Interesting People mailing list archives

IP: some comments on the Key Escrow -- clipper II bill (I will


From: David Farber <farber () cis upenn edu>
Date: Sun, 30 Mar 1997 09:25:33 -0500

I somehow am not feeling warm and comfortable with such waivers of my
privacy rights. Anyone want to bet that the rules will allow broad
opportunities for the citizen to get their privacy damaged with NO recourse.


Dave


Bob Fougner wrote:


  There are some interesting features of the bill which are not
  mentioned in the rhetorical reactions from the privacy rights
  advocates.


  First of all, the bill specifically states: "Participation in the
  key management infrastructure enabled by this Act is voluntary".


  However, the Netizens ignore this statement because of an intriguing
  feature, which provides:


  Quote:


  SEC. 406. COMPLIANCE DEFENSE.


  Compliance with this Act and the regulations promulgated thereunder
  is a complete defense, for Certificate Authorities registered under this
  Act and Key Recovery Agents registered under this Act, to any
  noncontractual civil action for damages based upon activities regulated
  by this Act.


  Unquote:


  This language broadly suggests that, unless a CA or key recovery
  agent voluntarily accepts unlimited liability under its contracts with its
  customers, it can not be held liable for damages for negligence,
  invasion of privacy or any other "civil action" related to key
  recovery and CA activities if it registers under the Act and follows
  all of its regulations (to be written). This is an immense carrot
  for an underfinanced industry facing catastrophic potential liabilities
  for an as yet undefined legal responsibility (i.e. being a CA or key
  recovery agent).


  In other words, the privacy advocates rightly fear this tempting
  legal/commercial concession will draw industry into "voluntary"
  compliance and thus establish the Government infrastructure by
  choice - without making it mandatory. Notice the PR license the privacy
  advocates are taking by characterizing this as "compulsory". It is
  not.


  As for industry vendors, the act would cloak them with legal
  protection when they serve as a CA for their customers. They could
  then contractually state the limits of their liability in their
  contracts and sleep at nights. The alternative is an uncertain
  liability going forward for any errors or omissions in handling of
  CA certificates issued with their products or services.
 
  Obviously, some high profile industry vendors who must stay on the
  right side of political correctness may be forced to disavow any
  interest in this compromise, but I suspect attorneys who represent
  them (or at least their competitors) are secretly intrigued by this
  solution.


  Bob Fougner
  General Counsel
  Cylink Corporation

