True Names and the Opening of the Cyberspace Frontier (7 page)

An example of an item offered for sale early on, in plaintext, was proof that African diplomats were being blackmailed by the CIA in Washington and New York. A public key for later communications was included.

There are reports that U.S. authorities have investigated this market because of its presence on networks at Defense Department research labs. There's not much they can do about it, of course, and more such entities are expected. The implications such tools hold for espionage are profound, and their impact largely unstoppable. Anyone with a home computer and access to the Net or the Web, in various forms, can use these methods to communicate securely, anonymously or pseudonymously, and with little fear of detection. “Digital dead drops” can be used to post information obtained, far more securely than the old physical dead drops … no more messages left in Coke cans at the bases of trees on remote roads. Payments can also be made untraceably; this of course opens up the possibility that anyone in any government agency may act as a part-time spy.

Matching buyers and sellers of organs is another example of such a market, although one that clearly involves some real-world transfers (and so it cannot be as untraceable as purely cyberspatial transactions can be). There is huge demand for such transfers, but various laws tightly control such markets, thus forcing them into Third World nations. Fortunately, strong cryptography allows market needs to be met without interference by governments. (Those who are repelled by such markets are of course free not to patronize them.)

Whistleblowing is another growing use of anonymous remailers, with those fearing retaliation using remailers to publicly post their incriminating information. The Usenet newsgroups “alt.whistleblowing” and “alt.anonymous.messages” are places where anonymously remailed messages blowing the whistle have appeared. Of course, there's a fine line between whistleblowing, revenge, and espionage. The same is true for “leaks” from highly placed sources. “Digital Deep Throats” will multiply, and anyone in Washington, or Paris, or wherever, can make his case safely and anonymously by digitally leaking material to the press. William Gibson foresaw a similar situation in his novel
Count Zero
(1987), in which employees of high-tech corporations agree to be ensconced in remote labs, disconnected from the Nets and other leakage paths. We may see a time when those with security clearances are explicitly forbidden from using the Net except through firewalled machines, with monitoring programs running.

Information selling by employees may even take whimsical forms, such as the selling of topless images of women who flashed for the video cameras on “Splash Mountain” at Disneyland (now called “Flash Mountain” by some). Employees of the ride swiped copies of the digital images and uploaded them anonymously to various Web sites. Such thievery and exposure has also been committed with the medical records of famous persons. DMV records have also been stolen by state employees with access, and sold to information brokers, private investigators, and even curious fans. The DMV records of notoriously reclusive author Thomas Pynchon showed up on the Net. It's been rumored that information brokers are prepared to pay handsomely for a CD-ROM containing the U.S. government's “key escrow” database.

The larger issue is that mere laws are not adequate to deal with such sales of personal, corporate, or other private information. The bottom line is this: if one wants something kept secret, it must be kept secret. In a free society, few personal secrets are compelled. Unfortunately, we have for too long been in a situation where governments insist that people give out their true names, their various government identification numbers, their medical situations, and so on. “And who shall guard the guardians?” The technology of privacy protection can change this balance of power. Cryptography provides for “personal empowerment,” to use the current phrasing.

Holding Up the Walls of Cyberspace

In the virtual worlds described in the science fiction of Vinge, Gibson, Stephenson, and others, what holds up the “walls”? What keeps these worlds from collapsing, from crumbling to cyberdust as users poke around, as hackers try to penetrate systems? The virtual gates and doors and stone walls described in
True Names
are persistent, robust data structures, not flimsy constructs ready to collapse.

Certainly the robustness does not come from the hand-waving “consensual hallucination” referred to by some cyberspace pioneers such as Gibson (though he got it mostly right with his “ice”). Psychology and mental states will of course be important in virtual worlds, as is already so obviously the case on the Net and the Web, but true solidity and structure will come from more basic protocols.

Security and cryptography provide the ontological support for these cyberspatial worlds, for enduring structures that permit “colonization” of these spaces and structures. More precisely, the “owners” of a chunk of cyberspace—e.g., someone maintaining a virtual world on their owned machines and networks—establish the structure, persistence, access policies, and other rules. “My house, my rules.” Those who disagree with the rules will be welcome to stay away. And those who disagree with the rules but want governments to change the rules will face an uphill battle. Owners can always re-site their machines in more favorable jurisdictions or choose to operate behind a veil of anonymity. The owners of cyberspaces will use cryptography and security measures to ensure against tampering by others.

Cryptography is not just about building the kinds of virtual realities described in
True Names.
The security of ordinary networks depends on cryptography. And yet the deployment of strong cryptography is being hobbled by the various laws and regulations limiting the use of cryptography, including export laws that affect domestic encryption products in several ways, especially because they decree that liability exists if a “foreign person” is “exposed” to an export-controlled product, even if he buys it in a U.S. store or sees it in a U.S. university lab! The U.S. is even limiting export and placement on public sites of virus protection and general security software, strongly suggesting they want the ability to knock out foreign sites and don't want Americans to protect foreign sites. Is the U.S. planning for information warfare?

Proposals for mandatory “key escrow,” where the government gets access to a kind of spare key left with it, will weaken confidence in digital commerce, and could provide the “keys to the kingdom” to a spy or hostile power able to gain access to the master database. Unfortunately, the government's plans to put “Big Brother Inside” the networks and to restrict access to proper security measures means these hostile agents will face an easier job. When considering the “bad” implications of strong cryptography, keep this in mind.

