
EPIC surveys state of global encryption and snooping

Documents regulations, relaxations


Analysis

Efforts by governments to regulate encryption have largely been defeated, for three reasons: political action; a realisation that it was becoming increasingly impossible to enforce encryption controls; and most of all because of the rise of electronic commerce.

The third annual report on the worldwide state of encryption, issued earlier this month by EPIC, the Electronic Privacy Information Center in Washington DC, documents the relaxations that have occurred, and gives a very interesting review of encryption regulation. Although encryption has declined as a primary issue, there appears to be no relaxation of back-door security checking mechanisms for police and intelligence agencies.

Easy key cracking has gone considerably beyond 64 bits, which had been allowed in some countries. With smart card encryption security compromised, as well as the RSA code, the next step is seen to be 2048-bit encryption. The present problems for hackers and spooks are not over whether encryption can be cracked, but how long it would take.

There have been several significant liberalisation steps recently, with perhaps the most significant being the US decision to relax encryption export regulations from January and the knock-on effect that this has had on other countries. Those countries that tried to enforce encryption controls, whether on trade or the compulsory depositing of encryption keys, have nearly all relaxed their policies, or are not enforcing them. In the UK, however, Home Secretary Jack Straw has called for more restrictions on cryptography. Countries that have the strongest desire to control encryption include many of the former Warsaw Pact countries, together with those with a troubled history of civil rights.

No international agreement

It has proved impossible to get any universal agreement about encryption, so the debate has taken place in a number of sub-universal bodies such as the OECD, the European Union, and the Council of Europe. The civil rights aspect is considered to be covered by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.

The OECD has produced its Guidelines on Cryptography Policy, which influenced the European Commission decision to support the unrestricted development of encryption products and services. Canada, Germany, Ireland and Finland were enthusiastic supporters. US pressure for the OECD to adopt key escrow was not successful. The European Commission has shown itself to be opposed to restrictions on encryption, and opposes any national controls being used in trade between member states. The G-8 industrialised countries adopted the OECD guidelines.

Enforcement of encryption laws could be by lawful access using encryption keys, or through forced disclosure, as in Singapore and Malaysia, for example.

The Council of Europe, now with 40 member states, is working with the Computer Crime Division of the US Department of Justice with a view to producing a draft convention on computer crime by the end of this year. This will include provision for built-in wire tapping capabilities for all telecommunications and networking equipment. Nor is the work confined to European countries: apart from the USA, there is liaison with Canada, Japan, South Africa, UNESCO, and other agencies.

Key escrow or key recovery has generally fallen from favour, says the EPIC report, because key access systems introduced security weaknesses, costs were often high, and they could be circumvented. The demise of key escrow, which had been advocated by US envoy David Aaron, was precipitated when the Wassenaar Arrangement group rejected it at the end of 1998. This Group of 33 industrialised countries, which evolved from the cold-war COCOM, agreed to restrict "dual use" technology which could be used for peaceful and military purposes. The weakness of the arrangement was that it was discretionary and not mandatory, so it was ultimately ineffective - especially as it did not apply to Web downloads.

Spooks still busy

Some countries have a strong desire to monitor human rights advocates - in Honduras and Paraguay for example - as well as groups such as journalists and political opposition party leaders, as happened in France where the Commission Nationale de Contrôle des Interceptions de Securité estimated that there were 100,000 intercepts a year.

In the UK social activists, unions and civil liberties organisations have been monitored by the security services, as detailed in the 1998 STOA report of the European Parliament. The same report drew attention to the massive monitoring of worldwide communications by the US National Security Agency, via Echelon. In February it was claimed in the European Parliament that Echelon was also being used for economic espionage.

There was little demand for non-governmental encryption until secure electronic communication was required for business reasons, and encryption became a major issue as email replaced telephone calls in communications. Governments in certain countries had a strong desire to be able to monitor all communications as part of a stated desire to control dissidents, while individuals wanted privacy, especially for medical, financial and personal communications. A particular requirement by dissident groups was the need to ensure that messages were not altered in transit.

Countries that still have significant restrictions on the private use of encryption include much of the former Soviet Union, Burma, China, Pakistan, Tunisia, and Vietnam.

So far as the future is concerned, the EPIC report notes that police and intelligence organisations are seeking new powers to obtain encryption keys, and are getting increased budgets, so raising concerns about the expansion of surveillance and the need for public accountability.
®
