By Mike Pereira
Over the past few months I have taken an interest in something called "encryption technology." I've until recently taken a passive interest in this area. I used to think high security sites, and encrypted documents were the stuff of Banks, Electronic Commerce, Large Corporations, and Spies! Several accounts have led me to think more on this issue. In my duties as Internet Commissioner of the University Students' Council of the University of Western Ontario I began to research into transmitting secure documents over the net and the possibility of setting up a secure Web server. The USC wanted some security in its correspondence, especially for its executive board. We also looked into obtaining a secure server for our Web server in order to conduct credit-card transactions over the net. I found out a few things in my research. First, getting your own secure server is very expensive. Most importantly, though, I began to see the importance of protecting sensitive documents and personal correspondence from external monitoring. Email, for example, is not very private at all. Sending an Email to someone may seem instantaneous, but the document one sends has a fantastic electronic journey through cyberspace. An Email posits a copy of itself in every server that came in contact with the Email in transit. When I send an Email to a friend with an account at AOL, for example, my Email is sent from my computer to Western's Julian server, then onto one of several routing servers, and finally into AOL's server to await download by the recipient. Most Email documents exist in plain text form, readable to all. If someone at Western with access to the mail server wanted to read what I sent out, they could. So could someone at AOL and anywhere along the way. Worse yet, some intercepting force can even set up a program that searches for "key words" within Email documents. If, for example, I talk about "corporate finance," a filter can flag my Email to be read if it contains those words. This brings to mind Gorge Orwell's 1984 - scary stuff. Then comes along encryption technology. I use a piece of software called Pretty Good Privacy (PGP). It uses "private/public key" encryption. Simply put, I use the program to electronically scramble my message with a complex mathematical algorithm generated by a password I enter. The resulting scrambled message is a garbled block of unintelligible text. It would take a super computer hours to unlock the message. Voila - instant privacy! The software works over Email by making me create a pass key. A key is a block of text generated by my software which I alone have a key to unlock. People I correspond with create pass keys of their own. We exchange those keys. I use the key of the person to whom I am sending the mail to scramble the messages I send them. I don't have the code to unlock the scrambled message, nobody does except the one who is supposed to receive it. The message is secure. When someone sends to me using my key to scramble the message up, I get the block of scrambled text, run it thorough my program, enter my password, and the message is unscrambled. Increasingly this technology is so powerful that governments and police agencies can incur great expense and time trying to crack encrypted material. This has lead to strict encryption laws in many countries. In the US, the FBI is putting pressure on the US government to place restrictions on the power of available encryption technology. This has lead to protests by many computer industry and civil rights groups. In Canada, we can consider ourselves fortunate to have a very liberal policy on the use of encryption. Privacy is something everyone is entitled to as a right.
What follows is a collection of material I find to relate to this issue.
Encryption Technology in this context is a means by which an individual can electronically hide, obfuscate, camouflage, encode, or authenticate the security of a document by means of verification. A person encrypts documents or electronic communications so that other unintended parties may not be privy to the information contained within that persons document. The paramount reason for this is the need for privacy and personal security. Privacy is a right. A group called the Global Internet Liberty Campaign are strong believers of this.
Here is an excerpt of their position:
The Importance of Cryptography
Emerging computer and communications technologies are radically altering the ways in which we communicate and exchange information. Along with the speed, efficiency, and cost-saving benefits of the "digital revolution" come new challenges to the security and privacy of communications and information traversing the global communications infrastructure.
In response to these challenges, the security mechanisms of traditional paper-based communications media -- envelopes and locked filing cabinets -- are being replaced by cryptographic security techniques. Through the use of cryptography, communication and information stored and transmitted by computers can be protected against interception to a very high degree. Until recently, there was little non-governmental demand for encryption capabilities. Modern encryption technology -- a mathematical process involving the use of formulas (or algorithms) -- was traditionally deployed most widely to protect the confidentiality of military and diplomatic communications.
With the advent of the computer revolution, and recent innovations in the science of encryption, a new market for cryptographic products has developed. Electronic communications are now widely used in the civilian sector and have become an integral component of the global economy. Computers store and exchange an ever-increasing amount of highly personal information, including medical and financial data. In this electronic environment, the need for privacy-enhancing technologies is apparent. Communications applications such as electronic mail and electronic fund transfers require secure means of encryption and authentication -- features that can only be provided if cryptographic know-how is widely available and unencumbered by government regulation.
Governmental regulation of cryptographic security techniques endangers personal privacy. Encryption ensures the confidentiality of personal records, such as medical information, personal financial data, and electronic mail. In a networked environment, such information is increasingly at risk of theft or misuse. In their "Resolution in Support of the Freedom to Use Cryptography," members of the Global Internet Liberty Campaign (GILC) noted that "the use of cryptography implicates human rights and matters of personal liberty that affect individuals around the world" and that "the privacy of communication is explicitly protected by Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, and national law." See Resolution in Support of the Freedom to Use Cryptography, September 25, 1996 (Appendix B).
