Use Who Holds the Key? - A Comparative
Study of US and European Encryption Policies
Sarah Andrews
Policy Analyst
Electronic Privacy Information Center (EPIC)
Washington, DC, USA
[email protected]
Abstract
With everyday transactions now being
carried out electronically, people need to trust that their private
communications are not intercepted or altered as they make their
way across global networks. Encryption is currently the only
reliable means of securing the confidentiality of such
communications and can help citizens and businesses defend
themselves against fraud, electronic vandalism and the improper
disclosure of confidential information. However, because of its
unique ability to conceal data, encryption may also be deployed for
illegitimate purposes. This prospect has urged law enforcement
agencies and governments to call for restrictions on its use and
development. Privacy advocates and business interest groups resist
any attempts to limit encryption arguing that to do so would
unfairly compromise the privacy of individuals and jeopardise the
development of electronic commerce. This paper looks at the tension
between the two sides to this heated debate and studies how law
makers in the US and Europe have chosen to meet the challenge of
regulating this area.
Keywords:
Encryption, Digital Signatures, Key Escrow, Key Recovery, Trusted
Third Parties, Lawful Access, Export Controls, E-Commerce, Law
Enforcement, Privacy Advocates, Human Rights.
This is a Refereed
Article published on 29 February 2000.
Citation: Andrews
S, 'Who Holds the Key? - A Comparative Study of US and European
Encryption Policies', 2000 (2) The Journal of
Information, Law and Technology (JILT) .
<http://elj.warwick.ac.uk/jilt/00-2/andrews.html>. New
citation as at 1/1/04:
<http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_2/andrews/>
1. Introduction
In a society where more and more
personal and sensitive data is held in centralised storage units
and transferred across digital networks, security and privacy are
of utmost importance. With everyday transactions now being carried
out electronically, people need to trust that their private
communications are not intercepted or altered as they make their
way across global networks. If people cannot depend on the
confidentiality and authenticity of electronic information, they
may revert to more traditional methods of communication and
effecting business transactions. As such, the full potential of
electronic commerce may never be exploited and the revolutionary
opportunity for a global information society may be
missed.
Against this backdrop, new and
developing cryptographic techniques are of widespread appeal.
Cryptography is used to conceal or verify the contents of
electronic documents and to protect files from unauthorised access,
alteration and theft. The two most important applications of
cryptography today are digital signatures and
encryption.
Digital signatures can
combat the illicit use of information by guaranteeing that the
contents of a file have not been altered (integrity) and
establishing the identity of a party (authentication). In a world
where hand written signatures are no longer appropriate, digital
signatures provide a way to protect electronic orders, demands,
statements and transfers against fraud. They are created by
techniques similar to those used for encryption. Two complementary
keys are generated and allotted to a user. One key is kept private
and is used for signing, whereas the other key, which is published,
is used for verification. This is the less contentious application
of cryptographic techniques because it involves authenticating
rather than concealing information.[ 1 ] Digital signatures are widely recognised as important
for the development of e-commerce and the ability to make binding,
trust worthy and non-repudiable contracts on-line.
Encryption on the other
hand involves coding a text so that it cannot be read if it is
intercepted. It is used when people need information to stay
confidential. Developed first by the military, in present times it
is an ever increasing feature in business and private worlds, where
it is used to protect privacy, intellectual property rights and to
prevent against fraud. Encryption involves a mathematical process
whereby algorithms use a key to encrypt and decrypt messages by
turning plaintext to ciphertext and vice versa. With single key
encryption both sender and receiver use the same key to encrypt and
decrypt messages. The disadvantage of this system is that the
sender must get the key to the receiver somehow without it being
intercepted. For this reason one of the most important advances in
modern encryption was 'public key encryption'. Developed in 1976 by
Whitfield Diffie and Martin Hellman[ 2 ], this asymmetric encryption process revolutionised
modern encryption. Under this method, algorithms encrypt messages
with one key (public) and permit encryption by a separate, but
mathematically related (private) key. Users simply publish their
public key, which others use to send them information and then they
decrypt that information using their private key. Unless, of
course, one has access to the private keys, the only way to read an
intercepted message in ciphertext is to break the code. To do this
one must try every possible key combination until one gets the
readable text. This process is called a brute force search.
Naturally, the longer the key the more computing required to crack
the code. As the cost of such a search is substantial, and unlikely
to be carried out by accidental intruders, even weak encryption can
offer a reasonable standard of protection to users against
interception.
In the modern world privacy is
equated with security of personal information. There are now such
vast amounts of valuable information available electronically that
the freedom to store, transfer and communicate that information in
confidence, constitutes the basic 'right to left alone'[ 3 ] in information age terms.
In this respect encryption is a critical, and presently the only
reliable, way of safeguarding the security of electronic
information. First developed by governments to protect military and
diplomatic communications, encryption is now vital to wide variety
of people. For example, human rights groups and journalists rely on
encryption to protect their identity and communications against
surveillance by the governments they are monitoring. Businesspeople
need encryption to safeguard sensitive business materials, such as
client records, professional communications or trade secrets.
Consumers depend on encryption to secure their personal and credit
card details against theft or misuse when transacting in the
on-line world. Finally, ordinary individuals, who have come to view
privacy as integral part of life in a democracy, demand encryption
for their electronic communications.[ 4 ]
Used legitimately, therefore,
encryption can help citizens and businesses defend themselves
against fraud, electronic vandalism and the improper disclosure of
confidential information. Unfortunately, however, because of its
unique ability to conceal data, encryption may also be deployed for
illegitimate purposes. This prospect has urged law enforcement
agencies to call for restrictions on unbreakable encryption.
Privacy advocates and business interest groups resist any attempts
to restrict encryption arguing that to do so would unfairly
compromise the privacy of individuals and jeopardise the
development of electronic commerce. The search for a cryptographic
policy, which balances the needs of users, governments and the
international community, has not been smooth, and in certain
countries the debate has become the centre of considerable
controversy.
This paper studies how law makers in
the US and Europe have chosen to meet the challenge of regulating
this area. The paper begins by summarising the main arguments of
pro and anti-encryption groups. It then outlines international
instruments governing this area before moving on to comparatively
study various legislative proposals in the US and Europe. These
policies are analysed within their political backgrounds and where
possible, explanations for their adoption are suggested. The reader
will note that this is not an exhaustive study. In particular, with
the exception of the UK, individual policies of European Member
States are not looked at separately but rather treated under the
heading of the European Union. The reason for this is that, in
general, the policies of European countries are aptly reflected by
European Union initiatives and may be easily contrasted with those
of the US. The UK, on the other hand, has taken a different
approach to its European partners and for many years has mirrored
US proposals to restrict the use of strong encryption. It
therefore, seems appropriate to divide encryption policies in the
Western world into three main sections the US, the European Union
and the UK.
2. A
Polarised Debate
2.1 The Arguments Against Strong
Encryption
As the use of cryptography moves out
of the defence world and becomes accessible to private individuals
and companies, governments and law enforcement agencies fear that
it will lead to an increase in crime. They argue that, in the
extreme, it could lead to a breakdown in society, where criminals
and terrorists will plot their schemes free from interception using
encrypted communications. FBI Director Louis Freeh, in his speech
to US Senate Subcommittee on Terrorism, Technology & Government
Information, stated:
'If we are unable to access and
decrypt real-time... conversations of criminals and people who
would commit horrible crimes... we will be hard up to defend the
country in many respects... Unbreakable encryption will allow drug
lords, spies, terrorists and even violent gangs to communicate
about their crimes and their conspiracies with impunity.'
( Freeh;
1997 )
In response to these fears many
governments would like to restrict the import, export and domestic
use of encryption technologies.[ 5 ] Whereas absolute restrictions on the right to use
encryption products are uncommon among Western countries, some have
proposed a more subtle type of restriction which implement key
recovery or key escrow systems. The difference between key escrow
and key recovery systems is a technical one and they are treated as
one concept within this paper.[ 6 ] Both involve third party covert access to private keys
or the ability to access data in the plaintext outside the normal
decrypting process. Essentially these systems mandate storing
copies of private encryption keys, or information about these keys,
with government agencies or with independent commercial bodies,
known as Trusted Third Parties ('TTP's').[ 7 ] These central storage units would then be obliged to
hand over private keys to law enforcement officials when served
with a court warrant. Surprisingly, for a nation that lays such
claims to true democratic freedom, it is the US which has been the
chief advocator of such restrictions.[ 8 ] Consequently, they are primarily dealt with in this
paper as a US issue and will be concentrated on in further detail
below.
2.2 The Arguments Against Key
Recovery
As might be expected, civil
liberties and business interest groups around the world have
vehemently rejected all government initiatives, such as key escrow
or key recovery, which compromise the total security offered by
encryption. Although these anti-restriction organisations concede
that terrorism and violence must be controlled, they do not regard
the threat of increased terrorist or criminal activity as
justifying the level of invasion of privacy proposed by some
governments. International privacy advocates, such as the Electronic Privacy
Information Centre the Electronic Frontier
Foundation , Privacy International , Cyber Rights & Cyber Liberties (UK), and the Global Internet Liberty Campaign , have rallied together to present a unified resistance
to any such restrictions on user rights to choose strong,
unescrowed encryption. These groups regard controls on encryption
as detrimental to the security of electronic communications and an
unjustified restriction on fundamental privacy rights.
Similarly, the business industry is
strongly critical of all restrictions on encryption, arguing that
they weaken the potential of electronic commerce. From their
viewpoint, encryption stands alone as the most reliable way to
protect on-line users against fraud and misuse of their personal
information. Compromising this, they say, may deter ordinary
individuals from transacting business on-line, thus stifling the
growth of electronic commerce in general. The following are the
among the most common arguments put forward by these civil
liberties and business interest groups.
