The Walsh report - Chapter 5

CHAPTER 5

STRIKING A BALANCE

5.1      A Matter of Proportion

5.1.1      There is a broad split among the advanced industrialised countries of the world between those where governments have taken policy initiatives concerning cryptography and those who have simply watched developments. Even at this stage, it is an instructive question to ask whether the latter have suffered any disadvantage from a law enforcement, national security or privacy point of view. The answer seems to be an emphatic negative.

5.1.2      The moral authority of government is easily exhausted in treating such a public policy issue and more quickly if this is done in less than candid and even-handed fashion. As this report noted at its commencement, the issues touch on the central relationship between the individual and the state and there is need to ensure government is not substituted for state in that context. To attempt to play a modern-day Canute, as those who seek to ban unrestricted access to the Internet and restrict imports of encryption materials have done, is simply futile in an age of seamless communication and electronic marketplaces. Those like the United States and Great Britain who have urged so strongly their preferred positions on the international stage, eventually announcing them in the middle of 1996 as official policy, appear to have viewed the issue as primarily a security and law enforcement issue and secondarily a privacy issue. The British Government, curiously, stated early in its paper that the policy had been decided on after detailed discussion between Government departments, adding in the final paragraph that formal consultation will be undertaken prior to the introduction of legislative proposals. 56

5.1.3      In the United States, the Department of Justice and the FBI early moved into the van and never retired from that position. Whatever may have been their original intention, the impression given is they have sought to dominate public discussion of the issue. The British Government showed a little more finesse in its campaign strategy with the Department of Trade and Industry formally picking up the torch.

5.1.4      The consequence of these 'transparent' efforts by the law enforcement and security communities in those countries, supported by some academics and advocates who have argued the cause of data retrieval or sketched images of unbridled terrorism and organised crime, is the sizeable suspicion that the key management proposals are intended primarily to benefit their sponsors. Privacy advocates and guardians, electronic commerce, offices of budget and management within government, the IT industry itself have not been as effective in their advocacy though, arguably, they have more at stake.

5.1.5      Strong support for the broad policy position taken by the present Australian Government, and its predecessor, was evident through the Review consultations. In view of the continuous rate of change, technology development and changing cost structures, there is much to be said for watching developments. None argued prescription, much less the mandating of requirements, was a useful approach. And while one or two might see cryptography as a rare opportunity to cock a snook at the state, there was general recognition that as a community we must address the looming problem in the law enforcement and national security areas. What can we do?

5.1.6      It would be sensible now to generate a more informed and broader discussion of the situation in the Australian community. Those consulted almost universally presumed the outcome of this Review would be used as a trigger in that process. While the tax evaders and black economy participants may rub their hands in glee at the comfort encryption may afford them, the majority are likely to treat the matter seriously, recognising the loss of the law enforcement function across a range of fields such as narcotics and counter-terrorism and further restriction of the funds available for public works, community services and health care will affect the type of society we enjoy and hope to leave to our children. In today's context, any ideal outcome based on a key management system advocated elsewhere or an amalgam of various systems could too easily be circumvented by organised crime or terrorists with reasonable capability and the intention to shield their plans from the investigative agencies of the state. As such systems are primarily intended to meet the needs of public safety, it would be futile to impose requirements which are costly and/or which have a harmful privacy impact but which fail to address their fundamental purpose.

5.1.7      The approach of this Review is to strike a balance: to ensure the extant powers of law enforcement and national security agencies to access and intercept are relevant, to recommend a modest increase to those investigative powers, to afford some greater protection to their high risk activities and to acknowledge the benefit which encryption will bring to people and corporations in securing their data. The Commonwealth Privacy Act 1988 remains the only information privacy law in Australia with legally binding rules. 57 This statute implemented Australia's commitment to take the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data into account in domestic legislation. 58 The Government has stated its intention of extending the application of the Privacy Act, which regulates Commonwealth government agencies and all users of consumer credit information and tax file numbers, to the private sector. 59 There would be much sense in avoiding, particularly during the period until legislation is introduced into the parliament, a perception that the privacy of the whole community was to be constrained to address a small sector need. This would leave the government better placed to act or intervene legislatively, if that should later be required.

