
Internet and Society 1999
The Technologies and Politics of Control
Scribes Notes -- Lecture 3


I.          Today’s Tech

A.      Ethernet jacks at the desks are not active.  Use the hubs.  But if you don’t have an HLS roaming-registered network card, don’t plug in at all!

B.      “Remote” comments – via http://cyber.law.harvard.edu/is99/ask

II.       Today

A.      MIT students

B.      Danny Weitzner

1.       First joint meeting of MIT and HLS class

C.     Alan Davidson- crypto expert from D.C.

D.     Jonah Seiger- voice of net in crypto policy

III.    James Calstrom channeling (via DW)

A.      Dangerous world

1.       FBI world challenging

2.       globalization of crime, terrorism, money laundering

3.       criminals sophisticated, take advantage

4.       threat to infrastructures of all sorts

5.       put basic public services at risk

B.      Challenges to law enforcement

1.       High tech companies/interests

2.       small band of civil libertarians

·     radicals who argue for rights to ultimate privacy

·     veil of absolute secrecy

3.       Technology is sophisticated enough to achieve complete veil

C.     Law enforcement needs wiretapping capability

D.     JZ critique of this

1.       People used to being surveilled

2.       Information gained used to stop threats

3.       He says crypto is a new weapon

4.       FBI just wants status quo

E.      Alan: why this isn’t so

1.       Internet is new media

2.       Internet is the most insecure medium

·     Messages travel through many locations/computers

·     Trivial to read these messages—plaintext

·     No 4th Amendment outside of U.S.

3.       Encryption essential tool

·     Sensitive info on-line

·     Businesses need it

·     Nation needs it to protect infrastructure

4.       Perceived threat to law enforcement

·     Golden age of wiretapping

·     No way that any conversation can go unlistened to

·     Encryption 1 chance to have secure communication

·     Used to be possible frequently

F.      JC: Golden Age of Wiretapping- Why?

1.       Congressional bounds on wiretapping

2.       Not that many wiretaps done

G.    AD: Lots of ways of surveilling

1.       FBI wants to be able to listen to all communications

H.     JZ: FBI wants to do this with legal process

1.       The FBI needs wiretap authority to look at communications on internet now

I.           AD: There are no legal controls outside of the United States

1.       Human rights orgs use encryption devices to avoid threats of oppressive governments

IV.   Remote Comments

A.      Who protects us from the FBI?

1.       Fourth Amendment

·     FBI training

·     Process lengthy to get order

2.       Outside U.S.

·     FBI doesn’t surveil outside U.S.

·     Non-U.S. citizens being tapped also

·     Other agencies, foreign can tap

3.       What if U.S. wants to search outside U.S.

·     We have technology to protect communications world wide

·     We may not trust foreign surveillance organizations

·     FBI advocates strong encryption with legitimate law enforcement access

·     FBI does not purport to control encryption all over the world, but that is no excuse to give up on all control

V.      Key Escrow

A.      What is it

1.       Techniques for secure communication with possibility for third party access with an encryption key.

B.      Important commercial applications

·     Companies do not want to provide complete security with no 3rd party access

·     Employees could lose encryption keys

·     Lots of commercial applications

C.     Industry work with law enforcement to access where legitimate

1.       Trusted third party?

·     Pick who we want to be the third party

·     Law enforcement goes to that person for access

·     No different than normal wiretapping-telephone company could do this now

·     ISPs also serve this function

2.       AD: backdoor built in to any encryption system creates huge security problems

·     This requires a level of trust to the third party

·     Notice – the people being surveilled do not know it under the key escrow system

·     Backdoor encryption systems less secure on technology level

·     Hackers go for key recovery systems when they try to break codes

D.     JS:  Another Voice: Computer Industry

·     Companies like Microsoft, AOL, Novell,…

·     Market value for key escrow may exist, but there is in reality little demand for it

·     Consumer market place is afraid of Key Escrow

·     Selling to global market, but FBI is tying high-tech industry’s hands by restricting international sale

2.       Hannah: Not FBI’s place to dictate private interests

E.      Is there impending doom in either scenario?

1.       No disaster from allowing encryption

2.       No disaster from allowing key escrow

·     There will still be opportunity for law enforcement even when communications are secure

·     Is it really worth sacrificing all of our privacy, nationally and internationally, to aid a small number of law enforcement situations?

