from the pages of../

Cyberspace: Pandora's Mailbox, RC4 a secret no longer

Mark Chen


On September 9 there appeared on the Cypherpunks' Internet mailing list a short piece of computer source code purporting to be RSA Data Security's secret RC4 cipher algorithm. RC4 is one of the most widely used commercial ciphers, but its internals have for years been a guarded trade secret--a status that changed within hours, as the program fragment, which simple tests revealed to be the genuine article, traversed the farthest corners of the Net via e-mail, bulletin boards, and file transfer. State Department export regulations, as well as intellectual property laws, were smoothly rendered moot. As Cypherpunk founder Tim May says, "National borders are just speed bumps on the information superhighway."

Soon after RC4 hit the Net, RSA Data Security (RSADSI) issued a statement that read in part: "It has come to RSA Data Security's attention that certain RSA trade secrets, in the form of confidential and proprietary source code, have been misappropriated and disclosed..."

... Not only is this act a violation of law, but its publication is a gross abuse of the Internet. RSA has begun an investigation and will proceed with legal action against anyone found to have violated its intellectual property rights."

Setting aside the questionable legal basis of these threats, why doesn't RSADSI bring charges against the person who originally released the code? The answer is they don't know who did it. The code was distributed through a mechanism called a "mailing list," a system that distributes e-mail to people who have signed up to receive messages on a given topic. For example, if you were interested in fish, you might sign up for an aquarium hobbyists' list. People could then send e-mail to the list server, and the e-mail would be forwarded to everyone on the list. RC4 was posted to the Cypherpunks' "anonymous remailers," list. When an anonymous remailer receives a message, it strips off all of the sender information and remails the message under an anonymous pseudonym. This effectively breaks the link between sender and recipients, and makes tracing impossible.

The intended purpose of these remailers is to allow free distribution of various intellectual "commodities," whose distribution is ordinarily discouraged by law or custom. A Cypherpunk faction called the Information Liberation Front has long used anonymous remailing to distribute inaccessible, expensive, copyrighted literature. Moreover, the remailers serve as technological guarantee of the right to free speech. They allow unpopular opinions to be voiced, while protecting the authors of those opinions from retribution.

Far from being a "gross abuse of the Internet," as RSADSI maintains, the distribution of RC4 was a case of the Internet doing what it does best--propagating ideas. While this act may or may not have been a violation of human-made laws, it was a faithful exercise of the natural laws of information flow, as expressed by Thomas Jefferson, parent of the American patent system, in an August 13, 1813 letter to Isaac McPherson: "If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of everyone, and the receiver cannot dispossess himself of it. Its peculiar character, too, is that no one possesses the less, because every other possesses the whole of it. He who receives an idea from me, receives instruction himself without lessening mine; as he who lights his taper at mine, receives light without darkening me. That ideas should freely spread from one to another over the globe, for the moral and mutual instruction of man, and improvement of his condition, seems to have been peculiarly and benevolently designed by nature, when she made them, like fire, expandable over all space, without lessening their density at any point, and like the air in which we breathe, move, and have our physical being, incapable of confinement or exclusive appropriation. Inventions then cannot, in nature, be a subject of property."

So to the dismay of RSADSI and many others, 21st century technology is catching up to Thomas Jefferson's 18th century natural philosophy, and turning "intellectual property" into an oxymoron. The question of "What can be done?" about truly unrestricted free speech--that is, the freedom to distribute any intellectual products at all, including those that supposedly "belong" to someone else--is a matter of controversy.

The fear among the commissars is that the force of Jefferson's laws of infodynamics may well prove to be absolute. This fear is so profound that the Administration's techno-evangelists are still in a state of denial--a fact well-illustrated by the Information Infrastructure Task Force's extraordinary 150-page draft report on "Intellectual Property and the National Information Infrastructure." Beginning with the Panglossian assertion that "with no more than minor clarification and amendment, the Copyright Act, like the Patent Act, will provide the necessary protection of rights" on the Infobahn, the report goes on to make various pronouncements on how intellectual "property" is to be defended technologically--none of which can withstand cursory inspection by any engineer with more intelligence than a bivalve. Sensing, perhaps, the dearth of substance in their work, the authors quickly move on to discuss more practical matters. First, some moral training: "There seems to be an attitude by some on the Internet...that you check your copyright at the door when you enter that domain. There is a general lack of awareness...about intellectual property."