2.2.1 Key Recovery Systems Violate the Right to
Privacy
Privacy advocates contend that the
only way to protect the privacy of digitally held information is by
encryption and thus that any restriction on use, or demands for
lawful access, run directly counter to the basic human right to
privacy which is enshrined in many international treaties,
constitutions and laws.[ 9 ]
Although they recognise that privacy of information has always been
compromised in the interests of national security, they claim that
key recovery proposals would allow considerably more access to
private information than traditional laws authorising the
interception of communications networks and are, therefore, heavily
weighted in favour of law enforcement and government agencies
rather than private individuals.[ 10 ]
2.2.2 Key Recovery Systems are Ineffective Crime
Prevention Methods
The basis of this argument is that
key recovery systems will be ineffective against criminals who will
simply use other non-escrowed methods or multi-layered encryption
to avoid detection. Anti-restriction activists comment that
criminals are highly unlikely to use key recovery products as the
penalties they will face for unlawfully using restricted encryption
products will be much less severe than those for the crimes they
are plotting. ( Akdeniz
et al; 1997 , p9) Thus, they claim that
key recovery jeopardises the safety of millions of users in the
vain hope of catching a few law breakers.
2.2.3 Key Recovery Systems are Inherently
Dangerous, Costly and Insecure
It is generally thought that key
recovery systems, whereby the private keys of encryption users are
stored with government agencies or independent Trusted Third
Parties, open up a huge potential for abuse. Critics of key
recovery systems say that any centralised structure storing such
valuable information will undoubtedly become a target for attack by
invaders, who will exploit either systems failure or human weakness
to illegally gain access to private information. ( Clayton, R., 1998 , p4) Moreover, it is argued that to build and maintain
such a complex infrastructure at a global level is beyond current
technical capacities and would involve unacceptably high
costs.[ 11 ]
2.2.4 Key Recovery Systems Jeopardise Digital
Signatures
As we have seen, because digital
signatures merely authenticate rather than conceal information,
they are not the focus of law enforcement concerns. However, it is
argued that key recovery systems may also be detrimental to the
effectiveness of these authentication services as in reality most
people use the same key for both digital signatures and encryption.
Thus, it is shown that even where key recovery proposals do not
mandate storing signature keys with a government agency or Trusted
Third Party, implementing them will deny individuals and
businesspeople not only the right to conceal private information
but also the capacity to fully endorse their communications.
( NRC, 1996 , chapter 4.1.3)
2.2.5 Key Recovery Systems are Ultimately
Damaging to Electronic Commerce
Anti-restriction advocates,
particularly members of the business community, are concerned that
if people cannot rely on the confidentiality of their electronic
communications they may reject this system in favour of the
traditional one, under which all of their documents are not subject
to the scrutiny of the government.
Although there has always been
provision for the interception of communications, the prohibitive
cost of doing so often served as a deterrent to wide-scale
surveillance. New surveillance capabilities, however, make it much
easier and cheaper to track electronic communications and could be
used to monitor all citizens rather than only those under suspicion
of illegal activity.[ 12 ] It is
thus argued that without strong unescrowed encryption people may
shy away from modern services such as teleshopping, telebanking,
teleworking, and teleconferencing, which depend on large amounts of
information being available on line, and that the full potential of
electronic commerce may never be reached. (COM (97) 503, p17.)
( EC; 1997b .)
Finally, advocates of strong
encryption point out that encryption can actually benefit law
enforcement and government agencies. Electronic crime today has
significant costs for governments, businesses and private
individuals. (COM (97) 503, p17.) ( EC; 1997b .) Encryption can
help reduce these costs by preventing the piracy of intellectual
property and the interception of sensitive information such as
credit card and pin numbers, corporate secrets, medical records and
personal communications. As the job of law enforcement and national
security agencies is ultimately to prevent crime, electronic or
otherwise, in this respect, at least, their interests converge with
those of private individuals and businesses in favour of the free
use and availability of strong encryption.
3.
International Instruments
Electronic commerce is essentially a
global phenomenon and therefore international organisations have an
interest in harmonising the development national policies in this
area. Although there are, as yet, no binding international
instruments governing encryption, important initiatives have been
taken to set out a framework for its use, availability and
export.
3.1 The Organisation for Economic Co-operation
and Development (OECD)
To emphasise the importance of
cryptography in today's society and to promote international
co-operation in the development of cryptography policies, in 1996
the Organisation for Economic Co-operation and
Development (OECD), set up an ad hoc
group of experts to draft 'Guidelines for Cryptography Policy'.
During the consultation period, the OECD came under increasing
pressure from the US, who was trying to use this as an opportunity
to gain international support for their key recovery
proposals.[ 13 ] The
OECD proved more influenced by civil liberties concerns however,
and the final Recommendation of the Council concerning Guidelines for
Cryptographic Policy , released on March
27, 1997, set out a out a generous framework for encryption
policies.[ 14 ]
Containing eight principles in total, the guidelines stress the
importance of the availability and choice of strong encryption
products subject to proportionate and effective measures to
safeguard law enforcement needs. For example, principle
2 proposes that users should be entitled to choose any
cryptographic product; principle 5 sets out that
the fundamental right to privacy should be respected in national
cryptography products and principle 6 states that
national policies 'may' provide for lawful access in certain
situations but makes no mention of key recovery methods and
concludes firmly that these policies must 'respect the other
principles contained in the guidelines to the greatest extent
possible .'
Although, resolutions by the OECD do
not form binding international law, they are highly influential and
provide clear principles for member states when developing national
policies. For this reason, it was of crucial significance for
pro-encryption activists world-wide, that these guidelines did not
explicitly endorse key recovery proposals. In particular, the OECD
stance was seen as an indirect criticism of the US attempts to
implement such polices at home.
3.2 The Wassenaar Arrangement on Export Controls
for Dual-Use Goods and Technologies and Conventional
Arms
The Wassenaar
Arrangement (WA) replaces the
Co-ordinating Committee on Multilateral Export Controls (COCOM)
which existed during the Cold War-era. It was established in 1995,
and seeks to foster regional and international stability among its
33 member states by controlling trade in conventional arms and dual
use-goods and technologies. Like the above OECD resolution, the WA
is not a binding international treaty or law. It merely sets out a
framework for national policies by specifying the items to be
subject to export controls on a Control List. This list is then
implemented into national export control policies on a
discretionary basis. All decisions relating to individual export
licences remain the responsibility of each Signatory
State.
As cryptography products are
recognised as having both civilian and military capabilities they
are subject to export restrictions under the WA Dual-Use Control
List. Prior to 1998 all encryption products, except mass market or
public domain software[ 15 ], were
classified as dual-use items. During the December 1998 review of
the lists, however, new cryptography guidelines removed controls
over some products, including those used solely for authenticity
purposes (e.g. Digital Signatures) and encryption products not
exceeding 56 bit algorithms. On the other hand, the new List
increased control over encryption hardware and software products
with algorithms of over 64 bits. There was extensive lobbying of
Participating States by privacy advocates prior to these 1998
Plenary meetings. For example the Global Internet
Liberty Campaign (GILC), issued a
Member Statement ,
calling for the removal of all encryption products from the
Wassenaar Arrangement, arguing that controls on cryptography, a
defensive mechanism, are not justified under the terms of the
WA.[ 16 ] This campaign was
successful to a limited extent only and critical cryptographic
products still find themselves regulated under the WA. It is
significant to note, however, that once again US efforts to gain
international approval for their key recovery proposals failed and
the new Control List makes no concessions for the export of such
products.
3.3 The Council of Europe
The Council of Europe was
established in 1949 with the aim of bringing European states closer
together in the 'pursuit of peace based upon justice and
international co-operation' and the 'preservation of human society
and civilisation' ( Statute of the Council of Europe; 1949 ). There are currently 41 signatory members. Unlike
European Union law, Conventions and Agreements passed by the
Council of Europe are not statutory acts. Therefore, in order to
become binding law, a treaty must be signed and ratified by the
signatory states.
The Council of Europe has previously
issued recommendations on the issue of computer crime. In 1995 it
issued a
Recommendation concerning 'Problems of Criminal Procedure Law Connected
with Information States' in which it recommended measures 'to
minimise the negative effects of the use of cryptography on the
investigation of criminal offences.' It is currently working to
produce a Convention on Cybercrime which would harmonise national
computer crime provisions and encourage international co-operation
among law enforcement bodies. On April 27, 2000 the Committee of
Experts on Crime in Cyberspace released a draft of this convention for
public comment. The proposal deals with international law
enforcement issues and is said to have been written in part by U.S
Department of Justice officials. ( McCullagh, D;
2000 ). It would make mutual legal
assistance and extradition available on a permanent basis,
authorise computer searches and seizures and require lawful access
to encryption keys and plaintext. Provisions on the interception of
data are also being discussed but have not yet been included in the
draft. The text is expected to be finalised by a group of experts
by December 2000 and could be adopted for signature as early as
Autumn 2001. Non-member states such as Canada, Japan, South-Africa
and the United States have also been active in the drafting process
and are expected to approve the final treaty. Civil libertarians
and privacy advocates worldwide are currently working on a united
opposition to these expanded powers.
3.4 Group of 8 (G8)
The Group of 8 (G8) is made up of
the leaders of the world's top industrialised countries. The group
has met on many occasions to discuss the problems facing law
enforcement in the digital era and the need for co-operated efforts
to reduce cybercrime.[ 17 ] At
the urging of the United States, the heads of State recently met
with industry leaders in Paris to develop recommendations for the
G8 summit to be held in Okinawa in July 2000. Citing this years
denial of service attacks and the recent 'Love Bug' as examples of
threats to security and confidence in cyberspace, the G8 leaders
unanimously called for the public and private sector to work
together to find solutions to criminal behaviour on the internet.
Despite concerns from the industry groups, the heads of state
expressed support for the Council of Europe's draft Convention and
re-iterated the need for international co-operation among law
enforcement.
4. US
Policies
Turning now to national encryption
policies, it is perhaps appropriate to begin with a study of the
situation in the US. As the undisputed leader in the technological
fields, the US is uniquely poised to influence international trade
and policies on encryption. Consequently, any resolution of the
controversial encryption debate in that country may have an impact
far beyond national borders. In addition, the US policies in this
area are particularly interesting when we consider that, although
the US prides itself on being a free and open society, it has been
one of the most avid advocators of restrictions on the right to use
and export encryption in the democratic world.