5.1.8      As at October 1996, no 'magic' solution to this problem was in prospect. There is yet a short time available. The impact of encryption on the totality of law enforcement and national security interests in Australia remains fairly negligible, though the problem is only as far away as tomorrow. What should be done in the interval? Government should continue to monitor the situation and study the experience of others, as the practices eventually adopted by major players such as the European Union, the United States and the OECD will have trans-national impact. There are some practical steps both to strengthen and maintain the investigative capability of law enforcement and national security which should be undertaken and some greater protection given to the covert operational methods of law enforcement and national security agencies. These are discussed in more detail in Chapter 6.

5.1.9      The Privacy Commissioner, the New South Wales Anti-Discrimination Board and various lawyers and academics with a strong interest in privacy issues were concerned there should be no diminution of the stringent program of oversight and accountability where intrusive powers were exercised. 60 I concur entirely with that attitude. A view seemed to emerge that the Commonwealth's oversight and accountability arrangements were more effective than those of the States. The Review found general support for the approach of increasing, to some small degree, the warranted intrusive powers directed against persons the subject of serious investigations, rather than imposing a penalty on the whole community by attempting, in vain fashion, to limit or control the use of encryption.

5.1.10 Some consideration was given to the idea that the department vested with the driving and coordination function on cryptography policy might ensure Ministers were kept abreast of developments overseas and the changing situation and requirements for Australia. On reflection, it was felt this function would more effectively be discharged by a further review, on terms similar to this one. There is need for that degree of detachment in the conduct of a review so that all views may be garnered and synthesised into policy options. This is more readily extended to a reviewer than an official with daily responsibility for elements of the policy. A time of late 1997 would allow for the passage of 12 months since this review, a significant period of technological development, some experience of a deregulated telecommunications market and any impact on law enforcement and national security, the preparation by the AFP of the proposed submission on the impact of the loss of real-time access to voice and data communications 61, the conclusion of the OECD drafting exercise and legislative proposals being brought forward in Britain and the United States.

5.2      Export Controls

5.2.1      The Review was invited to examine the effectiveness of Australia's export controls on encryption technology. How this issue might be addressed depends very much on the interest being espoused. As the Review moved among its primary catchment area, parties representing privacy, law enforcement or national security interests, it was apparent no uniform judgement could be made. Few who spoke to the Review thought the issue of Australia's export controls could be divorced from the export controls of the United States. That the United States was but one of a number of signatory countries, first to COCOM and more recently to the Wassenaar agreement, seems generally to be ignored. Its super-power status and position as the principal global software manufacturer prompt an identification of those agreements with the national interest of the United States.

5.2.2      The Australian government effects controls on the export of defence and related goods through the Customs Act 1901, the Customs (Prohibited Exports) Regulations and the guidelines Australian Controls on the Export of Defence and Related Goods - Guidelines for Exporters, issued in March 1994, and the Australian Controls on the Export of Technology With Civil and Military Applications - A Guide for Exporters and Importers, issued in November 1994. The controls specify a range of cryptography products, such as cryptographic equipment, software controlling the function of cryptographic equipment, computers performing such functions, mechanical bits and pieces used in these processes and applications software for such purposes.

5.2.3      The context of the controls makes it clear the government encourages the export of defence and related goods where these do not conflict with the national interest or Australia's external obligations. The Strategic Trade Policy and Operations Section of the Department of Defence considers export applications and makes recommendations on them. It also works closely with manufacturers, where possible, to advise on products and applications eligible for export.

5.2.4      From the vantage point of the Defence Department, and the Review's terms of reference require particular regard be paid to national security and defence interests, the principal defensive goal of export controls is the prevention of the proliferation of 'strong' encryption. Various commentators thought Australia's export controls may have had some effect in this regard though they suspected American export controls have much the greater impact. A claimed by-product or secondary benefit is that export controls may have aided the Australian cryptographic industry, enabling it to export and market more competitively in the region. This claim, couched in the subjunctive tense, was disputed by many but does not bear on the primary defensive goal of export controls.

