(Posted with the permission of the author.--Andy) To: •••@••.••• From: "Timothy C. May" <•••@••.•••> Subject: Re: So, what crypto legislation (if any) is necessary? Sender: •••@••.••• Precedence: bulk At 4:14 PM 3/25/96, Simon Spero wrote: >If the Leahy bill is unacceptable, what legistlation is necessary? I >can't see how the use of cryptography in the commission of a crime needs >to be a separate offence, but I could see how it could be treated as a >special circumstance - that doesn't really needed a new law though. I don't see any compelling need for U.S. legislation. And given the pressures to attach all sorts of language to bills, I think it best that no legislation happen. Consider a few areas in turn: * DOMESTIC USE OF ENCRYPTION: Currently, no restrictions whatsoever. No laws saying messages can't be encrypted, no laws saying keys must be escrowed, no laws about permissable strength of ciphers, no special laws covering disclosure of keys. Just silence, blessed silence. The Constitution says there shall be no laws about permissable speech (what language one speaks in, or writes in), and other provisions about compelled testimony seem adequate. * EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S. companies, but is not _per se_ an issue I worry about. So long as I have strong crypto, I don't really care too much about export. It would be nice to get the ITARs modified, but not at the risk of adding language (such as Leahy did) making use of encryption a possible crime (we've debated this, so I won't elaborate here). Besides, I think the best way to overturn the ITARs is through a court challenge; as I have noted, even the NSA's lawyers felt that the ITARs would not withstand court scrutiny. * KEY ESCROW: A matter of contract law, nothing more. If I want to give a copy of my key to my lawyer, fine. If I want to give a copy to Vince's Offshore Key Repository, no current U.S. laws stops me from doing so, and I can even get it to him securely without violating any ITARs by using the cipher that _he_ uses and then importing it here! (Michael Froomkin speculated in one of his articles, I don't recall which, that there might need to be certain guidelines or laws if a key escrow protocol were to invoke the U.S. court system. Maybe. But I think ordinary contract law, about what a contract says and what it means, is adequate. If I pay Joe's Key Warehouse a fee to store my key and it loses it, or gives it to another party, then damages can be collected.) IMPORTANT NOTE: It is often said, in a correct interpretation I think, that a third party holding a key (Joe's Key Warehouse) is _not_ covered by the 5th Amendment's protections against self-incrimination, and so must honor a subpoena. Sounds accurate to me. However, what if Joe is _also_ one's lawyer? Does attorney-client privilege apply here? Perhaps. A better solution is also fully legal at this time: use only offshore key storage. A U.S. subpoena to Vince's Offshore Key Repository will carry no weight in Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince and I could have a stipulation that such "duress requests" will not be honored, no matter how loudly I squawk.) * DIGITAL MONEY. Well, this is such a confusing muddle of competing systems, unclear interpretations, and hyped claims, that I won't address it. Nor do any of the current bills being considered address it. In conclusion, things are fine as they are. I see no compelling need to write a special law confirming the rights we already are enjoying. If the Congress wants to relax the ITARs (fat chance), they can direct that the language of specific sections be redrafted. (I'm not even sure when and how the original language was crafted, though it is part, I believe, of the ancient Munitions Act and/or Trading with the Enemy Act. The enabling legislation for the ITARs, and especially for the specific items actually ON the "Munitions List" could be trivially changed. Were this Leahy's intent, an easy thing to write a bill for. I doubt this was his intent, however. Last point: >I do feel that it should be possible for courts to sub poena crypto keys, >but that doesn't really need new law either (4th and 5th ammendments >become _really_ important though (hmmm- there advantages to writing down a >constitution after all :) I agree that subpoenas for keys are legit. While I may dislike giving up my key, in a criminal matter it seems like "just another document." If they can subpoena my diary, my phone records, my dentist bills, why not another this document? Nothing in the Constitution giving it special status. Still, one can store spare copies of keys with one's lawyer, which _may_ protect it against retrieval by subpoena, and one can store spare copies of keys in foreign jurisdictions, which almost certainly will protect against the retrieval (unless an international treaty on such things is passed!). Obviously things get more complicated when a private key or set of keys "is one's identity." That is, at some future time, when a key or set of keys is literally the key to one's identity, then this document is no longer "just another document." A law enforcement agency or court that obtains these keys could do much damage, beyond just the matter being investigated or tried in court. The release of the key cannot be undone. A thorny problem. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, •••@••.••• 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~ Posted by Andrew Oram - •••@••.••• - Moderator: CYBER-RIGHTS (CPSR) Cyber-Rights: http://www.cpsr.org/cpsr/nii/cyber-rights/ ftp://www.cpsr.org/cpsr/nii/cyber-rights/Library/ CyberJournal: (WWW or FTP) --> ftp://ftp.iol.ie/users/rkmoore Materials may be reposted in their _entirety_ for non-commercial use. ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~