4.1 Export Restrictions and Constitutional
Challenges
In an effort to safeguard national
security and foreign intelligence gathering capabilities, the US
Government has long placed strict export controls on encryption
technologies. Its policy has been to exploit the confidentiality
benefits of strong encryption to protect US military and diplomatic
communications, while denying them to foreign adversaries.
( NRC; 1996 , Chapter 8.1.3.) Although the more repressive of these
controls have recently been relaxed, (see below) restrictions on
the export of encryption products still exist and continue to
attract public criticism.
Originally, export controls were
regulated under the International Traffic in Arms Regulations
(ITAR), which placed restrictions on programs using algorithms of
greater than 40 bit key length. ITAR provided for a 'commodity
jurisdiction' procedure by which a determination could be made as
to whether a specific item came under the United States Munitions
List. If it was found to do so, the item required a licence before
it could be exported. Munitions licences were granted by the
Department of State on a case by case basis.
In the well-known trilogy of cases
referred to as Bernstein I, II and III [ 18 ], the
constitutional validity of this licensing system was challenged.
Daniel Bernstein had developed an encryption program, called
'Snuffle' while a graduate student at the University of California
at Berkley. As ITAR defined 'export' to include divulging data to
any foreign person, whether in the United States or abroad, he was
advised that he might infringe the regulations by publishing his
work on the Internet or teaching it to foreign nationals in his
classes. He, thus, applied to the Department of State for a
'commodity jurisdiction' determination to see whether his program
was classified as a munition under ITAR. He filed separate
commodity jurisdiction requests for the source code of Snuffle and
three accompanying academic papers explaining the program. The
export authority classified both items as munitions and held them
to be subject to controls. He was denied permission to distribute
his software and academic files. Bernstein subsequently took an
action against the Department of State claiming that the licensing
scheme under ITAR violated his First Amendment right to free
speech.
In Bernstein I , (Berstein v
United States Department of State, 922 F. Supp. 1426) the District
Court for the Northern District of California rejected the
Department of State's motion to dismiss the case for lack of
justiciability, holding that source code constitutes speech within
the meaning of the First Amendment.[ 19 ]
In Bernstein II , the Court
looked at the substantive issue and held that the licensing system
under ITAR, which gave the export authority exclusive and absolute
discretion to decide whether or not to grant licences, was a
' paradigm of standardless discretion ' and constituted an
unconstitutional prior restraint of speech. (Berstein V United
States Department of State, 945 F. Supp. 1279 at 1289) The effect
of this ruling was to remove cryptographic technologies from the
export controls list. To thwart the result of this decision, the
Clinton Administration transferred responsibility for exports of
cryptographic technologies from the Department of State to the
Department of Commerce and amended the Export Administration
Regulations (EAR) of the Department of Commerce to essentially
replicate the impugned ITAR controls on cryptographic
technologies.
In Bernstein III (Bernstein
v. United States Department of State, 974 F. Supp. 1288) these new
regulations were subject to challenge. The Californian District
Court upheld it's earlier ruling and found them to be
unconstitutional. The Government appealed this decision to the US
Court of Appeals. On May 6th, 1999 the Ninth Circuit Court of
Appeals once again decided the case in favour of Bernstein. In
September 1999, the Court granted the government's petition for
rehearing 'en banc' of this case. However, this hearing was
postponed in light of an announcement by the government that it
intended to issue new export regulations. The case has now been
remanded to the District Court to rule on the constitutionality of
these new regulations.
It is difficult to predict
definitively the outcome of this case. As we will see the export
rules have now been liberated to such an extent that the Court may
no longer be able to find them as blatantly unconstitutional.
However, whatever the final decision may be, this case has so far
represented a major triumph for all encryption advocates and has no
doubt been a driving force behind the new export
regulations.
4.2 Liberalisation of Export
Policies
Apart from first amendment
challenges, the US export policy has been criticised for other
reasons. Civil liberties groups, for example, have always opposed
any export restrictions claiming that they constitute de facto
restrictions on the domestic use of strong encryption. They argue
that as software companies are slow to produce different versions
of the same product, one for domestic use and one for export,
imposing strict export controls leaves US citizens with access only
to unacceptably weak encryption products. ( Froomkin, 1996 , p3) Business interest groups have also disapproved of
these controls on the grounds that they undermine the
competitiveness of US software companies. They consider that
restricting these companies from exporting strong encryption
products excludes them from the global market and allows foreign
competitors to take the lead in this area.[ 20 ] Influential support for these arguments was found in
the 1996 report by the National Research Council's entitled,
'Cryptography's Role in Securing the Information Society'
( CRISIS
Report ). There it was concluded that as
encryption 'diffuses readily through national boundaries',
it is not possible to delay its use and availability abroad on the
long term and thus that the strict export policy should be
'progressively relaxed'. ( NRC; 1996 , Chapter
8.2)
Ceding finally to this pressure for
reform, in September 1998 the Clinton administration announced a
new policy to somewhat liberalise the strict export regime.[
21 ] These regulations,
however, did not satisfy privacy advocates, who complained that by
encouraging key recovery products in the new export laws, the
government was still jeopardising individual privacy rights and
computer security in favour of law enforcement interests.
( EFF; 1998 ) These activists continued to fight export controls and
pushed for public support of legislative proposals such as the
'Security and Freedom through Encryption (SAFE) Act' to liberalise
the export regime.[ 22 ]
SAFE was first introduced in 1996 by
Representative Bob Goodlatte and proposed a prohibition on domestic
use restrictions and the liberalisation of export controls. During
the summer of 1999 a re-draft of this Bill (H.R. 805) passed
through five Committees in the House of Representatives and was due
to be voted on by House members some time in late September.
Commanding an overwhelming public support and with 258 bipartisan
cosponsors, this Bill looked set to be approved by Congress. The
final vote on its passage, however, was stalled at the last minute
in light of a White House
Announcement on Sept
16, 1999 declaring an intention to revise the export
laws.
These much awaited regulations
implementing the September announcement were
issued on Jan 12, 2000
by the US Department of Commerce Bureau of Export Administration
(BXA) and took effect on January 14 following publication in the
Federal Register.[ 23 ] The
following is a summary of the major changes implemented by the new
regulations:
-
encryption products of any key
length may now be exported to non-government end users after a one
time technical review of the product.
-
'Retail' encryption products,
defined as 'those which are widely available and can be exported
and re-exported to anyone..... and can be used to provide any
product or service' ( Dept. of Commerce (US); 2000 ) are eligible for export to any end user including
foreign governments.
-
In accordance with the 1998
revisions of the Wassenaar Arrangement, mass market products with
key lengths of up to 64 bits key length may now be exported without
a license after a technical review.
-
Foreign nationals working within the
US no longer need an export licence to work for U.S. firms on
encryption. In addition, U.S. firms may export encryption items of
any key length to their foreign subsidiaries without a technical
review.
-
The export controls for source code
are relaxed in that encryption source code freely available to the
public may now be exported under a license exemption without a
technical review. The exporter must, however, submit a copy of the
source code, or a written notification of its Internet location, to
the Bureau of Export Administration by the time of export. There is
no longer a review requirement for the re-export of foreign
products made with the unrestricted source code. Most 'open source'
software will benefit from this license exception.
Although business industry groups
are stated to be 'extremely gratified' by this breakthrough in the
export regime,[ 24 ]
privacy advocates argue that the new regulations do not go far
enough. In a
joint statement issued
by the Electronic Privacy Information Center (EPIC), the American Civil Liberties Union (ACLU), and the Electronic Frontier
Foundation (EFF), the new rules were
criticised as placing a 'regulatory maze' in the way of the free
export of encryption and thus a truly secure Internet. In
particular, the requirement to notify the government of the
electronic export of 'publicly available' source code and to obtain
a license for 'restricted' source codes or those not 'publicly
available' was said to impose unconstitutional requirements on
Internet speech.[ 25 ]
In light of these criticisms the
outcome of the Bernstein case is eagerly awaited. It will be
interesting to note whether the Court will again accept the views
of privacy advocates and boldly denounce these latest regulations
as a continuing violation of the right to free speech, thereby
opening the door, once and for all, for a decontrolled export
regime for encryption products.
4.3 Domestic Use Proposals
Over the last number of years, the
US government has proposed domestic controls on the use of
encryption which would enable law enforcement officials to legally
access encryption keys when necessary. Despite repeated attempts,
this objective has not yet formally succeeded, and to this day
there are no restrictions on the domestic availability of strong
encryption products.
The first attempt to restrict
domestic use came in 1993 when the Government developed the
Escrowed Encryption Standard Initiative. This initiative, which was
implemented in the Clipper Chip, was aimed at providing citizens
with a good level of security for communications while at the same
time preventing transmission of data in total secrecy. 'Clipper'
was a hardware solution using key escrow technology. It proposed
that every single modem, telephone, fax machine or other piece of
communications equipment manufactured or sold in the United States
would have had to carry a Clipper Chip, to which a master key would
be held in escrow for access by law enforcement. This special key
would be held in two parts by the US Justice Department and the
National Institute of Standards and Technology. In order to decrypt
data, law enforcement agencies would have to get a court order
permitting the retrieval of the two components. An outraged public
and computer industry, claiming that this proposal would both
violate fundamental civil liberties and greatly reduce foreign
demand for national products, ensured that this highly invasive
hardware solution never passed into law.[ 26 ] In the years to follow, however, there were several
effective reformulations of the Clipper system.[ 27 ] Although these new
proposals were primarily based on software and involve mandatory
key recovery rather than escrow, they essentially relied on the
same principle as Clipper and were consistently criticised by
privacy advocates and constitutional watchdogs. These groups
argued, in particular, that such proposals violated the Fourth
Amendment to the U.S. Constitution. This Amendment protects the
right to freedom from unreasonable searches and seizures and lays
down specific requirements for the issuing of warrants. Key
recovery was said to violate this provision by not respecting the
traditional 'notice and knock provisions that must be satisfied
before a warrant could be executed' and by vesting 'vast
powers in third-party agents who have neither the incentive nor
knowledge to contest any government intrusion.' ( Epstein R. A.;
1998 , p8) In addition, key recovery and
escrow proposals were criticised on Fifth Amendment grounds. It was
claimed that by compelling a user to disclose his/her private key
to the government, these proposals could result in uncompensated
taking of private property contrary to the Fifth Amendment.
