EPIC surveys state of global encryption and snooping
Documents regulations, relaxations
Analysis

Efforts by governments to regulate encryption have largely been defeated, for three reasons: political action; a realisation that it was becoming increasingly impossible to enforce encryption controls; and, most of all, the rise of electronic commerce. The third annual report on the worldwide state of encryption, issued earlier this month by EPIC, the Electronic Privacy Information Center in Washington DC, documents the relaxations that have occurred and gives a very interesting review of encryption regulation.

Although encryption has declined as a primary issue, there appears to be no relaxation of back-door security checking mechanisms for police and intelligence agencies. Practical key cracking has moved well beyond 64 bits, a key length that some countries had permitted. With smart card encryption security compromised, as well as the RSA code, the next step is seen to be 2048-bit encryption. The question for hackers and spooks is no longer whether encryption can be cracked, but how long it would take.

There have been several significant liberalisation steps recently, perhaps the most significant being the US decision to relax encryption export regulations from January and the knock-on effect that this has had on other countries. Those countries that tried to enforce encryption controls, whether on trade or on the compulsory depositing of encryption keys, have nearly all relaxed their policies or are not enforcing them. In the UK, however, Home Secretary Jack Straw has called for more restrictions on cryptography. Countries with the strongest desire to control encryption include many of the former Warsaw Pact countries, together with those with a troubled history of civil rights.

No international agreement

It has proved impossible to get any universal agreement about encryption, so the debate has taken place in a number of sub-universal bodies such as the OECD, the European Union and the Council of Europe. The civil rights aspect is considered to be covered by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. The OECD has produced its Guidelines on Cryptography Policy, which influenced the European Commission decision to support the unrestricted development of encryption products and services. Canada, Germany, Ireland and Finland were enthusiastic supporters. US pressure for the OECD to adopt key escrow was not successful. The European Commission has shown itself to be opposed to restrictions on encryption, and opposes any national controls being used in trade between member states. The G-8 industrialised countries adopted the OECD guidelines.

Enforcement of encryption laws could be by lawful access using encryption keys, or through forced disclosure, as in Singapore and Malaysia, for example. The Council of Europe, now with 40 member states, is working with the Computer Crime Division of the US Department of Justice with a view to producing a draft convention on computer crime by the end of this year. This will include provision for built-in wire-tapping capabilities in all telecommunications and networking equipment. Nor is the work confined to European countries: apart from the USA, there is liaison with Canada, Japan, South Africa, UNESCO and other agencies.

Key escrow or key recovery has generally fallen from favour, says the EPIC report, because key access systems introduced security weaknesses, costs were often high, and they could be circumvented. The demise of key escrow, which had been advocated by US envoy David Aaron, was precipitated when the Wassenaar Arrangement group rejected it at the end of 1998. This group of 33 industrialised countries, which evolved from the cold-war COCOM, agreed to restrict "dual use" technology that could be used for both peaceful and military purposes. The weakness of the arrangement was that it was discretionary rather than mandatory, so it was ultimately ineffective - especially as it did not apply to Web downloads.

Spooks still busy

Some countries have a strong desire to monitor human rights advocates - in Honduras and Paraguay, for example - as well as groups such as journalists and political opposition party leaders, as happened in France, where the Commission Nationale de Contrôle des Interceptions de Sécurité estimated that there were 100,000 intercepts a year. In the UK, social activists, unions and civil liberties organisations have been monitored by the security services, as detailed in the 1998 STOA report of the European Parliament. The same report drew attention to the massive monitoring of worldwide communications by the US National Security Agency via Echelon. In February it was claimed in the European Parliament that Echelon was also being used for economic espionage.

There was little demand for non-governmental encryption until secure electronic communication was required for business reasons, and encryption became a major issue as email replaced telephone calls. Governments in certain countries had a strong desire to be able to monitor all communications as part of a stated aim of controlling dissidents, while individuals wanted privacy, especially for medical, financial and personal communications. A particular requirement of dissident groups was the need to ensure that messages were not altered in transit. Countries that still have significant restrictions on the private use of encryption include much of the former Soviet Union, Burma, China, Pakistan, Tunisia and Vietnam.

So far as the future is concerned, the EPIC report notes that police and intelligence organisations are seeking new powers to obtain encryption keys and are getting increased budgets, raising concerns about the expansion of surveillance and the need for public accountability.