Encryption and Human Rights
In many countries in the world, human rights organizations, journalists and political dissidents are the most common targets of surveillance by government intelligence and law enforcement agencies and other non-governmental groups. The U.S. Department of State, in its 1996 Country Reports on Human Rights Practices, reported widespread illegal or uncontrolled use of wiretaps by both government and private groups in over 90 countries. In some countries, such as Honduras and Paraguay, the state-owned telecommunications companies were active participants in helping the security services monitor human rights advocates. These problems are not limited to developing countries. French counter-intelligence agents wiretapped the telephones of
prominent journalists and opposition party leaders. The French Commission Nationale de Contrôle des Interceptions de Securité estimated that there are some 100,000 illegal taps conducted each year in France. There have been numerous cases in the United Kingdom which revealed that the British intelligence services monitor social activists, labor unions and civil liberties organizations. A recent UK bill was enacted that allows for the
surveillance of lawyers and priests. In Germany, a bill is currently pending that would allow, for the first time since the Nazi era, the ability to bug journalists' offices. The European Parliament issued a report in January 1998 revealing that the U.S. National Security Agency was conducting massive monitoring of European communications.
Many human rights groups currently use encryption to protect their files and communications from seizure and interception by the governments they monitor for abuses. These include Guatemala, Ethiopia, Haiti, Mexico, South Africa, Hong Kong and Turkey. Other groups such as Amnesty International USA also use cryptographic techniques to digitally sign messages that they send over the Internet to ensure that the messages are not altered in transmission.
Additional information on the use of encryption technology by international human rights organizations is contained in the briefing paper "Encryption in the Service of Human Rights," produced by Human Rights Watch (http://www.aaas.org/SPP/DSPP/CSTC/briefings/crypto/dinah.htm).
I found this current article on MSNBC - Here is an excerpt:
"Coalition to fight encryption policy Group will contest Clinton position via advertising campaign" By Brock N. Meeks, MSNBC
WASHINGTON, Feb. 24 -- A new coalition is forming to contest the White House policies on computer encryption. The group, called Americans for Computer Privacy, has recruited prominent lobbyists to push their cause on Capitol Hill and a media team to bring an expensive campaign into America's living room. Noticeably absent, however, are the civil liberties groups traditionally found at the forefront of the encryption debate.
AT ISSUE ARE proposals by the FBI, backed by the White House, that would mandate that every coded message place a "decoding key" with a third party. These "escrow keys" would then be made available to any law enforcement officer, foreign or domestic, in the course of a criminal investigation. The proposals also restrict what types of encryption products can be exported. Civil liberty and privacy groups say the proposals are a threat to privacy. And industry groups maintain that restricting encryption exports to only those products with a U.S. approved built-in decoding key will all but kill their efforts to capture a part of the multibillion dollar global market.
TAKING IT TO THE STREETS
The Americans for Computer Privacy, or ACP, plans a formal launch for
March 4, according to Sue Richards, a spokeswoman with the Dittus Group,
which is handling ACP's public relations. She said the coalition, whose
membership is not yet set, intends to draw in consumer and health-care
groups, privacy rights activists, human rights organizations and industry
players. The coalition has hired top political operatives with ties to
Democrats and Republicans to press its case with Congress. Jack Quinn,
former legal counsel to President Bill Clinton and now with the law firm
of Arnold & Porter, will act as legal adviser. Ed Gillespie, president
of Policy Impact Communications, will help shape political and public strategies.
And Goddard-Claussen, the advertising firm that created the "Harry and
Louise" commercials opposing the Clinton Health Care plan, will try to
make the arcane subject of encryption understandable to Americans. Mindshare
Internet Campaigns will handle the Web site and Internet lobbying duties.
"The bottom line is that this is not a computer issue, it's a consumer
issue, it's a health-care issue, it's a privacy issue, it's an economic
growth issue," said Gillespie, who will act as ACP's executive director.
Gillespie's challenge will be to put a human face on a complex issue. Encryption,
he says, matters to every American. "I think when members start to see
that and start to hear it from back home and start to understand it that
way, that it's going to move out of Congress and the administration will
reevaluate its policy," he said.
- From MSNBC
A friend of mine is studying in France on an exchange programme. We regularly correspond via Email. A topic of discussion of ours has been the tough anti-privacy stance of the French government. Out of curiosity I have compared Encryption policy in France to that of Canada. France's encryption, or should I say "anti-encryption" policy is almost as tough as that of China according to a survey conducted by the Global Internet Liberty Campaign (GILC).
