Crypto Politics
Last Updated: 24 February 2001
"I went to the store the other day to buy a bolt for our front door, for as I told the storekeeper, the governor was coming here. 'Aye,' said he, 'and the Legislature too.' 'Then I will take two bolts,' said I. He said that there had been a steady demand for bolts and locks of late, for our protectors were coming."
Historically, cryptography was for many years the exclusive domain of national security agencies and the military. Even though strong cryptographic algorithms are now in the public domain, governments persist with restrictive policies on the use and export of cryptography products. Until the cryptography policy debate is resolved, privacy and security on the Internet remain hostage to outdated regulations from the Cold War era that threaten privacy and security online.
This page provides an update on the state of play of Crypto Politics in Australia, the OECD, the USA and the U.K.
The References section provides links to sources of additional information.
Australia
Australian Crypto Export Restrictions
Australian regulations ban cryptography exports, claiming responsibilities as a party to the Wassenaar Arrangement. However, an export license can be obtained on application to the Department of Defence. The conditions of such a license are not openly stated, and at least one Australian software company has been refused a license. Even public domain software such as PGP requires a license, since Australia does not acknowledge the General Software Note waiver under the Wassenaar Arrangement, which is allowed in most countries to permit the export of mass market and public domain crypto software.
In August 1998, EFA released a Cryptography FAQ (Frequently Asked Questions) concerning Australian crypto policy. This FAQ exposes the reality of Australian controls over encryption, much of which is information that is not widely known.
The government approach to crypto policy generally in Australia is very much along the lines of US policy. Although key escrow has been raised as an issue in some circles here, it has not formed part of any government policy as yet. However, it is known that the Defence Signals Directorate, which evaluates export license applications, encourages applicants who are able to provide key escrow or key recovery facilities in their products.
However, the policy of the current Coalition government states:
With the development of extensive electronic commerce networks, this issue has a commercial security dimension as well. Encryption technology is essential to electronic commerce. Transactions will not be initiated unless people are confident that personal and financial information is protected from unauthorised interception. Heavy-handed attempts to ban strong encryption techniques will compromise commercial security, discouraging online service industries (particularly in the financial sector) from adopting Australia as a domicile. This would result in a substantial economic loss to the country.
The Australian regulations on cryptographic export controls can be found in the Customs (Prohibited Exports Regulations) - Schedule 13E and the Customs Act 1901 Section 112 (Prohibited Exports). Actual details of items prohibited under this legislation are listed in Australian Controls on the Export of Defence and Strategic Goods. Crypto software is identified under Part 3, Category 5/2 of these controls. (The documents are provided in PDF and Word format.)
In July 1998, EFA launched a campaign aimed at bringing the crypto controls debate into the public arena. See the Campaign page for more information.
In December 1998 the 33 Wassenaar signatory nations, meeting in Vienna in plenary session, agreed to new controls over the export of mass market software. In June 1999, Australia issued a new Defence and Strategic Goods List (DSGL) as a result of the Wassenaar changes. The new list appears to incorporate the 1998 Wassenaar list verbatim.
The Walsh Report
This report was released by EFA in 1997 after we obtained it under a Freedom of Information Act application. A brief history follows:
In February 1997, the Commonwealth Attorney-General's Department put a hold on the public release of the Walsh Report, an important review of cryptography policy.
The report, entitled Review of policy relating to encryption technologies, is the outcome of a study conducted in 1996 by Gerard Walsh, a former deputy director-general of ASIO. Publication of the report was eagerly awaited by members of the law enforcement community, other government departments, commerce, and the online community. It was expected that the report would examine the various issues in the cryptography debate and encourage further comment and consultation.
The report was listed for sale by the Australian Government Publishing Service in January 1997, but was hurriedly withdrawn from the list 3 weeks later, following EFA's enquiry as to why it was listed yet unobtainable from AGPS outlets. The original intention was to allow for a 3-month consultation period for public comment. EFA then released a Media Statement calling for the release of the report.
In March 1997, EFA lodged an FOI request for a copy of the report. This was initially denied but a censored version of the report was subsequently released after a request for review of the original decision was lodged. The report was then published online by EFA.
In January 1999, a complete copy of the report was obtained, allowing a unique opportunity to examine the censored sections in the original release. The full publication was then made available online with the censored sections highlighted in red.
This is an important review of encryption policy which has generated international interest. It takes a balanced look at the issues and casts strong doubts on the workability and desirability of key escrow/key recovery policies.
