Feeds

EPIC surveys state of global encryption and snooping

Documents regulations, relaxations

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Analysis Efforts by governments to regulate encryption have largely been defeated, for three reasons: political action; a realisation that it was becoming increasingly impossible to enforce encryption controls; and most of all because of the rise of electronic commerce. The third annual report on the worldwide state of encryption, issued earlier this month by EPIC, the Electronic Privacy Information Center in Washington DC, documents the relaxations that have occurred, and gives a very interesting review of encryption regulation. Although encryption has declined as a primary issue, there appears to be no relaxation of back-door security checking mechanisms for police and intelligence agencies. Easy key cracking has gone considerably beyond 64 bits, which had been allowed in some countries. With smart card encryption security compromised, as well as the RSA code, the next step is seen to be 2048-bit encryption. The present problems for hackers and spooks are not over whether encryption can be cracked, but how long it would take. There have been several significant liberalisation steps recently, with perhaps the most significant being the US decision to relax encryption export regulations from January and the knock-on effect that this has had on other countries. Those countries that tried to enforce encryption controls, whether on trade or the compulsory depositing of encryption keys, have nearly all relaxed their policies, or are not enforcing them. In the UK, however, Home Secretary Jack Straw has called for more restrictions on cryptography. Countries that have the strongest desire to control encryption include many of the former Warsaw Pact countries, together with those with a troubled history of civil rights. No international agreement It has proved impossible to get any universal agreement about encryption, so the debate has taken place in a number of sub-universal bodies such as the OECD, the European Union, and the Council of Europe. The civil rights aspect is considered to be covered by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. The OECD has produced its Guidelines on Cryptography Policy, which influenced the European Commission decision to support the unrestricted development of encryption products and services. Canada, Germany, Ireland and Finland were enthusiastic supporters. US pressure for the OECD to adopt key escrow was not successful. The European Commission has shown itself to be opposed to restrictions on encryption, and opposes any national controls being used in trade between member states. The G-8 industrialised countries adopted the OECD guidelines. Enforcement of encryption laws could be by lawful access using encryption keys, or through forced disclosure, as in Singapore and Malaysia, for example. The Council of Europe, now with 40 member states, is working with the Computer Crime Division of the US Department of Justice with a view to producing a draft convention on computer crime by the end of this year. This will include provision for built-in wire tapping capabilities for all telecommunications and networking equipment. Nor is the work confined to European countries: apart from the USA, there is liaison with Canada, Japan, South Africa, UNESCO, and other agencies. Key escrow or key recovery has generally fallen from favour, says the EPIC report, because key access systems introduced security weaknesses, costs were often high, and they could be circumvented. The demise of key escrow, which had been advocated by US envoy David Aaron, was precipitated when the Wassenaar Arrangement group rejected it at the end of 1998. This Group of 33 industrialised countries, which evolved from the cold-war COCOM, agreed to restrict "dual use" technology which could be used for peaceful and military purposes. The weakness of the arrangement was that it was discretionary and not mandatory, so it was ultimately ineffective - especially as it did not apply to Web downloads. Spooks still busy Some countries have a strong desire to monitor human rights advocates - in Honduras and Paraguay for example - as well as groups such as journalists and political opposition party leaders, as happened in France where the Commission Nationale de Contrôle des Interceptions de Securité estimated that there were 100,000 intercepts a year. In the UK social activists, unions and civil liberties organisations have been monitored by the security services, as detailed in the 1998 STOA report of the European Parliament. The same report drew attention to the massive monitoring of worldwide communications by the US National Security Agency, via Echelon. In February it was claimed in the European Parliament that Echelon was also being used for economic espionage. There was little demand for non-governmental encryption until secure electronic communication was required for business reasons, and encryption became a major issue as email replaced telephone calls in communications. Governments in certain countries had a strong desire to be able to monitor all communications as part of a stated desire to control dissidents, while individuals wanted privacy, especially for medical, financial and personal communications. A particular requirement by dissident groups was the need to ensure that messages were not altered in transit. Countries that still have significant restrictions on the private use of encryption include much of the former Soviet Union, Burma, China, Pakistan, Tunisia, and Vietnam. So far as the future is concerned, the EPIC report notes that police and intelligence organisations are seeking new powers to obtain encryption keys, and are getting increased budgets, so raising concerns about the expansion of surveillance and the need for public accountability. ® Related Stories Gates, Gerstner help NSA snoop - Congressman RSA-155 code cracked France braces for smart card fraud onslaught

Providing a secure and efficient Helpdesk

More from The Register

next story
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Lords take revenge on REVENGE PORN publishers
Jilted Johns and Jennies with busy fingers face two years inside
Yes, yes, Steve Jobs. Look what I'VE done for you lately – Tim Cook
New iPhone biz baron points to Apple's (his) greatest successes
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.