaction? They were talking about the owner getting reliable reporting on the security of their applications and OS's and -- uh -- oh yeah, buying music or video over the Internet. Part of their misleading technique has apparently been to present no clear layman's explanations of the actual workings of the technology. There's a huge gap between the appealing marketing sound bites -- or FAQ lies -- and the deliberately dry and uneducational 400-page technical specs. My own judgement is that this is probably deliberate, since if the public had an accurate 20-page
Re: FreeSWAN US export controls
Or is there something we should be doing to get RedHat, and Debian, and other US-based distributions to include it? Absolutely. It's already pretty secure. We should just make it trivial to install, automatic, transparent, self-configuring, painless to administer, and free of serious bugs. Then they'll have every reason to drop it in. John
Re: FreeSWAN US export controls
Anonymous said: The major problem that holds back the development of FreeS/WAN is with its management. [Management that cares more about sitting on its pulpit, than getting useful software into the hands of people.] Unless things have changed recently, they still won't accept contributions from the US. This makes no sense. GPG is shipping with every Linux distribution I know of, and the Germans take contributions from the US. (From the pulpit:) Once we kick John Asscroft's unconstitutional ash outta town, bush George Bust along with more than a thousand other innocents, and eliminate the spectre of Judd Gregg and other retrograde stalinists 're-regulating' US crypto, then we'll think about polluting the precious bodily fluids of worldwide freeware privacy protection with the stench of US crypto policy. It probably won't happen for a few months. Or hadn't you noticed that the US government is not in much of a mood to follow the constitution or to tolerate dissent or privacy among the sleepy sheeplike citizens? They're doing their best to stamp that radical stuff out right here in the USSA, let alone let it cross the border into parts of the world that they don't have firmly under their thumb. Less than 100% support for every paranoid and senseless twitch of the current Administration is a demonstration not only of treason but of active support for terrorism, which everyone knows is a terrible thing except when the US or Israel or Great Britain does it. Anybody reading this mailing list is already gonna be first up against the wall once the joy of arresting immigrant movers as 'terrorists' fades, and spying on 'domestic political groups' becomes fair game. Your packets are already in the lint screen on that big, big vacuum cleaner. And our new policy of maximum sentences for trivial 'crimes', like forgetting to file some form, reduces the expense and bother of actually trying suspects for the crimes that the agencies suspect them of.
Of course you can confront your accusers! Did you or did you not jaywalk across Route 1 last July, Mr. May? The primary kernel developers have been willing to integrate crypto into the kernel since the crypto regs were lowered. It's the policy of no US contributions that's holding back Linux IPSEC. The reason I started the IPSEC-for-Linux project those many years ago was because Linux kernel releases used to be built in free countries, unlike the releases of most other operating systems. Now they aren't. Oops. Perhaps mr. or ms. 'anonymous' and the primary kernel developers didn't spend seven years making a principled tilt at the windmill of NSA's export controls. We overturned them by a pretty thin margin. The government managed to maneuver such that no binding precedents were set: if they unilaterally change the regulations tomorrow to block the export of public domain crypto, they wouldn't be violating any court orders or any judicial decisions. I.e. they are not BOUND by the policy change. They changed it voluntarily, in order to sneak out of the court cases by the back door. Even today it is sometimes said that once Dan Bernstein ends his court case (which still continues today), the NSA is ready, willing, and able to slap the controls right back on. And it would take months or years in court -- and lots more volunteer citizen money spent for freedom, while the bastards spend tax money to lock us up -- to get the controls removed again. If the judges haven't changed their minds in the meantime. (You may have noticed that last month, the Second Circuit Court of Appeals accepted Judge Kaplan's half-lies-half-truth judgment 3-0 in the 2600 case appeal: Yes, absolutely, software is First Amendment protected speech. But no, somehow the First Amendment really doesn't mean what it means elsewhere; of *course* they can regulate the publication of software on flimsy grounds.
Like that sometime later, somebody somewhere might potentially be somewhat hurt by something somebody else does with the software, if we don't eliminate that option by restricting the publication of that software now. Suppose the next crypto export court case happens in NY rather than CA? EFF would be proud to defend John Young and Perry Metzger, but all its lawyers might be in prison, charged by John Asscroft with aiding terrorists by eroding our national unity and diminishing our resolve.) IMHO: If Freeswan had never been created, an alternate, more mature implementation would already exist in the mainline Linux kernel. Make my day. John Gilmore PS: Of course, the only software worth wasting your time on comes from those macho dudes of the U.S. of A. Those furriners don't even know how to speek the lingua proper, let alone write solid buggy code like Microsoft. High crypto math is all Greek to them. It's just lucky for Linus that he moved to the US, otherwise we'd all know his furrin software was crap too, even tho he tricked us by cloning it from
Re: FreeSWAN unnatural monopolies
FreeS/WAN occupies a position very rarely found in efficient markets, such as open source software. While the position is rarely encountered, it can nonetheless exist: I believe that FreeS/WAN is a natural monopoly. ... But for whatever reasons, FreeS/WAN has been holding such a natural monopoly position in by far the largest market in which I have ever seen such a beast. I find this fascinating. I wonder if economists will some day study the case to determine what factors brought it about. I doubt it. The Linux kernels released by Linus Torvalds hold a similar 'natural monopoly' over every other variant of free operating system kernel. What could explain this puzzling economic phenomenon? Certainly the BSD folks have been puzzled by it. I mean, half a dozen people have rewritten 'grep', because it's just not that hard. And troff was cloned even though it was hard, because the original was such a piece of unmaintainable (and nonfree) crud. But you and you and you are all free to make your own variant of the Linux kernel, and keep maintaining it and throwing in improvements. Why don't you? Even big companies keep following Linus's version. Perhaps the puzzle results from someone who does a sufficiently hard job, sufficiently well, that nobody who is actually capable of competing WANTS to compete. They have better things to do. What puzzles me is how the mediocre X Window System has attracted no competitors. Yes, it's a hard job supporting all those hardware variants by all those lovely undocumented proprietary companies. But the X model sucks on SO many fronts, breaking typeahead/mouseahead, performance, display independence, having dozens of puzzling and incompatible window managers, etc. And have you looked at the 'object oriented' stuff layered on top of it? 
  743 root 17 0 50896 44M 6320 S 0.7 36.0 15292m X
  874 gnu 11 0 14648 10M 3148 S 0.3 8.6 13:30 gnome-terminal