OECD
On 27 March 1997 the Organization for Economic Cooperation and Development (OECD) released Cryptography Policy Guidelines. The guidelines reject key escrow and recommend voluntary, market driven development of crypto products. The OECD member countries also emphasized privacy protection, user confidence, and recommended removal of restrictions on cryptography. The Media Release announcing the guidelines contains additional explanatory information. Although the OECD has no formal authority, it is hoped that the guidelines will allow the development of a unified international framework for the use of cryptography.
The Australian Government announced in the Prime Minister's industry statement of December 1997 that it would be adopting the OECD guidelines.
In September 1996, EPIC and other groups sponsored a conference to educate the OECD on the public and technical views on cryptography policy.
Immediately prior to this conference, EFA joined many of the world's leading human and cyber rights organizations in signing a resolution supporting unrestricted use of cryptography. The resolution notes that the use of cryptography implicates human rights and matters of personal liberty that affect individuals around the world, and that the privacy of communication is explicitly protected by Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights.
USA
The US government has been one of the world's strongest proponents of tight restrictions on cryptography, and has pushed strongly for various Key Escrow proposals (widely known as Clipper after the initial proposal for a Clipper chip which incorporated a built-in government-mandated key escrow feature). The US government has also strongly resisted demands from business and the software industry for loosening of cryptography export controls, which are among the most restrictive in the world.
New US Export Regulations
On December 30, 1996 the White House released new regulations on the export of cryptography, although many claim that they differ little from the previous restrictions. Jurisdiction for controls has been moved from the State Department to the Commerce Department. Key escrow and key recovery products are given favourable treatment under this policy. Several companies have now obtained licenses under these new regulations, including one company which has been permitted to export a product using a 128-bit key, for an application limited to the transfer of specific financial information.
Bernstein Challenge on Constitutional Grounds
On December 18, US District Court Judge Patel ruled in the Bernstein case that current restrictions on exports of cryptography violate the First Amendment. On December 30, Professor Bernstein asked the Government to agree to delay enforcement of the new regulations while Judge Patel reviews them for Constitutionality. Failing that, Bernstein asked the court for a temporary restraining order to block their enforcement.
Karn Challenge to Export Regulations
In another challenge to US export restrictions on algorithms, oral arguments in the Karn v. State case were heard by the US Court of Appeals for the DC Circuit in January 1997. EPIC, ACLU, the Internet Society and USACM filed an Amicus brief supporting free use of cryptography.
Proposed Congress Bill
On January 28 1997, Senators Conrad Burns, Patrick Leahy, and Ron Wyden announced that they will re-introduce the Promotion of Commerce Online in the Digital Era (Pro-CODE) bill. The bill, which attracted significant bi-partisan support last year, would relax export controls on encryption technologies and promote the widespread availability of strong, easy-to-use privacy and security technologies.
U.K.
In March 1997, the British Government's Department of Trade and Industry published proposals on licensing encryption services which run counter to the recently announced OECD Cryptography Policy Guidelines. The effect of the UK proposals would be to:
- mandate key escrow.
- require licenses for any service involving key management, key recovery, key certification, key storage, message integrity (through the use of digital signatures), key generation, time stamping, or key revocation services.
- ban public domain encryption systems such as PGP.
The Government invited comments on this paper and the major cyber-rights organisations around the world, including EFA, published a press release and letter to DTI protesting about the proposal.
In July 1998, DTI published an Industry White Paper on Export Controls which proposes to extend export controls to include intangibles (see section 3.2). This proposal has attracted a great deal of opposition, particularly from the UK crypto research community.
References
Sources of additional information on Crypto Politics.
Australia
EFA's Frequently Asked Questions (FAQ) on Australian crypto policy - August 1998.
Review of policy relating to encryption technologies - the Walsh Report.
Commonwealth Attorney-General's Department 1996.
http://www.efa.org.au/Issues/Crypto/Walsh/
Distributing encryption software by the Internet: Loopholes in Australian export controls.
Patrick Gunning, Mallesons Stephen Jacques, 1998.
http://www2.austlii.edu.au/itlaw/articles/Gunning_Encryption.html
Prime Minister's Industry Statement, Dec. 1997
committing Australia to adopting the OECD Guidelines
http://www.dist.gov.au/growth/html/infoage.html
The Federal Coalition's Australia Online pre-election policy on privacy and commercial security.
http://www.liberal.org.au/ARCHIVES/ONLINE/online.htm
Australian Information Industry Association (AIIA) Encryption Policy, July 1998.
