Cryptography and Liberty 1999: An
International Survey of Encryption Policy, by Electronic Privacy
Information Center, Washington, DC is now available through http://www.epic.org/reports/crypto1999.html
Executive Summary
Most countries in the world today have no controls on the use of
cryptography. In the vast majority of countries, cryptography may
be freely used, manufactured, and sold without restriction. This
is true for both leading industrial countries and for developing
countries. There is a movement towards international relaxation
of regulations relating to encryption products, coupled with a
rejection of key escrow and recovery policies. Many countries
have recently adopted policies expressly rejecting requirements
for key escrow systems and a few countries, most notably France,
have dropped their escrow systems. There are a small number of
countries where strong domestic controls on the use of
cryptography exist. These are mostly countries where human rights
command little respect.
Recent trends in international law and policy point toward continued relaxation of controls on cryptography. The Organization for Economic Cooperation and Development's Cryptography Policy Guidelines and the Ministerial Declaration of the European Union, both released in 1997, argue for the liberalization of controls on cryptography and the development of market-based, user driven cryptography products and services. There is a growing awareness worldwide of encryption and an increasing number of countries have developed policies, driven by the OECD guidelines.
Export controls remain the most powerful obstacle to the development and free flow of encryption. The revised December 1998 Wassenaar Arrangement may roll back some of the liberalization sought by the OECD, particularly by restricting the key lengths of encryption products that can be exported without approval licenses. However, several major countries have already indicated that they do not plan to adopt new restrictions.
The United States government continues to lead efforts for encryption controls around the world. The U.S. government has exerted economic and diplomatic pressure on other countries in an attempt to force them into adopting restrictive policies. The U.S. position may be explained, in part, by the dominant role that national intelligence and federal law enforcement agencies hold in the development of encryption policy.
FOCUS-UK axes tough e-commerce laws as trade booms
LONDON, May 26 (Reuters) - Britain said on
Wednesday it was axing plans for tough electronic commerce
regulation, as it set new targets for 'UK Plc' to cash in on
booming global sales expected to be worth 500 billion pounds
($800 billion) by 2002. The move confirmed a marked shift in
government policy away from burdensome red tape towards a more
minimalist approach to help British firms profit on-line.
"It means we have a strategy which strikes a balance between
protecting society from criminals and creating the best
environment in the world to do e-business," Prime Minister
Tony Blair said in a statement. Trade and Industry Minister
Michael Wills said the government's forthcoming Electronic
Commerce Bill had jettisoned a central element designed to boost
security and cut fraud.
The key escrow provision -- a procedure under which encryption
keys used to protect information have to be registered with a
third party which can be accessed by the police -- was dropped
after fierce lobbying by business. New e-commerce laws
"should not include any requirement for mandatory storage of
encryption keys," said Wills, in a written answer to a
parliamentary question. Ministers decided key escrow would not
necessarily provide complete security and could end up
restricting e-commerce growth. Instead a government/industry
forum will be used to counter crime.
At the same time, Wills' boss, the Trade and Industry Secretary
Stephen Byers set new targets for British firms to do business on
the Internet.Byers said e-commerce in Britain was already ahead
of government targets, with buying and selling on-line trebling
in two years and the number of UK firms with websites doubling.
The DTI added the number of small businesses going on-line was
ahead of targets and Britain was now closing in on the U.S..
Britain aims to have 1.5 million small and medium-sized companies
on the Net and one million trading on-line by 2002. Byers warned
against complacency: "While the UK is still ahead of France
and Italy, very rapid growth in Germany over the last year has
put it on a par with the UK on most measures of information and
communication technology uptake."
The government has signed up major firms to help it set up an
accreditation scheme for advisors working with companies on IT.
British Telecommunications Plc <BT.L>, Microsoft
<MSFT.O>, Intel Corp <INTC.O> and Compaq Computer
Corp <CPQ.N> have joined the DTI's initiative.
Government-sponsored research showed that despite progress some
firms are still lagging behind in electronic business. London is
the most advanced region, with 74 percent of companies well
versed in e-commerce technology, followed by the West Midlands,
South East, North West and Eastern regions. Other parts of
Britain, like Northern Ireland and Wales have only 43 percent and
48 percent penetration, however. New laws in Britain governing
e-commerce, due to be unveiled next month, will have to tally
with measures adopted by international organisations such as the
Organisation for Economic Cooperation and Development (OECD) and
the World Trade Organisation (WTO).
The UK
Government through the Department of Trade and Industry published
on 05 March, 1999, yet another consultation paper on the
regulation of encryption entitled: "Building
Confidence in Electronic Commerce." The
full document as a PDF
file is available here. The DTI wants your
comments by 1 April (it must be a joke), 1999. The paper states
the following and the intentions of the UK government in relation
to law enforcement issues remain somehow unclear:
Serious criminals, including drug traffickers, paedophiles and terrorists, are turning to encryption to conceal their activities. Unchecked, this will make the work of law enforcement increasingly difficult. The Government therefore intends to provide the agencies responsible for tackling serious crime with the ability to acquire lawful access to material necessary to decrypt communications or stored data.
