[Cryptography] Gilmore response to NSA mathematician's "make rules for NSA" appeal

james hughes hughejp at mac.com
Wed Sep 25 02:52:54 EDT 2013

Je n'ai fait celle-ci plus longue que parce que je n’ai pas eu le loisir de la faire plus courte.

On Sep 23, 2013, at 12:45 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
> On Sep 18, 2013, at 3:27 PM, Kent Borg <kentborg at borg.org> wrote:
>> You foreigners actually have a really big vote here.  
> It needs to be in their business interest to convince you that they *can't* betray you in most ways.  

Many, if not all, service providers can provide the government valuable information regarding their customers. This is not limited to internet service providers. It includes banks, health care providers, insurance companies, airline companies, hotels, local coffee shops, book sellers, etc. where providing a service results in personal information being exchanged. The US has no corner on the ability to get information from almost any type of service provider. This is the system that the entire world uses, and should not be our focus.

This conversation should be on the ability for honest companies to communicate securely to their customers. Stated differently, it is valuable that these service providers know the information they have given to the government. Google is taking steps to be transparent. What Google can not say is anything about the traffic that was possibly decrypted without Google's knowledge.

Many years ago (1995?), I personally went to a Swiss bank very well known for their high levels of security and their requirement that -all- data leaving their datacenter, in any form (including storage), must be encrypted. I asked the chief information security officer of the bank if he would consider using Clipper enabled devices -if- the keys were escrowed by the Swiss government. His answer was both unexpected and still echoes with me today. He said "We have auditors crawling all over the place. All the government has to do is to [legally] ask and they will be given what they ask for. There is absolutely no reason for the government to access our network traffic without our knowledge." We ultimately declined to implement Clipper.

Service providers are, and will always be, required to respond to legal warrants. A company complying with a warrant knows what they provided. They can fight the warrants, they can lobby their government, they can participate in the discussion (even if that participation takes place behind closed doors). 

The real challenge facing us at the moment is to restore confidence in the ability of customers to privately communicate with their service providers and for service providers to know the full extent of the information they are providing governments. 

More information about the cryptography mailing list