Status of Cryptography Research in implementation of the EUCD

Owen Lewis oml at sysrx.uk.com
Fri, 16 Aug 2002 13:02:52 +0100


> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ian Miller
> Sent: 15 August 2002 22:33
> To: ukcrypto@chiark.greenend.org.uk
> Cc: ukcrypto@chiark.greenend.org.uk
> Subject: RE: Status of Cryptography Research in implementation of the
> EUCD
>
> >1. Markets are largely self balancing.
> Only where the participants in the market have the information to make
> rational choices.  Where the law allows someone to suppress the truth they
> don't 'balance' at all.
>

I don't share your view. Market balance has nothing to do with truth. It has
to do with balances of profit and risk. It has to do with what one can
produce and another will buy. It has to do with competition between
suppliers. The law's place in this is to maintain a large and strong ring
within which the many interactions must take place (laws of contract,
anti-monopoly, sale of goods etc.). It is not, in my view, the place of the
law to micromanage the interactions. Where it attempts to do so the results
are usually the same:

		-	Reduced supplier competition.
		-	Reduced product choice.
		-	Sometimes, loss of availability of entire product categories.
		-	Higher prices.
		-	Sometimes an improved level of safety for buyers. And sometimes this
improvement is real and sometimes it is notional or even illusory. In any of
the three possible alternatives that *may* arise, the direct result of all
three is higher prices.

Have you ever lived in a controlled economy, where the law is used to direct
market interaction? I have. I largely grew up in one and have since lived in
one elsewhere for a few years. It's pathetic; a daily continuance of insult
to human intelligence, needs, desires and endeavours.

> >2. If the law is a bad tool to redress market balance, vigilantism is surely
> >worse.
> In this case, the law isn't redressing market balance, it is creating
> market imbalance.
>
> Vigilantism (in the form of hackers exchanging information about weaknesses
> in private) is going to happen anyway.

:-))

That is a bit like saying that robbery is going to happen anyway (which is
true) and therefore one might as well place robbers within the law.

> The question is whether the public
> relying on the security products will have access to the same information.
> Responsible researchers telling the supplier first and then, after a
> suitable delay, going public are doing a public service.  They should be
> encouraged, not outlawed.

That is one way of looking at it. Not all act as you say.

Yet once again, the harm lies not in discovery of a method of circumvention
(etc) but in its publication or in its direct application, by the discoverer
in person or, equally, by others who have read his publication. Telling the
manufacturer in the first instance is courteous but will often be
insufficient to prevent harm by the subsequent publication. For harm to be
surely avoided, publication would need to be delayed until its content
retained only academic interest and had lost all commercial value for
criminal purposes. That piece of string may be longer or shorter. It may
sometimes be very long indeed.

And you too, do not address the key issue of whether the vigilante had acted
lawfully in obtaining his knowledge. If, as may well be the case, he did not
act lawfully, how can one then argue that he should be allowed the
protection of the law to profit directly from his unlawful act?

There is another way to obtain the good ends that come from such research;
to do so lawfully and remove harm from the process.

	-	Do the research under NDA and with the manufacturer's consent.

	-	Charge the manufacturer for the benefit he will obtain from a report on
successful research as opposed to the true market cost of the research.

	-	Obtain the maximum research opportunities by operating on a 'no crack -
no fee' basis.

	-	Forgo the traditional academic kudos of being the first kid in class to
wave his hand and shout, "I done it!".

	-	Obtain academic kudos, improved career prospects (and enjoy the envy of
others) simply by having a facility that is remarkably well funded and
outside whose door the queue of household-name manufacturers stretches
around the block. A facility whose work is *the* sine qua non imprimatur of
global excellence in its field.

	-	The facility need not be localised and thus only be able to draw on a
limited pool of talent. It could be virtualised and global in nature.
However, it would have to run to certain strict rules (confidentiality etc.)
which all joining must agree to and abide by, and also show that they are
capable of doing this (proven talent, secure systems etc.).

All one needs to do is to be willing to stay schtumm (and have the smarts).
As the immortal Costner plagiarised, 'Provide the facility and people will
come'.

Owen