F.      Leave this to an encryption arms race?

1.       Doesn’t turn into an arms race because U.S. systems are already really good, difficult to stop

2.       Steady erosion of 4th amendment protections in name of dealing with social problems

3.       Encryption is a chance to boost protections

VI.   What happened last Thursday

VII.     How is policy actually created

VIII.  Class comments

A.      Confusion between communication and data storage.

1.       Stored data- you might keep your key

2.       Communication- little reason to store keys for that. 

B.      4th Amendment step function, 4th=expectation of privacy.  Does building in access mean no expectation of privacy?

1.       Subjective and objective legal expectation of privacy.  Comes down to what people are entitled to expect.

2.       From policy perspective, FBI will not live with whatever the high tech community comes up with.  Who knows how big the next step is?  Policy decisions should be made about what to accept and what not to.

C.     Why does the FBI need keys when it can seize keys?

1.       Real time access to communications and stored data.

D.     Difference between search of a house, wiretapping and key escrow.  All comes down to accountability.  Notice. 

E.      Asking citizens to trust U.S. government, but what about when you don’t?

1.       Some say history of law enforcement abuses.

2.       To create a system that is easily abused invites abuse.

3.       Natural check from the cost of surveilling, now cost is going to be lowered.  Why status quo of now, and not the status quo of before?

F.      Privacy needs to be increased from status quo??  Why do our policies have anything to do with Guatemala and/or Serbia? 

1.       Global medium-impact of U.S. policy will have big impact.

2.       Requirement of Key recovery is that it only works with other key recovery systems.  Meant to drive the global market into key recovery.  World wide key recovery regime.

3.       What are the standards for keys held in other countries?  How does anyone, any agency get access?

G.    Key recovery troubling because they want strong encryption and key recovery.  Insidiousness of locking everyone out except the federal govt.

1.       FBI doesn’t want to look at everyone’s communications

2.       Only wants access to communications of criminals

3.       Only wants to do it through detached and neutral magistrates

4.       One way to get into communications is through surveillance, other way is physically breaking down doors.  The physical is dangerous. 

5.       Companies don’t care about crime, they care about money.

6.       Civil libertarians just want expansive reading of 4th Amendment.

IX.   Who cares about this, who are the interested parties?

A.      Debate has been going on for five years

B.      Starting point:  Computer industry feels boxed.  They want to sell technology to global market.  Believe security important in real time data and in stored data. 

1.       tried to pursue a legislative strategy to push back limitations on export of strong encryption.

C.     Similar interests of civil libertarians and commercial interests.

1.       Markets respond to what civil libertarians say about commercial interests

D.     Commercial interests care much more about export controls than about key escrow.

E.      Significant support in government for the commercial interests and civil libertarian position

F.      Administration keeps giving in

X.      What happened last Thursday

A.      Administration blinked on this issue: export controls

1.       They liberalized the export controls

2.       Subject to minimal review (1 time) the government would allow export of strongest encryption software. 

3.       Very significant change.

B.      Reasons behind export controls

1.       Keep people outside of states from having access to strong encryption

2.       Keep people in US from having access.

·     So that it doesn’t get out of country

3.       It isn’t hard to get strong encryption; was control effective?

4.       Laws broken every day.  We don’t only pass laws that are perfectly enforceable. 

5.       Is the current system the honor system?

·     There are lots of places to get strong encryption

·     PGP=pretty good privacy.  Public domain encryption software. 

·     Sophisticated terrorists legally have access to the strongest encryption.  Only law abiding citizens do not have the access

·     FBI wants to give citizens better security.  Key recovery is not too hard for technology. 

·     [tech problems] – may be fighting for perfect privacy, but for who?  Created a debate where we go way up the step function or we keep ourselves locked in a situation where average user has lousy security.

6.       Who actually wants this privacy? 

·     Ground rules for how much privacy people will actually have.

·     People who aren’t even on the net yet

·     Uses of the future that people don’t know they care about yet

·     One thing we will not have is the status quo

C.     Administration new support for key proposals

1.       What are circumstances under which law enforcement can get access?

2.       Their standards are not the full fourth amendment protections civil libertarians want

XI.   Questions

A.      Afraid of the government or afraid of deviants/criminals.  Any happy medium? 

1.       Medium is a lot of encryption available but lots of opportunity for law enforcement to function. 

·     Users can actually get virtually unbreakable encryption and no disaster yet

·     FBI beginning to find other ways to enforce

2.       Everyone empowered to do things by the internet.  You can’t trust government to protect your privacy.  Can’t trust the industry to protect you.  Individuals finding ways to make sure they feel secure.  Looking to standards and resolving legal questions.