( Rotenberg, M.;
1993 )
Although the government now seems to
have moved away from key recovery, unfortunately this does not mean
the end of attempts to authorise access to encryption keys. In
February 2000, the Department of Justice published 'The Electronic
Frontier: The Challenge of Unlawful Conduct involving the Use of
the Internet', ( Dept. of
Justice (US); 2000 ), in which it
expressed concerns about anonymity on the internet and called for
expanded law enforcement authority and access to information. As we
have seen the U.S has repeated these recommendations on the
international front with the recent developments by the Council of
Europe and the G8 being accused of showing all the signs of US
policy laundering. ( Banisar D.; 2000 )
Also pending in the US is the
Cyberspace Electronic Security Act of
1999 which was drafted by Department of
Justice officials and transmitted to Congress on September 16,
1999. As it currently stands the Bill has four central
prongs
-
Recovery agents are prohibited from
disclosing or using recovery information to decrypt data, except
where those disclosures are authorised by law.
-
Government agents may obtain court
orders to access to decryption information where
-
'(1) the use of the stored recovery
information is reasonably necessary to allow access to the
plaintext of data or communications;
(2) such access is otherwise
lawful;
(3) the governmental entity will
seek such access within a reasonable time; and
(4) there is no constitutionally
protected expectation of privacy in such plaintext, or the privacy
interest created by such expectation has been overcome by consent,
warrant, order, or other authority.' (2712 (b))
-
A fund of $80 million is authorised
for the FBI's Technical Support Centre to bolster law enforcement
capabilities to respond to the use of encryption by criminals.
-
The confidentiality of sensitive
investigative and decryption techniques of government entities are
protected by prohibiting their disclosure in litigation or criminal
trials.
The Bill contains no provisions to
promote key recovery and, in contrast to the earlier draft, does
not include draconian search and seizure provisions which would
have enabled law enforcement agents to obtain search warrants to
surreptitiously enter private homes and offices, search computers
for passwords and decryption keys, and to install recovery devices
to override encryption programs. Nevertheless, civil liberties
groups are still critical of the Bill claiming that it does not
adequately protect the privacy of decryption keys. The powers laid
down for police seizure of keys are said to be contrary to the
Fourth Amendment, because they do not require 'probable cause' and
contemporaneous notice for the issue of a search warrant in
accordance with the Constitutional requirement. Rather, CESA bases
issue of a search warrant upon obscure requirements such as a
finding that there is ' no constitutionally protected
expectation of privacy in such plaintext .' Notice must only be
given within 90 days of the disclosure and there is even provision
for the indefinite postponement of notice 'on the government's ex
parte showing of good cause'. (Section 2712 (c)). In addition it is
argued that by allowing government agencies to use decrypted
evidence in court without revealing how they descrambled it, denies
the defendants' rights to a fair trial under the Due Process clause
and the Sixth Amendment.
Interestingly, it has been suggested
that CESA was introduced at the same time as the government
announced its intention to relax export controls, in order to
re-institute law enforcement powers 'taken away' by the new export
regulations. ( Koops, B.
J.; 2000 ) It is, therefore, critical
that civil liberties groups continue to monitor the passage of this
bill and US activities on the international level in order to stop
the introduction of unacceptable powers for law enforcement. Only
then will there be a realistic translation of the traditional right
to personal freedom and privacy into the cyber-law era.
5.
The European Union
Although there has not yet been
formal harmonisation of encryption policies among EU Member States,
in general and with the exception of the UK, these countries are
unified in their commitment to a liberal framework for encryption
regulations.[ 28 ] For
this reason, rather than detail the individual policies of every
Member State this paper treats the policies of the European
Community as reflecting the overall mood of European countries
towards this issue.
5.1 Export Restrictions
The export laws of Member States
concerning encryption products are uniformly regulated under
European law. At present the governing legislation is the Dual
Use Regulation, (EC) No. 3381/94[ 29 ] which was introduced in 1994 and is closely modelled
on the Wassenaar Arrangement. This regulation establishes a common
framework for export of all dual use goods and sets out a list of
dual use goods, destinations and guidelines which all Member States
must recognise. Under this regulation, most encryption products may
only be exported to countries outside the EU on foot of a licence.
Member States are also obliged to exercise a licence procedure, for
a transitional period, for intra-Community trade of certain
particularly sensitive products, including encryption technologies.
A 'General Technology Note' and a 'General Software Note' exclude
information and software within the public domain from the Controls
List. The control list was updated in March 1999, by Council
Decision 1999/193/GASP to take account of the new Wassenaar
regulations. Now, mass-market cryptography of any key length can be
exported within the EU on a general license.
In 1998, responding to criticisms of
this regime[ 30 ], the
European Council published its Proposal for a Council Regulation
(EC) setting up a Community regime for the Control of Exports of
Dual-use Goods and Technology, (COM (1998) 257 final). This
document proposed a new regulation to replace the current export
system which was stated to be 'too cumbersome to be useful in
practice'. The new regulation, would have replaced the current
licence procedure for Intra-Community trade with a simple
notification procedure. As the free movement of goods is one of the
fundamental principles of the EU itself, there is a clear need for
a new system to facilitate the easy and efficient trade in
encryption among community members. As of time of writing, however,
there is still no record of its implementation.
5.2 Domestic Use
Restrictions
Divergences in laws on encryption
among EU member states are widely recognised as damaging, not only
to the working of the internal European market, but to electronic
commerce in general. Unfortunately, however, as yet, there is no
definitive guidance from the European Union concerning the domestic
use and availability of encryption products, and member states can
only rely on policy statements to take their lead when regulating
this area.
One of the first suggestions of a
measure to regulate the use of encryption came in 1997. In its
April 1997 Communication document, 'A European Initiative in
Electronic Commerce' (COM (97) 157 final), ( EC; 1997a ), the European Commission announced an intention to
create a policy aimed at guaranteeing the free movement of
encryption products as well as preparing a specific initiative on
digital signatures. The next significant activity took place with
the Global Information Networks Conference when ministers of 29 European countries met in an effort
to agree on key principles governing the use of global information
networks. Organised jointly by the European Commission and the
Federal Republic of Germany this conference was held in Bonn in
July 1997. Participating members re-iterated the OECD guidelines
and stressed the vital role of strong encryption technology in the
development of the global information society. They made a
commitment to achieving the ' international availability and
free choice of cryptography products and interoperable
services' and specifically provided that all measures taken to
ensure lawful access must be 'proportionate and effective and
respect applicable provisions relating to privacy'. ( Bonn Ministerial Declaration , No. 36).
Following this conference and
perhaps encouraged by the unanimity of participants, in October
1997, the European Commission released a Communication paper
entitled 'Towards a European Framework for Digital Signatures and
Encryption' (COM (97) 503) ( EC; 1997b ). In this
document, the Commission emphasised the exigency of the situation
and signalled an intention to establish uniformity at European
level, stating:
'An EU Policy framework for
ensuring security and trust in electronic communication and
safeguarding the functioning of the Internal Market is therefore
urgently needed. The European Union simply cannot afford a divided
regulatory landscape in a field so vital for the economy and
society.' (COM (97) 503, p1) ( EC; 1997b )
Advancing along the lines of the
OECD guidelines and the Bonn Ministerial Declaration, the
Communication paper clearly recognised encryption as an
indispensable component of secure and trustworthy electronic
commerce. Finally, the prospect of a harmonised and liberal
framework for encryption policies appeared within reach. In
contrast to the US attempts to promote key escrow and key recovery
systems which were taking place at the time, the Commission
expressed such restrictions on the use of encryption to be
dangerous, costly and ineffective and concluded that any
regulations should be 'limited to what is absolutely
necessary.' (COM (97) 503, p17) ( EC; 1997b ).
In trying to understand why the
European Commission took such a radically different approach to the
US in respect of encryption, it may be useful to look at the
fundamental role of informational privacy in both the US and
Europe. In the US, for example, there is no specific law protecting
the right to privacy of personal information. Protection in this
area is governed by a piecemeal collection of constitutional and
statutory laws, and self imposed industry regulations.[ 31 ] In Europe, on the other
hand, privacy rights in personal information are protected by
binding EU Data Protection Directives. For example, Directive
(95/46/EC)[ 32 ]
places stringent controls on the use of data and requires
controllers to use state of the art technologies to ' protect
personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorized disclosure or access, in
particular where the processing involves the transmission of data
over a network...' (Article 17). In addition, Directive
97/66/EC[ 33 ]
requires Member States to 'ensure via national regulations the
confidentiality of communications..... (and to) prohibit listening,
tapping, storage or other kinds of interception or surveillance of
communications, by others than users, without the consent of users
concerned,' (Article 5). As cryptographic techniques are the
only realistic means of ensuring data security and confidentiality,
a case could, therefore, be made that any restrictions on the right
to use encryption are contrary to the provisions of these
Directives.[ 34 ]
5.3 Need for More Definitive European
Guidance
As Communication papers are
generally taken as an indication that there will be a Council
Directive issued in that area, it was believed that the Commission
would go on to implement these liberal policies in a measure which
would be binding on all EU Member States. Three years later
however, hopes are beginning to fade and the much-desired guidance
from the Commission is not forthcoming.[ 35 ] The only recent evidence of Europe's continued
position in favour of secure communications is a vague reference in
the recent Electronic Commerce Directive[ 36 ] Recital 15 of that Directive acknowledges that Article
5 of Directive 97/66/EC guarantees the confidentiality of
communications and requires Member States to 'prohibit any kind
of interception or surveillance of such communications by others
than the senders and receivers .'[ 37 ]
Although it is significant that
cryptography is seen as an important part of establishing a
coherent legal framework for electronic commerce within the Single
Market, this is no supplement for definitive guidance on
encryption. A fragmented approach to encryption technologies among
European countries would be uneconomical and impractical. In
addition, given the repeated attempts of the UK to implement strict
restrictions on the free use and availability of encryption (see
below), such guidance may be needed to safeguard the privacy rights
and fundamental freedoms of European citizens.
