Interesting People mailing list archives
IP: some comments on the Key Escrow -- clipper II bill (I will
From: David Farber <farber () cis upenn edu>
Date: Sun, 30 Mar 1997 09:25:33 -0500
I somehow am not feeling warm and comfortable with such waivers of my privacy rights. Anyone want to bet that the rules will allow broad opportunities for the citizen to get their privacy damaged with NO recourse?

Dave

Bob Fougner wrote:

There are some interesting features of the bill which are not mentioned in the rhetorical reactions from the privacy rights advocates. First of all, the bill specifically states: "Participation in the key management infrastructure enabled by this Act is voluntary". However, the Netizens ignore this statement because of an intriguing feature, which provides:

Quote:

SEC. 406. COMPLIANCE DEFENSE. Compliance with this Act and the regulations promulgated thereunder is a complete defense, for Certificate Authorities registered under this Act and Key Recovery Agents registered under this Act, to any noncontractual civil action for damages based upon activities regulated by this Act.

Unquote:

This language broadly suggests that, unless a CA or key recovery agent voluntarily accepts unlimited liability under its contracts with its customers, it cannot be held liable for damages for negligence, invasion of privacy or any other "civil action" related to key recovery and CA activities if it registers under the Act and follows all of its regulations (to be written). This is an immense carrot for an underfinanced industry facing catastrophic potential liabilities for an as yet undefined legal responsibility (i.e. being a CA or key recovery agent).

In other words, the privacy advocates rightly fear this tempting legal/commercial concession will draw industry into "voluntary" compliance and thus establish the Government infrastructure by choice - without making it mandatory. Notice the PR license the privacy advocates are taking by characterizing this as "compulsory". It is not.

As for industry vendors, the act would cloak them with legal protection when they serve as a CA for their customers. They could then contractually state the limits of their liability in their contracts and sleep at nights. The alternative is an uncertain liability going forward for any errors or omissions in handling of CA certificates issued with their products or services.

Obviously, some high profile industry vendors who must stay on the right side of political correctness may be forced to disavow any interest in this compromise, but I suspect attorneys who represent them (or at least their competitors) are secretly intrigued by this solution.

Bob Fougner
General Counsel
Cylink Corporation