Some years back, the National Security Agency was explicitly divided into two functions, one function doing signals and communications intelligence (SIGINT and COMINT), and the other doing communications security and information security (COMSEC and INFOSEC), i.e., working on mechanisms to better secure the nation's communications. At about this time, circa 1988, the NSA's COMSEC folks were
explicitly
warning that DES, the Data Encryption Standard, was long overdue for replacement and that new measures were urgently needed to secure the nation's communications and financial infrastructure. Yet, a decade later, with warnings of an impending “digital Pearl Harbor,” the NSA and FBI are doing everything they can to limit access to strong cryptography and are throwing up roadblocks to hinder the deployment of strong and secure systems.

It looks like the user community will have to ignore their demands and secure things themselves. John Gilmore's SWAN program seeks to make links between machines on the Net routinely encrypted.

Virtual Communities

Virtual communities, mentioned earlier, are networks of individuals or groups which are not necessarily closely connected geographically. The word “virtual” is meant to imply a nonphysical linking, but should not be taken to mean that these are any less community-like than are conventional physical communities.

The “Coven” in
True Names
is such a virtual community. Other examples include churches, service organizations, clubs, criminal gangs, cartels, fan groups, etc. The Catholic Church and the Boy Scouts are both examples of well-established virtual communities that span the globe, transcend national borders, and create a sense of allegiance, of belonging—a sense of “community.” Likewise, the Mafia, with its enforcement mechanisms, its own extralegal rules, etc., is a virtual community. There are many other examples: Masons, Triads, Red Cross, Interpol, religions, drug cartels, terrorist groups, political movements, to name a few. In an academic setting, “invisible colleges” are the communities of researchers. Linked by computer networks, these virtual communities are often of greater importance to members than are their physical communities, or even their universities.

There are undoubtedly many more such virtual communities than there are nation-states, and the ties that bind them are for the most part much stronger than are chauvinistic nationalist impulses. Each community will have its own rules, its own access policies, initiation rituals, censure policies, and so forth. Governments have had little power to penetrate such private groups, and even less penetration is likely when strong cryptography provides a new topology for connectivity. Essential to these communities is their essentially
voluntary
nature: it is difficult to coerce membership or interaction, though there are some obvious examples of such coercion. Self-selection and self-enforcement of rules are important aspects. Virtual communities may be attacked by those who disagree with their policies, or have some bone to pick; the Cypherpunks list has been attacked by spam attacks, subscribing the list to other high-volume lists, creating mail loops, posting of incredibly long rants on unrelated topics, and so forth. It is to be expected that hardening techniques will evolve to better protect such virtual communities. For the time being, kill files and twit filters are the best protection. Some on the Cypherpunks list choose to contract with others to filter for them, e.g., by creating “best of” compilations. This is the free market in action.

The corporation is a prime example of a virtual community, having scattered sites, private communication channels (generally inaccessible to the outside world, including governmental authorities), its own security forces and punishment systems (within limits), and its own goals and methods. In fact, many “cyberpunk” (not cypherpunk) fiction authors make a mistake in assuming the future world will be dominated by transnational megacorporate “states.” Corporations are just one of many examples of such virtual communities that will be effectively on a par with nation-states.

These virtual communities are typically “opaque” to outsiders. Attempts to gain access to the internals of these communities are rarely successful. Law-enforcement and intelligence agencies may infiltrate such groups and use electronic surveillance (ELINT) to monitor these virtual communities. Not surprisingly, these communities are early adopters of encryption technology, ranging from scrambled cell phones to full-blown PGP encryption. Strong cryptography is already being used by various revolutionary and antigovernment movements, including rebels in Burma and Mexico. Usage is mounting daily; strong crypto makes for an ideal “revolutionary cell” system.

In addition to their own rules and access procedures, virtual communities typically have their own moral codes and ethical standards. Revolutionary or so-called terrorist groups are just one example; unbreakable cryptographic communications mean that the potential for coordinated activity by groups having their own moral standards is greatly increased.

A “politically incorrect” usage of these virtual communities is to use “race bits” to bar membership by certain races in such communities. This can even be done without violating the protection of a nym, using the idea of a “credential without identity.” For example, the Aryan Cybernation could demand that a credential be displayed showing one to be a Caucasian. Ironically, an equivalent example, but one which is deemed politically correct by many, is the example of “women-only” forums on the Net. In this case, a woman could gain access to a women-only forum by demonstrating possession of a credential with the appropriate gender bit set. (At the simplest level, this can be done by having other women “vouch” for a candidate, digitally signing a statement the candidate presents.) A more robust system, with less opportunity for false use or false transfer, would be to implement Chaum's credentials-without-identity scheme. But the point is to show how virtual communities can establish their own access rules and their own enforcement mechanisms.

In this example, if the nexus of the virtual community is not known to be in a specific jurisdiction, but is “virtual,” enforcement of national laws is problematic. Nations can ban membership in such unapproved groups, of course, but then members will access them through remailers, etc. (Which would inevitably lead to the next step: banning remailed messages, banning encrypted messages, registering personal computers and software, etc.)

The use of encryption by “evil” groups, such as child pornographers, terrorists, money launderers, and racists, is cited by those who wish to limit civilian access to crypto tools. I call these the “Four Horseman of the Infocalypse,” as they are so often cited as the reason why ordinary citizen-units of a nation-state are not to have access to crypto. Newspaper headlines scream “Child Pornography Ring Using Secret Codes to Communicate,” and the U.S. Department of Justice and the FBI send spokesmen out to speak at public conferences on the dangers of encryption.

This is clearly a dangerous argument to make, for various good reasons. The basic right of free speech is the right to speak in a language one's neighbors or governing leaders may not find comprehensible: encrypted speech.