[Cryptography] Security clearances and FOSS encryption?

Bear bear at sonic.net
Fri Jul 11 16:30:08 EDT 2014


On Fri, 2014-07-11 at 13:20 +0100, ianG wrote:
> On 9/07/2014 17:18 pm, John Kelsey wrote:

> > To the extent clearances do what they're supposed to do, they should
> > indicate less risk of compromise to the project--less blackmail or
> > bribery potential, for example.

I think that is true only for the agency or company that actually 
does the research into someone's background and approves the 
security clearance, because of the Law Of Trust: (all together now) 

     "Trust is neither transferable nor transitive."

A security clearance is evidence that someone trusts this person; 
not evidence that any specific additional person has reason to.

> Of course, compromise is a relative term, as is conflict of interest.

That's very much to the point, because a security clearance represents
a possible conflict of interest; that is, the holder may value their
relationship with the issuer of the clearance more than the integrity
of their contribution to the project.

> > but no one trying to infiltrate your project will tell you about those.

> Sort of, maybe.  Actually, anyone infiltrating your project will set it
> up so they don't need to tell you.

> Very different thing.  You simply have to respond by making it mandatory
> for them to state such things.  It's a common thing to have a policy
> requiring conflicts of interest to be disclosed, indeed it is even law
> in some circumstances.

I have seen this in practice in multiple places, and heard it 
advocated by people whose business is to know the law.  As a 
condition of employment (or a condition on making contributions) 
the employee or contributor is required to positively declare 
any security clearances, employment relationships, potential
reserve activation obligations, potentially conflicting 
contractual obligations, etc.  And then, when turning in any 
changes, positively and specifically declare that each member 
of this list of potential conflicts of interest had neither 
knowledge of nor input into the current or previous revisions 
from that employee or contributor. 

The rationale as I understand it is that someone with a clearance 
who does something silently or passes along information silently 
has a different legal status or poses a different organizational 
risk than someone who does these things and then untruthfully 
swears on record that they have not.  The first way you have a 
silent break or a suspicion that can never really be proved; the 
second way you have the risk of a major scandal, legal challenge, 
or even legal precedent creating permanently changed laws, at 
some point when those specific sworn statements are shown to have 
been lies.

That said, I'm not a lawyer.  Further, I'm not sure American 
citizens without some kind of clearance are even permitted to 
know the law on this topic, which is disturbing on a whole 
different level.

I recently ended a job with a security clearance myself; it was 
with a government contractor whose employment agreement asserted
"we own any code you publish even in your hobby time", so I'd 
been not contributing to FOSS projects during the time I worked 
there. It is important to note that that feature of the employment
agreement had nothing specifically to do with the security 
clearance; employment agreements with government contractors 
are a separate consideration under law.

I was relatively sure that if push came to shove and a court 
could show no connection with company business or security or my 
duties there or information gained there, that clause wouldn't 
hold up in court.  I was also relatively sure that if push came 
to shove I was going to have to hire a lawyer and spend a stupid 
amount of money to bring a court to that conclusion.  So it was 
just much less trouble to not do anything that would bring the 
question to court. 

				Bear