5.2.5      From a strategic perspective of the IT industry in Australia, changes to United States export controls, certainly changes of the order advocated in the Republican bills before the Congress, were considered deleterious by sections of industry. This view was based on the premise that all strategic decisions of the industry have been predicated on the expectation that export controls, Australian and American, would not significantly vary. The more controlled relaxation of export controls announced by the United States Vice-President on 1 October 1996 marks a departure from that planning base but is less extreme than some have advocated. 62

5.2.6      There were, however, more particular indications of a negative side to export controls. Software and hardware manufacture is dominated by the United States, so business, IT or otherwise, has to ensure product compatibility when buying products. It was said, almost uniformly, Australian products tended to be more expensive (from small amounts to some thousands of dollars), less convenient (US software applications may be purchased in thousands of shops but hunting is often required to find the Australian equivalent) and problems of compatibility frequently arise with systems geared to American products and applications. Major banks have the capacity to step around this problem and purchase off-shore.

5.2.7      When particular judgements were offered about the impact of United States export controls, the point was always made that the United States was one of a considerable number of countries linked first under COCOM and more recently under the Wassenaar agreement and should not, therefore, be viewed as acting alone. This was uniformly countered with the view that the United States position as a military and economic super-power, combined with its dominant position in the software production market, gave it the critical voice in any grouping to which it belonged or sponsored.

It has to be said the continuing validity of export controls as a defensive strategy is open to question when import controls do not exist in most countries, where firms in countries covered by multi-lateral agreements on the proliferation of cryptography are able to circumvent United States' or Australia's export controls and buy the software of their choice in Asia or Europe and when easy access to the Internet is available to all.

5.2.8      Some irritation was expressed with the export licence system. Certainly, there was appreciation that 'continuing licences' had been introduced by DSD, enabling manufacturers to export to foreign countries or specified companies for a 12 month period, without reference back to the Directorate.

5.2.9      It is a truism to note that research and development take time. A strong view was put to the Review by the IT industry that incentives to undertake R&D in Australia are diminishing and likely to continue to do so. Even without the pressure which a relaxation of US export controls would cause, a migration of both technology and the research and development effort from Australia is likely. Any amelioration of the export control regime would likely hasten that trend.

5.2.10      A common banking industry view was that while Australian encryption products were always available, they did not always meet business needs. American products normally offered functionality, but their availability was frequently uncertain. End user licensing is seen as a problem for banks as the purpose is often wider than the commercial transaction and any part-escrowing of keys would render the system insecure. Consequently, banks are sometimes forced to rewrite software or undertake substantial work to link or cause to interface two separate products. Because some of these couplings are 'unnatural', the expected productivity benefits are reduced.

5.2.11      One consequence of the abolition of US export controls or substantial contraction of them is likely to be an outbreak of a condition which might be termed 'key length envy' - the assumption that by simply lengthening the key a greater degree of security is obtained. Of itself this contention is simplistic. What matters is the key space, or the pool from which keys are drawn, the soundness of the operating system and the operator's procedures. Providing the algorithm is sound, the operating standards are high and functionality is not adversely affected, a longer key will offer more security than a shorter one. Key length estimates are normally geared to what is required in 20 years' time and that is considered adequate protection against concerted efforts to discover them. There is a general wariness in some business circles of the enormous amount of idle time which exists for the computing power of large-scale corporations and the purposes to which that power might be put, but that, as they say, is another story.

Footnotes:

56 Paper on Regulatory Intent Concerning Use of Encryption on Public Networks, issued by the Department of Trade and Industry, London, 11 June 1996, paragraph 2 and paragraph 16. See Annex D.

57 Nigel Waters, 'Street Surveillance and Privacy' in Privacy Law & Policy Reporter, Vol 3, No 3, June 1996, p 49.

58 The OECD Guidelines are attached as Annex E to this report.

59 A discussion paper to this effect was issued by the Attorney-General in September 1996.

60 While these views have been made clear in publications and writings, they were repeated to the Review during discussions in Sydney on 10-11 July 1996.

61 See finding 1.2.19.

62 The United States Vice President's statement on encryption is set out in Annex F.