6. UK
Proposals
Notable for its historical support
of the US position, the UK stands alone in Europe regarding
encryption policies. This support is evidenced by its proposals to
restrict the use and availability, rather than export, of
encryption technologies.
6.1 Export Controls
The UK regulates the export of
cryptographic products in accordance with the EU Dual Use
Regulation and the Wassenaar Arrangement on Export Controls for
Dual-Use Goods and Technologies and Conventional Arms. The
implementing legislation is the UK through the Export of Goods
(Control) Order 1994 as amended by the Dual-Use and Related Goods
(Export Control) Regulations 1996. There is currently no regulation
of exports by intangible means although this was recommended in a
1998 Department of Trade and Industry (DTI) White Paper on
Strategic Export Controls, (section 3.2.1) ( DTI; 1998b ). The government has also suggested that streamlining
the procedures for ' the export of cryptographic products which
facilitate legal access through a third party' ( DTI; 1999a , paragraph 47), however, this proposal has been
uniformly rejected and is unlikely to resurface.[ 38 ]
6.2 Domestic Controls
As yet there are no import
restrictions or domestic use controls on encryption products in the
UK. In June 1996 the UK Department of Industry published a 'Paper
on Regulatory Intent Concerning Use of Encryption on Public
Networks' ( DTI;
1996 ). This paper was followed by the
March 1997 Public Consultation Paper, on 'Licensing of Trusted
Third Parties for the Provision of Encryption Services' ( DTI; 1997 ). This policy document was alarmingly similar to the US
Clipper Chip and subsequent initiatives. Although there was no
provision made for official constraints to be placed on user choice
of encryption products, the proposed scheme effectively implemented
domestic use restrictions in the form of mandatory key recovery.
The document proposed that any organisation (rather than
individual) offering cryptographic services (such as Certification
Authorities, Key Escrow Agencies and other TTPs) would require a
licence. Every user would be obliged to lodge his/her private keys
with these licensed bodies who would hold the keys in centralised
storage units with the possibility of recovery by law enforcement.
Law enforcement agents would be able to access these keys on
receipt of a judicial warrant and the user would not be informed
that his key had been disclosed. Essentially, therefore, this
system would give the Government power to intercept and monitor all
digital communications between those living within the country and
those exchanging information with others outside the
country.
These proposals met with
considerable criticism from civil liberties groups, who argued that
the proposals were technically insecure, subject to abuse,
commercially damaging and contrary to fundamental privacy
rights.[ 39 ]
Although the licensing of TTPs was not, of itself, criticised, the
mandatory nature of the licensing, which would be linked to a key
escrow system, was strongly objected to. The proposals were also
specifically rejected by the Labour Party in its electoral
campaign. Its manifesto, 'Communicating Britain's Future'
declared that it would not endorse key escrow or recovery schemes,
stating that:
'Attempts to control the use of
encryption technology are wrong in principle, unworkable in
practice, and damaging to the long-term economic value of the
information networks...It is not necessary to criminalise a large
section of the network-using public to control the activities of a
very small minority of law-breakers.'
Unfortunately, there have been
indications of a post-election shift in the Labour Party stance.
Despite promises to the contrary, Labour's position in Government
did not help to alter the DTI proposal. In April 1998, the DTI
issued its Secure Electronic Commerce Statement ( DTI; 1998a ) - a policy announcement to follow up its earlier
discussion paper. This statement indicated only a few minor changes
to the original policy, such as abolishing mandatory licensing, and
the basic structure and principles of the earlier proposal remained
in place. Critics disapproved even of a voluntary system of
licensing arguing that by granting 'safe and secure' licenses only
to those TTPs with key recovery capabilities, the government could
pave the way for ' a position of blanket key recovery
later'. ( Bowden C.,
& Akdeniz, Y.; 1999 ,
p39.)
Although this particular initiative
was never introduced, the British Government, just like the US
government, has since attempted to introduce equally harsh
alternatives to restrict the free use of encryption. Around the
same time that the US government was moving away from key recovery,
the DTI published a public consultation document: ' Building Confidence in Electronic
Commerce ', which sought to introduce
legislation to achieve the government's goal of making the UK the
world's best environment for electronic commerce by the year
2000.[ 40 ] Recognising that making
'key recovery and third party key recovery a requirement for
licensing could hinder the development of electronic commerce in
the UK', the government dropped such proposals in favour of
more overt powers of lawful access to decryption keys. On the whole
the proposed legislation was not well received. Cyber-Rights &
Cyber-liberties (UK), which has lead the opposition to the UK
government's proposals to restrict encryption, argued that the
proposed law enforcement powers ignored 'fundamental human
rights such as freedom of expression and right to privacy...'
and were not in line with the European Commission's 1997
Communication or the OECD Guidelines. ( Cyber-Rights &
Cyber-liberties (UK); 1999a , p2.) In
May 1999, the House of Commons Select Committee on Trade and
Industry, responded to the government proposals in its seventh
report ( House of
Commons; 1999a ). The report concluded
that the 'Government (should) think twice about the content of
its forthcoming Bill and only include in the Bill measures which
will promote electronic commerce rather than measures discarded
from the previous key escrow policy'.
In July 23, 1999 the Government
published its responses to the Trade and Industry Committee's
report in another consultation paper: Promoting Electronic Commerce , which included a draft Electronic Communications Bill . Part III of this Bill sparked huge controversy and was
widely objected to on human rights grounds. It envisaged an
alternative system of providing government access to encryption
keys which, if implemented, would have authorised law enforcement
officials armed with 'decryption warrants' to force users to hand
over their private encryption keys. Failure to do so would have
lead to a presumption that the key was being withheld and would
have been punishable by jail sentences of up to two years. The Bill
would also have introduced a 'tipping off' offence whereby
recipients of decryption warrants could have been imprisoned for up
to five years for informing others that their own keys were no
longer private.
The privacy implications of these
far reaching provisions did not escape civil liberties groups. In
particular it was argued that requiring individuals, who failed to
comply with encryption warrants, to prove that they were not
withholding the requested key would violate the presumption of
innocence guaranteed by Article 6(2) of the European Convention on
Human Rights and the UK Human Rights Act 1998, which incorporated
this treaty into national law. ( FIPR; 1999 , p2) Critics also
felt that demanding decryption keys was an over-aggressive invasion
of privacy and security. They suggested that a more moderate
approach, such as than obliging users to decrypt specific encrypted
texts only, would sufficiently allay legitimate law enforcement
fears without jeopardising the privacy and security of encryption
users and those with whom they correspond. ( Cyber-Rights &
Cyber-Liberties (UK), 1999b .) Once
again the government position on key recovery was criticized.
Although the Bill specifically ruled out a mandatory link between
the accreditation of TTPs and key recovery, it was feared that
there was still scope for the government to encourage a voluntary
link. ( House of
Commons Select Commitee on Trade and Industry;
1999b , Part B.) Overall, Part III of
the Bill was considered to have no place in legislation with the
purported objective of 'Promoting Electronic Commerce'. On the
contrary, it was felt that these law enforcement powers to access
private communications could undermine confidence in the UK as a
forum for secure electronic commerce, and belonged in legislation
dealing with interception of communications. ( DTI; 1999b , Paragraph 6.)
6.3 Present Situation
In November 1999, the Queen
announced the introduction of a revised
Electronic Communications Bill in her speech to Parliament. This Bill dropped the
controversial Part III law enforcement powers and set out a general
'prohibition on key escrow requirements'. At the same time,
however, the Queen also announced the introduction of a Bill to
'ensure that the interception of communications, and the use or
other intrusive techniques, continues to be regulated for the
protection both of the rights of Individuals and of society as a
whole.' (Queens Speech, 17 November 1999).
Despite public outcry and the
criticism by privacy advocates and libertarians, this new Bill,
known as the Regulation of Investigatory Powers Bill, has already
passed through the House of Commons and been introduced in the
House of Lords. Essentially it replicates Part III of the draft
Electronic Communications Act in providing law enforcement agencies
the power to require disclosure of encryption keys. Again it places
the burden of proof for failing to comply with this decryption
warrant upon the accused party and re-introduces the 'tipping off'
offence for third parties. The Bill also establishes a new
GBP 25 million Government Technical Assistance
Centre (GTAC) which MI5 will use to monitor internet traffic and
e-mail communications.
The reasons for the UK position in
an otherwise united Europe remain unclear. Its willingness to
implement and essentially replicate draconian US proposals can only
suggest that the Home Office is under pressure from the US
government.[ 41 ]
Furthermore, its particular stance reinforces the argument in
favour of action at the EU level. This would not only legally
prohibit repressive UK laws but would mark an end to US pressures
to enforce its views on European countries.
7.
Conclusion
'Human persons need to be able
to close out the rest of the world, at appropriate times, but the
reconciliation of such a subjective and personal psychological
requirement with other human or socio-economic interests is a
profound and difficult task' ( Clark R; 1990 ,
preface)
Privacy rights are of primary
importance in our society. Indeed they have been recognised as
essential for physical and mental health, for the maintenance of a
stable and mature individual personality, and to protect personal
integrity. (UK Privacy Committee (Younger) Report 1972) For this
reason, privacy rights are protected by many legally binding
international treaties, such as the Universal Declaration and the
European Convention on Human Rights. The exponential growth in
global computer networks exposes large amounts of confidential
material to the risk of interception and misuse, and potentially
jeopardises the private sphere of all citizens. Although encryption
products are now the only viable way of avoiding these dangers,
other interests, such as the investigation of criminal offences and
national security considerations, are hindering wide-scale
deployment of these new privacy-enhancing technologies. As the
quotation suggests, finding the intricate balance necessary to
satisfy these competing interests is not always an easy task and
unfortunately has not yet been reached in encryption policies. As
we have seen, US and UK measures aimed at restricting the use of
encryption involve an unprecedented and unjustified intrusion into
the personal lives of individuals, and clearly swing the balance
too far in favour of law enforcement interests. For this reason,
they have been rejected by a wide international community of civil
liberties and business interest groups.