While the Government remains keen to promote the development and use of encryption technologies that meet law enforcement requirements, it recognises industry concerns that making key escrow and third party key recovery a requirement for licensing could hinder the development of electronic commerce in the UK. It is therefore consulting on the basis that this will not be a requirement for licensing. However, the Government is looking to industry to help identify ways of meeting law enforcement requirements while promoting the growth of electronic commerce.
Cyber-Rights
& Cyber-Liberties (UK) launches new local campaign on the
Wassenaar Arrengements
See the press
release of the campaign and the new report entitled "Wassenaar
Controls, Cyber-Crime and Information Terrorism"
launched on 15 September, 1998 by Cyber-Rights &
cyber-Liberties (UK). The report written by Dr Brian Gladman,
Crypto Policy Co-ordinator for Cyber Rights & Cyber-Liberties
(UK) which concluded that "far from hampering criminal and
terrorist activities, controls on civil cryptographic products
are promoting the evolution of a global information
infrastructure that provides many easy targets for cyber-crime
and information terrorism."
SEPTEMBER 1998 - FIND MORE ABOUT THIS NEW CAMPAIGN
See also the Global Internet Liberty Campaign statement issued together with this new report and which was signed by CR&CL(UK). The Global Internet Liberty Campaign Wassenaar page is at http://www.gilc.org/crypto/wassenaar/.. The English language version of the statement is up at http://www.gilc.org/crypto/wassenaar/gilc-statement-998.html and the German version is at http://www.gilc.org/crypto/wassenaar/gilc-statement-998-de.html.
Eleven leading cryptographers issued a 1998
update of "The
Risks of Key Recovery, Key Escrow, and Trusted Third-Party
Encryption," report and argue that the
backdoor key recovery systems proposed by the federal government
will introduce tremendous new vulnerabilities and costs that
jeopardize Internet privacy and security - June 1998.
GILC
Submits Comments on Canadian Crypto Policy. 22 members
of GILC submitted comments to Industry Canada on April 20, 1998
opposing suggestions to place domestic and export controls on
encyption. This submission is signed by Cyber-Rights &
Cyber-Liberties (UK).
Yet another speech by the FBI Director Louis
Freeh. This time on Encryption Use in International Crime and
Terrorism, 23 April 1998. Freeh's full speech is not yet
available but for a summary of his speech see http://www.techlawjournal.com/encrypt/80423.htm.
Freeh warned a Senate Appropriation Subcommittee on Tuesday that
the use of encryption by international terrorists and drug
dealers is frustrating FBI law enforcement efforts. Didn't we all
hear this before ?
ACLU Special Report, Big Brother in the Wires: Wiretapping in the Digital Age, March 1998.
Charging that the Clinton Administration is using scare tactics to acquire vast new powers to spy on all Americans, the ACLU has begun circulating a white paper on the escalating battles over wiretapping in the digital age to key members of Congress. The new ACLU report -- Big Brother in the Wires -- states that the current struggle over cryptography policy holds far-reaching and possibly irrevocable consequences for all Americans. It makes an impassioned case for limiting the government's ability to seize and review private communications -- whether they are telephone conversations, FAX messages, electronic mail, electronic fund transfers or medical records -- by permitting the use of strong encryption.
"We are now at an historic crossroads," the report says. "We can use emerging technologies to protect our personal privacy, or we can succumb to scare tactics and to exaggerated claims about the law enforcement value of electronic surveillance and give up our cherished rights, perhaps forever."
The ACLU report can be found at: http://www.aclu.org/issues/cyber/wiretap_brother.html
U.S.
OFFICIAL CONCEDES THAT "KEY RECOVERY" ENCRYPTION IS
INFERIOR TO ALTERNATIVE PRIVACY TECHNIQUES
Wednesday, March 25, 1998 David Sobel/Dave Banisar (202) 544-9240
WASHINGTON, DC—A top U.S. official acknowledged more than a year ago that the Internet privacy technique championed by the Clinton Administration is "more costly and less efficient" than alternative methods that the government seeks to suppress. The concession is contained in a newly-released high-level document on encryption policy obtained by the Electronic Privacy Information Center (EPIC).
In a November 1996 memorandum to other government officials, William A. Reinsch, the Commerce Department’s Under Secretary for Export Administration, discussed the Administration’s efforts to promote "escrowed" or "recoverable" encryption techniques in overseas markets. Such techniques enable government agents to unscramble encrypted information and they form the cornerstone of current U.S. encryption policy.
