Saturday, August 25, 2007

The Marketplace of Ideas -- Part I

If Wikipedia is right (as has been known to happen, from time to time), then "The concept of [a] 'marketplace of ideas' is most often attributed to Justice Oliver Wendell Holmes'[s] dissenting opinion in Abrams v. U[nited] S[tates], 250 U.S. 616 (1919). Interestingly, while Justice Holmes (1919) implied the idea in his dissenting opinion, he never used the term."

The "Marketplace of Ideas" page of Wikipedia (at least on August 25, 2007 -- I suspect somebody will do a better job with it, eventually) goes on to talk about the notion of a *classroom* as the "marketplace of ideas." There's a lot to unpack in just these introductory references. The really interesting idea, that prompted this post in the first place, is at the end (or may even wind up in Part II . . . forgive an old man his ramblings!). First, let's touch briefly on Holmes and classrooms.

At some point, I really need to write (and will write) something about Justice Holmes's jurisprudence of the First Amendment, including the Debs case (that's Eugene Debs -- who later was released from prison after the "Red Scare" cooled down a little, Warren Harding took office, and the federal government got a lot busier on subjects like crony capitalism, instead of the ideological obsessions that prevailed during Woodrow Wilson's administration), the Schenck case, and how Holmes's early thinking at least appears to relate to the Italian Hall Massacre. Also of related interest are Learned Hand's apparent influence on Holmes's thinking, and Holmes's eventual change of perspective, which ultimately led at least part of the way toward modern First Amendment jurisprudence. All these subjects are fascinating, and probably aid in a deep understanding of what a real "marketplace of ideas" should be all about. But this does not seem to be quite the time to go beyond spotting the issues. Deeper analysis can wait for later.

As to the issue of a "classroom" as the marketplace of ideas, I cannot seem to resist the impulse to get beneath the surface of this notion. First, I've recently been reading Lies My Teacher Told Me, by James W. Loewen (actually, the link is to the updated version, set to be released in October, 2007 -- I've been reading the 1996 version with great enthusiasm). Not to get too far into the subject (on which, again, I expect to write "really soon, now") of the difference between talking about facts and talking about metaphorical symbols, and how the latter can really get in the way of understanding when it comes to (1) understanding what *really* happened in history, or (2) having a conversation between two people who don't realize that each is talking about different things -- one about reality, the other about symbolic (though inaccurate) metaphors; or (3) actually thinking clearly about reality.

Too many Americans somehow have acquired (or have been indoctrinated since Kindergarten into) the bad habit of thinking about history in terms of symbolic imagery -- "Squanto the helpful Indian;" "The First Thanksgiving;" "The Mayflower Compact." Reality is far more instructive, and ought to be understood. For instance, Tisquantum (rendered as "Squanto" in schoolbooks) was quite a remarkable historical figure, was (before the "Pilgrims" met him) a polyglot who spoke several European languages, who had crossed the Atlantic several times (by 1620, he was far better-traveled than was, say, George W. Bush, in 2000), and who had probably learned that "plant a fish with your corn" trick, not from native Americans, but from Europeans in Cornwall. On the subject of what Europeans learned from the Natives, textbooks tend to focus on the trivial and the quaint, like the fish-and-corn story, while giving Europeans sole credit for things like . . . well, Constitutional Democracy. That had its origins in the Mayflower Compact, no? Well, perhaps to some degree, but it would be a mistake to disregard (to the extent that textbooks are predisposed to do) the much more substantial contribution of the example of the Iroquois Confederacy. And, while "The First Thanksgiving" makes for charming kindergarten pageants, it is probably a good idea to mention how the version we now know grew out of a morale-boosting propaganda effort initiated by the Lincoln Administration during the Civil War, or how the "Pilgrims" resorted to grave-robbing to survive (at least some survived) their first winter. Even more to the point, when we celebrate the so-called generosity shown by the European "hosts" to their native American "Guests," it is worth remembering that the traditional foodstuffs -- maize, turkey, cranberries -- were not European transplants. Somehow, the real direction of the generosity gets turned-around in the Europeans' re-telling of it.

The blog Mahablog does a quite remarkable job of framing the issue of how bizarre it is to engage in discourse by referring to historic events as metaphorical symbols, as our current leaders are inclined to do when they intone solemnly the phrases, "Churchill and Stalin at Yalta;" or "Ronald Reagan before the Berlin Wall;" or (as Bush 43 recently invoked) "Helicopters on the roof of the Vietnamese Embassy." As Mahablog goes on to explain (and the explanation is both cute, and so true):

The key to understanding right-wing rhetoric can be found in an episode of the television series Star Trek: The Next Generation.

In “Darmok” (originally aired 1991) the crew of the Enterprise encounters the Tamarians, a people with an incomprehensible language. “We come in peace,” say the Enterprise crew. “Darmok and Jalad at Tenagra,” reply the Tamarians. “Temba, his arms wide.” The Next Generationers are baffled.

But then Captain Picard and Dathon the Tamarian have an adventure together battling an invisible beast, and during this adventure Picard has a “Helen Keller at the water pump” moment and realizes that Tamarians speak in metaphors taken from stories. For example, “Darmok and Jalad at Tenagra” refers to two enemies, Darmok and Jalad, who became allies at Tenagra. As a phrase, it means “Let’s put aside our differences and be friends.” So after much suspense and drama and the death of the unfortunate Dathon, by the end of the episode Picard knows enough Tamarian to say, “Bye. It’s been real.”

By the way, when Mahablog refers to "Helen Keller at the water pump," presumably, this is done in an ironic sense, because that, too, is a metaphor that gets in the way of reality. Somehow, the tellers of the Helen Keller story rarely get past the water pump, to talk about the real work of Keller's life. In this regard, Wikipedia actually turns out to be reasonably helpful (no wonder there's a movement afoot among self-identified "conservatives" to manufacture their own version of Wikipedia, where they don't have to be bothered by inconvenient things like facts):

Keller was a member of the Socialist Party and actively campaigned and wrote in support of the working classes from 1909 to 1921. She supported Socialist Party candidate Eugene V. Debs in each of his campaigns for the presidency.

Newspaper columnists who had praised her courage and intelligence before she expressed her socialist views now called attention to her disabilities. The editor of the Brooklyn Eagle wrote that her "mistakes sprung out of the manifest limitations of her development." Keller responded to that editor, referring to having met him before he knew of her political views:

"At that time the compliments he paid me were so generous that I blush to remember them. But now that I have come out for socialism he reminds me and the public that I am blind and deaf and especially liable to error. I must have shrunk in intelligence during the years since I met him...Oh, ridiculous Brooklyn Eagle! Socially blind and deaf, it defends an intolerable system, a system that is the cause of much of the physical blindness and deafness which we are trying to prevent."

Keller also joined the Industrial Workers of the World (IWW) in 1912, saying that parliamentary socialism was "sinking in the political bog." Keller wrote for the IWW between 1916 and 1918. In ([1]) Why I Became an IWW, Keller wrote that her motivation for activism came in part due to her concern about blindness and other disabilities:

"I was appointed on a commission to investigate the conditions of the blind. For the first time I, who had thought blindness a misfortune beyond human control, found that too much of it was traceable to wrong industrial conditions, often caused by the selfishness and greed of employers. And the social evil contributed its share. I found that poverty drove women to a life of shame that ended in blindness."

Conservapedia, conveniently (at least as of September 15, 2007), just disregards Helen Keller entirely, and apparently consigns recollection of her accomplishments (and her politics) to the memory hole.

So, getting back to Mahablog's point about communicating with metaphor -- "Squanto and the Pilgrims at Plymouth," or "Churchill during the Battle of Britain," or "Mr. Gorbachev, Tear Down This Wall," or even "Helen Keller at the water pump" -- as used in too much (but not all) recent political discourse, does not necessarily refer to the historical reality of the event, but rather to all the baggage of symbolism and metaphor (and distortion) that people with an agenda have labored hard to manufacture and cultivate around the event (or the person -- too bad Peggy Noonan can't be more like John Dean, but that probably doesn't pay quite so well, or result in quite so many television appearances). The modern-day myth-makers are hardly the first to do it. Compare Hittite and Egyptian accounts of battles fought between them, or just read the Old Testament.

But the key point is this: It is worthwhile to recognize (and to equip students and citizens to recognize) what they're doing, so as to make it possible to step back and start unpacking the metaphorical baggage, so as to keep the bits with real value and to discard the rest in the trash.

So, with that distinction in mind between the habits of thought that *are* cultivated in the classroom, compared with the critical thinking skills that *ought* to be taught (I think George Carlin had a few choice words on this subject, too), it seems a good time to mention (and to respond to the Wikipedia "marketplace of ideas" page) that the *classroom* seems, quite recently, to have become nearly the farthest thing we have from a "marketplace of ideas" -- especially, with the Supreme Court upholding a content-based (indeed, viewpoint-based) restriction on even whimsical speech, without even bothering to apply the customary "strict scrutiny" compelling governmental interest / narrowly tailored and necessary / least restrictive means, test that ought to apply.

It seems rather odd and incongruous that -- at least in the eyes of *some* justices -- the Constitution provides so much protection for free speech, when a minor (apparently, flirting with white supremacist ideology) burns a cross in the yard of the minor's black neighbors, yet the same document (or Holy Writ, depending on your view) offers so little protection when a student of roughly the same age (perhaps a little older, in fact) happens to broach the apparently "taboo" subject of marijuana legalization (at least in the eyes of the disciplining school administrator, that was the viewpoint of the message) by unfurling a "BONG HiTS 4 JESUS" banner.

In 1992 (the tail end of the Bush 41 administration), Justice Scalia in R.A.V. v. St. Paul, correctly recognized that: "The First Amendment generally prevents government from proscribing speech, or even expressive conduct, because of disapproval of the ideas expressed. Content based regulations are presumptively invalid." Further, while recognizing that, "our society, like other free but civilized societies, has permitted restrictions upon the content of speech in a few limited areas, which are 'of such slight social value as a step to truth that any benefit that may be derived from them is clearly outweighed by the social interest in order and morality,'" Justice Scalia went on to recognize that cross-burning on a neighbor's yard, while offensive, evidently (in his view) had enough redeeming social value to outweigh any countervailing social interest in order and morality. In Scalia's view (in RAV) the "hate speech" ordinance went beyond mere content discrimination, to viewpoint discrimination -- in part because the legal prohibition tended to turn on the reaction of the intended audience: "In its practical operation, moreover, the ordinance goes even beyond mere content discrimination, to actual viewpoint discrimination. Displays containing some words--odious racial epithets, for example--would be prohibited to proponents of all views. But 'fighting words' that do not themselves invoke race, color, creed, religion, or gender -- aspersions upon a person's mother, for example -- would seemingly be usable ad libitum in the placards of those arguing in favor of racial, color, etc. tolerance and equality, but could not be used by that speaker's opponents. One could hold up a sign saying, for example, that all 'anti Catholic bigots' are misbegotten; but not that all 'papists' are, for that would insult and provoke violence 'on the basis of religion.' St. Paul has no such authority to license one side of a debate to fight freestyle, while requiring the other to follow Marquis of Queensbury Rules."

How things change in fifteen years, when the subject turns to drugs instead of white supremacy. Justice Scalia, of course, did not write the majority opinion in Morse v. Frederick -- that was Justice Roberts. Justice Scalia only signed on whole-heartedly to the Court's pro-censorship decision. According to Roberts, the "BONG HiTS" speech can be punished -- not only based on the speaker's viewpoint -- but even based on a government official's subjective perception about the message that (in the listener's mind) the speaker might mean to convey. Especially if that perceived communicative (and, in the Morse case, core political) expression happens to favor a change in public policy in the form of marijuana decriminalization -- well, then -- such ideas are simply beyond the pale, and we cannot have students competing for mindshare with government-subsidized expression promoting the opposite viewpoint: "But Principal Morse thought the banner would be interpreted by those viewing it as promoting illegal drug use, and that interpretation is plainly a reasonable one. As Morse later explained in a declaration, when she saw the sign, she thought that 'the reference to a "bong hit" would be widely understood by high school students and others as referring to smoking marijuana.' App. 24. . . . We agree with Morse. At least two interpretations of the words on the banner demonstrate that the sign advocated the use of illegal drugs."

To use Scalia's analysis from the R.A.V. case, Justice Roberts's attempt to hang his hat on perceived advocacy of "illegal drug use," as opposed to perceived advocacy of the view that the activity should not even be illegal in the first place, is nothing more than "word play."

The real point I meant to get around to, and will in Part II, is one about the differences and similarities between the commercial marketplace, and the "marketplace of ideas."

The mere commercial success of a particular source of information (say, a news channel, or a shrill author who routinely accuses well-meaning and intelligent people of treason and heresy) ought not to be considered a measure of the accuracy or informative value of the information conveyed by that source -- any more so than the commercial success of flavored tortilla chips or pizza (compared with, say, spinach or asparagus) should be considered the best way to judge the nutritional value of supermarket products.

Let me suggest, just briefly, that Roger Ailes recognized something important about the time that Rush Limbaugh's radio show became a huge, and unexpected, commercial success. Prior to that time, the assumption seemed to be that news outlets should compete (in what was thought of as the "marketplace of ideas" -- especially in Supreme Court cases like Red Lion) largely on the basis of accuracy and journalistic standards and airing "both sides of the issue." The best job of journalism ought to win, in "the market-place of ideas." According to Red Lion: "It is the purpose of the First Amendment to preserve an uninhibited market-place of ideas in which truth will ultimately prevail, rather than to countenance monopolization of that market, whether it be by the Government itself or a private licensee."

If the commercial marketplace and the "marketplace of ideas" work the same way, and the commercial marketplace works the way envisioned by the Supreme Court, then, presumably, broccoli ought to win in the "marketplace of the grocery store," and outsell junk food by wide margins. That's not exactly what we observe -- either in the grocery store, or television, or the bookstore.

What if a large segment of the broader audience wants (and strongly demands) something else entirely -- having little to do with making sure that "truth will ultimately prevail" -- such as validation. What if (like visitors to the Creation Museum) they desperately crave to be misinformed, and to have their pre-existing prejudices validated by the media they consume. That's also a demand that can be (and, today, is) filled quite profitably.

The really disingenuous part of it all is when the shareholders and management of what used to be legitimate news outlets (remember the *old* CNN that was worth watching?), insist on pretending that ratings comparisons between Fox and the *old* CNN somehow constitute(d) apples-to-apples comparisons. If the two are targeting completely different audiences -- Fox News, by targeting those who crave validation, while the *old* CNN targeted people who actually wanted news -- then Wall Street's insistence that CNN (to compete in a phony "ratings war") must somehow start emulating a completely different category of enterprise, seems only calculated to cause CNN not only to fail to capture the "validation" audience, but also to turn off the "news" audience as well. And that's why, today, to get the news on television, one must turn either to an hourly show on cable television (there's no all-news cable channel anymore that has not substituted either entertainment or right-wing-validation for the news), or to Comedy Central's 11-midnight lineup of Colbert and Jon Stewart.

Some marketplace. More on this later.

Friday, August 24, 2007

IronKey -- Clipper Chip revisited?


Can there be any doubt what music these guys were listening to (with the amp turned up to 11) as they developed their core packaging and brand-image concepts? As products marketed to technology geeks go, this one practically exudes faux testosterone from its microscopic and epoxy-hardened metallic pores.

Plus, IronKey is more affordable and easier to park than a Hummer (not one of those newer girlie-man models, mind you, but the good old military-wannabe war-wagons that became the late-1990s ride of choice for cigar-chomping multi-millionaires, whose Austrian accents -- whether imitated or real -- seem so doggone corny, in retrospect).

Gizmodo describes the IronKey product as follows:

"Designed to be the world's most secure flash drive, the IronKey employs military-grade AES hardware-based encryption using its IronKey Cryptochip. The encryption keys are stored on the drive itself and your password is required in conjunction with the keys to access and decrypt files. If you forget your password, you may be in trouble; after ten consecutive failed password attempts, the IronKey self-destructs (internally) and erases everything on the drive using "flash-trash" technology that physically overwrites every byte, making the data completely unrecoverable."

In other words, the tough-as-nails military-rugged guts of this gadget have been dressed by the marketing department in an elegant and sexy, shaken-not-stirred dinner jacket of espionage-chic, almost as seductive as Peter Graves's self-incinerating tape recorder -- a prop from back in the day when the "Mission Impossible" brand (cue the original Lalo Schifrin theme song) had not been corrupted by (cue record scratch) Scientology.

Wired magazine certainly were on to something when they assigned the name fetish to their monthly envy-column for gadget-enthusiasts. Gadget-philia always has tapped into instinct and the subconscious, down in the limbic system, to bypass rational, prefrontal cortex concerns about mere pedestrian practicality. Many gadget people will confess that, much like the nearest housecat, they just simply cannot help but respond to certain stimuli.

And I, too, confess. Military-grade corniness aside, there's still something almost irresistibly appealing about this product, as can be seen from how each shipment of the 4GB model seems to sell out even before the new cargo-container arrives.

After seeing the IronKey on Gizmodo and Slashdot, how could I possibly resist? Mine should arrive within the week.

So this is *not* a product review. Just some observations about a product of interest. Reviews are available on other sites, if that's what you are after.

Likewise, despite the title, those looking for an announcement that the sky is falling and the Apocalypse is upon us, because some sinister government cabal is out to impose mandatory key-escrow on all our cryptographic applications, or that the IronKey is just the first step down the slippery slope to the Panopticon, Big Brother, surveillance society, will inevitably be disappointed. They'll be disappointed for two reasons.

The first reason is this: A mass-market flash drive (no matter how sophisticated) is hardly the best or most ideal way to spearhead the relentless drive toward Total Information Awareness. Much better and more effective methods to establish universal surveillance as a norm already are in place, or well on their way to implementation, both in government, and in private industry. So, getting all alarmed about IronKey is a little like a resident of New Orleans, during or shortly after Katrina, getting worked up about the urgent need to fix a leaky roof. That roof is not the main reason you're up to your armpits in water, snakes and toxic chemicals. Indeed, on balance, a customer using the IronKey is probably substantially better off than someone who uses a flash drive with no cryptographic features at all. (Interestingly, a similar argument also could be made that -- even today -- two people using phones with Clipper Chips in them, to enable secure communications, on balance would be better off than comparable people using phones without any encryption capability at all).

The second reason the conspiracy crowd will be disappointed, is that the only "Clipper Chip" criticism I have to level against the IronKey, relates to a technical issue, not a public policy issue. Simply put, for technical reasons (analogous in some ways to the technical -- not policy -- criticisms leveled against Clipper), the IronKey and the services that come bundled with it, appear to be somewhat less secure than they could be. From the standpoint of "security by design," IronKey has (for whatever reason) elected to make its customers at least marginally more vulnerable to unauthorized disclosure of their information to third-parties, than could be the case. Since IronKey differentiates its product from potential competitors, principally, on the basis of security, it would seem to make sense that such technical issues might matter to some prospective customers. That said, I've decided to become a customer, anyway. Caveat emptor.

Returning to the merits of the IronKey (apart from the way it tempts your inner Steve Austin, by stimulating that vicarious Bourne Redundancy, Übermensch daydream that gadget-geeks universally have known since childhood), the practical selling-point of this device, in reality, simply is not all the Desmond Llewelyn cryptochip techno-wizardry but rather, the built-in access to a souped-up TOR network -- which enables customers to access the Internet in a (relatively) secure manner, even if using a public terminal at a coffee shop or hotel.

Other products *are* available, that can enable similar (but not identical) functionality using *any* flash drive -- such as XeroBank's XB Browser (free trials available on XeroBank Website). Since I'm not presently in a position to compare IronKey's product with that of XeroBank, I'll refrain from offering any comparison of product functionality. Moreover, in the interest of full disclosure, I've done some trademark-related work for XeroBank, and therefore I will not purport to offer a completely objective opinion. One point of comparison that certainly will matter for some prospective customers, however, is that XeroBank's infrastructure is located mostly outside the United States. The location of IronKey's infrastructure, at least according to their Privacy Policy, appears to be primarily in California.

If you are concerned (even if it is just as a matter of principle) about the U.S. government (or even some other government) paying unwanted attention to your personal communications and data, then it makes sense to look at the "fine print" in IronKey's Privacy Policy (minor edits have been made to promote clarity, but not to change the intended meaning):

"Will IronKey share my information with other companies or people?

* * * *

"[W]e disclose personal information [but] only in the good faith belief that we are required to do so by law, or that doing so is reasonably necessary to: (i) comply with legal process; (ii) respond to any spamming or Internet crimeware abuses; or (iii) to protect the rights, property or personal safety of IronKey, our customers, or the public.

"Note to United States customers: IronKey complies fully with all laws of the United States and the State of California. If required by law, through subpoena or other legal requirement, we will release information in our possession about members that are the subject of an investigation.

"Note to European customers: The information you provide us will be transferred outside the European Economic Area for the purpose of processing by IronKey, Inc., its affiliates and agents. By submitting your information, you agree to that international transfer."
____________________________________________________

Not to put too fine a point on it, but XeroBank's Client Secrecy Guarantee (excerpted below) appears to embody an entirely different category of thinking about privacy issues than the perspective expressed by IronKey (i.e., engineer the thing in the first place to minimize the amount of data that can be given or lost to a third-party, even in the absolutely most cataclysmic conceivable worst-case scenario):

"Requests from Authorities

"XeroBank has built its privacy networks to have client account data separated, segregated, and encrypted on multiple servers in multiple countries so no single party can compromise a client and their data. Most internal account transaction details are not mathematically reversible due to one-way operations. Subsequently, XeroBank does not have specific client data to share with network providers, legal authorities, or law enforcement of any jurisdiction. In the case that such authorities can validate claims of violation of XeroBank's Terms of Service, we will attempt to terminate the client account the abuse originated from. If XeroBank is served with court orders of all appropriate jurisdictions for all specific servers, we may be forced to attempt to trace live data connections. A coordinated multijurisdictional effort is highly unlikely, even in the most improbable of circumstances. Violation of XeroBank's Terms of Service invalidates the Client Secrecy Guarantee. XeroBank will not aid or protect criminals. If fraud or hacking is detected within XeroBank's networks, we will proactively notify and cooperate with authorities to track and identify the criminals involved. XeroBank is not a service to mask abusive or threatening actions; thieves and criminals beware."
___________________________________________________

So, why -- exactly -- does the article title refer to the Clipper Chip? Principally because I had written most of it before I realized the ultimate point could be made much more easily by comparing IronKey's privacy policy with the approach taken by another company. But I also believe that the "Clipper Chip" hook offers a chance to tell an interesting story or two. At least, I find this stuff interesting. If you do, too, read on.

To begin, presumably not all readers were paying close attention to crypto policy in the first term of the Clinton administration (1993-96). Nor has everyone read Steven Levy's wonderful book, Crypto: How the Code Rebels Beat the Government -- And Saved Privacy In The Digital Age (Penguin 2001). So it probably makes sense to say a little bit about what the Clipper Chip is (or was) (that's clipper *chip* -- not a wind-propelled vessel with lots of sails, like the Cutty Sark).

As an aside, from today's perspective (August, 2007), Levy's book -- about "How the Code Rebels . . . Saved Privacy In the Digital Age" -- is roughly analogous to a history of George Lucas's Star Wars universe, published in late 1979. Not everyone, in 1979 -- having recently seen the Death Star explode, and Darth Vader's spaceship spin out of control, off into empty space -- had any idea that the Empire might soon strike back.

This year's Computers Freedom and Privacy conference (where quite a few of those "Code Rebels" hang out together), in Montreal, was held several weeks before things got even worse (specifically, Judges Batchelder and Gibbons issued a decision about illegal wiretapping that would make even Franz Kafka marvel at the triumph of the will over reason). Yet, I think it is fair to report that -- compared with, say, the 2001 CFP in Boston -- CFP 2007 had a somewhat more somber vibe (something some Code Rebels might even describe as more of a hanging by the knees underneath the Cloud City of Bespin, with one hand cut off, atmosphere). That's not to say that the "Code Rebels" are completely demoralized. It is just fair to say that . . . uh, challenges remain.

At this year's CFP in Montreal, I had the personal honor (I suppose you might call it that) of accepting a Privacy International Big Brother Award, a fetching image of a boot stomping on a human face, forever -- in the category of Worst Public Official (which really ought to have gone to the recipient's former colleague Shannen Coffin, or perhaps to Coffin's new boss) -- on behalf of my good friend (and former boss) Stewart A. Baker. I first met Stewart, and did some work for him, after he returned to private practice, following his stint as general counsel for the NSA. In a subsequent post, I've got more stories to relate about Stewart, but for now I'll resist the impulse to digress. It was at the NSA (just before I met him) that Stewart's name became forever inseparable from the Clipper Chip fiasco.

In a C|Net news article about Stewart's recent appointment to a key policy role at the Homeland Security Department, Declan McCullagh summarizes:

"In a famous article published in the June 1994 issue of Wired Magazine, Baker warned against the ready availability of strong, secure encryption products without backdoors. 'One of the earliest users of (Pretty Good Privacy) was a high-tech pedophile in Santa Clara, California,' Baker wrote. 'He used PGP to encrypt files that, police suspect, include a diary of his contacts with susceptible young boys using computer bulletin boards all over the country.'"

To be fair, neither Baker personally, nor the Clinton Administration ever (to my knowledge) expressly advocated any government ban on private encryption technology; nor did they ever propose any government mandate of "back-doors" or the mandatory use of the Clipper Chip. That said, Declan is absolutely right that Stewart's hyperbole about pedophiles really is (and remains) a cheap shot, and that somebody as smart as Baker really ought to know better.

What the 1994 Wired article, titled "Don't Worry; Be Happy" (an allusion to the Bush 41 administration that undoubtedly endeared the article's author, a Bush 41 hold-over, to his new Clinton Administration bosses), really was about, was dismissing what Stewart characterized as certain "myths" then in circulation about the Clipper Chip.

At that time, the U.S. had imposed excessively stringent export controls, to prohibit U.S. individuals and companies from shipping strong encryption technology (hardware or software) overseas. There was no outright ban on the use of such technology by private individuals within the U.S. (and now, of course, SSL is built into just about any Web browser, and SSH is in widespread use, not to mention other useful ways to employ crypto -- such as PGP / GPG -- that have become widely available).

Although there was no domestic ban, the export control regime widely was viewed outside government (and even inside the government, to a substantial degree) as the metaphorical camel's nose; the first step down a slippery slope of probable widespread U.S. domestic surveillance, accompanied by the erection of government obstacles to domestic adoption of effective privacy-protection technology.

These disputes over privacy and crypto did not start suddenly in 1992; they had been going on for some time, already.

The Clinton Administration, roughly three months after assuming office, proceeded naïvely to march right into the political minefield by issuing this announcement to say that the National Security Administration had been developing, in secret, for quite some time (since before Ronald Reagan left office), a hardware-based crypto technology, that was very inexpensive. The Clipper Chip was so inexpensive, according to the announcement, that it would enable telephone manufacturers (among others) to bring secure telephony to the masses. No longer would secure phone equipment (like the good old STU-III) be found only in Fort Meade, the Pentagon, the halls of government, and offices of specialized contractors and think-tanks.

Just after Clinton took office, the Administration started to appreciate the benefit of export controls and Clipper, through alarmist briefings from the intel community about how "crypto" was very dangerous technology for ordinary people to have. Hence, the Clipper announcement probably did not seem so controversial in April, 1993, just before Clipper was introduced to the public (meaning, for the first time made known to people without security clearances).

As product launches go, the Clipper announcement does not compare very favorably with the way products ought to be revealed for the first time in public. No doubt, I'm hardly the first to make this observation. Presumably, more than a few people from the Reagan and Bush 41 administrations had committed this lesson to memory before returning (at one time or another, or, in some cases, over and over again) to government service after the 2000 election. Others, perhaps, missed the memo, or misunderstood the lesson.

Without getting into the question of whether the market for private telephone devices, in 1993, was actually experiencing any grass-roots demand for intel-grade hardware-based, anti-eavesdropping technology (I seem to remember that Disney and AT&T had rather different ideas about what customers wanted in their phones), it is fair to say that the reception the Clipper product received was -- well -- less than enthusiastic.

Honestly, the product was designed for government crypto engineers -- not for the consumer market. The NSA cares deeply about such matters as chip packaging, and making sure that a would-be attacker cannot compromise the security of a crypto chip by sanding down the chip packaging and probing the silicon guts. Frankly, this kind of stuff tends to make eyes glaze over in the consumer market. I won't get into the "user interface" of a Clipper phone, but suffice it to say that most end-users would have found it about as simple and intuitive to use (and appealing to learn) as a UNIX or DOS command line. But really, from the standpoint of a crypto engineer, the Clipper was a thing of beauty -- something that anyone ought to be proud of. No doubt, Baker, who is a really smart guy (and who, after all, came in at the end of the process -- after it had already been developed -- and then got saddled with the task of persuading both the market and the Clinton Administration to understand and appreciate the brilliance of the design) rather quickly was seduced by all the careful thought and engineering prowess that went into Clipper.

The most important "feature" of Clipper, of course, was "key escrow" -- in theory, a way to protect privacy, yet still to ensure that the government could wiretap phones when it needed to do so. The "key escrow" mechanism was, as one might expect, designed by engineers and lawyers with IQs at least 4 or 5 standard deviations above the mean. Accordingly, explaining to the average consumer how "key escrow" works and what it is for, requires rather more than a bumper-sticker. The bumper-sticker version (and all that the average 100 IQ person takes away from the explanation, no matter how hard the explainer tries to compress the message into an intuitive format) is this: "The government is going to tap your phones!" I won't bore the reader with the non-bumper-sticker version.

Returning to the less-than-enthusiastic public reception that Clipper received after introduction -- in particular, John Perry Barlow of the EFF, and Marc Rotenberg of EPIC (then with CPSR), recognized a lot of problems with Clipper (not the least of which is that it probably did represent the "camel's nose" of mandatory key escrow for all crypto in the U.S.), and became instant opponents of it. Whitfield Diffie, of Sun Microsystems, also helped explain -- fortunately, in laypersons' terms that don't require an engineering degree -- many of the problems with the way in which Clipper was developed and proposed for general adoption.

Without getting into a long explanation of all the technical problems with a "key escrow" scheme (those interested can find all the answers they need, through Google), let's just skip ahead to a good stopping-point. The Clipper Chip episode (I think it is now called Episode IV: A New Hope) metaphorically ends with the Death Star exploding (or was that the Clipper Chip sinking?), and Darth Vader spiraling off into empty space, attempting to regain control of his spaceship. No Ewoks, yet.

Without spoiling the ending, I think it is fair to say that the bad guys eventually returned, in a brand-new (or, perhaps the word is "reconstituted") Death Star, to create a whole lot of new problems.

In retrospect, had Clipper been adopted, it may well have led to somewhat more widespread hardware-based secure telephony, than we currently enjoy today (which would not necessarily be a bad thing). Granted, the technology was less than ideal, and the slippery-slope fear of setting the wrong "key escrow" precedent was genuine.

I think it is fair to say that many lessons were learned in the course of the Clipper episode, both by opponents and advocates, and that those lessons have not been forgotten by those who were directly involved.

So, with that background in mind, we can return to the IronKey. Some of the following is speculation, to be honest, but I think the big-picture overview is largely correct.

Upon first hearing of the IronKey, I noticed that certain aspects of it (each of which undoubtedly has an effect on price) were not exactly consistent with the kind of product that is initially designed for consumers or businesses, but that also (like, say, a photocopier or laser printer) just might happen to scratch a government itch, as an afterthought. Rather, IronKey is a lot more consistent with the kind of product (like Clipper) that originally is designed to meet (or to anticipate) a government specification, and then subsequently re-purposed for introduction to the general consumer/business market.

For instance, IronKey employs hardware encryption, which heavy government users of crypto demand, but the benefits of which would be challenging to explain to ordinary end-users, using any known form of customary advertising medium. Hardware encryption can increase costs. Does it really produce a corresponding increase in sales? Next, not only is the IronKey waterproof and housed in metal (which is probably enough to give regular end-users a fuzzy feeling of "security" and to close the deal), but the cryptochip also is encased in epoxy -- to fend off the kind of physical attacks on the cryptosystem that few adversaries other than enemy governments would have both the means and the resolve to mount. That kind of overkill costs extra money, and does not necessarily increase sales enough to justify it.

My initial instinct was to look for a connection to NSA or In-Q-Tel, but after a couple of Google searches relating to IronKey, it appeared that Homeland Security might be a more likely candidate for IronKey's government sugar-daddy (more on this, later).

Then, interestingly enough, while deciding whether to get an IronKey (or, perhaps, a bunch of them for several colleagues at work, who neither know, nor want to know, much about network security), I had the same question that Gizmodo raises -- namely, "If I forget my password, and enter the wrong one ten times, how do I ever get my data back?"

One plausible answer (which I might have accepted, and which Gizmodo appears even to have assumed) would be, "Tough for you. You never get it back; so always back the data up yourself -- someplace that you feel is secure." Turns out that IronKey has a different answer.

Specifically, I asked one of IronKey's channel reps about this issue on the phone. His answer left me with an unsettling good news / bad news reaction. The good news is that IronKey actually has thought about this issue and has developed an answer to it.

The bad news is that IronKey's answer to the "lost password" problem (and also, presumably, the "stolen key" problem) is that they'll keep your password for you -- as if in escrow. (Oops, did I say "escrow?").

Moreover, IronKey will even keep a complete copy of all your data on their server, at my.ironkey.com -- and if you lose or forget your password, you can still get access to all your backed-up data (and the password, too), by answering some security questions that are supposed to determine that you are really you.

Now, in the case of Clipper, the way the "escrow" worked was to divide up each person's secret key into two parts -- neither of which was good enough, alone, to open the "backdoor" and to allow snooping. One of the part-keys was to be held by the Attorney General (at the time of Clipper, Janet Reno). (Thank God that plan never was implemented!) The other key-part was to be held by a completely separate government agency. That way, the only way the keys could be combined (and the only way the "backdoor" could be opened for snooping) would be to secure a court order (a warrant) authorizing the two key-parts, for the specific equipment in question, to be combined.

Suffice it to say that I have no reason to believe that IronKey has implemented (or plans to implement) any comparable institutional safeguard to protect against improper access (not just the government, but hypothetically, even by a "rogue employee") to a customer's data. The mere fact that a "security question" procedure has been implemented, leads me strongly to believe, that no such institutional safeguards (the computer equivalent of making sure that your books are not kept by the same person who handles all the cash) even have been considered.
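The two-custodian split described above for Clipper can be sketched in a few lines; this is an added example, not code from the original post, from Clipper, or from IronKey. The XOR split, the `Custodian` class, the `order` fields and the device identifier are all assumptions chosen for illustration. It also shows why "dividing" a key must not mean cutting it in half.

```python
import secrets
from typing import Dict, Iterable, Tuple

KEY_BYTES = 10  # 80-bit key; the size is an assumption for this example


def split_xor(key: bytes) -> Tuple[bytes, bytes]:
    """2-of-2 split: one share is random, the other is key XOR that share."""
    share1 = secrets.token_bytes(len(key))
    return share1, bytes(k ^ s for k, s in zip(key, share1))


def combine(share1: bytes, share2: bytes) -> bytes:
    if len(share1) != len(share2):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share1, share2))


def partner_for(share1: bytes, candidate_key: bytes) -> bytes:
    """A second share exists for every candidate key, so a lone XOR share rules out nothing."""
    return combine(share1, candidate_key)


def naive_halves(key: bytes) -> Tuple[bytes, bytes]:
    """The wrong way to 'divide' a key: each holder learns half the bits."""
    mid = len(key) // 2
    return key[:mid], key[mid:]


class Custodian:
    """Hypothetical escrow agent; releases a share only for an order that
    names both this custodian and the specific device."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._shares: Dict[str, bytes] = {}

    def deposit(self, device_id: str, share: bytes) -> None:
        self._shares[device_id] = share

    def release(self, device_id: str, order: dict) -> bytes:
        if order.get("device_id") != device_id:
            raise PermissionError(f"{self.name}: order names another device")
        if self.name not in order.get("addressed_to", ()):
            raise PermissionError(f"{self.name}: order not addressed to us")
        return self._shares[device_id]


def recover_key(device_id: str, order: dict,
                custodians: Iterable[Custodian]) -> bytes:
    """Dual control: both custodians must independently honour the order."""
    first, second = (c.release(device_id, order) for c in custodians)
    return combine(first, second)


def demo() -> dict:
    device_id = "DEVICE-0001"  # constructed sample identifier
    key = secrets.token_bytes(KEY_BYTES)
    agents = [Custodian("agent-a"), Custodian("agent-b")]
    for agent, share in zip(agents, split_xor(key)):
        agent.deposit(device_id, share)
    both = {"device_id": device_id, "addressed_to": ["agent-a", "agent-b"]}
    only_a = {"device_id": device_id, "addressed_to": ["agent-a"]}
    try:
        recover_key(device_id, only_a, agents)
        one_agent_enough = True
    except PermissionError:
        one_agent_enough = False
    return {
        "recovered_ok": recover_key(device_id, both, agents) == key,
        "one_agent_enough": one_agent_enough,
        "half_leaks_prefix": naive_halves(key)[0] == key[:KEY_BYTES // 2],
    }


if __name__ == "__main__":
    print(demo())
```

Collapsing the two custodians into one party that holds the whole key removes the second, independent check, which is the separation-of-duties gap the paragraph above is concerned with.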

Maybe the next question I asked would not occur to everyone, but I represent Internet service providers, who (from time to time) get served with warrants, subpoenas or national security letters -- sometimes the subpoenas come from law enforcement, sometimes from private litigants. Needless to say, sometimes the government really does go on completely bogus "snooping" expeditions.

"So," I asked the channel rep, "What happens to my data stored on my.ironkey.com, if somebody, without my authorization, gets interested in my data, and serves IronKey with a subpoena or a national security letter?" (And remember, with "national security letters," often the customer is not even informed that his or her data has been accessed.). The channel rep's answer was essentially the same as what IronKey's Website says.

According to the Website, the following are included among IronKey's core values:

Respecting the law
  • IronKey complies fully with all laws of the United States and the State of California.
  • If required by law, through subpoena or other legal requirement, we will release information in our possession about members that are the subject of an investigation.
Their privacy policy contains the same warning.

The bottom line is simply this -- IronKey's FAQs strongly suggest that your data is accessible to you and only you. However, the reality with IronKey (especially if you back-up everything to their server) is that your data is potentially accessible to anyone who can correctly answer your "security questions." Moreover, the "security question" protocol can be bypassed entirely, if certain legal procedures are followed.

The situation with IronKey, thus, turns out to have some rather remarkable similarities to the Clipper Chip "key escrow" scheme peddled in the early 1990s by the Clinton Administration.

One other thing worth noting, in relation to IronKey's "core values" disclosure, is this: They specifically use the word "subpoena," not "warrant." To a lawyer, the difference is significant. A warrant can only be obtained by law enforcement by requesting one from a judge -- who is supposed to require a showing of "probable cause" as a pre-condition for issuing the warrant. Subpoenas do not require the signature of a judge. Whose signature is required, for any particular subpoena, depends on the kind of subpoena.

Access to certain kinds of "stored electronic communications," according to federal law, requires a warrant -- in other words, judicial approval. See 18 U.S.C. secs. 2701-2712.

Presumably, IronKey has gone through the analysis, to determine when -- precisely -- a subpoena is good enough, and when it would be a crime for IronKey to hand over data with anything less than a warrant for cover. Id. All the ISPs I advise, after all, have had drilled into them, which kinds of information require warrants and must not be accessed or disclosed in any manner, based on any legal process short of a warrant.

I haven't gone through the full analysis of how the statute governing wiretaps and stored electronic communications might apply to the various information stored by IronKey on customers' behalf. But the issue is interesting enough that I just may do it sometime for grins (probably won't post the conclusions drawn from the exercise, however).

In the end, I think it would be a mistake to assume that IronKey is quite so bullet-proof as their marketing materials seem to suggest (except on a very careful reading).

Of course, my point is not to criticize IronKey for their commitment to obeying the law. Nor do I want to criticize them for cooperating with legitimate law enforcement investigations.

According to the IronKey Website, one of the company's Board members served as "National Cyber Security Division director of the United States Department of Homeland Security." And at least one member of the "management team" also touts his DHS ties on the IronKey Website. Certainly, if the Department of Homeland Security is a likely customer, one would hardly expect IronKey to bite the hand of an agency that might feed it business.

(Incidentally, while this 2006 report shows IronKey doing some other DHS-related work, I do not have good information one way or the other as to the extent (if any) that IronKey could be DHS-funded. Does anyone have good information on this subject?).

I'd like to close with some speculation about why the U.S. government might actually consider it a good thing, and worth promoting, to encourage the widespread (consumer market) distribution of devices that enable access to TOR networks (including the IronKey). I have no idea, one way or the other, at present as to whether the IronKey originally was developed for a government application, and then re-packaged for consumer applications, or whether it took a different path to market. Again, this is mostly speculation.

Somewhat like the original Hummer (which found itself, at least temporarily, enjoying a kind of popular mass-market demand), but unlike, say, the product line of Augmentix (conspicuously absent from their site is any way for the public to get their hands on one easily), the IronKey appears not only to be developed for certain niche applications (healthcare, financial services, and government leap to mind as viable niche applications for it), but also developed with enough potential mass-market appeal that the manufacturer appears to expect to bring per-unit costs down significantly for core customers, by attempting to achieve mass-market economies of scale.

It is always worth remembering that the U.S. government (please click the link!) not only invests a lot in snooping on others, sometimes illegally, but that certain agencies also are tasked with the job of keeping U.S. government information and communications more or less snoop-resistant. Indeed, the Clipper Chip itself came out of the U.S. government's rather extensive "codemaking" efforts to secure its own communications against potential eavesdroppers.

Presumably, it is not entirely accidental that TOR was made widely available (and also made available for commercial applications) by the Office of Naval Research. As explained here, "The variety of people who use Tor is actually part of what makes it so secure. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected."

Simply put, the more widely TOR can be implemented for relatively innocuous applications (such as hobbyist applications or file-sharing, or just making sure that your visits to somebody's Website cannot be traced back to you), the less susceptible the TOR network and its nodes will be to attacks such as traffic analysis.

This expansion of the users of the secure network is good not only for people who use snoop-resistant means of communications for government and enterprise purposes, but also for folks like human rights activists (be sure to check out NGO in a Box, Security Edition), who would prefer not to attract suspicion to themselves whenever, originating from -- say, Saudi Arabia or China or Myanmar -- an SSH pipe opens to a known TOR node.

Assuming that the government has an interest in these IronKey devices (no doubt, the IronKey will eventually find its way into at least a few government niches), it certainly seems reasonable that the government could well see the advantage of (1) bringing its own costs down by piggy-backing its own purchases on mass-market economies of scale (I think this is how the Clipper Chip was expected to be so cheap, too), and (2) at the same time, rendering its own use of TOR networks more secure and more difficult to detect, by multiplying the number of TOR users all over the world who are not affiliated with the U.S. government.

Is there a vast government conspiracy to propagate TOR and to multiply the number of users? I have no idea; again, this is all speculation. But I certainly hope there is. And if so, I'm all in favor of it. Happy (safe) surfing!

Welcome / First Post!

Pseudonymous speech is great (and, as the Electronic Frontier Foundation routinely points out, worth preserving). Oddly enough, my first couple of posts will refer, at least tangentially, first to Lewis Carroll, and later, to George Orwell -- respectively, pseudonyms for Rev. Charles Lutwidge Dodgson, and for Eric Arthur Blair.

My intention is to publish pseudonymously, although I do not expect to enjoy nearly as much success as Fake Steve Jobs in keeping my "secret identity" private for any period of time. At least it will be interesting to see how long it takes before some busy-body actually invests the (admittedly modest) time and effort it will take to "unmask" the author.

The Lewis Carroll reference, of course, relates to the title of this blog, which is inspired (albeit for different reasons) by the same chapter of Alice's Adventures in Wonderland (Project Gutenberg Etext 11 - I love Project Gutenberg), that propelled Grace Slick on an adventure of her own. (For readers who are a little younger, perhaps Trinity's "Follow the white rabbit" message, from the Matrix, and the white rabbit tattoo, will serve as allusions to Carroll's work that are a little more familiar than Jefferson Airplane). I've always assumed that The Who also made a musical allusion to the Caterpillar's first question, but I've never been quite certain about that . . . .

The full text of the poem Father William, as recited by Alice to the Caterpillar, can be found at the end of this post. In the meantime, the inspiration for this blog (in part, a "blawg," but hardly devoted exclusively to legal subjects), is this stanza:

`In my youth,' said his father, `I took to the law,
And argued each case with my wife;
And the muscular strength, which it gave to my jaw,
Has lasted the rest of my life.'

Fully intending to publish a Web-log site, using the name "Father William," I secured several Internet addresses to publish it, months ago (in some instances, years ago). Then other things came up and (fortunately for all of you, perhaps) nothing really got done until today. Better late than never, I suppose. Come to think of it, I also suppose that means anyone keeping historic DNS and "Whois" data (such as the guy who initiated the "save iridium" movement) may already have the means to identify this site's author. Thus, any semblance of real pseudonymity is out the window, even if I secure a "private" registration at this point. C'est la vie.

The ultimate intention, for this site, is to migrate the whole kit and caboodle (or at least the content) to a private server running Movable Type, but for now Blogger will do just fine. Some stories are so worth telling, that it just makes sense to have a place to publish them, and in this case I'm tired of waiting to find the free time to set up a server, just in order to accomplish the real objective -- which is to share ideas with others.

Here's the full text of "You are Old, Father William" (courtesy of Project Gutenberg and of >limited Times for copyrights<, both here and in Great Britain -- at least until the inmates manage to secure enough pull in the asylum, to change the rules):

`Repeat, "YOU ARE OLD, FATHER WILLIAM,"' said the Caterpillar.

Alice folded her hands, and began:--

`You are old, Father William,' the young man said,
`And your hair has become very white;
And yet you incessantly stand on your head--
Do you think, at your age, it is right?'

`In my youth,' Father William replied to his son,
`I feared it might injure the brain;
But, now that I'm perfectly sure I have none,
Why, I do it again and again.'

`You are old,' said the youth, `as I mentioned before,
And have grown most uncommonly fat;
Yet you turned a back-somersault in at the door--
Pray, what is the reason of that?'

`In my youth,' said the sage, as he shook his grey locks,
`I kept all my limbs very supple
By the use of this ointment--one shilling the box--
Allow me to sell you a couple?'

`You are old,' said the youth, `and your jaws are too weak
For anything tougher than suet;
Yet you finished the goose, with the bones and the beak--
Pray how did you manage to do it?'

`In my youth,' said his father, `I took to the law,
And argued each case with my wife;
And the muscular strength, which it gave to my jaw,
Has lasted the rest of my life.'

`You are old,' said the youth, `one would hardly suppose
That your eye was as steady as ever;
Yet you balanced an eel on the end of your nose--
What made you so awfully clever?'

`I have answered three questions, and that is enough,'
Said his father; `don't give yourself airs!
Do you think I can listen all day to such stuff?
Be off, or I'll kick you down stairs!'