ACS Welcomes IFIP Position on Cryptography October 1997.
Encryption and the Global Information Infrastructure - An Australian Perspective - Steve Orlowski, Assistant Director, Security Management, Commonwealth Attorney-General's department, Cryptography Policy and Algorithms Conference, QUT, July 1995.
Security of the Government Information Infrastructure - Steve Orlowski. Includes viewpoints on digital signatures and public key authentication.
Security Imperatives - The Australian Context - Steve Orlowski, IBC Security Conference, Sydney, November 1995.
Joint Australian/OECD Conference on Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure. Canberra, February 1996.
Crypto-Confusion - Roger Clarke. "Mutual Non-Comprehension Threatens Exploitation of the GII".
International
Cryptography and Liberty - an international survey of encryption policy. Global Internet Liberty Campaign, February 1998.
The Crypto Law Survey - a good summary of crypto law in various countries.
The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption.
A Report by an Ad Hoc Group of Cryptographers and Computer Scientists, 1998.
http://www.crypto.com/key_study
Cryptography's Role in Securing the Information Society.
National Research Council, USA, 1996.
http://www.replay.com/mirror/nrc/
The Copenhagen Hearing, April 1998 - European expert hearing on digital signatures and encryption.
Towards A European Framework for Digital Signatures And Encryption - Ensuring Security and Trust in Electronic Communication. European Commission, October 1997.
OECD Cryptography Policy Guidelines, March 1997.
GILC Resolution in Support of the Freedom to Use Encryption, September 1996 - Resolution urging the Organization for Economic Cooperation and Development (OECD) to "base its cryptography policies on the fundamental right of citizens to engage in private communication."
UK Department of Trade and Industry White Paper on Export Controls July 1998. Proposes restrictions on intangibles (see section 3.2).
United Kingdom. Department of Trade and Industry paper on Regulatory Intent Concerning Use Of Encryption On Public Networks.
Review of UK policies on encryption.
GILC Statement on Proposed UK Crypto Restrictions Feb 1998.
Industry Canada paper and request for submissions on encryption policy, Feb 1998.
Analysis of Canadian export controls - by Electronic Frontier Canada.
GILC Submission to Industry Canada, April 1998, opposing suggestions to place domestic and export controls on encryption.
Electronic Frontier Canada Statement on Canadian Cryptography Policy, August 1997.
US Official Criticizes Crypto Policy. Commerce Secretary William Daley described the current U.S. encryption policy as a "failure". April 1998.
Golden Key Campaign - an international campaign promoting the free use of cryptography.
EPIC Cryptography Policy Sources
Internet Privacy Coalition. Materials on US Encryption Policy.
Americans for Computer Privacy - Industry group campaigning for export relaxations.
Information on the OECD Cryptography Policy
The Wassenaar Arrangement - the international treaty that concerns export controls.
Marc Rotenberg on OECD crypto-politics
Statements on Cryptography Policy by various organisations
Almost all major national and international organisations involved in the information industry have publicly supported the relaxation of strict controls over the use and export of encryption products. Among these are:
The Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG)
http://www2.echo.lu/legal/en/internet/digsig/iabiesg.html
International Federation for Information Processing (IFIP)
http://www.ifip.tu-graz.ac.at/TC11/TC11.crypto/
Ad Hoc Group of Cryptographers and Computer Scientists, 1998.
http://www.crypto.com/key_study
National Research Council, USA, 1996.
http://www.replay.com/mirror/nrc/
US Association for Computing Machinery (USACM)
http://www.acm.org/usacm/crypto/
Institute of Electronics and Electrical Engineers (IEEE)
http://www.ieee.org
American Association for the Advancement of Science
http://www.acm.org/usacm/crypto/joint_crypto_letter_1997.html
The Internet Society (ISOC)
http://www.isoc.org
Australian Information Industry Association (AIIA)
http://www.aiia.com.au/4AIIApublications.html
The Australian Computer Society (ACS)
http://www.acs.org.au/news/caelli.htm
Council of European Professional Informatics Societies (CEPIS) statement Governmental Restrictions on Encryption Products Put Security at Risk.
European Electronic Messaging Association statement on "European Companies Threatened by US Export Controls on Encryption Technology"