How to ban crypto?

John Denker jsd at research.att.com
Sun Sep 16 18:41:09 EDT 2001


At 06:58 PM 9/16/01 +0200, Axel H Horns wrote:

>During the
>past years I managed to convince a handful of clients and colleagues
>to make use of PGP in order to protect confidential information when
>sending e-mail messages.
>
>Of course, if PGP would be banned in Germany by some legislation I
>would not be able to recommend any client or colleague to continue
>with PGP usage.

That's narrowly true as stated, but it's misleading because it's not the 
whole story.

Let's not speak as if the only two options were PGP or nothing.  In fact 
there is a wide continuum, of which three particularly interesting points are
   A) Anything you want, including PGP.
   B) Mandatory GAK.
   C) Mandatory plaintext.

Nobody is going to ban crypto.  Nobody is going to impose plan (C).  Given 
the choice between (B) and (C), we and our customers could adopt plan (B) 
and get along pretty much as we do now.

>... a ban of non-GAK strong crypto would not be a suitable
>measure to fight terrorism. It would only stabilize the present
>SIGINT hybris.

This says GAK is unsuitable, doesn't clearly say why.  I don't know whether 
it is a philosophical point, a political point, a technical point, or whatever.

The two most common anti-GAK arguments are:
   1a) It can't be done well.
   1b) If it can't be done well, it shouldn't be done at all.
   1c) Specifically, the risk of wholesale key-compromise is too great.

   2a) It won't really detect/deter typical crime, because typical 
criminals will find ways around it.
   2b) It won't really detect/deter terrorism, because dedicated terrorists 
will find ways around it.


I'm dubious about argument (1) in all its forms.  I suspect that if we 
wanted to make it work, we could make it work.

I'm certain that argument (2a) is mostly false as stated.  The typical 
prosecution involves putting together a lot of facts, most of which are not 
by themselves obviously illegal.  For instance, imagine a world where GAK 
is mandatory.  Then when somebody encrypts a private note such as
         Dear Monica -
           Meet me at 11:00, you know where.
         Love, Bill

he doesn't think he is doing anything illegal.  Just because it's private 
doesn't mean it's illegal.  Much later somebody, perhaps as part of a civil 
suit, shows probable cause sufficient to overcome the right to privacy, and 
poof! GAK is exploited to decrypt the message.  At this point two 
possibilities must be considered:
   a) either Bill superencrypted the message, to defeat GAK, or
   b) he didn't.

In case (b) all they get is the message.  They may or may not be able to 
put that together with a zillion other micro-facts to prove wrongdoing.  He 
might get acquitted.

In case (a) they've got him dead to rights for violating the mandatory-GAK 
laws.  Klink!

Given this choice, most people will opt for no superencryption.  I'm not 
asking you to _like_ this scenario.  But the rules are that one should 
consider all the plausible scenarios, to see where they lead.  There's 
nothing implausible about this scenario.

The situation changes if you are a dedicated evildoer.  Suppose you are 
planning something so heinous that the penalty for being caught is more 
severe than the penalty for violating the mandatory-GAK laws.  Then 
superencryption might be a good idea.  Even then it won't help much, 
because if they can get subpoena for GAK one day, they can get a subpoena 
to bug your premises the next day.  You increase their costs a little, but 
the cost to you is going to be much higher.

==============

So we continue the search for a robust anti-GAK argument.

One part of the argument is this:  Terrorists don't need fancy 
superencryption to defeat GAK.  Indeed they hardly need encryption at 
all.  They can formulate the basic plan in a cave somewhere, and thereafter 
communicate in the clear:
         "Dear Uncle:  Please send another $10,000 so I can
          continue my training."

         "Dear Cousin: I will be taking flight AA73 tomorrow.
          I understand you will be taking UA175, right?"

Some people are speaking as if the recent attack required vast resources 
and sophisticated communications.  It didn't.  Just because the US Army has 
adopted a communications-intensive battle doctrine doesn't mean everybody 
else will follow suit.

==============

Conclusions:

1) The Subject: line of this thread is misleading.  The issue is not 
mandatory plaintext.  The issue is whether or not we want mandatory GAK.

2) There are AFAICT no convincing technical arguments against GAK.

3) The ultra-serious crimes such as occurred last week are irrelevant to 
the GAK debate, and vice versa.

4) Therefore it comes down to a routine policy decision:  We get to choose 
a tradeoff somewhere in the gray area between
  -- extreme privacy, and
  -- extremely easy solution of some minor crimes.

The real world operates in shades of gray, not at either extreme.  It 
always has, and always will.  The US Constitution, for example, provides 
some guidance.  Innumerable minor crimes go undetected every day, directly 
because of the 4th and 5th amendments.
   http://memory.loc.gov/const/bor.html

We can argue about whether the standard for "probable cause" should be 
raised a bit or lowered a bit, but the infinitely-high setting is just as 
unrealistic as the infinitely-low setting.  We need a more nuanced discussion.




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




More information about the cryptography mailing list