And such a deplorable circumstance obviously calls for a massive program of indoctrination: "Effective education of the public about intellectual property rights is crucial....Therefore, the principles of intellectual property law must be taught in our schools and libraries."

And it goes downhill from there.

While this official pabulum may frighten laypersons (lacking, as we do, the moral fiber afforded by a proper education in intellectual property law), it must be conceded that desperate times call for desperate measures. What is a government to do? Suppose, for example, that to put an end to the kind of hanky-panky that allowed the release of RC4, Congress decided to outlaw anonymous remailers. Well, then, what about the ones overseas? Any computer attached to the Internet is just as accessible as any other; neither national borders nor geographical distances make a whit of difference. It might further propose that the NSA monitor all overseas traffic and have the FBI visit anyone who transmits items from a stipulated verboten list. This, too, fails because unbreakable cryptography is now widely available, and would render such transmissions opaque even to the NSA. Okay, then, let's suppose that we prohibit transmission of encrypted data altogether. Unfortunately, encrypted data can be made virtually impossible to detect. Through a technique called "steganography," encrypted messages can be imbedded in other, normal-looking data so that they appear to be nothing more than, say, graphics or audio files. And as a further complication, a technology called "DC-nets" (invented by David Chaum) now enables people to create anonymous messages that are mathematically impossible to trace--with or without remailers. Practical implementations of this technology have not yet been devised, but they are not far off.

Some analysts are now advocating a scheme called "superdistribution," based on the premise that while it is difficult to control software's duplication, it is easy to control its behavior. It implicitly recognizes that past attempts at control have been dismal failures, due largely to the fact that they tried to treat ideas like physical goods. So in stark contrast to such silly measures as copy protection, superdistribution encourages aggressive, free dissemination of software. Control happens not at the point of duplication, but at the point of use. The user may freely obtain a program from a bulletin board, a public file server, or e-mail; but when they run it, the program requests payment in order to function.

Various mechanisms have been proposed for enabling this "revenue collection," ranging from specialized hardware that accumulates usage fees for monthly billing (like a gas meter) to on-the-spot digital cash payment via e-mail. Whether or not computer users are ultimately willing to submit to such a regimen of capitalist genuflection is an open question; but the fact that these solutions are being proposed underscores the magnitude of the problem.

It is impossible to judge what shape an eventual solution will take. Schemes like superdistribution apply only to binary programs, not source code, and as yet, no one has made even a plausible conjecture about how to regulate static data like text or artwork. What is clear is that some of the fundamental assumptions of capitalism, like the relationship of supply to demand, cannot survive in cyberspace without drastic modification. In the words of John Perry Barlow: "Notions of property, value, ownership, and the nature of wealth itself are changing more fundamentally than at any time since the Sumerians first poked cuneiform into wet clay and called it stored grain. Only a very few people are aware of the enormity of this shift, and fewer of them are lawyers or public officials."

In today's virtual world, property cannot be bolted down and speech cannot be curtailed. The Espionage Act cannot enforce obedience; employers cannot "discipline" employees for complaining about management ineptitude or paternalism. There is no identifiable author to throw in jail or to fire. There is no press to shut down.

These facts have direct implications for our existing system of ideological hegemony. On September 1, for instance, NBC aired a "Dateline" segment (demurely entitled "Dial in for Mayhem") about peripatetic youths who had lost fingers while trying to follow pyrotechnic recipes from terrorist manuals found on computer bulletin boards. Viewers were treated to the spectacle of Deborah Roberts expressing shock and dismay at the easy accessibility of such titles as Anarchy for Fun and Profit and Uncle Fester's Home Workshop Explosives. The segment closed with Congressman Ed Markey fuming, "This is an open network that sends sewage...into the homes and minds of children without any safeguards whatsoever....We are now going to have to construct a new set of laws to give parents the power they need to protect their children," thus deftly adapting the NSA's "pederast in the computer" argument (featured recently in the Clipper Chip debate) to our newest national security threat.

The message? Knowledge can kill, folks, so be sure to get yours from a licensed retailer



Z Magazine

ZNet Watch Sites ZNet Crisis Sections The Parecon Site