[Cryptography] Security clearances and FOSS encryption?
Bear
bear at sonic.net
Fri Jul 11 16:30:08 EDT 2014
On Fri, 2014-07-11 at 13:20 +0100, ianG wrote:
> On 9/07/2014 17:18 pm, John Kelsey wrote:
> > To the extent clearances do what they're supposed to do, they should
> > indicate less risk of compromise to the project--less blackmail or
> > bribery potential, for example.
I think that is true only for the agency or company that actually
does the research into someone's background and approves the
security clearance, because of the Law Of Trust: (all together now)
"Trust is neither transferable nor transitive."
A security clearance is evidence that someone trusts this person;
not evidence that any specific additional person has reason to.
> Of course, compromise is a relative term, as is conflict of interest.
That's very much to the point, because a security clearance represents
a possible conflict of interest; that is, the holder may value their
relationship with the issuer of the clearance more than the integrity
of their contribution to the project.
> > but no one trying to infiltrate your project will tell you about those.
> Sort of, maybe. Actually, anyone infiltrating your project will set it
> up so they don't need to tell you.
> Very different thing. You simply have to respond by making it mandatory
> for them to state such things. It's a common thing to have a policy
> requiring conflicts of interest to be disclosed, indeed it is even law
> in some circumstances.
I have seen this in practice in multiple places, and heard it
advocated by people whose business is to know the law. As a
condition of employment (or a condition on making contributions)
the employee or contributor is required to positively declare
any security clearances, employment relationships, potential
reserve activation obligations, potentially conflicting
contractual obligations, etc. And then, when turning in any
changes, positively and specifically declare that each member
of this list of potential conflicts of interest had neither
knowledge of nor input into the current or previous revisions
from that employee or contributor.
The rationale as I understand it is that someone with a clearance
who does something silently or passes along information silently
has a different legal status or poses a different organizational
risk than someone who does these things and then untruthfully
swears on record that they have not. The first way you have a
silent break or a suspicion that can never really be proved; the
second way you have the risk of a major scandal, legal challenge,
or even legal precedent creating permanently changed laws, at
some point when those specific sworn statements are shown to have
been lies.
That said, I'm not a lawyer. Further, I'm not sure American
citizens without some kind of clearance are even permitted to
know the law on this topic, which is disturbing on a whole
different level.
I recently ended a job with a security clearance myself; it was
with a government contractor whose employment agreement asserted
"we own any code you publish even in your hobby time", so I'd
been not contributing to FOSS projects during the time I worked
there. It is important to note that that feature of the employment
agreement had nothing specifically to do with the security
clearance; employment agreements with government contractors
are a separate consideration under law.
I was relatively sure that if push came to shove and a court
could show no connection with company business or security or my
duties there or information gained there, that clause wouldn't
hold up in court. I was also relatively sure that if push came
to shove I was going to have to hire a lawyer and spend a stupid
amount of money to bring a court to that conclusion. So it was
just much less trouble to not do anything that would bring the
question to court.
Bear