The Embassy of France in Washington, D.C. informed us that the Service Central de la Sécurité des Systemes d'Information (SCSSI) is the regulatory body in France as far as cryptography is concerned.
SCSSI reports directly to the office of the Prime Minister of France. We contacted that agency in order to ascertain the laws on exports, imports, and domestic usage controls. No response was received.
The Commerce/NSA report states that "France has the most comprehensive cryptologic control and use regime in Europe, and possibly worldwide." On December 29, 1990, France enacted a new law (90-1170) regulating the telecommunications industry. Article 28 of the law specifically addresses encryption and adopts a control and export regime that is far more restrictive than that applied by Wassenaar and its predecessor, COCOM. The law, in order to "preserve the interests of national defense and of internal or external State security" regulates the "supply, export, or use of cryptologic methods or devices." Thus, although foreign cryptographic products may be imported into France without a license they may not be supplied to French users nor used in France without authorization by the Prime Minister.
Based on Decree 92-1358 of December 28, 1992, cryptographic equipment is separated into two categories. The first category includes equipment which "can have no other purpose than authenticating a communication or ensuring the integrity of a transmitted message." Such equipment requires the submission of a statement or declaration to SCSSI. SCSSI routinely allows the supply and use of authentication equipment for use within France and also for export with a minimum of red tape. However, the statement or declaration submitted for supply, use, or export of these devices must provide a "description of the security functions or mechanisms, including a detailed description of the cryptologic algorithm(s) (mathematical formulae) used and the system for the creation, development, and protection of the secret conventions; the software must be provided . . . in the source language."
The second category includes cryptographic methods or devices, which provide for the confidentiality of data or
transmissions and cryptologic analysis methods. Supply, use, or export of devices in this category requires prior authorization. The authorization, if provided, will either be a general authorization (i.e., an authorization to supply or export devices to any user) or a private use authorization which restricts supply, export, or use to specifically named individuals or communities. Data that is submitted by the supplier, user, or exporter in order to obtain such authorization is extensive. In general, the information submitted must "describe not only the algorithm for generating a sequence or pseudo-random block, but all the hardware or software facilities, transforming an intelligible plain signal into an unintelligible cryptogram, including generating keys, storing them, managing them, etc."
As far as importing and using cryptography in France is concerned, there are no restrictions on imports of encryption technology. However, the use and sales must be authorized either through a license application or by a declaration to the office of the Prime Minister, i.e., SCSSI. Users importing encryption software must register the encryption keys with the French government.
On June 18, 1996, the French legislature passed a new law on cryptography, Loi de réglementation des télécommunications , which amended the 1990 law. The law slightly liberalized the use of authentication-only encryption but also introduced the requirement for trusted third party (TTP) systems. However, the law was never enacted and the new Socialist government of Prime Minister Lionel Jospin seemed to change course on France's
strict policies on cryptography usage. On August 29, 1997, Industry Minister Christian Pierret said that France would liberalize its encryption policies. "This liberalization of encrypting technology will allow French companies to fully enter the market of electronic commerce currently dominated by U.S. companies," he said.
On July 8, 1997, Christian Pierret, the French Secretary of State for Industry, endorsed the communiqué of the European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers "will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect
applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework at European and international levels which ensures compatibility and creates confidence in digital signatures."
Ref: Embassy of France fax dated June 23, 1997. A Study of the International Market for Computer Software with Encryption , U.S. Department of Commerce and the National Security Agency, July 1995.
According to the Commerce/NSA report, the Export and Import Permits Act (EIPA), the Export Control List (ECL) and the Area Control List (ACL) are the mechanisms by which Canada controls exports. The EIPA authorizes the Government to exercise export controls to ensure that military or strategic goods are not exported to destinations representing a strategic threat to Canada. The Ministry of External Affairs is responsible for implementation of the act.
Canada was a member of COCOM and continues to adhere to the Wassenaar Arrangement. Canada has, therefore, issued guidelines for the exportof information security related equipment and technologies that are reflected in Group 1 of the Export Control List. Accordingly, export licenses are required for export to all
destinations except the United States. The Foreign Affairs Export Controls Division works closely with Canada's Communications Security Establishment (CSE), the NSA's Canadian SIGINT partner, regarding export decisions on cryptographic products. The Division stated that the CSE works closely with the NSA, the UK's Government Communications Headquarters (GCHQ), and Australia's DSD on cryptographic export policies.
There are no import controls imposed by Canada and there are no laws restricting the private use of cryptography. Canada's homologation regulations require that cryptographic equipment conform to public network technical requirements.
Ref: A Study of the International Market for Computer Software with Encryption , U.S. Department of Commerce and the
National Security Agency, July 1995.
Here are some Internet Sites relating to Encryption and Privacy.
SITES:
http://www.computerprivacy.org/
Compiled by Mike Pereira, February 1998