The irony of the situation is that
by clinging to unrealistic and unacceptable proposals, the US, in
particular, may have done itself more harm than good. Had it
initially advocated a more moderate approach to encryption which
did not fly in the face of commercial and private needs, the US may
well have been able to dominate the development of cryptographic
products and policies world-wide.[ 42 ] As it is, however, the European Union is now more
likely to assume this role and, hopefully, introduce a balanced
solution to the encryption dilemma. It once advocated lawful access
as this solution suggesting that law enforcement agencies
essentially only need access to plaintext rather than keys. (COM
(97) 503, p17.) ( EC;
1997b .) This enforcement method has the
advantage of avoiding the dangers associated with a centralised
holding body. However, as is evidenced by recent US and UK
proposals, lawful access provisions can also spark privacy and
human rights concerns if they do not respect traditional principles
governing police searches, seizures, and surveillance. The EU,
therefore, needs to refine this recommendation and develop a more
balanced and workable measure.
Ultimately, the controversy caused
by encryption can only be understood if we see it as part of a
broader philosophical debate regarding the state's right to
restrict personal freedoms in the interests of justice. Set against
a backdrop of international law enforcement measures aimed at
widespread electronic surveillance[ 43 ], we see that the encryption crisis is not really about
the threat of a particular new technology but rather about the
future of policing in the 21st century. Now is the time to ask
whether are willing to sacrifice time honoured privacy rights and
allow encryption to be demonised as a tool for criminals merely in
order to gain unprecedented access to our personal
information.
References
'The
Risks of Key Recovery, Key Escrow and Trusted Third-Party
Encryption'. A Report by Cryptography Experts, May 1998.
< http://www.cdt.org/crypto/risks98/>.
Akdeniz, Y, et al, 'Cryptography and
Liberty: Can the Trusted Third Parties be Trusted? A Critique of
Recent UK Proposals', 1997 (2) The Journal of Information Law and
Technology (JILT). < http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1997_2/akdeniz/>.
American Civil Liberties Union (ACLU),
'Big Brother in the Wires: Wiretapping in the Digital Age', Special
Report, March 1998. < http://www.aclu.org/issues/cyber/wiretap_brother.html >.
Americans for Computer Privacy (ACP),
Press Release, January 12, 2000. < http://www.computerprivacy.org/news/947779537.shtml >.
Banisar, D, 'Love Letter's last
Victim', Security Focus, May 22, 2000. < http://www.securityfocus.com/commentary/39 >.
Bowden, C, & Akdeniz, Y,
'Cryptography and Democracy: Dilemmas of Freedom,' in Liberty eds.,
Liberating Cyberspace: Civil Liberties, Human Rights, and the
Internet, London: Pluto Press, 1999, 81-125. < http://www.cyber-rights.org/reports/yacb.pdf >.
Campbell, D, 'Interception Capabilities
2000,' a working paper for the European Parliament, Science and
Technology Options Assessment (STOA). <
http://www.europarl.eu.int/dg4/stoa/en/publi/pdf/98-14-01-2en.pdf >.
Campbell, D, et al, 'Enfopol Timeline
1991-1999' Telepolis, March, 1999. < http://www.telepolis.de/tp/english/special/enfo/6382/1.html >.
Clark, R, 'Data Protection Law in
Ireland' (Round Hall Press 1990).
Clayton, R, 'The DTI Proposals on
Encryption: an Overview', Demon Internet, March 1998.
Cyber-Rights & Cyber-Liberties
(UK), 'First Report on UK Encryption Policy: Response to
the DTI Consultation Paper', May 1997. < http://www.leeds.ac.uk/law/pgs/yaman/ukdtirep.htm >.
Cyber-Rights & Cyber-Liberties
(UK), 'Wassenaar Controls, Cyber-Crime and Information
Terrorism', September 1998. < http://www.cyber-rights.org/crypto/wassenaar.htm >.
Cyber Rights & Cyber Liberties
(UK), 'Response to the March 1999 DTI Paper Building
Confidence in Electronic Commerce - A Consultation Document,' April
1, 1999. < http://www.cyber-rights.org/reports/dti99.htm >.
Cyber-Rights & Cyber-Liberties
(UK), 'Open Letter to IBM and BT in relation to UK
Government Electronic Commerce Proposals', August 5, 1999.
< http://www.cyber-rights.org/reports/ibmbt-letter.htm >.
Davies, S, 'Europe Plans a Huge Spy
Web', Daily Telegraph, January 7, 1999.
Department of Commerce (US),
'Administration Implements Updated Encryption Export Policy',
Bureau of Export Administration (BXA) Fact Sheet, January 12, 2000.
<
http://204.193.246.62/public.nsf/docs/60D6B47456BB389F852568640078B6C0/>.
Department of Justice (US), 'The
Electronic Frontier: The Challenge of Unlawful Conduct Involving
the Use of the Internet', a report of the President's Working Group
on Unlawful Conduct on the Internet, March 2000. < http://www.usdoj.gov/criminal/cybercrime/unlawful.htm >.
Department of
Trade and Industry
(UK),'Regulatory Intent Concerning
use of Encryption on Public Networks', June 1996. < http://dtiinfo1.dti.gov.uk/cii/encrypt/>.
Department of Trade and Industry (UK),
'Licensing of Trusted Third Parties for the Provision of Encryption
Services', March 1997.
Department of Trade and Industry (UK),
'Secure Electronic Commerce Statement', April 1998. < http://www.dti.gov.uk/CII/ana27p.html >.
Department of Trade and Industry (UK),
'White Paper on Strategic Export Controls', July 1998.
< http://www.dti.gov.uk/export.control/stratex/>.
Department of Trade and Industry (UK),
'A Report for the DTI Summarising Responses to Building Confidence
in Electronic Commerce: A consultation Document', June 1999.
< http://www.dti.gov.uk/cii/elec/conrep.htm >.
Department of Trade and Industry (UK),
'Summary of Responses to Promoting Electronic Commerce: A
Consultation Document', 29 October 1999. < http://www.dti.gov.uk/cii/elec/billsumm.html >.
Electronic Frontier Foundation,
'Inadequate White House Crypto Policy Changes' Press Release,
September 16, 1998. <
http://www.eff.org/pub/Privacy/ITAR_export/1998_export_policy/HTML/19980916_p
olicy.html >.
Electronic Privacy Information Center,
'Cryptography and Liberty: an International Survey of Encryption
Policy', (EPIC, 1999). < http://www.gilc.org/crypto/crypto-survey-99.html >.
Electronic Privacy Information Center and
Privacy International, 'Privacy and Human Rights 1999: An
International Survey of Privacy Laws and Developments', (EPIC,
1999). < http://www.privacyinternational.org/survey/>.
Epstein, R A, Testimony before the
Senate Judiciary Sub-Committee on the Constitution, Federalism and
Property Rights, prepared on behalf of the Americans for Computer
Privacy. < http://www.computerprivacy.org/archive/03171998-3.shtml >.
European Commission, 'A European
Initiative in Electronic Commerce', April 1997 Communication
document, (COM (97) 157 final) < http://www.cordis.lu/esprit/src/ecomcom/>
European Commission, 'Towards a
European Framework for Digital Signatures and Encryption'.
Communication by the Commission to the European Parliament, The
Council, The Economic and Social Committee, and the Committee of
Regions Ensuring Security and Trust in Electronic Communication,
October 1997, COM (97) 503. < http://www.ispo.cec.be/eif/policy/97503toc.html >.
European Commission, 'An Amended
Proposal for a European Parliament and Council Directive on Certain
Legal Aspects of Electronic Commerce in the Internal Market,' COM
(1999) 247.
European Commission, 'Directive of the
European Parliament and of the Council on Certain Legal Aspects of
Information Society Services, in particular Electronic Commerce in
the Internal Market' (14263/1/99), 1 September 1999. <
http://europa.eu.int/comm/internal_market/en/media/eleccomm/index.htm >.
Foundation for Information Policy
Research, Press Release, July 23 1999: 'Electronic
Commerce will Harm UK Industry, Hold Back Growth of E-Commerce,
Undermine Consumer Protection, and Violate European Convention on
Human Rights'. < http://www.fipr.org/ecommpr.html >.
Freeh, L, Speech to US Senate
Sub-Committee on Terrorism, Technology & Government
Information, September 3, 1997.
Froomkin, A M, 'It came from Planet
Clipper: The Battle Over Cryptographic Key 'Escrow'', 1996 U. CHI.
L. Forum 15. < http://www.law.miami.edu/~froomkin/articles/clipper.htm >.
House of Commons Select Committee on Trade and
Industry, 'Seventh Report: on Building Confidence in
Electronic Commerce: A Consultation Document', May 18, 1999.
<
http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind
/187/18702.htm >.
House of Commons Select Committee on Trade and
Industry, 'Fourteenth Report on Draft Electronic
Communications Bill', October 26, 1999. <
http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind
/862/86202.htm >.
Koops, B J, 'Crypto Law Survey',
Version 17.0, February 2000. < http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm >.
Landrock, P, 'Opportunities and
Barriers in Europe', speech delivered to the Copenhagen expert
hearing on digital signatures and encryption, April 23, 1998.
< http://www.fsk.dk/fsk/div/hearing/ses3/barrier.html >.
McCullagh, D, 'Decoding the Crypto
Policy Change', Wired News, September 17, 1999. < http://www.wired.com/news/politics/0,1283,21810-1,00.html >.
McCullagh, D, 'Cybercrime Solution has
Bugs', Wired News, May 3, 2000. < http://www.wired.com/news/politics/0,1283,36047,00.html >.
McKay, N, 'Europe is Listening', Wired
News, December 1998.
National Research Council ,
'Cryptography's Role in Securing the Information Society' (CRISIS
Report), June 1996. < http://www.nap.edu/readingroom/books/crisis/>.
Report of Day 1 of the European Expert Hearing
(Copenhagen Hearing) on Digital Signatures and Encryption, April
23, 1998. < http://www.fsk.dk/fsk/div/hearing/first.html >.
Rotenberg, M, Prepared Testimony and
Statement for the Record on Encryption Technology and Policy before
the Sub-Committee on Telecommunications and Finance. Committee on
Energy and Commerce US House of Representatives, June 9, 1993.
<
http://www.epic.org/crypto/clipper/cpsr_markey_testimony_6_9.html >.