That's a 50Mbyte process (44M resident) of window drivers, and a 14Mbyte (10M resident) terminal window that I'm typing into. I've seen the terminal window get as high as 60 Mbytes, with more than 50 resident. John
Re: Just because it is made public doesn't mean it's declassified
Just because it is public DOES mean it's declassified. There are Supreme Court cases on this. If the government can recover all the copies, then it can REclassify it. But if it can't, then the document is not classified. I ran into this situation when digging up some of William Friedman's early work from the government. I sued under FOIA to get copies, the gov't declared that the documents were top secret, and I got copies from public libraries and filed them with the court. The government complained bitterly, but a day after the New York Times story broke, they dropped the issue. Thus: Shine a bright, bright light ANYTIME they start to pull this sort of garbage. And make sure you've stashed copies of the document in half a dozen unlikely places, before letting the government know you have the document. It's completely likely that they'll send their bully-boys to steal it from you so they can reclassify it, if you have the only copy. John
Re: Criminalizing crypto criticism
Much of the hysteria regarding the DMCA's supposed ability to quash free speech by cryptographic researchers is being whipped up by opponents to the DMCA who are misrepresenting the DMCA in a calculated fashion in order to promote opposition.

The anonymous poster's legal analysis was not particularly novel. It states that the exemptions in the DMCA actually cover the things that they were supposedly intended to cover. That would be a refreshing change if it were true, but the law is full of weasel words and exemptions to the exemptions. Only accredited researchers, not cypherpunks, can do research, for example. And you're only exempt if you tell the company first, so they know to sue you before you do the research, rather than after the results are leaking out to the public.

Neither my opinion nor the poster's opinion controls, though. What matters is what the judges will say, and how expensive it is to ordinary researchers to find out. In the 2600 case, what the judge said is that even if Jon Johansen might have been able to reverse-engineer DVD players under an exemption (an issue that he didn't decide), 2600 Magazine was unable, under the statute, to publish even *A LINK* to Jon's results. The judge swept aside all the clauses like:

1201(c)(4): Nothing in this section shall enlarge or diminish any rights of free speech or the press for activities using consumer electronics, telecommunications, or computing products.

Clearly publication of cryptographic results is a fundamental part of free speech and will not be infringed by the DMCA.

The other side argued in the 2600 appeal that this was a standard savings clause inserted in the legislation and was not intended to mean anything. It goes like this: either the law is constitutional or it isn't. If it is constitutional, this clause is inoperative, since clearly those Constitutional rights weren't diminished.
If the law violates the Constitution, then the Constitution, not the statute, controls what rights the public has; again this clause doesn't. The judge agreed with the government and Hollywood that it was clearly put in there to buy off some opponents of the DMCA and didn't have any legal effect. The only minor issue is that THOSE SUCKERS ACTUALLY BELIEVED IT, dropped their opposition, and let the DMCA become law. But that wasn't the judge's problem -- only the defendant's.

In fact the RIAA takes that same position now, as seen in http://www.eff.org/Legal/Cases/Felten_v_RIAA/20010606_riaa_statement.html. Because the Felten case so clearly shows what's wrong with the DMCA, RIAA is desperately trying to convince the court that it need not, indeed cannot, make any decision in the Felten case. Therefore SDMI/RIAA is lying to the public and the court by saying that it never, *ever*, intended to sue or threaten. It was merely informing people about their rights, you see. They have moved to dismiss the case on the grounds that we agree with the other side's legal analysis, so there's no issue for a court to decide. They only agree long enough to get out of that courtroom, then they'll find some way to be disagreeable again. The judge will decide whether to believe them or not; the papers are still being filed about that.

Princeton Professor Edward Felten and his research team were prevented from presenting their results regarding flaws in SDMI at the Information Hiding Workshop, based on a letter from the Recording Industry Association of America which claimed that such publication would violate the DMCA. In this case, the RIAA was mistaken about the application of the DMCA, as the above analysis makes clear.
Their mistakenness didn't prevent the RIAA from sending legal threats to every author of the Felten paper, every member of the conference committee that had decided to publish it, AND ALL OF THEIR BOSSES (one of whom, a US Navy commander, shamefully abandoned the soldier-under-fire who was reporting to him).

It didn't prevent Adobe from getting its competitor Elcomsoft kicked off of four different spineless ISPs, by sending lawyer letters alleging copyright infringement TO THE ISP, when there was no copyright infringement going on.

Mistakes in analysis, reconsidered a week later by Adobe, didn't prevent a US Attorney's office from bringing charges against Dmitry. Attorney General Ashcroft just announced that they're setting up a dozen more similar computer-and-copyright-prosecution task forces around the country -- none of which will have any practical experience with the DMCA yet.

Their mistakes are your problem, not their problem, until YOU sue THEM. Will everyone in the infrastructure on whom you depend be as strong as you are in protecting your rights?

After you lose your job, your Internet access, and your freedom of motion, because your scientific work threatened some lawyer-infested company's business model, if you have lots of spare money or raise lots of money somehow, you can have