EPIC surveys state of global encryption and snooping

Documents regulations, relaxations


Analysis Efforts by governments to regulate encryption have largely been defeated, for three reasons: political action; a realisation that it was becoming increasingly impossible to enforce encryption controls; and most of all because of the rise of electronic commerce.

The third annual report on the worldwide state of encryption, issued earlier this month by EPIC, the Electronic Privacy Information Center in Washington DC, documents the relaxations that have occurred, and gives a very interesting review of encryption regulation.

Although encryption has declined as a primary issue, there appears to be no relaxation of back-door security checking mechanisms for police and intelligence agencies. Easy key cracking has gone considerably beyond 64 bits, which had been allowed in some countries. With smart card encryption security compromised, as well as the RSA code, the next step is seen to be 2048-bit encryption. The present problems for hackers and spooks are not over whether encryption can be cracked, but how long it would take.

There have been several significant liberalisation steps recently, with perhaps the most significant being the US decision to relax encryption export regulations from January and the knock-on effect that this has had on other countries. Those countries that tried to enforce encryption controls, whether on trade or the compulsory depositing of encryption keys, have nearly all relaxed their policies, or are not enforcing them.

In the UK, however, Home Secretary Jack Straw has called for more restrictions on cryptography. Countries that have the strongest desire to control encryption include many of the former Warsaw Pact countries, together with those with a troubled history of civil rights.

No international agreement

It has proved impossible to get any universal agreement about encryption, so the debate has taken place in a number of sub-universal bodies such as the OECD, the European Union, and the Council of Europe.
The civil rights aspect is considered to be covered by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.

The OECD has produced its Guidelines on Cryptography Policy, which influenced the European Commission decision to support the unrestricted development of encryption products and services. Canada, Germany, Ireland and Finland were enthusiastic supporters. US pressure for the OECD to adopt key escrow was not successful. The European Commission has shown itself to be opposed to restrictions on encryption, and opposes any national controls being used in trade between member states. The G-8 industrialised countries adopted the OECD guidelines.

Enforcement of encryption laws could be by lawful access using encryption keys, or through forced disclosure, as in Singapore and Malaysia, for example.

The Council of Europe, now with 40 member states, is working with the Computer Crime Division of the US Department of Justice with a view to producing a draft convention on computer crime by the end of this year. This will include provision for built-in wire tapping capabilities for all telecommunications and networking equipment. Nor is the work confined to European countries: apart from the USA, there is liaison with Canada, Japan, South Africa, UNESCO, and other agencies.

Key escrow or key recovery has generally fallen from favour, says the EPIC report, because key access systems introduced security weaknesses, costs were often high, and they could be circumvented. The demise of key escrow, which had been advocated by US envoy David Aaron, was precipitated when the Wassenaar Arrangement group rejected it at the end of 1998. This Group of 33 industrialised countries, which evolved from the cold-war COCOM, agreed to restrict "dual use" technology which could be used for peaceful and military purposes.
The weakness of the arrangement was that it was discretionary and not mandatory, so it was ultimately ineffective - especially as it did not apply to Web downloads.

Spooks still busy

Some countries have a strong desire to monitor human rights advocates - in Honduras and Paraguay for example - as well as groups such as journalists and political opposition party leaders, as happened in France where the Commission Nationale de Contrôle des Interceptions de Securité estimated that there were 100,000 intercepts a year.

In the UK social activists, unions and civil liberties organisations have been monitored by the security services, as detailed in the 1998 STOA report of the European Parliament. The same report drew attention to the massive monitoring of worldwide communications by the US National Security Agency, via Echelon. In February it was claimed in the European Parliament that Echelon was also being used for economic espionage.

There was little demand for non-governmental encryption until secure electronic communication was required for business reasons, and encryption became a major issue as email replaced telephone calls in communications. Governments in certain countries had a strong desire to be able to monitor all communications as part of a stated desire to control dissidents, while individuals wanted privacy, especially for medical, financial and personal communications. A particular requirement by dissident groups was the need to ensure that messages were not altered in transit.

Countries that still have significant restrictions on the private use of encryption include much of the former Soviet Union, Burma, China, Pakistan, Tunisia, and Vietnam.

So far as the future is concerned, the EPIC report notes that police and intelligence organisations are seeking new powers to obtain encryption keys, and are getting increased budgets, so raising concerns about the expansion of surveillance and the need for public accountability.