diff --git a/10-Legal-Issues/10-Legal-Issues.md b/10-Legal-Issues/10-Legal-Issues.md new file mode 100644 index 0000000..ccf956f --- /dev/null +++ b/10-Legal-Issues/10-Legal-Issues.md 
@@ -0,0 +1,1669 @@ +10. Legal Issues + + 10.1. copyright + THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666, + 1994-09-10, Copyright Timothy C. May. All rights reserved. + See the detailed disclaimer. Use short sections under "fair + use" provisions, with appropriate credit, but don't put your + name on my words. + + 10.2. SUMMARY: Legal Issues + 10.2.1. Main Points + 10.2.2. Connections to Other Sections + - Sad to say, but legal considerations impinge on nearly + every aspect of crypto + 10.2.3. Where to Find Additional Information + 10.2.4. Miscellaneous Comments + - "I'm a scientist, Jim, not an attorney." Hence, take my + legal comments here with a grain of salt, representing only + hints of the truth as I picked them up from the discussions + on the various forums and lists. + + 10.3. Basic Legality of Encryption + 10.3.1. "Is this stuff legal or illegal?" + - Certainly the _talking_ about it is mostly legal, at least + in the U.S. and at the time of this writing. In other + countries, you prison term may vary. + + The actions resulting from crypto, and crypto anarchy, may + well be illegal. Such is often the case when technology is + applied without any particular regard for what the laws say + is permitted. (Pandora's Box and all that.) + - Cypherpunks really don't care much about such ephemera as + the "laws" of some geographic region. Cypherpunks make + their own laws. + + There are two broad ways of getting things done: + - First, looking at the law and regulations and finding + ways to exploit them. This is the tack favored by + lawyers, of whic$are many in this country. + - Second, "just do it." In areas where the law hasn't + caught up, this can mean unconstrained technological + developement. Good examples are the computer and chip + business, where issues of legality rarely arose (except + in the usual areas of contract enforcement, etc.). More + recently the chip business has discovered lawyering, with + a vengeance. 
+ - In other areas, where the law is centrally involved, + "just do it" can mean many technical violations of the + law. Examples: personal service jobs (maids and + babysitters), contracting jobs without licenses, + permissions, etc., and so on. Often these are "illegal + markets," putatively. + - And bear in mind that the legal system can be used to + hassle people, to pressure them to "plead out" to some + charges, to back off, etc. (In the firearms business, the + pressures and threats are also used to cause some + manufacturers, like Ruger, to back off on a radical pro-gun + stance, so as to be granted favors and milder treatment. + Pressure on crypto-producing companies are probably very + similar. Play ball, or we'll run you over in the parking + lot.) + 10.3.2. "Why is the legal status of crypto so murky?" + - First, it may be murkier to me than it it to actual lawyers + like Mike Godwin and Michael Froomkin, both of whom have + been on our list at times. (Though my impression from + talking to Godwin is that many or even most of these issues + have not been addressed in the courts, let alone resolved + definitively.) + - Second, crypto issues have not generally reached the + courts, reflecting the nascent status of most of the things + talked about it here. Things as "trivial" as digital + signatures and digital timestamping have yet to be + challenged in courts, or declared illegal, or anything + similar that might produce a precedent-setting ruling. (Stu + Haber agrees that such tests are lacking.) + - Finally, the issues are deep ones, going to the heart of + issues of self-incrimination (disclosure of keys, + contempt), of intellectual property and export laws (want + to jail someone for talking about prime numbers?), and the + incredibly byzantine world of money and financial + instruments. + - A legal study of crypto--which I hear Professor Froomkin is + doing--could be very important. + 10.3.3. 
"Has the basic legality of crypto and laws about crypto been + tested?" + - As usual, a U.S. focus here. I know little of the situation + in non-U.S. countries (and in many of them the law is + whatever the rulers say it is). + - And I'm not a lawyer. + + Some facts: + - no direct Constitutional statement about privacy (though + many feel it is implied) + - crypto was not a major issue (espionage was, and was + dealt with harshly, but encrypting things was not a + problem per se) + + only in the recent past has it become important...and it + will become much more so + - as criminals encrypt, as terrorists encrypt + - as tax is avoided via the techniques described here + - collusion of business ("crypto interlocking + directorates," price signalling) + - black markets, information markets + + Lawrence Tribe..new amendment + - scary, as it may place limits.... (but unlikely to + happen) + + Crypto in Court + - mostly untested + - can keys be compelled? + - Expect some important cases in the next several years + 10.3.4. "Can authorities force the disclosure of a key?" + + Mike Godwin, legal counsel for the EFF, has been asked this + queston _many_ times: + - "Note that a court could cite you for contempt for not + complying with a subpoena duces tecum (a subpoena + requiring you to produce objects or documents) if you + fail to turn over subpoenaed backups....To be honest, I + don't think *any* security measure is adequate against a + government that's determined to overreach its authority + and its citizens' rights, but crypto comes close." [Mike + Godwin, 1993-06-14] + + Torture is out (in many countries, but not all). Truth + serum, etc., ditto. 
+ - "Rubber hose cryptography" + + Constitutional issues + - self-incrimination + + on the "Yes" side: + + is same, some say, as forcing combination to a safe + containing information or stolen goods + - but some say-and a court may have ruled on this-that + the safe can always be cut open and so the issue is + mostly moot + - while forcing key disclosure is compelled testimony + - and one can always claim to have forgotten the key + - i.e., what happens when a suspect simply clams up? + - but authorities can routinely demand cooperation in + investigations, can seize records, etc. + + on the "No" side: + - can't force a suspect to talk, whether about where he hid + the loot or where his kidnap victim is hidden + - practically speaking, someone under indictment cannot be + forced to reveal Swiss bank accounts....this would seem + to be directly analogous to a cryptographic key + - thus, the key to open an account would seem to be the + same thing + - a memorized key cannot be forced, says someone with EFF + or CPSR + + "Safe" analogy + + You have a safe, you won' tell the combination + - you just refuse + - you claim to have forgotten it + - you really don't know it + - cops can cut the safe open, so compelling a combination + is not needed + - "interefering with an investigation" + - on balance, it seems clear that the disclosure of + cryptographic keys cannot be forced (though the practical + penalty for nondisclosure could be severe) + + Courts + + compelled testimony is certainly common + - if one is not charged, one cannot take the 5th (may be + some wrinkles here) + - contempt + + What won't immunize disclosure: + + clever jokes about "I am guilty of money laundering" + - can it be used? + - does judge declaring immunity apply in this case? + - Eric Hughes has pointed out that the form of the + statement is key: "My key is: "I am a murderer."" is + not a legal admission of anything. 
+ - (There may be some subtleties where the key does contain + important evidence--perhaps the location of a buried body- + -but I think these issues are relatively minor.) + - but this has not really been tested, so far as I know + - and many people say that such cooperation can be + demanded... + - Contempt, claims of forgetting + 10.3.5. Forgetting passwords, and testimony + + This is another area of intense speculation: + - "I forgot. So sue me." + - "I forgot. It was just a temporary file I was working on, + and I just can't remember the password I picked." (A less + in-your-face approach.) + + "I refuse to give my password on the grounds that it may + tend to incriminate me." + + Canonical example: "My password is: 'I sell illegal + drugs.'" + - Eric Hughes has pointed out this is not a real + admission of guilt, just a syntactic form, so it is + nonsense to claim that it is incriminating. I agree. + I don't know if any court tests have confirmed this. + + Sandy Sandfort theorizes that this example might work, or + at least lead to an interesting legal dilemma: + - "As an example, your passphrase could be: + + I shot a cop in the back and buried his body + under + the porch at 123 Main St., anywhere USA. The gun + is + wrapped in an oily cloth in my mother's attic. + + "I decline to answer on the grounds that my passphrase is + a statement which may tend to incriminate me. I will + only give my passphrase if I am given immunity from + prosecution for the actions to which it alludes." + + "Too cute, I know, but who knows, it might work." [S.S., + 1994-0727] + 10.3.6. "What about disavowal of keys? Of digital signatures? Of + contracts? + - In the short term, the courts are relatively silent, as few + of these issues have reached the courts. Things like + signatures and contract breaches would likely be handled as + they currently are (that is, the judge would look at the + circumstances, etc.) + + Clearly this is a major concern. 
There are two main avenues + of dealing with this" + - The "purist" approach. You *are* your key. Caveat emptor. + Guard your keys. If your signature is used, you are + responsible. (People can lessen their exposure by using + protocols that limit risk, analogous to the way ATM + systems only allow, say, $200 a day to be withdrawn.) + - The legal system can be used (maybe) to deal with these + issues. Maybe. Little of this has been tested in courts. + Conventional methods of verifying forged signatures will + not work. Contract law with digital signatures will be a + new area. + - The problem of *repudiation* or *disavowal* was recognized + early on in cryptologic circles. Alice is confronted with a + digital signature, or whatever. She says; "But I didn't + sign that" or "Oh, that's my old key--it's obsolete" or "My + sysadmin must have snooped through my files," or "I guess + those key escrow guys are at it again." + - I think that only the purist stance will hold water in the + long run.(A hint of this: untraceable cash means, for most + transactions of interest with digital cash, that once the + crypto stuff has been handled, whether the sig was stolen + or not is moot, because the money is gone...no court can + rule that the sig was invalid and then retrieve the cash!) + 10.3.7. "What are some arguments for the freedom to encrypt?" + - bans are hard to enforce, requiring extensive police + intrusions + - private letters, diaries, conversations + - in U.S., various provisions + - anonymity is often needed + 10.3.8. Restrictions on anonymity + - "identity escrow" is what Eric Hughes calls it + - linits on mail drops, on anonymous accounts, and--perhaps + ultimately--on cash purchases of any and all goods + 10.3.9. "Are bulletin boards and Internet providers "common carriers" + or not?" + - Not clear. BBS operators are clearly held more liable for + content than the phone company is, for example. + 10.3.10. 
Too much cleverness is passing for law + - Many schemes to bypass tax laws, regulations, etc., are, as + the British like to say, "too cute by half." For example, + claims that the dollar is defined as 1/35th of an ounce of + gold and that the modern dollar is only 1/10th of this. Or + that Ohio failed to properly enter the Union, and hence all + laws passed afterward are invalid. The same could be said + of schemes to deploy digital cash be claiming that ordinary + laws do not apply. Well, those who try such schemes often + find out otherwise, sometimes in prison. Tread carefully. + 10.3.11. "Is it legal to advocate the overthrow of governments or the + breaking of laws?" + - Although many Cypherpunks are not radicals, many others of + us are, and we often advocate "collapse of governments" and + other such things as money laundering schemes, tax evasion, + new methods for espionage, information markets, data + havens, etc. This rasises obvious concerns about legality. + - First off, I have to speak mainly of U.S. issues...the laws + of Russia or Japan or whatever may be completely different. + Sorry for the U.S.-centric focus of this FAQ, but that's + the way it is. The Net started here, and still is + dominantly here, and the laws of the U.S. are being + propagated around the world as part of the New World Order + and the collapse of the other superpower. + - Is it legal to advocate the replacement of a government? In + the U.S., it's the basic political process (though cynics + might argue that both parties represent the same governing + philosophy). Advocating the *violent overthrow* of the U.S. + government is apparently illegal, though I lack a cite on + this. + + Is it legal to advocate illegal acts in general? Certainly + much of free speech is precisely this: arguing for drug + use, for boycotts, etc. + + The EFF gopher site has this on "Advocating Lawbreaking, + Brandenburg v. Ohio. ": + - "In the 1969 case of Brandenburg v. 
Ohio, the Supreme + Court struck down the conviction of a Ku Klux Klan + member under a criminal syndicalism law and established + a new standard: Speech may not be suppressed or + punished unless it is intended to produce 'imminent + lawless action' and it is 'likely to produce such + action.' Otherwise, the First Amendment protects even + speech that advocates violence. The Brandenburg test is + the law today. " + + 10.4. Can Crypto be Banned? + 10.4.1. "Why won't government simply _ban such encryption methods?" + + This has always been the Number One Issue! + - raised by Stiegler, Drexler, Salin, and several others + (and in fact raised by some as an objection to my even + discussing these issues, namely, that action may then be + taken to head off the world I describe) + + Types of Bans on Encryption and Secrecy + - Ban on Private Use of Encryption + - Ban on Store-and-Forward Nodes + - Ban on Tokens and ZKIPS Authentication + - Requirement for public disclosure of all transactions + + Recent news (3-6-92, same day as Michaelangelo and + Lawnmower Man) that government is proposing a surcharge + on telcos and long distance services to pay for new + equipment needed to tap phones! + - S.266 and related bills + - this was argued in terms of stopping drug dealers and + other criminals + - but how does the government intend to deal with the + various forms fo end-user encryption or "confusion" + (the confusion that will come from compression, + packetizing, simple file encryption, etc.) + + Types of Arguments Against Such Bans + - The "Constitutional Rights" Arguments + + The "It's Too Late" Arguments + - PCs are already widely scattered, running dozens of + compression and encryption programs...it is far too + late to insist on "in the clear" broadcasts, whatever + those may be (is program code distinguishable from + encrypted messages? No.) 
+ - encrypted faxes, modem scramblers (albeit with some + restrictions) + - wireless LANs, packets, radio, IR, compressed text and + images, etc....all will defeat any efforts short of + police state intervention (which may still happen) + + The "Feud Within the NSA" Arguments + - COMSEC vs. PROD + + Will affect the privacy rights of corporations + - and there is much evidence that corporations are in + fact being spied upon, by foreign governments, by the + NSA, etc. + + They Will Try to Ban Such Encryption Techniques + + Stings (perhaps using viruses and logic bombs) + - or "barium," to trace the code + + Legal liability for companies that allow employees to use + such methods + - perhaps even in their own time, via the assumption that + employees who use illegal software methods in their own + time are perhaps couriers or agents for their + corporations (a tenuous point) + 10.4.2. The long-range impossibility of banning crypto + - stego + - direct broadcast to overhead satellites + - samizdat + - compression, algorithms, ....all made plaintext hard to + find + 10.4.3. Banning crypto is comparable to + + banning ski masks because criminals can hide their identity + - Note: yes, there are laws about "going masked for the + purpose of being masked," or somesuch + + insisting that all speech be in languages understandable by + eavesdroppers + - (I don't mean "official languages" for dealing with the + Feds, or what employers may reasonably insist on) + - outlawing curtains, or at least requiring that "Clipper + curtains" be bought (curtains which are transparent at + wavelengths the governments of the world can use) + - position escrow, via electronic bracelets like criminals + wear + - restrictions on books that possibly help criminals + - banning body armor (proposed in several communities) + - banning radar detectors + - (Note that these bans become more "reasonable" when the + items like body armor and radar detectos are reached, at + least to many people. 
Not to me, of course.) + 10.4.4. So Won't Governments Stop These Systems? + - Citing national security, protection of private property, + common decency, etc. + + Legal Measures + - Bans on ownership and operation of "anonymous" systems + + Restrictions on cryptographic algorithms + - RSA patent may be a start + + RICO, civil suits, money-laundering laws + - FINCEN, Financial Crimes Information Center + - IRS, Justice, NSA, FBI, DIA, CIA + - attempts to force other countries to comply with U.S. + banking laws + 10.4.5. Scenario for a ban on encryption + - "Paranoia is cryptography's occupational hazard." [Eric + Hughes, 1994-05-14] + + There are many scenarios. Here is a graphic one from Sandy + Sandfort: + - "Remember the instructions for cooking a live frog. The + government does not intend to stop until they have + effectively eliminated your privacy. + + STEP 1: Clipper becomes the de facto encryption + standard. + + STEP 2: When Cypherpunks and other "criminals" eschew + Clipper in favor of trusted strong crypto, the government + is "forced" to ban non-escrowed encryption systems. + (Gotta catch those pedophiles, drug dealers and + terrorists, after all.) + + STEP 3: When Cypherpunks and other criminals use + superencryption with Clipper or spoof LEAFs, the + government will regretably be forced to engage in random + message monitoring to detect these illegal techniques. + + Each of these steps will be taken because we wouldn't + passively accept such things as unrestricted wiretaps and + reasonable precautions like + digital telephony. It will portrayed as our fault. + Count on it." [Sandy Sandfort, 6-14-94] + + 10.4.6. Can the flow of bits be stopped? Is the genie really out of + the bottle? + - Note that Carl Ellison has long argued that the genie was + never _in_ the bottle, at least not in the U.S. in non- + wartime situations (use of cryptography, especially in + communications, in wartime obviously raises eyebrows) + + 10.5. 
Legal Issues with PGP + 7.12.1. "What is RSA Data Security Inc.'s position on PGP?" + I. They were strongly opposed to early versions + II. objections + - infringes on PKP patents (claimed infringements, not + tested in court, though) + - breaks the tight control previously seen + - brings unwanted attention to public key approaches (I + think PGP also helped RSA and RSADSI) + - bad blood between Zimmermann and Bidzos + III. objections + - infringes on PKP patents (claimed infringements, not + tested in court, though) + - breaks the tight control previously seen + - brings unwanted attention to public key approaches (I + think PGP also helped RSA and RSADSI) + - bad blood between Zimmermann and Bidzos + IV. Talk of lawsuits, actions, etc. + V. The 2.6 MIT accomodation may have lessened the tension; + purely speculative + 7.12.2. "Is PGP legal or illegal"? + 7.12.3. "Is there still a conflict between RSADSI and PRZ?" + - Apparently not. The MIT 2.6 negotiations seem to have + buried all such rancor. At least officially. I hear there's + still animosity, but it's no longer at the surface. (And + RSADSI is now facing lawsuits and patent suits.) + + 10.6. Legal Issues with Remailers + 8.9.1. What's the legal status of remailers? + - There are no laws against it at this time. + - No laws saying people have to put return addresses on + messages, on phone calls (pay phones are still legal), etc. + - And the laws pertaining to not having to produce identity + (the "flier" case, where leaflet distributors did not have + to produce ID) would seem to apply to this form of + communication. + + However, remailers may come under fire: + + Sysops, MIT case + - potentially serious for remailers if the case is + decided such that the sysop's creation of group that + was conducive to criminal pirating was itself a + crime...that could make all involved in remailers + culpable + 8.9.2. "Can remailer logs be subpoenaed?" + - Count on it happening, perhaps very soon. 
The FBI has been + subpoenaing e-mail archives for a Netcom customer (Lewis De + Payne), probably because they think the e-mail will lead + them to the location of uber-hacker Kevin Mitnick. Had the + parties used remailers, I'm fairly sure we'd be seeing + similar subpoenas for the remailer logs. + - There's no exemption for remailers that I know of! + + The solutions are obvious, though: + - use many remailers, to make subpoenaing back through the + chain very laborious, very expensive, and likely to fail + (if even one party won't cooperate, or is outside the + court's jurisdiction, etc.) + - offshore, multi-jurisdictional remailers (seleted by the + user) + - no remailer logs kept...destroy them (no law currently + says anybody has to keep e-mail records! This may + change....) + - "forward secrecy," a la Diffie-Hellman forward secrecy + 8.9.3. How will remailers be harassed, attacked, and challenged? + 8.9.4. "Can pressure be put on remailer operators to reveal traffic + logs and thereby allow tracing of messages?" + + For human-operated systems which have logs, sure. This is + why we want several things in remailers: + * no logs of messages + * many remailers + * multiple legal jurisdictions, e.g., offshore remailers + (the more the better) + * hardware implementations which execute instructions + flawlessly (Chaum's digital mix) + 8.9.5. Calls for limits on anonymity + + Kids and the net will cause many to call for limits on + nets, on anonymity, etc. + - "But there's a dark side to this exciting phenomenon, one + that's too rarely understood by computer novices. + Because they + offer instant access to others, and considerable + anonymity to + participants, the services make it possible for people - + especially computer-literate kids - to find themselves in + unpleasant, sexually explicit social situations.... 
And + I've gradually + come to adopt the view, which will be controversial among + many online + users, that the use of nicknames and other forms of + anonymity + must be eliminated or severly curbed to force people + online into + at least as much accountability for their words and + actions as + exists in real social encounters." [Walter S. Mossberg, + Wall Street Journal, 6/30/94, provided by Brad Dolan] + - Eli Brandt came up with a good response to this: "The + sound-bite response to this: do you want your child's + name, home address, and phone number available to all + those lurking pedophiles worldwide? Responsible parents + encourage their children to use remailers." + - Supreme Court said that identity of handbill distributors + need not be disclosed, and pseudonyms in general has a long + and noble tradition + - BBS operators have First Amendment protections (e.g.. + registration requirements would be tossed out, exactly as + if registration of newspapers were to be attempted) + 8.9.6. Remailers and Choice of Jurisdictions + - The intended target of a remailed message, and the subject + material, may well influence the set of remailers used, + especially for the very important "last remailer' (Note: it + should never be necessary to tell remailers if they are + first, last, or others, but the last remailer may in fact + be able to tell he's the last...if the message is in + plaintext to the recipient, with no additional remailer + commands embedded, for example.) + - A message involving child pornography might have a remailer + site located in a state like Denmark, where child porn laws + are less restrictive. And a message critical of Islam might + not be best sent through a final remailer in Teheran. Eric + Hughes has dubbed this "regulatory arbitrage," and to + various extents it is already common practice. + - Of course, the sender picks the remailer chain, so these + common sense notions may not be followed. 
Nothing is + perfect, and customs will evolve. I can imagine schemes + developing for choosing customers--a remailer might not + accept as a customer certain abusers, based on digital + pseudonyms < hairy). + 8.9.7. Possible legal steps to limit the use of remailers and + anonymous systems + - hold the remailer liable for content, i.e., no common + carrier status + - insert provisions into the various "anti-hacking" laws to + criminalize anonymous posts + 8.9.8. Crypto and remailers can be used to protect groups from "deep + pockets" lawsuits + - products (esp. software) can be sold "as is," or with + contracts backed up by escrow services (code kept in an + escrow repository, or money kept there to back up + committments) + + jurisdictions, legal and tax, cannot do "reach backs" which + expose the groups to more than they agreed to + - as is so often the case with corporations in the real + world, which are taxed and fined for various purposes + (asbestos, etc.) + - (For those who panic at the thought of this, the remedy for + the cautious will be to arrange contracts with the right + entities...probably paying more for less product.) + 8.9.9. Could anonymous remailers be used to entrap people, or to + gather information for investigations? + - First, there are so few current remailers that this is + unlikely. Julf seems a non-narc type, and he is located in + Finland. The Cypherpunks remailers are mostly run by folks + like us, for now. + - However, such stings and set-ups have been used in the past + by narcs and "red squads." Expect the worse from Mr. + Policeman. Now that evil hackers are identified as hazards, + expect moves in this direction. "Cryps" are obviously + "crack" dealers. + - But use of encryption, which CP remailers support (Julf's + does not), makes this essentially moot. + + 10.7. Legal Issues with Escrowed Encryption and Clipper + 9.17.1. 
As John Gilmore put it in a guest editorial in the "San + Francisco Examiner," "...we want the public to see a serious + debate about why the Constitution should be burned in order + to save the country." [J.G., 1994-06-26, quoted by S. + Sandfort] + 9.17.2. "I don't see how Clipper gives the government any powers or + capabilities it doesn't already have. Comments?" + 9.17.3. Is Clipper really voluntary? + 9.17.4. If Clipper is voluntary, who will use it? + 9.17.5. Restrictions on Civilian Use of Crypto + 9.17.6. "Has crypto been restricted in the U.S.?" + 9.17.7. "What legal steps are being taken?" + - Zimmermann + - ITAR + 9.17.8. reports that Department of Justice has a compliance + enforcement role in the EES [heard by someone from Dorothy + Denning, 1994-07], probably involving checking the law + enforcement agencies... + 9.17.9. Status + + "Will government agencies use Clipper?" + - Ah, the embarrassing question. They claim they will, but + there are also reports that sensitive agencies will not + use it, that Clipper is too insecure for them (key + lenght, compromise of escrow data, etc.). There may also + be different procedures (all agencies are equal, but some + are more equal than others). + - Clipper is rated for unclassified use, so this rules out + many agencies and many uses. An interesting double + standard. + + "Is the Administration backing away from Clipper?" + + industry opposition surprised them + - groups last summer, Citicorp, etc. + - public opinion + - editorial remarks + - so they may be preparing alternative + - and Gilmore's FOIA, Blaze's attack, the Denning + nonreview, the secrecy of the algortithm + + will not work + - spies won't use it, child pornographers probably won't + use it (if alternatives exist, which may be the whole + point) + - terrorists won't use it + - Is Clipper in trouble? + 9.17.10. "Will Clipper be voluntary?" 
+ - Many supporters of Clipper have cited the voluntary nature + of Clipper--as expressed in some policy statements--and + have used this to counter criticism. + + However, even if truly voluntary, some issues + + improper role for government to try to create a + commercial standard + - though the NIST role can be used to counter this point, + partly + - government can and does make it tough for competitors + - export controls (statements by officials on this exist) + + Cites for voluntary status: + - original statement says it will be voluntary + - (need to get some statements here) + + Cites for eventual mandatory status: + - "Without this initiative, the government will eventually + become helpless to defend the nation." [Louis Freeh, + director of the FBI, various sources] + - Steven Walker of Trusted Information Systems is one of + many who think so: "Based on his analysis, Walker added, + "I'm convinced that five years from now they'll say 'This + isn't working,' so we'll have to change the rules." Then, + he predicted, Clipper will be made mandatory for all + encoded communications." [ + + Parallels to other voluntary programs + - taxes + + 10.8. Legal Issues with Digital Cash + 10.8.1. "What's the legal status of digital cash?" + - It hasn't been tested, like a lot of crypto protocols. It + may be many years before these systems are tested. + 10.8.2. "Is there a tie between digital cash and money laundering?" + - There doesn't have to be, but many of us believe the + widespread deployment of digital, untraceable cash will + make possible new approaches + - Hence the importance of digital cash for crypto anarchy and + related ideas. + - (In case it isn't obvious, I consider money-laundering a + non-crime.) + 10.8.3. "Is it true the government of the U.S. can limit funds + transfers outside the U.S.?" + - Many issues here. Certainly some laws exist. Certainly + people are prosecuted every day for violating currency + export laws. Many avenues exist. 
+ - "LEGALITY - There isn't and will never be a law restricting + the sending of funds outside the United States. How do I + know? Simple. As a country dependant on international + trade (billions of dollars a year and counting), the + American economy would be destroyed." [David Johnson, + privacy@well.sf.ca.us, "Offshore Banking & Privacy," + alt.privacy, 1994-07-05] + 10.8.4. "Are "alternative currencies" allowed in the U.S.? And what's + the implication for digital cash of various forms? + - Tokens, coupons, gift certificates are allowed, but face + various regulations. Casino chips were once treated as + cash, but are now more regulated (inter-casino conversion + is no longer allowed). + - Any attempt to use such coupons as an alternative currency + face obstacles. The coupons may be allowed, but heavily + regulated (reporting requirements, etc.). + - Perry Metzger notes, bearer bonds are now illegal in the + U.S. (a bearer bond represented cash, in that no name was + attached to the bond--the "bearer" could sell it for cash + or redeem it...worked great for transporting large amounts + of cash in compact form). + + Note: Duncan Frissell claims that bearer bonds are _not_ + illegal. + - "Under the Tax Equity and Fiscal Responsibility Act of + 1982 (TEFRA), any interest payments made on *new* issues + of domestic bearer bonds are not deductible as an + ordinary and necessary business expense so none have been + issued since then. At the same time, the Feds + administratively stopped issuing treasury securities in + bearer form. Old issues of government and corporate debt + in bearer form still exist and will exist and trade for + 30 or more years after 1982. Additionally, US residents + can legally buy foreign bearer securities." [Duncan + Frissell, 1994-08-10] + - Someone else has a slightly different view: "The last US + Bearer Bond issues mature in 1997. 
I also believe that to + collect interest, and to redeem the bond at maturity, you + must give your name and tax-id number to the paying + agent. (I can check with the department here that handles + it if anyone is interested in the pertinent OCC regs that + apply)" [prig0011@gold.tc.umn.edu, 1994-08-10] + - I cite this gory detail to give readers some idea about + how much confusion there is about these subjects. The + usual advice is to "seek competent counsel," but in fact + most lawyers have no clear ideas about the optimum + strategies, and the run-of-the-mill advisor may mislead + one dangerously. Tread carefully. + - This has implications for digital cash, of course. + 10.8.5. "Why might digital cash and related techologies take hold + early in illegal markets? That is, will the Mob be an early + adopter?" + - untraceability needed + - and reputations matter to them + - they've shown in the past that they will try new + approaches, a la the money movements of the drug cartels, + novel methods for security, etc. + 10.8.6. "Electronic cash...will it have to comply with laws, and + how?" + - Concerns will be raised about the anonymity aspects, the + usefulness for evading taxes and reporting requirements, + etc. + - a messy issue, sure to be debated and legislated about for + many years + + split the cash into many pieces...is this "structuring"? is + it legal? + - some rules indicate the structuring per se is not + illegal, only tax evasion or currency control evasion + - what then of systems which _automatically_, as a basic + feature, split the cash up into multiple pieces and move + them? + 10.8.7. Currency controls, flight capital regulations, boycotts, + asset seizures, etc. + - all are pressures to find alternate ways for capital to + flow + - all add to the lack of confidence, which, paradoxically to + lawmakers, makes capital flight all the more likely + 10.8.8. "Will banking regulators allow digital cash?" + - Not easily, that's for sure. 
The maze of regulations, + restrictions, tax laws, and legal rulings is daunting. Eric + Hughes spent a lot of time reading up on the laws regarding + banks, commercial paper, taxes, etc., and concluded much + the same. I'm not saying it's impossible--indeed, I believe + it will someday happen, in some form--but the obstacles are + formidable. + + Some issues: + + Will such an operation be allowed to be centered or based + in the U.S.? + - What states? What laws? Bank vs. Savings and Loan vs. + Credit Union vs. Securities Broker vs. something else? + + Will customers be able to access such entities offshore, + outside the U.S.? + - strong crypto makes communication possible, but it may + be difficult, not part of the business fabric, etc. + (and hence not so useful--if one has to send PGP- + encrypted instructions to one's banker, and can't use + the clearing infrastructure....) + + Tax collection, money-laundering laws, disclosure laws, + "know your customer" laws....all are areas where a + "digital bank" could be shut down forthwith. Any bank not + filling out the proper forms (including mandatory + reporting of transactions of certain amounts and types, + and the Social Security/Taxpayer Number of customers) + faces huge fines, penalties, and regulatory sanctions. + - and the existing players in the banking and securities + business will not sit idly by while newcomers enter + their market; they will seek to force newcomers to jump + through the same hoops they had to (studies indicate + large corporations actually _like_ red tape, as it + helps them relative to smaller companies) + - Concluson: Digital banks will not be "launched" without a + *lot* of work by lawyers, accountants, tax experts, + lobbyists, etc. "Lemonade stand digital banks" (TM) will + not survive for long. Kids, don't try this at home! + - (Many new industries we are familiar with--software, + microcomputers--had very little regulation, rightly so. 
But + the effect is that many of us are unprepared to understand + the massive amount of red tape which businesses in other + areas, notably banking, face.) + 10.8.9. Legal obstacles to digital money. If governments don't want + anonymous cash, they can make things tough. + + As both Perry Metzger and Eric Hughes have said many times, + regulations can make life very difficult. Compliance with + laws is a major cost of doing business. + - ~"The cost of compliance in a typical USA bank is 14% of + operating costs."~ [Eric Hughes, citing an "American + Banker" article, 1994-08-30] + + The maze of regulations is navigable by larger + institutions, with staffs of lawyers, accountants, tax + specialists, etc., but is essentially beyond the + capabilities of very small institutions, at least in the + U.S. + - this may or may not remain the case, as computers + proliferate. A "bank-in-a-box" program might help. My + suspicion is that a certain size of staff is needed just + to handle the face-to-face meetings and hoop-jumping. + + "New World Order" + - U.S. urging other countries to "play ball" on banking + secrecy, on tax evasion extradition, on immigration, etc. + - this is closing off the former loopholes and escape + hatches that allowed people to escape repressive + taxation...the implications for digital money banks are + unclear, but worrisome. + + 10.9. Legality of Digital Banks and Digital Cash? + 10.9.1. In terms of banking laws, cash reporting regulations, money + laundering statutes, and the welter of laws connected with + financial transactions of all sorts, the Cypherpunks themes + and ideas are basically _illegal_. Illegal in the sense that + anyone trying to set up his own bank, or alternative currency + system, or the like would be shut down quickly. As an + informal, unnoticed _experiment_, such things are reasonably + safe...until they get noticed. + 10.9.2. The operative word here is "launch," in my opinion. 
The + "launch" of the BankAmericard (now VISA) in the 1960s was not + done lightly or casually...it required armies of lawyers, + accountants, and other bureacrats to make the launch both + legal and successful. The mere 'idea" of a credit card was + not enough...that was essentially the easiest part of it all. + (Anyone contemplating the launch of a digital cash system + would do well to study BankAmericard as an example...and + several other examples also.) + 10.9.3. The same will be true of any digital cash or similar system + which intends to operate more or less openly, to interface + with existing financial institutions, and which is not + explicity intended to be a Cypherpunkish underground + activity. + +10.10. Export of Crypto, ITAR, and Similar Laws + 10.10.1. "What are the laws and regulations about export of crypto, + and where can I find more information?" + - "The short answer is that the Department of State, Office + of Defense Trade Controls (DOS/DTC) and the National + Security Administration (NSA) won't allow unrestricted + export (like is being done with WinCrypt) for any + encryption program that the NSA can't crack with less than + a certain amount (that they are loathe to reveal) of + effort. For the long answer, see + ftp://ftp.csn.net/cryptusa.txt.gz and/or call DOS/DTC at + 703-875-7041." [Michael Paul Johnson, sci.crypt, 1994-07- + 08] + 10.10.2. "Is it illegal to send encrypted stuff out of the U.S.?" + - This has come up several times, with folks claiming they've + heard this. + - In times of war, real war, sending encrypted messages may + indeed be suspect, perhaps even illegal. + - But the U.S. currently has no such laws, and many of us + send lots of encrypted stuff outside the U.S. To remailers, + to friends, etc. + - Encrypted files are often tough to distinguish from + ordinary compressed files (high entropy), so law + enforcement would have a hard time. + - However, other countries may have different laws. + 10.10.3. 
"What's the situation about export of crypto?" + + There's been much debate about this, with the case of Phil + Zimmermann possibly being an important test case, should + charges be filed. + - as of 1994-09, the Grand Jury in San Jose has not said + anything (it's been about 7-9 months since they started + on this issue) + - Dan Bernstein has argued that ITAR covers nearly all + aspects of exporting crypto material, including codes, + documentation, and even "knowledge." (Controversially, it + may be in violation of ITAR for knowledgeable crypto people + to even leave the country with the intention of developing + crypto tools overseas.) + - The various distributions of PGP that have occurred via + anonymous ftp sources don't imply that ITAR is not being + enforced, or won't be in the future. + 10.10.4. Why and How Crypto is Not the Same as Armaments + - the gun comparison has advantages and disadvantages + - "right to keep and bear arms" + - but then this opens the door wide to restrictions, + regulations, comparisons of crypto to nuclear weapons, etc. + - + + "Crypto is not capable of killing people directly. Crypto + consists + - entirely of information (speech, if you must) that cannot + be + - interdicted. Crypto has civilian use. + - - + - , 4-11-94, sci.crypt> + 10.10.5. "What's ITAR and what does it cover?" + + ITAR, the International Trafficking in Arms Regulations, is + the defining set of rules for export of munitions--and + crypto is treated as munitions. + - regulations for interpreting export laws + + NSA may have doubts that ITAR would hold up in court + - Some might argue that this contravenes the Constitution, + and hence would fail in court. Again, there have been few + if any solid tests of ITAR in court, and some indications + that NSA lawyers are reluctant to see it tested, fearing + it would not pass muster. 
+ - doubts about legality (Carl Nicolai saw papers, since + confirmed in a FOIA) + - Brooks statement + - Cantwell Bill + - not fully tested in court + + reports of NSA worries that it wouldn't hold up in court if + ever challenged + - Carl Nicolai, later FOIA results, conversations with Phil + + Legal Actions Surrounding ITAR + - The ITAR laws may be used to fight hackers and + Cypherpunks...the outcome of the Zimmermann indictment + will be an important sign. + + What ITAR covers + - "ITAR 121.8(f): ``Software includes but is not limited to + the system functional design, logic flow, algorithms, + application programs, operating systems and support + software for design, implementation, test, operation, + diagnosis and repair.'' [quoted by Dan Bernstein, + talk.politics.crypto, 1994-07-14] + - joke by Bidzos about registering as an international arms + dealer + + ITAR and code (can code be published on the Net?) + - "Why does ITAR matter?" + - Phil Karn is involved with this, as are several others + here + + Dan Bernstein has some strongly held views, based on his + long history of fighting the ITAR + - "Let's assume that the algorithm is capable of + maintaining secrecy of information, and that it is not + restricted to decryption, banking, analog scrambling, + special smart cards, user authentication, data + authentication, data compression, or virus protection. + + "The algorithm is then in USML Category XIII(b)(1). + + "It is thus a defense article. ITAR 120.6. " [Dan + Bernstein, posting code to sci.crypt, + talk.politics.crypto, 1994-08-22] + - "Sending a defense article out of the United States in + any manner (except as knowledge in your head) is + export. ITAR 120.17(1). + + "So posting the algorithm constitutes export. There are + other forms of export, but I won't go into them here. + + "The algorithm itself, without any source code, is + software." 
[Dan Bernstein, posting code to sci.crypt, + talk.politics.crypto, 1994-08-22] + - "The statute is the Arms Export Control Act; the + regulations are the + International Traffic in Arms Regulations. For precise + references, see + my ``International Traffic in Arms Regulations: A + Publisher's Guide.''" [Dan Bernstein, posting code to + sci.crypt, talk.politics.crypto, 1994-08-22] + + "Posting code is fine. We do it all the time; we have + the right to do it; no one seems to be trying to stop us + from doing it." [Bryan G. Olson, posting code to + sci.crypt, talk.politics.crypto, 1994-08-20] + - Bernstein agrees that few busts have occurred, but + warns: "Thousands of people have distributed crypto in + violation of ITAR; only two, to my knowledge, have been + convicted. On the other hand, the guv'mint is rapidly + catching up with reality, and the Phil Zimmermann case + may be the start of a serious crackdown." [Dan + Bernstein, posting code to sci.crypt, + talk.politics.crypto, 1994-08-22] + - The common view that academic freedom means one is OK is + probably not true. + + Hal Finney neatly summarized the debate between Bernstein + and Olsen: + - "1) No one has ever been prosecuted for posting code on + sci.crypt. The Zimmermann case, if anything ever comes + of it, was not about posting code on Usenet, AFAIK. + + "2) No relevant government official has publically + expressed an opinion on whether posting code on + sci.crypt would be legal. The conversations Dan + Bernstein posted dealt with his requests for permission + to export his algorithm, not to post code on sci.crypt. + + "3) We don't know whether anyone will ever be + prosecuted for posting code on sci.crypt, and we don't + know what the outcome of any such prosecution would + be." [Hal Finney, talk.politics.crypto, 1994-008-30] + 10.10.6. "Can ITAR and other export laws be bypassed or skirted by + doing development offshore and then _importing_ strong crypto + into the U.S.?" 
+ - IBM is reportedly doing just this: developing strong crypto + products for OS/2 at its overseas labs, thus skirting the + export laws (which have weakened the keys to some of their + network security products to the 40 bits that are allowed). + + Some problems: + - can't send docs and knowhow to offshore facilities (some + obvious enforcement problems, but this is how the law + reads) + - may not even be able to transfer knowledgeable people to + offshore facilities, if the chief intent is to then have + them develop crypto products offshore (some deep + Constitutional issues, I would think...some shades of how + the U.S.S.R. justified denying departure visas for + "needed" workers) + - As with so many cases invovling crypto, there are no + defining legal cases that I am aware of. + +10.11. Regulatory Arbitrage + 10.11.1. Jurisdictions with more favorable laws will see claimants + going there. + 10.11.2. Similar to "capital flight" and "people voting with their + feet." + 10.11.3. Is the flip side of "jurisdiction shopping." wherein + prosecutors shop around for a jurisdiction that will be + likelier to convict. (As with the Amateur Action BBS case, + tried in Memphis, Tennessee, not in California.) + +10.12. Crypto and Pornography + 10.12.1. There's been a lot of media attention given to this, + especially pedophilia (pedophilia is not the same thing as + porn, of course, but the two are often discussed in articles + about the Net). As Rishab Ghosh put it: "I think the + pedophilic possibilities of the Internet capture the + imaginations of the media -- their deepest desires, perhaps." + [R.G., 1994-07-01] + 10.12.2. The fact is, the two are made for each other. The + untraceability of remailers, the unbreakability of strong + crypto if the files are intercepted by law enforcement, and + the ability to pay anonymously, all mean the early users of + commercial remailers will likely be these folks. + 10.12.3. Avoid embarrassing stings! 
Keep your job at the elementary + school! Get re-elected to the church council! + 10.12.4. pedophilia, bestiality, etc. (morphed images) + 10.12.5. Amateur Action BBS operator interested in crypto....a little + bit too late + 10.12.6. There are new prospects for delivery of messages as part of + stings or entrapment attacks, where the bits decrypt into + incriminating evidence when the right key is used. (XOR of + course) + 10.12.7. Just as the law enforcement folks are claiming, strong crypto + and remailers will make new kinds of porn networks. The nexus + or source will not be known, and the customers will not be + known. + - (An interesting strategy: claim customers unknown, and + their local laws. Make the "pickup" the customer's + responsibility (perhaps via agents). + +10.13. Usenet, Libel, Local Laws, Jurisdictions, etc. + 10.13.1. (Of peripheral importance to crypto themes, but important for + issues of coming legislation about the Net, attempts to + "regain control," etc. And a bit of a jumble of ideas, too.) + 10.13.2. Many countries, many laws. Much of Usenet traffic presumably + violates various laws in Iran, China, France, Zaire, and the + U.S., to name f ew places which have laws about what thoughts + can be expressed. + 10.13.3. Will this ever result in attempts to shut down Usenet, or at + least the feeds into various countries? + 10.13.4. On the subject of Usenet possibly being shut-down in the U.K. + (a recent rumor, unsubstantiated), this comment: " What you + have to grasp is that USENET type networks and the whole + structure of the law on publshing are fundamentally + incompatiable. With USENT anyone can untracably distribute + pornographic, libelous, blasphemous, copyright or even + officially secret information. Now, which do you think HMG + and, for that matter, the overwhealming majority of oridnary + people in this country think is most important. USENET or + those laws?" 
[Malcolm McMahon, malcolm@geog.leeds.ac.uk, + comp.org.eff.talk, 1994--08-26] + 10.13.5. Will it succeed? Not completely, as e-mail, gopher, the Web, + etc., still offers access. But the effects could reach most + casual users, and certainly affect the structure as we know + it today. + 10.13.6. Will crypto help? Not directly--see above. + +10.14. Emergency Regulations + 10.14.1. Emergency Orders + - various NSDDs and the like + - "Seven Days in May" scenario + 10.14.2. Legal, secrecy orders + - George Davida, U. oif Wisconsin, received letter in 1978 + threatening a $10K per day fine + - Carl Nicolai, PhasorPhone + - The NSA has confirmed that parts of the EES are patented, + in secrecy, and that the patents will be made public and + then used to stop competitors should the algorithm become + known. + 10.14.3. Can the FCC-type Requirements for "In the clear" broadcasting + (or keys supplied to Feds) be a basis for similar legislation + of private networks and private use of encryption? + - this would seem to be impractical, given the growth of + cellular phones, wireless LANs, etc....can't very well + mandate that corporations broadcast their internal + communications in the clear! + - compression, packet-switching, and all kinds of other + "distortions" of the data...requiring transmissions to be + readable by government agencies would require providing the + government with maps (of where the packets are going), with + specific decompression algorithms, etc....very impractical + +10.15. Patents and Copyrights + 10.15.1. The web of patents + - what happens is that everyone doing anything substantive + spends much of his time and money seeking patents + - patents are essential bargaining chips in dealing with + others + - e.g., DSS, Schnorr, RSADSI, etc. + - e.g., Stefan Brands is seeking patents + - Cylink suing... + 10.15.2. Role of RSA, Patents, etc. 
+ + Bidzos: "If you make money off RSA, we make money" is the + simple rule + - but of course it goes beyond this, as even "free" uses + may have to pay + - Overlapping patents being used (apparently) to extent the + life of the portfolio + + 4/28/97 The first of several P-K and RSA patents expires + + U.S. Patent Number: 4200770 + - Title: Cryptographic Apparatus and Method + - Inventors: Hellman, Diffie, Merkle + - Assignee: Stanford University + - Filed: September 6, 1977 + - Granted: April 29, 1980 + - [Expires: April 28, 1997] + + remember that any one of these several patents held by + Public Key Partners (Stanford and M.I.T., with RSA Data + Security the chief dispenser of licenses) can block an + effort to bypass the others + - though this may get fought out in court + + 8/18/97 The second of several P-K and RSA patents expires + + U.S. Patent Number: 4218582 + - Title: Public Key Cryptographic Apparatus and Method + - Inventors: Hellman, Merkle + - Assignee: The Board of Trustees of the Leland Stanford + Junior University + - Filed: October 6, 1977 + - Granted: August 19, 1980 + - [Expires: August 18, 1997] + - this may be disputed because it describe algortihms in + broad terms and used the knapsack algorithm as the chief + example + + 9/19/00 The main RSA patent expires + + U.S. Patent Number: 4405829 + - Title: Cryptographic Communications System and Method + - Inventors: Rivest, Shamir, Adleman + - Assignee: Massachusetts Institute of Technology + - Filed: December 14, 1977 + - Granted: September 20, 1983 + - [Expires: September 19, 2000] + 10.15.3. Lawsuits against RSA patents + + several are brewing + - Cylink is suing (strange rumors that NSA was involved) + - Roger Schlafly + 10.15.4. "What about the lawsuit filed by Cylink against RSA Data + Security Inc.?" + - Very curious, considering they are both part of Public Key + Partners, the consortium of Stanford, MIT, Cylink, and RSA + Data Security Inc. 
(RSADSI) + - the suit was filed in the summer of 1994 + + One odd rumor I heard, from a reputable source, was that + the NSA had asked PKP to do something (?) and that Cylink + had agreed, but RSADSI had refused, helping to push the + suit along + - any links with the death threats against Bidzos? + 10.15.5. "Can the patent system be used to block government use of + patents for purposes we don't like?" + - Comes up especially in the context of S. Micali's patent on + escrow techniques + - "Wouldn't matter. The government can't be enjoined from + using a patent. The federal government, in the final + analysis, can use any patent they want, without permission, + and the only recourse of the patent owner is to sue for + royalties in the Court of Claims." [Bill Larkins, + talk.politics.crypto, 1994-07-14] + +10.16. Practical Issues + 10.16.1. "What if I tell the authorities I Forgot My Password?" + - (or key, or passphrase...you get the idea) + - This comes up repeatedly, but the answer remains murky + 10.16.2. Civil vs. Criminal + + "This is a civil mattep, and the pights of ppivaay one haq + in cpiminal mattepq + - tend to vaniqh in aivil litigation. The paptieq to a + lawquit hate + - tpemeldouq powepq to dopae the othep qide to peteal + ildopmatiol peletalt + - to the aaqe, <@pad Templetol, 4-1-94, aomp,opg,edd,tal + 10.16.3. the law is essentially what the courts say it is + +10.17. Free Speech is Under Assault + 10.17.1. Censorship comes in many forms. Tort law, threats of grant or + contract removal, all are limiting speech. (More reasons for + anonymous speech, of course.) + 10.17.2. Discussions of cryptography could be targets of future + crackdowns. Sedition laws, conspiracy laws, RICO, etc. How + long before speaking on these matters earns a warning letter + from your university or your company? (It's the "big stick" + of ultimate government action that spurs these university and + company policies. 
Apple fears being shut down for having + "involvement" with a terrorist plot, Emory University fears + being sued for millions of dollars for "conspiring" to + degrade wimmin of color, etc.) + + How long before "rec.guns" is no longer carried at many + sites, as they fear having their universities or companies + linked to discussions of "assault weapons" and "cop-killer + bullets"? Prediction: Many companies and universities, under + pressure from the Feds, will block groups in which encrypted + files are posted. After all, if one encrypts, one must have + something to hide, and that could expose the university to + legal action from some group that feels aggrieved. + 10.17.3. Free speech is under assault across the country. The tort + system is being abused to stifle dissenting views (and lest + you think I am only a capitalist, only a free marketeer, the + use of "SLAPP suits"--"Strategic Lawsuits Against Public + Participation"--by corporations or real estate developers to + threaten those who dare to publicly speak against their + projects is a travesty, a travesty that the courts have only + recently begun to correct). + + We are becoming a nation of sheep, fearing the midnight raid, + the knock on the door. We fear that if we tell a joke, + someone will glare at us and threaten to sue us _and_ our + company! And so companies are adopting "speech codes" and + other such baggage of the Orwell's totalitarian state. + Political correctness is extending its tendrils into nearly + every aspect of life in America. + +10.18. Systems, Access, and the Law + 10.18.1. Legal issues regarding access to systems + + Concerns: + - access by minors to sexually explicit material + + access from regions where access "should not be + permitted" + - export of crypto, for example + - the Memphis access to California BBS + + Current approach: taking the promise of the accessor + - "I will not export this outside the U.S. or Canada." + - "I am of legal age to access this material." 
+ + Possible future approaches: + + Callbacks, to ensure accessor is from region stated + - easy enough to bypass with cut-outs and remailers + + "Credentials" + - a la the US Postal Service's proposed ID card (and + others) + + cryptographically authenticated credentials + - Chaum's credentials system (certainly better than + many non-privacy-preserving credentials systems) + 10.18.2. "What is a "common carrier" and how does a service become + one?" + - (This topic has significance for crypto and remailers, vis + a vis whether remailers are to be treated as common + carriers.) + - Common carriers are what the phone and package delivery + services are. They are not held liable for the contents of + phone calls, for the contents of packages (drugs, + pornography, etc.), or for illegal acts connected with + their services. One of the deals is that common carriers + not examine the insides of packages. Common carriers + essentially agree to take all traffic that pays the fee and + not to discriminate based on content. Thus, a phone service + will not ask what the subject of a call is to be, or listen + in, to decide whether to make the connection. + - Some say that to be a common carrier requires a willingness + to work with law enforcement. That is, Federal Express is + not responsible for contents of packages, but they have to + cooperate in reasonable ways with law enforcement to open + or track suspicious packages. Anybody have a cite for this? + Is it true? + - Common carrier status is also cited for bookstores, which + are not presumed to have read each and every one of the + books they sell...so if somebody blows their hand off in a + an experiment, the bookstore is not liable. (The + author/publisher may be, but that's aƤnt issue.) + - How does one become a common carrier? Not clear. One view + is that a service should "behave like" a common carrier and + then hope and pray that a court sees it that way. + + Are computer services common carriers? 
A topic of great + interest. + - "According to a discussion I had with Dave Lawrence + (postmaster at UUNET, as well as moderator of + news.admin.newgroups), UUNET is registered with the FCC + as an "Enhanced Service Provider," which, according to + Dave, amounts to similar protection as "Common Carrier." + ("Common Carrier" seems to not be appropriate yet, since + Congress is so behind the tech curve)." [L. Todd Masco, + 1994-08-11] + - As for remailer networks being treated as common carriers, + totally unclear at this time. Certainly the fact that + packets are fully encrypted and unreadabel goes to part of + the issue about agreeing not to screen. + + More on the common carrier debate: + - "Ah, the eternal Common Carrier debate. The answer is + the same as the last few times. "Common Carrier" status + has little to do with exemption from liability. It has + most to do with being unable to reject passengers, goods, + or phone calls......Plenty of non-common carrier entities + are immune from prosecution for ideas that they + unkowingly communicate -- bookstores for example (unless + they are *knowingly* porno bookstores in the wrong + jurisdiction)....Compuserve was held not liable for an + (alleged) libel by one of its sysops. Not because of + common carrier but because they had no knowledge or + control....Remailers have no knowledge or control hence + no scienter (guilty knowledge) hence no liability as a + matter of law---not a jury question BTW." [Duncan + Frissell, 1994-08-11] + +10.19. Credentials + 10.19.1. "Are credentials needed? Will digital methods be used?" + 10.19.2. I take a radical view. Ask yourself why credentials are + _ever_ needed. Maybe for driving a car, and the like, but in + those cases anonymity is not needed, as the person is in the + car, etc. + + Credentials for drinking age? Why? Let the parents enforce + this, as the argument goes about watching sex and violence on + t.v. 
(If one accepts the logic of requiring bars to enforce + children's behavior, then one is on a slippery slope toward + requiring television set makers to check smartcards of + viewers, or of requiring a license to access the Internet, + etc.) + + In almost no cases do I see the need to carry "papers" with + me. Maybe a driver's license, like I said. In other areas, + why? + 10.19.3. So Cypherpunks probably should not spend too much time + worrying about how permission slips and "hall passes" will be + handled. Little need for them. + 10.19.4. "What about credentials for specific job performance, or for + establishing time-based contracts?" + - Credentials that prove one has completed certain classes, + or reached certain skill levels, etc.? + - In transactions where "future performance" is needed, as in + a contract to have a house built, or to do some similar + job, then of course the idea of on-line or immediate + clearing is bogus...like paying a stranger a sum of money + on his promise that he'll be back the next day to start + building you a house. + + Parties to such long-term, non-locally-cleared cases may + contract with an escrow agent, as I described above. This + is like the "privately-produced law" we've discussed so + many times. The essence: voluntary arrangements. + + Maybe proofs of identity will be needed, or asked for, + maybe not. But these are not the essence of the deal. + +10.20. Escrow Agents + 10.20.1. (the main discussion of this is under Crypto Anarchy) + 10.20.2. Escrow Agents as a way to deal with contract renegging + - On-line clearing has the possible danger implicit in all + trades that Alice will hand over the money, Bob will verify + that it has cleared into hisaccount (in older terms, Bob + would await word that his Swiss bank account has just been + credited), and then Bob will fail to complete his end of + the bargain. 
If the transaction is truly anonymous, over + computer lines, then of course Bob just hangs up his modem + and the connection is broken. This situation is as old as + time, and has always involved protcols in which trust, + repeat business, etc., are factors. Or escrow agents. + - Long before the "key escrow" of Clipper, true escrow was + planned. Escrow as in escrow agents. Or bonding agents. + - Alice and Bob want to conduct a transaction. Neither trusts + the other; + indeed, they are unknown to each other. In steps "Esther's + Escrow Service." She is _also utraceable_, but has + established a digitally-signed presence and a good + reputation for fairness. Her business is in being an escrow + agent, like a bonding agency, not in "burning" either + party. (The math of this is interesting: as long as the + profits to be gained from any small set of transactions is + less than her "reputation capital," it is in her interest + to forego the profits from burning and be honest. It is + also possible to arrange that Esther cannot profit from + burning either Alice or Bob or both of them, e.g., by + suitably encrypting the escrowed stuff.) + - Alice can put her part of the transaction into escrow with + Esther, Bob can do the same, and then Esther can release + the items to the parties when conditions are met, when both + parties agree, when adjudication of some sort occurs, etc. + (There a dozen issues here, of course, about how disputes + are settled, about how parties satisfy themselves that + Esther has the items she says she has, etc.) + +10.21. Loose Ends + 10.21.1. Legality of trying to break crypto systems + + "What's the legality of breaking cyphers?" + - Suppose I find some random-looking bits and find a way to + apparently decrease their entropy, perhaps turning them + into the HBO or Playboy channel? What crime have I + committed? + - "Theft of services" is what they'll get me for. 
Merely + listening to broadcasts can now be a crime (cellular, + police channels, satellite broadcasts). In my view, a + chilling developemt, for practical reasons (enforcement + means invasive monitoring) and for basic common sense + ethics reasons: how can listening to what lands on your + property be illegal? + - This also opens the door for laws banning listening to + certain "outlaw" or "unlicensed" braodcast stations. + Shades of the Iron Curtain. (I'm not talking about FCC + licensing, per se.) + + "Could it ever be illegal to try to break an encryption + scheme, even if the actual underlying data is not + "stolen"?" + + Criminalizing *tools* rather than actions + - The U.S. is moving in the direction of making mere + possession of certain tools and methods illegal, rather + than criminalizing actual actions. This has been the + case--or so I hear, though I can't cite actual laws-- + with "burglar tools." (Some dispute this, pointing to + the sale of lockpicks, books on locksmithing, etc. + Still, see what happens if you try to publish a + detailed book on how to counterfeit currency.) + - Black's law term for this? + + To some extent, it already is. Video encryption is this + way. So is cellular. + - attendees returning from a Bahamas conference on pirate + video methods (guess why it was in the Bahamas) had + their papers and demo materials seized by Customs + - Counterfeiting is, I think, in this situation, too. + Merely exploring certain aspects is verboten. (I don't + claim that all aspects are, of course.) 
+ - Interception of broadcast signals may be illegal-- + satellite or cellular phone traffic (and Digital + Telephony Act may further make such intercepts illegal + and punishable in draconian ways) + + Outlawing of the breaking of encryption, a la the + broadcast/scanner laws + - (This came up in a thread with Steve Bellovin) + + Aspects + + PPL side...hard to convince a PPL agent to "enforce" + this + - but market sanctions against those who publically use + the information are of course possible, just as with + those who overhear conversations and then gossip + widely (whereas the act of overhearing is hardly a + crime) + - statutory enforcement leads to complacency, to below- + par security + + is an unwelcome expansion of power of state to enforce + laws against decryption of numbers + - and may lead to overall restrictions on crypto use + 10.21.2. wais, gopher, WWW, and implications + - borders more transparent...not clear _where_ searches are + taking place, files being transferrred, etc. (well, it is + deterministic, so some agent or program presumably knows, + but it's likely that humans don't) + 10.21.3. "Why are so many prominent Cypherpunks interested in the + law?" + - Beats me. Nothing is more stultfyingly boring to me than + the cruft and "found items" nature of the law. + - However,, for a certain breed of hacker, law hacking is the + ultimate challenge. And it's important for some Cypherpunks + goals. + 10.21.4. "How will crypto be fought?" + - The usual suspects: porn, pedophilia, terrorists, tax + evaders, spies + + Claims that "national security" is at stake + - As someone has said, "National security is the root + password to the Constitution" + + claims of discrimination + - as but one example, crypto allows offshore bank accounts, + a la carte insurance, etc...these are all things that + will shake the social welfare systems of many nations + 10.21.5. 
Stego may also be useful in providing board operators with + "plausible deniabillity"--they can claim ignorance of the LSB + contents (I'm not saying this will stand up in court very + well, but any port in a storm, especially port 25). + 10.21.6. Can a message be proved to be encrypted, and with what key? + 10.21.7. Legality of digital signatures and timestamps? + - Stu Haber confirms that this has not been tested, no + precedents set + 10.21.8. A legal issue about proving encryption exists + - The XOR point. Any message can be turned into any other + message, with the proper XOR intermediate message. + Implications for stego as well as for legal proof + (difficulty of). As bits leave no fingerprints, the mere + presence of a particular XOR pad on a defendant's disk is + no proof that he put it there...the cops could have planted + the incriminating key, which turns "gi6E2lf7DX01jT$" into + "Dope is ready." (I see issues of "chain of evidence" + becoming even more critical, perhaps with use of + independent "timestamping authorities" to make hashes of + seized evidence--hashes in the cryptographic sense and not + hashes in the usual police sense.) + 10.21.9. "What are the dangers of standardization and official + sanctioning?" + - The U.S. has had a disturbing tendency to standardize on + some technology and then punish deviations from the + standard. Examples: telephones, cable (franchises granted, + competitors excluded) + - Franchises, standards... + + My concern: Digital money will be blessed...home banking, + Microsoft, other banks, etc. The Treasury folks will sign + on, etc. + - Competitors will have a hard time, as government throws + roadblocks in front of them, as the U.S. makes + international deals with other countries, etc. + 10.21.10. Restrictions on voice encryption? 
+ + may arise for an ironic reason: people can use Net + connections to talk worldwide for $1 an hour or less, + rather than $1 a minute; this may cause telcos to clamor + for restrictions + - enforcing these restrictions then becomes problematic, + unless channel is monitored + - and if encrypted... + 10.21.11. Fuzziness of laws + - It may seem surprising that a nation so enmeshed in + complicated legalese as the U.S., with more lawyers per + capita than any other large nation and with a legal code + that consists of hundreds of thousands of pages of + regulations and interpretations, is actually a nation with + a legal code that is hard to pin down. + - Any system with formal, rigid rules can be "gamed against" + be an adversary. The lawmakers know this, and so the laws + are kept fuzzy enough to thwart mechanistic gaming; this + doesn't stop there from being an army of lawyers (in fact, + it guarantees it). Some would say that the laws are kept + fuzzy to increase the power of lawmakers and regulators. + - "Bank regulations in this country are kept deliberately + somewhat vague. The regulator's word is the deciding + principle, not a detailed interpretation of statute. The + lines are fuzzy, and because they are fuzzy, the banks + don't press on them nearly as hard as when there's clear + statutory language available to be interpreted in a court. + + "The uncertainty in the regulatory environment _increases_ + the hold the regulators have over the banks. And the + regulators are known for being decidedly finicky. Their + decisions are largely not subject to appeal (except for the + flagrant stuff, which the regulators are smart enough not + to do too often), and there's no protection against cross- + linking issues. If a bank does something untoward in, say, + mortgage banking, they may find, say, their interstate + branching possibilities seem suddenly much dimmer. + + "The Dept. of Treasury doesn't want untraceable + transactions." 
[Eric Hughes, Cypherpunks list, 1994-8-03] + - Attempts to sneak around the laws, especially in the + context of alternative currencies, Perry Metzger notes: + "They are simply trying to stop you from playing games. The + law isn't like geometry -- there aren't axioms and rules + for deriving one thing from another. The general principle + is that they want to track all your transactions, and if + you make it difficult they will either use existing law to + jail you, or will produce a new law to try to do the same." + [Perry Metzger, 1994-08-10] + - This fuzziness and regulatory discretion is closely related + to those wacky schemes to avoid taxes by claiming , for + example, that the "dollar" is defined as 1/35th of an ounce + of gold (and that hence one's earnings in "real dollars" + are a tiny fraction of the ostensible earnings), that Ohio + did not legally enter the Union and thus the income tax was + never properly ratified,, etc. Lots of these theories have + been tested--and rejected. I mention this because some + Cypherpunks show signs of thinking "digital cash" offers + similar opportunities. (And I expect to see similar scams.) + - (A related example. Can one's accumulation of money be + taken out of the country? Depending on who you ask, "it + depends." Taking it out in your suitcase rasises all kind + of possibilies of seizure (violation of currency export + laws, money laundering, etc.). Wiring it out may invoke + FinCEN triggers. The IRS may claim it is "capital flight" + to avoid taxes--which it may well be. Basically, your own + money is no longer yours. There may be ways to do this--I + hope so--but the point remains that the rules are fuzzy, + and the discretionary powers to seize assets are great. + Seek competent counsel, and then pray.) + 10.21.12. 
role of Uniform Commercial Code (UCC) + - not discussed in crypto circles much, but the "rules of the + road" + - in many way, an implementation of anarcho-capitalism, in + that the UCC is a descendant (modulo some details) of the + "Law Merchant" that handled relations between sovereign + powers, trade at sea, etc. + - things like electronic funds transfere, checks, liablities + for forged sigs, etc. + - I expect eventual UCC involvement in digital money schemes + 10.21.13. "What about the rush to legislate, to pass laws about + cyberspace, the information superduperhighway, etc.? + + The U.S. Congress feels it has to "do something" about + things that many of us feel don't need regulation or "help" + from Congress. + - crypto legislation + - set-top boxes, cable access, National Information + Infrastructure (Cable Version) + - information access, parental lock-outs, violence ratings, + sexually explicit materials, etc. + - Related to the "do something!" mentality on National Health + Care, guns, violence, etc. + - Why not just not do anything? + + Scary possibilities being talked about: + + giving television sets unique IDs ("V chips") with cable + access through these chips + - tying national ID cards to these, e.g., Joe Citizen, of + Provo, Utah, would be "allowed" to view an NC-17 + violence-rated program + - This would be disastrous: records, surveillance, + dossiers, permission, centralization + - The "how can we fix it?" mindset is very damaging. Many + things just cannot be "fixed" by central planners....look + at economies for an example. The same is usually true of + technologies. + 10.21.14. 
on use of offshore escrow agents as protection against + seizures + - contempt laws come into play, but the idea is to make + yourself powerless to alter the situation, and hence not + willfully disobeying the court + + Can also tell offshore agents what to do with files, and + when to release them + - Eric Hughes proposes: "One solution to this is to give + the passphrase (or other access information) to someone + who won't give it back to you if you are under duress, + investigation, court order, etc. One would desire that + this entity be in a jurisdiction other than where an + investigation might happen." [E.H., 1994-07-26] + - Sandy Sandfort adds: "Prior to seizure/theft, you would + make an arrangement with an offshore "escrow agent." + After seizure you would send your computer the + instruction that says, "encrypt my disk with the escrow + agents public key." After that, only the escrow agent + could decrypt your disk. Of course, the escrow agent + would only do that when conditions you had stipulated + were in effect." [S. S., 1994-07-27] + - related to data havens and offshore credit/P.I. havens + 10.21.15. Can the FCC-type Requirements for "In the clear" broadcasting + (or keys supplied to Feds) be a basis for similar legislation + of private networks and private use of encryption? + - this would seem to be impractical, given the growth of + cellular phones, wireless LANs, etc....can't very well + mandate that corporations broadcast their internal + communications in the clear! + - compression, packet-switching, and all kinds of other + "distortions" of the data...requiring transmissions to be + readable by government agencies would require providing the + government with maps (of where the packets are going), with + specific decompression algorithms, etc....very impractical + 10.21.16. 
Things that could trigger a privacy flap or limitations on + crypto + - Anonymously publishing adoption records [suggested by Brian + Williams, 1994-08-22] + - nuclear weapons secrets (true secrets, not just the + titillating stuff that any bright physics student can + cobble together) + - repugant markets (assassinations, organ selling, etc.) + 10.21.17. Pressures on civilians not to reveal crypto knowledge + + Example: mobile phone crypto standards. + - "This was the official line until a few months ago - that + A5 was strong and A5X a weakened export + version....However, once we got hold of A5 we found that + it was not particularly strong there is an easy 2^40 + attack. The government's line then changed to `you + mustn't discuss this in public because it would harm + British export sales'....Perhaps it was all a ploy to get + Saddam to buy A5 chips off some disreputable arms dealer + type. [Ross Anderson, "mobil phone in europe , a precedence?," sci.crypt, 1994-08-15] + - Now this example comes from Britain, where the + intelligence community has always had more lattitude than + in the U.S. (an Official Secrets Act, limits on the + press, no pesky Constitution to get in the way, and even + more of an old boy's network than we have in the U.S. + mil-industrial complex). + - And the threat by NSA officials to have Jim Bidzos, the + president of RSA Data Security, Inc., killed if he didn't + play ball. {"The Keys to the Kingdom," San Jose Mercury + News] + 10.21.18. "identity escrow", Eric Hughes, for restrictions on e-mail + accounts and electronic PO boxes (has been talked about, + apparently...no details)
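Review bot: In 10.21.17 the Ross Anderson quotation opens with a double quote at "This was the official line" and is never closed before the bracketed attribution, and the citation a few lines later opens with `{` but closes with `]` ({"The Keys to the Kingdom," San Jose Mercury News]); the 10.21.13 heading also opens a quote at "What about the rush to legislate" with no closing mark. Please balance these, or, if the file is intended as a verbatim import of the source text, state that in the commit message so that later cleanup of spellings such as "hisaccount", "protcols" and "utraceable" in 10.20.2 is a deliberate, separate change. Two smaller points in the same range: 10.21.5 is the only numbered entry here that runs straight into body text without a title, and in 10.21.8 the sample ciphertext "gi6E2lf7DX01jT$" is 15 characters as it appears here while "Dope is ready." is 14, so the XOR-pad illustration does not line up byte for byte.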