After noting that government regulations permit the export of non-escrowed encryption products only to "safe end-users" such as foreign police and security agencies, Reinsch recognized the inferiority of the Administration’s favored technology:
Police forces are reluctant to use "escrowed" encryption products (such as radios in patrol cars). They are more costly and less efficient than non-escrowed products. There can be long gaps in reception due to the escrow features—sometimes as long as a ten second pause. Our own police do not use recoverable encryption products; they buy the same non-escrowable products used by their counterparts in Europe and Japan.
Ironically, Reinsch’s concession is contained in a memorandum that discusses the Administration’s strategy to "help the market transition from non-recoverable products to recoverable products." According to EPIC Legal Counsel David Sobel, the newly released document "suggests that the Clinton Administration is trying to sell key recovery technology while quietly recognizing its inferiority. This approach will ultimately weaken the global position of the American computer industry and hold back the development of the privacy protections so badly needed on the Internet."
EPIC and other critics of current U.S. encryption policy have long maintained that "key escrow" and "key recovery" approaches compromise the security of private information by providing "backdoor" access to encrypted data.
The Reinsch memo was released in response to a Freedom of Information Act request EPIC submitted to the Department of State concerning the international activities of former U.S. "crypto czar" David Aaron. That request is the subject of a pending federal lawsuit initiated by EPIC last year.
The memorandum is available at the EPIC website at:
http://www.epic.org/crypto/key_escrow/reinsch_memo.html
BBC News Coverage of the GILC member statement, "UK government dithers on encryption regulation," February 20, 1998. See also the other sections "Background: The great encryption debate," "Security and law enforcement: the government view," and "Digital freedom: the case for civil liberties on the Net".
GILC
released, "Cryptography and Liberty: An International Survey
of Encryption Policy,"
- Feb. 98
WASHINGTON - An international coalition of civil
liberties organisations has released the first comprehensive
review of cryptography policies around the globe.
"Cryptography and Liberty: An International Survey of
Encryption Policy" is based on a survey of more than two
hundred countries and regions. The purpose of the survey was to
determine whether countries are limiting the availability of new
technologies that are used by Internet users and others to
protect personal privacy.
The survey was conducted by the Global Internet Liberty Campaign ("GILC"). The GILC favours the unrestricted use of cryptography to protect personal privacy. The group has urged national governments not to adopt controls on the technology. According to the GILC report, most countries in the world do not have controls on the use of cryptography. "In the vast majority of countries, cryptography may be freely used, manufactured and sold without restriction." The report says that recent trends in cryptography policy suggest greater liberalisation in the use of this technology, which was originally controlled during the Cold War for reasons of national security.
A rough breakdown of the countries into five categories—from "Red" through "Yellow" to "Green"—indicating how restrictive the policies toward encryption are, found that most countries are grouped toward the "Green" end of the spectrum, while a handful of countries fall in the "Red" category. Those countries are Belarus, China, Israel, Pakistan, Russia and Singapore. The GILC report notes the "surprising" policies of the United States, given that "virtually all of the other democratic, industrial nations have few if any controls on the use of cryptography."
The report suggest that the U.S. position may be explained by "the dominant role that state security agencies in the United States hold in the development of encryption policy." But the group warns that law enforcement agencies in the U.S. and elsewhere will continue to push for an encryption "key management infrastructure" that would expand electronic surveillance of private communications. The group urges the development of a public education campaign to inform various political, labour and social groups on the benefits of and techniques for using encryption.
GILC is an international coalition of civil liberties and human rights organisations concerned with protection of political liberty in the on-line world. GILC has members in more than twenty countries, and maintains a web site at http://www.gilc.org/ The GILC encryption survey is available on the Internet at: http://www.gilc.org/crypto/crypto-survey.html
BBC News, Labour reverses policy on Net encryption, January 30, 1998
BBC News - The key debate on encryption, January 30, 1998
BBC News - Analysis: Free speech key to encryption debate, January 20, 1998
BBC News - Should governments control Internet encryption? Your reaction, January 20, 1998
BBC News - Should governments control Internet encryption? January 16, 1998
BBC News - G8 wages war on cyber-crime, December 11, 1997
Threats to U.S. National Security. Statement for the record Louis J. Freeh, Director Federal Bureau of Investigation before the Senate Select Committee on Intelligence, Washington, D.C. January 28, 1998.
The Impact of Encryption on Public Safety. Statement of Louis J. Freeh, Director Federal Bureau of Investigation Before the Permanent Select Committee on Intelligence United States House of Representatives Washington, D. C. September 9, 1997.
Encryption. Statement of Louis J. Freeh, Director Federal Bureau of Investigation Before the Senate Judiciary Committee Hearing on Encryption United States Senate, Washington, D. C., July 9, 1997.
Protect Privacy Online:
Join the Golden Key Campaign!