Statute of the Council of Europe, 1949.
< http://conventions.coe.int/treaty/EN/cadreintro.htm >.
Bibliography
Akdeniz, Y, 'UK
Government Encryption Policy', 1997 (1) Web Journal of Current
Legal Issues. < http://webjcli.ncl.ac.uk/1997/issue1/akdeniz1.html >.
Akdeniz,Y, 'No
Chance for Key Recovery: Encryption and International Principles of
Human and Political Rights', 1998 (1) Web Journal of Current Legal
Issues. < http://webjcli.ncl.ac.uk/1998/issue1/akdeniz1.html >.
Astor, P, ' Thin
Consensus veils Conflict at G8', Security Focus, May 17, 2000.
< http://www.securityfocus.com/news/37 >.
BBC News 'UK
Government Dithers on Encryption Regulation', Friday 20,
1998.
Blume, P, 'The
Citizens Data Protection', 1998 (1) The Journal of Information Law
and Technology (JILT). < http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1998_1/blume/>.
Campbell, D,
'Britain Sneaks >>Enfopol<< Plan into Action',
Telepolis, June 1999. < http://www.telepolis.de/tp/english/inhalt/te/2989/1.html >.
Clausing, J,
'Administration Announces New Concessions on Encryption Policy',
New York Times, September 16, 1999.
Cyber-Rights &
Cyber-Liberties (UK), 'British and Foreign Civil Rights
Organisations Oppose Encryption Paper', Press Release, April 9,
1997.
Cyber Rights &
Cyber-Liberties (UK), Press release; 'Electronic
Communications Bill Published and Key Escrow is Dead', 19 November
1999. < http://www.cyber-rights.org/crypto/>.
Cyber-Rights &
Cyber-Liberties (UK), Briefing for the House of Commons,
Second Reading Debate of the 'Regulation of Investigatory Powers
Bill', 6 March, 2000. < http://www.cyber-rights.org/reports/crcl-rip.htm >.
Electronic Frontier
Foundation, 'Legal Cases- Crypto- Berstein v, U.S., Dept.
of Justice,' Archive. < http://www.eff.org/bernstein/>.
Electronic Privacy
Information Center, 'New White House Computer Surveillance
Plan Would Pose Unprecedented Threat to Privacy', Press Release,
August 20, 1999.
Electronic Privacy
Information Center, American Civil Liberties Union, Electronic
Frontier Foundation, Joint Statement Press Release: 'Civil
Liberties Groups Say New Encryption Export Regulations Still Have
Serious Constitutional Deficiencies', January 13, 2000. <
http://www.epic.org/crypto/export_controls/joint_release_1_00.html >.
European
Commission, A Proposal for a European Parliament and
Council Directive on Certain Legal Aspects of Electronic Commerce
in the Internal Market; COM (1998) 586.
Foundation for Information
Policy Research, Press Release: 'Comment on Queens
Speech', November 17, 1999. < http://www.fipr.org/uk_ecomm_bill/qupr.html >.
Global Information Networks
Conference 1997 , Press Release of 8 July 1997.
Global Internet Liberty
Campaign (GILC), Member Statement, 1998, 'Cryptography is
a Defensive Tool, Not a Weapon'. <
http://www.gilc.org/crypto/wassenaar/gilc-statement-998.html >.
Goodlatte, B,
'Let's Open up Encryption', Washington Post: Encryption Special
Report, June 12, 1997.
Labour Party Policy on
Information Superhighway, 'Communicating Britain's
Future', 1995. Originally posted at
<http://www.labour.org.uk/views/info%2Dhighway/content.html>[no
longer available].
Nguyen, T,
'Cryptography, Export Controls and the First Amendment in Bernstein
v. United States Department of Justice', 1997, 10 Harvard Journal
of Law & Technology, 667.
O'Harrow, R,
'Justice Department Pushes for Powers to Unlock PC Security
Systems', Washington Post, August 20, 1999.
Organisation for Economic
Co-operation and Development, Recommendation of the
Council Concerning Guidelines for Cryptographic Policy, March 27,
1997. < http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm >.
Organisation for Economic
Co-operation and Development, 'Inventory of Controls on
Cryptographic Technologies', DSTI/ICCP/REG(98)4/FINAL, January 28,
1999.
President's Export Council
Subcommittee on Encryption (PECSE), 'Liberalisation 2000:
Recommendations for Revising the Encryption Export Regulations',
July 1999. < http://cryptome.org/LIB42.htm >.
Rosenoer, J,
'Cryptography and Speech,' CyberLaw, 1995.
< http://www.cyberlaw.com/cylw1095.html >.
Ross, P, 'First
Amendment: Computer Programming Language: Bernstein v. United
States Department of Justice', 1998, 13 Berkley Technology Law
Journal, 405.
Statewatch Report,
'Global Surveillance System Launched by FBI & European Union',
Statewatch, February 1997. < http://www.can-offshore.com/global_surveillance_FBI.htm >.
Footnotes
1 . In its 1997 Communication
paper, the European Commission stated; 'Digital signatures do not
pose any risk for law enforcement since they do not prevent data
from being read. Digital signatures could even bring significant
law enforcement benefits as they allow for example messages to be
attributed to a particular reader and/or sender.' (COM (97) 503,
p2.) ( EC;
1997b .)
2 . W Diffie and M E Hellman
first published this new encryption process in a paper entitled
'New Directions in Cryptography', IEEE Transactions on Information
Theory, IT-22: 644-654, 1976.
3 . Justice Louis D Brandeis,
delivering a dissenting judgement before the US Supreme Court in
1927 acknowledged the 'right to be let alone' as ' the
most comprehensive of the rights of man and the right most valued
by civilized men.' (Olmstead v. US, 277 US 438,
478.)
4 . The analogy has been
drawn between encrypting a message and putting a letter in a sealed
envelope. The idea is that just as it should not be regarded as
suspicious to want to keep the contents of a letter private,
neither should it be to want to conceal information in electronic
form. ( Akdeniz et al;
1997 , p6.)
5 . For a comprehensive and
up to date summary of different countries responses to encryption
see 'Cryptography and Liberty 2000: an International Survey of
Encryption Policy'. Written by members of the Electronic Privacy
Information Center, this survey classifies the countries into three
different categories (green, yellow, and red) regarding controls on
cryptography.
6 . It has been noted that
'[T]oday the term 'key recovery' is used as generic term for
these systems, encompassing the various 'key escrow,' 'trusted
third-party,' 'exceptional access,' 'data recovery,' and 'key
recovery' encryption systems introduced in recent years.'
(' The Risks of Key
Recovery, Key Escrow and Third Party Encryption';
1998 , p9.)
7 . Trusted Third Parties or
Certification Authorities were originally intended as independent
commercial bodies responsible for authenticating the identification
of an encryption key holder. In more recent years, however, they
have been targeted by some governments to act as 'escrow agents',
whereby they would demand storing a copy of the private decryption
key of all their clients. ( Bowden, C, & Akdeniz, Y; 1999 , p15.)
8 . It has been suggested
that this particular stance by the US government arises from
'the dominant role that national intelligence and federal law
enforcement agencies hold in the development of encryption policy.'
( EPIC;
1999a .)
9 . For example, Article 12
of the Universal Declaration and Article 17.1 of the International
Covenant on Civil and Political Rights protect people from
' arbitrary or unlawful interference' with their
'privacy, family, home or correspondence,'; Article 8.1 of
the European Convention on Human Rights and Fundamental Freedoms
grants everyone 'the right to respect for his private and
family life, his home and his correspondence'; Article F(2) of
the Treaty on the European Union guarantees respect for the
fundamental freedom protections set out in the European Convention;
and the EU Data Protection Directive [95/46/EC] lays down new
standards for privacy protection within the European Community as a
whole.
10 . Cyber Rights and Cyber
Liberties (UK) responding to calls for the introduction of similar
legislation to the UK Interception of Communications Act 1985 to
regulate the recovery of keys from TTP's, note that;
'[T]his idea seems to go further
than the requirements of the 1985 Act because... future legislation
will not only deal with information on the move through a
telecommunications system but also for 'lawful access to data
stored and encrypted by the clients of the licensed TTP's.
Additionally, Internet communications are different from simple
telephone communications, and the encryption technology in question
is obviously not the medium itself, but a tool that can be used for
many purposes. So an analogy with the Interception of
Communications Act 1985 is not necessarily the correct one .'
( Cyber Rights &
Cyber Liberties (UK); 1999a ,
p6.)
11 . In 1998 a group of
international cryptography experts published a report, 'The Risks
of Key Recovery, Key Escrow, and Trusted Third-Party Encryption',
which focused specifically on these issues. They concluded
that;
' Building the secure
computer-communication infrastructures necessary to provide
adequate technological underpinnings demanded by these requirements
would be enormously complex and is far beyond the experience and
current competency of the field. Even if such infrastructures could
be built. The risks and costs of such an operating environment may
ultimately prove unacceptable.' (' The Risks of Key Recovery, Key
Escrow and Third Party Encryption'; 1998 .)
12 . The American Civil
Liberties Union, addressing this point, state; 'In the pre-digital
era, the cost of labor intensive wiretaps, conducted by human
agents listening to conversations and then transcribing them,
functioned to some extent as an economic deterrent to wide scale
wiretapping. Digital wiretapping, on the other hand, means massive
scanning of thousands of conversations by computers programmed to
look for digital representations of key words, like 'drugs,'
'bombs,' Civil rights,' 'Republicans', or 'Democrats.' Obviously
the potential for abuse is thereby magnified many-fold. ...........
Today the government's control of encryption, through restrictions
on its strength and demands for access to decoding 'keys' is the
lynch pin of a new and unparalleled era of wiretapping.' ( ACLU; 1998 , p4.)
13 . The US attempts to
pressure the OCED countries to approve key recovery proposals are
evidenced by the travel records of David Aaron, the special envoy
for cryptography policy abroad. Aaron, dubbed the 'Crypto Czar' was
instructed to 'foster the international co-operation needed to
achieve the goals of the Clinton administration encryption
initiative; specifically to promote... a global key recovery
architecture.' Transcript of a Signal from Washington to the US
Embassies in London and Paris, 22 November 1996. These travel
records were obtained by the Electronic Privacy
Information Center (EPIC) under the US
Freedom of Information Act. This extract was taken from
Cyber-Rights & Cyber-Liberties (UK), ' Freedom
of Information Files '.