B.      Bank Account and need 128 bit browser to access account on line, can I take it to Spain legally?

1.       Yes, because of personal use exception

2.       Wasn’t legal a few years ago.

3.       Under personal use exception you must be diligent and keep your laptop secure from foreign nationals and keep records of travel with encryption for seven years.

C.     Bill is a surprise, roll back from previous administrative position.  What is the real reason for the roll-back?  Numbers in terms of income that companies make from this change in policy?

1.       Building to this announcement for a very long time.  Typical of the history of police.

2.       SAFE- Bill w/ 260 co-sponsors and majority and minority leaders.  About to be debated and passed on house floor.  Chances in senate questionable.  Chance of amendments possible.  But it had momentum.  Heading into election year.  Both parties want tech interests on their side.  White House reluctant to have to take sides in congressional debate.   JS: skeptical of actual significance of this announcement.

3.       The debate in congress not over. 

4.       JC:  several political dynamics.  Recognized by Clinton administration since day 1 as a no-win issue.  Law enforcement community: hard to step back and take long view of issue.  Compromise opens community up to severe criticism at next terrorist incident that uses encryption. 

5.       Administration has been under constant pressure to do something. 

6.       JC: easy way or hard way.  Easy way=technology fix that allows law enforcement.  Hard way=real threat of draconian legislation after next terrorist incident. 

7.       Law enforcement would have liked to use the CALEA model and just fix it up.  Used to dealing with telephone industry.  Have someone to go to solve their problems.  Net is simply not like that.  There is no one to call.

8.       Pendulum (point 6) swings other way too.  FBI in trouble because of Waco right now.  May be evidence of pendulum the other way.

9.       Possible that policy changed because it was the right thing to do.  Long time arguing that export controls unsustainable.  Can’t stop an idea at the border and encryption is an idea.  Ideas about encryption are not unique to the U.S. 

10.     Bill moving forward w/ staggering number of co-sponsors.  Dramatic change from a few years ago in terms of awareness in Congress/on Capitol Hill.  Tremendous amount of work by civil liberties and industry community.  Politics of internet issues bigger.  AD: change for the better. 

D.     Policy says: subpoenas requiring that individuals turn over keys.  Seizure of computers for notice.

1.       Very close to the current policy.  Currently requires turn over of keys and also plaintext.

2.       FBI wants to be able to get keys without notice.

3.       Leaves open opportunity to not turn over keys and go to jail instead.

·     Part of 4th Amendment that you might choose to go to jail instead of complying with what is required by law.  Also 5th Amendment

E.      What does turning over the keys mean?

1.       Password.  Something you say.  What about pleading the 5th Amendment. 

2.       Govt could immunize you.  Then you give the word.   The immunity only covers the word, not the things that they find from the words.  Can be introduced in court.  Only word and fact that you knew the word that can’t be introduced in court.

3.       Justice Department position: unless you have memorized entire encryption key, being required to provide the key is not a testimonial act.  Equivalent of turning over a record.  Analogy is to safe deposit box cases.

F.      Other voice missing: actual programmer.  Everything seems to be policy based, not taking tech into account.  Programs not perfect.  How can you guarantee complete security for a key bank?

1.       This is one of the fundamental questions

2.       Answer is that you can’t secure it.

3.       When you build a backdoor in it is impossible to keep it from being hacked.

4.       In a world where your encryption key could be the most valuable thing you own, is it reasonable to ask people to turn that over to a third party. 

5.       Not complete security vs. no security, but having pretty good security, such that it would really slow people down in trying to look at your stuff.  Pretty good privacy might be good enough for most. 

6.       Complicated debate.  Difficult to explain/educate in political policy making arena. 

·     Web casting – senator talk  

7.       Internet itself has been an important medium in educating senators and congresspeople about these issues. 

8.       Evangelical point: desperate need in Washington for people who understand and feel comfortable talking about tech issues and can operate in a policy space.  These issues only becoming more important over time. 

XII.     Rotisserie question: do it in real live person

A.      Question 3A – Division by party

1.       Two future world scenario.  FBI has keys w/ warrant requirement.  Govt can’t get in, routine use.

2.       Law students- majority but not consensus on world one

3.       MIT- consensus on world two. 

XIII.  Unsubscribing from names list


Rebecca Nesson
