Re: Euro-move to key-escrow encryption


Henry Huang


On Sep 25,  3:37, OLmaniac wrote:
> With this post, I will show my ignorance, but humor me, please. Say in the
> future, most nations outlaw any encryption system which cannot be cracked by
> government officials. How would they know you are encrypting your
> communications unless they in fact tried to intercept your communications and
> were thwarted by the encryption. With the volume of electronic communications

There have been interesting arguments about what qualifies as "code" and
what doesn't.  Practically speaking, if you communicated with someone in
a foreign language, and Gov't wiretappers couldn't figure out what the hell
you were saying, then that should count as a code.  Plus, messages which
are perfectly encrypted should be statistically indistinguishable from
white noise.  Although there's no such thing as "perfect" encryption,
it does raise your question of how the Gov't can distinguish between code
and white noise without banning both (which would be silly).

My answer to this is that you *can't* tell whether something is in code
or not without:

a.) knowing the code, or being able to recognize certain patterns
    indicative of certain types of encryption,

b.) wiretapping your lines to steal portions of ciphertext (which is a

c.) failing a.), having some notion of *intent* -- i.e. that you INTEND
    to send your messages in an obscure format for the express purpose
    of making them hard to read.  After all, that's the *whole point*
    to cryptography, isn't it?

This is why outlawing encryption in general is, as a rule, unworkable.
Legalizing *certain types* of encryption ala key-escrow, however, is
much clearer in terms of defining what "legal code" is -- i.e. if it
can be proven (again, through wiretapping and other unsavory means)
that you're NOT sending white noise, and that what you are sending
cannot be decrypted using legalized algorithms, then you have
circumstantial evidence for stating that you're breaking the law.

One would then have to combine this with traffic analysis (i.e. seeing
who you've sent this suspicious material to), and other evidence to
build a workable case.

This is another reason why anonymous remailers tend to get so much
heat -- if you use remailers which don't assign unique anon-identities
to senders and don't keep logs of who uses them, and chain enough of
these together, you can post/mail anonymously at will without fear
of being traced.  Traffic analysis can be as effective as breaking
code in many situations -- especially when it's relatively obvious
what you're sending and why.  Most people don't realize this ...
and when they do, the whole idea of encryption loses its sheen
because it's such a *pain* to do it right (i.e. securely).

Frankly, I'm not sure why the Gov't would even want to bother banning
non-escrowed encryption.  It's not like it's actually used much now.
And their actions only serve to draw increasing suspicion to their
motives (which, as revealed by EPIC, are *extremely* unsavory).

> on encryption use? Assume most governments use the key escrow system, what is
> to prevent individuals from developing encryption techniques which aren't
> revealed to the governmental agencies? (Besides being illegal. Most highways
> have a speed limit, but who obeys those laws?) What would the penalties be,

"When encryption is outlawed, only outlaws will have encryption."

Ever heard of civil disobedience?  Go read alt.religion.scientology for some
shining examples.

> and are there any proposals out that mention possible punishment? One final

Yeesh, who knows.  Not like it matters; the whole concept is flawed.

> question and y'all can flame away on this newbie net-head wanna-be, What's
> the big deal on encryption anyway? If you're silly enough to put all you're
> business' secrets into an  e-mail message which as even the "virgin" users of
> elctronic communications know isn't all that safe from determined prying
> eyes, then dont you deserve to get burned. If it absolutly positivly has to
> get there in seconds, wouldn't a fax be easier? There are ways to secure
> phone lines right? Oh well, I've got BBQ sauce smeared all over me so flame

"Secure phone lines"?!?  Ah well, you said you didn't know what you were
talking about, so I'll clarify this:

There is *no such thing* as a secure phone line.  The only way to secure
a phone line is to make sure that the material you're sending over it
is encrypted.  And even then, you have to be careful (read the docs for
PGPfone for an outline of some of the possible attacks).

However, you are correct in that sending a fax is no more secure than
sending E-mail -- and in some situations, it's a lot easier (i.e. when
you need to send an image of a document).

And yes, if you're stupid enough to send your most critical business
secrets unencrypted (or key-escrow encrypted), then you deserve to get
burned.  AT&T makes Clipper phones now, and we're all still waiting
for those alleged brain-cell-deprived terrorists/drug dealers to buy
one and incriminate themselves.

- -H

P.S. The digital signature attached to this message will also be
     outlawed under key-escrow.  Think about it -- if you use weak
     public-key encryption to sign your messages, then your signature
     is essentially useless.  So, in a way, this DEFEATS the notion
     of secure identity.  (Or maybe not ... it depends on how you
     obtain your public keys.)

This message signed with PGP 2.6.2.
     Key ID# 85785FD9 "Henry Huang <•••@••.•••>"
          Key fingerprint =  7F 18 28 F1 19 97 2A 70  7E 48 B9 14 9D 25 51 C1 

To verify that these stats are correct, finger •••@••.•••.

Version: 2.6.2


  For subscription info, archived postings/documents, and other useful
  material, visit the CPSR Cyber-Rights Web Page at:

  The CPSR Cyber-Rights Library is available via FTP at:

  You are encouraged to forward and cross-post messages and online
  materials, pursuant to any contained copyright & redistribution