EPIC surveys state of global encryption and snooping

Documents regulations, relaxations

Analysis

Efforts by governments to regulate encryption have largely been defeated, for three reasons: political action; a realisation that it was becoming increasingly impossible to enforce encryption controls; and most of all because of the rise of electronic commerce. The third annual report on the worldwide state of encryption, issued earlier this month by EPIC, the Electronic Privacy Information Center in Washington DC, documents the relaxations that have occurred, and gives a very interesting review of encryption regulation.

Although encryption has declined as a primary issue, there appears to be no relaxation of back-door security checking mechanisms for police and intelligence agencies. Easy key cracking has gone considerably beyond 64 bits, which had been allowed in some countries. With smart card encryption security compromised, as well as the RSA code, the next step is seen to be 2048-bit encryption. The present problems for hackers and spooks are not over whether encryption can be cracked, but how long it would take.

There have been several significant liberalisation steps recently, with perhaps the most significant being the US decision to relax encryption export regulations from January and the knock-on effect that this has had on other countries. Those countries that tried to enforce encryption controls, whether on trade or the compulsory depositing of encryption keys, have nearly all relaxed their policies, or are not enforcing them. In the UK, however, Home Secretary Jack Straw has called for more restrictions on cryptography. Countries that have the strongest desire to control encryption include many of the former Warsaw Pact countries, together with those with a troubled history of civil rights.

No international agreement

It has proved impossible to get any universal agreement about encryption, so the debate has taken place in a number of sub-universal bodies such as the OECD, the European Union, and the Council of Europe.
The civil rights aspect is considered to be covered by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. The OECD has produced its Guidelines on Cryptography Policy, which influenced the European Commission decision to support the unrestricted development of encryption products and services. Canada, Germany, Ireland and Finland were enthusiastic supporters. US pressure for the OECD to adopt key escrow was not successful. The European Commission has shown itself to be opposed to restrictions on encryption, and opposes any national controls being used in trade between member states. The G-8 industrialised countries adopted the OECD guidelines.

Enforcement of encryption laws could be by lawful access using encryption keys, or through forced disclosure, as in Singapore and Malaysia, for example. The Council of Europe, now with 40 member states, is working with the Computer Crime Division of the US Department of Justice with a view to producing a draft convention on computer crime by the end of this year. This will include provision for built-in wire tapping capabilities for all telecommunications and networking equipment. Nor is the work confined to European countries: apart from the USA, there is liaison with Canada, Japan, South Africa, UNESCO, and other agencies.

Key escrow or key recovery has generally fallen from favour, says the EPIC report, because key access systems introduced security weaknesses, costs were often high, and they could be circumvented. The demise of key escrow, which had been advocated by US envoy David Aaron, was precipitated when the Wassenaar Arrangement group rejected it at the end of 1998. This Group of 33 industrialised countries, which evolved from the cold-war COCOM, agreed to restrict "dual use" technology which could be used for peaceful and military purposes.
The weakness of the arrangement was that it was discretionary and not mandatory, so it was ultimately ineffective - especially as it did not apply to Web downloads.

Spooks still busy

Some countries have a strong desire to monitor human rights advocates - in Honduras and Paraguay for example - as well as groups such as journalists and political opposition party leaders, as happened in France where the Commission Nationale de Contrôle des Interceptions de Sécurité estimated that there were 100,000 intercepts a year. In the UK social activists, unions and civil liberties organisations have been monitored by the security services, as detailed in the 1998 STOA report of the European Parliament. The same report drew attention to the massive monitoring of worldwide communications by the US National Security Agency, via Echelon. In February it was claimed in the European Parliament that Echelon was also being used for economic espionage.

There was little demand for non-governmental encryption until secure electronic communication was required for business reasons, and encryption became a major issue as email replaced telephone calls in communications. Governments in certain countries had a strong desire to be able to monitor all communications as part of a stated desire to control dissidents, while individuals wanted privacy, especially for medical, financial and personal communications. A particular requirement by dissident groups was the need to ensure that messages were not altered in transit.

Countries that still have significant restrictions on the private use of encryption include much of the former Soviet Union, Burma, China, Pakistan, Tunisia, and Vietnam.

So far as the future is concerned, the EPIC report notes that police and intelligence organisations are seeking new powers to obtain encryption keys, and are getting increased budgets, so raising concerns about the expansion of surveillance and the need for public accountability.