14 . Groups such as the
Global Internet Liberty Campaign also lobbied the OCED and urged it
to adopt a position which would respect 'the fundamental rights of
citizens to engage in private communications.' (GILC, Resolution in
Support of the Freedom to use Cryptography', presented in 1996 to
the OECD conference.)
15 . The General Software
Note (GSN) excepted such goods from the controls. Some countries,
however, such as the US, did not incorporate the GSN and maintained
controls on the export of both mass market and public domain
cryptography software.
16 . One GILC member,
Cyber-Rights & Cyber Liberties (UK), examined the purported objectives of the Wassenaar
Agreement and found that controls placed on cryptographic products
were actually contrary to the principles on which it was based.
They issued a report concluding that, as the Arrangement itself
provides that restrictions must not be used to obstruct genuine
civil transactions, it is surely not legitimate to control
encryption products which are clearly designed and sold for civil
or commercial purposes. ( Cyber Rights & Cyber Liberties (UK);
1998 , p6.)
17 . A detailed history of G8
meetings is available from Privacy International's dedicated
Cyber-crime page .
18 . This is the third case
to challenge the constitutionality of the US export rules. Other
cases pending before the courts include Karn v. US Department of
State and Junger v. Daley. On April 4, 2000 the Sixth Circuit
Federal Court of Appeals issued a landmark
ruling in the Junger
case. It held that as computer source code is an
' expressive means for the exchange of information
and ideas about computer programming' it is protected speech under
the First Amendment. It then referred the case back to a lower
court to decide the impact of the current US export rules on this
protected speech.
19 . In its seminal ruling,
the Court held that: 'the particular language one chooses [does
not] change the nature of language for First Amendment purposes.
This court can find no meaningful difference between computer
language, particularly high level languages and German or French.
All participate in a complex system of understood meanings within
specific communities.' (Berstein v. United States Department
of State, 922 F. Supp. 1426 at 1435.)
20 . Indeed there is evidence
that European companies have regarded the US export rules as a
unique opportunity to dominate the global encryption market. For
example, in a speech delivered to the Copenhagen Hearing on digital
signatures and encryption, it was stated: 'Luckily enough for
all European companies in the business, USA authorities have put an
incomprehensible restriction on export of strong encryption....This
is a great opportunity, and the EU ought to be grateful... not only
have we not lost the battle for secure communication, we are in
many respects ahead of the USA and the rest of the world ... in
this area.' ( Landrock, P; 1998 ,
p2.)
21 . The new concessions
allowed very strong encryption with any key length and with or
without key recovery will now be permitted for export, under
licence exception to financial institutions and on-line merchants
as well as the previously exempt medical, health and insurance
businesses. Also, hardware and software encryption products of up
to 56 bit DES or equivalent were allowed to be granted a six-month
export licence after a one-time review. Previously export of any
item with longer than a 40 bit key was prohibited. Finally, key
recovery encryption products, irrespective of bit length, were
permitted for export without a licence, after a one time review, to
any country except one of seven 'terrorist' countries, including
Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba. (See
EFF; 1998 .)
22 . Other similar
legislative proposals include the 'Promotion of Commerce Online in
the Digital Era' (Pro-CODE) Bill 1996 introduced Senator Burns, and
the 'Encryption Protects the Rights of Individuals from Violation
and Abuse in Cyberspace' (E-PRIVACY) Bill 1998 authored by Senators
Ashcroft and Leahy, the 'Promote Reliable On Line Transactions To
Encourage Commerce and Trade' (PROTECT) Bill 1999 sponsored by
Senators Mr. McCain, Burns, Wyden, Leahy, Abraham and
Kerry.
23 . The regulations were
prompted by a report by the President's Export Council Subcommittee
on Encryption entitled, ' Liberalization 2000 ', which
advocated a further relaxation of the US export laws.
Unfortunately, however, the administration did not implement this
report fully and the published regulations were slightly less
liberal than those PECSE had recommended.
24 . Americans for Computer
Privacy (ACP) issued the following statement: ' ACP is extremely
gratified by the new encryption regulations. They are more in step
with the economic realities of the Information Age, while
protecting our nation's vital security and law enforcement needs.
And, they strike a balance between security and America's
commercial interests.' (See ACP; 2000 .)
25 . More sinister results of
the government's refusal to decontrol the export of encryption have
also been put forward. It has been suggested that the continued
controls over encryption may lead to a certain amount of
government-industry collusion as the government may use the
licensing and technical review requirements to coerce companies to
insert flaws into their products and allow for 'back door' access.
( McCullagh D;
1999 .)
26 . For articles and
statements detailing reactions from members of the public and the
computer industry see the Electronic Privacy Information Center's
'Clipper Page', available at < http://www.epic.org/crypto/clipper/>.
27 . For example, the
'Electronic Data Security Act of 1997', published by the Clinton
Administration in March 1997 and the Secure Public Networks Act,
(S.909) authored by Senators Kerry, McCain and Hollings in June of
the same year.
28 . Until recently, the UK
and France stood out in Europe as the sole supporters of
restrictions on encryption. In January 1999, however, Prime
Minister, Lionel Jospin, announced an intention to liberalise the
French cryptographic policy and remove the strict controls on the
export and use of encryption. The use of encryption products of up
to 128 bits is now permitted and represents a substantial increase
on the previous 40 bit limit. ( Koops; 2000 ) Since this
liberalisation, the UK has been even more isolated in its approach
to encryption among its European counterparts.
29 . [OJ L 367/1] This
regulation entered into force on July 1, 1995, containing 24
articles. Council Decision No. 94/942/CFSP with eight articles and
five annexes has since been appended to it. [OJ L
367/8.]
30 . There have been many
criticisms of this export regime over the years. For example, in
1997 the European Commission found that as the regulation 'does
not fully specify the scope, content and implementation practices
of national controls' it leads to divergences in national
measures which can distort competition. (COM (97) 503, p13).
( EC; 1997b .) Also, during the 1998 Copenhagen Hearing expert
members stated that 'the need to apply for export
licenses....impose[s] significant barriers for the European
cryptographic industry even when trading within the boundaries of
the European Union.' ( Report from Day 1; 1998 .)
31 . The Fourth Amendment
protects 'the right of people to be secure in their persons,
houses, papers and effects ' and is understood to extend to
informational privacy. ( Epstein, R. A.; 1998 .) The
Privacy Act of 1974, (5 USC 552a, PL 93-579) protects data held by
Government agencies. A number of US federal laws govern data
protection by certain sectors e.g. the financial, educational, and
communications sectors. (EPIC & Privacy International, 1999,
Country Reports, p23-25.) Overall, however, the US government has
remained committed to a self-regulatory approach to data protection
among the private sector. Unless the US improves regulation of this
area, it may detrimentally affect its ability to trade with EU
Member States who are required under the terms of the EU Data
Protection Directive to ensure that information relating to EU
citizens is adequately protected when processed in countries
outside the EU. (EPIC & Privacy International, 1999,
Overview.)
32 . Directive 95/46/EC of
the European Parliament and of the Council on the Protection of
Individuals with Regard to the Processing of Personal Data and on
the Free Movement of Such Data. [OJ L 281/31.]
33 . Directive 97/66/EC of
the European Parliament and of the Council Concerning the
Processing of Personal Data and the Protection of Privacy in the
Telecommunications Sector. [OJ L 24/1.]
34 . The Commission itself
implied this in its 1997 Communication paper stating that ' Any
regulation hindering the use of encryption products and services
throughout the Internal Market hinders the secure and free flow of
personal information and the provision of related goods and
services, and its justification needs to be examined in light of
the Treaty and the EU Data Protection Directive.' (COM (97)
503 p17.) ( EC;
1997b .)
35 . On the other hand, the
intention of the Commission expressed in this Communication to
introduce a specific initiative on digital signatures has recently
been implemented in
Directive 1999/93/EC .
This directive came into force in January 2000 and member states
must regulate their laws in accordance with it by July
2001.
36 . 'Directive of the
European Parliament and of the Council on Certain Legal Aspects of
Information Society Services, in particular Electronic Commerce in
the Internal Market'. (14263/1/99.) ( EC; 1999b .) This was put
forward on 1 September 1999 by the European Commission. After the
first reading in the European Parliament, on 7 December 1999, the
EU Council of Ministers made a unanimous political agreement on its
position on this Directive. The Common Position was formally
adopted by the Council of Ministers on February 28 and sent to the
European Parliament for its second reading. On May 4, 2000 the
Parliament adopted the Directive without amendments. It will
shortly be published in the Official Journal after which time the
member states will have 18 months to implement it into national
law.
37 . Note, however, that the
original proposal by the Commission mentioned cryptography
specifically. Recital 15 stated that member states were required to
'prohibit any kind of interception or surveillance of such
electronic messages by others than the senders and receivers
and to abstain from prohibiting or restricting the use of
cryptographic methods or tools for protecting confidentiality or
ensuring authenticity of the information transmitted or
stored.' ('An Amended Proposal for a European Parliament and
Council Directive on Certain Legal Aspects of Electronic Commerce
in the Internal Market', COM (1999) 247. ( EC; 1999a .))
38 . In particular it was
argued that in light of the liberalization of the US export regime,
the government should ' look again at the case for a review into
the rationale of export controls on such products.' ( House of Commons Select
Committee on Trade & Industry; 1999b , Part F.)
39 . See generally
'Cryptography and Liberty: Can the Trusted Third Parties be
Trusted? A Critique of Recent UK Proposals' ( Akdeniz et al;
1997 ); 'The DTI Proposals on
Encryption: an Overview' ( Clayton R.; 1998 ); and
'First Report on UK Encryption Policy: Response to the DTI
Consultation Paper' ( Cyber-Rights & Cyber-Liberties (UK);
1997 ).
40 . In the 1998 White Paper,
' Our Competitive Future: Building the Knowledge-Driven
Economy ', the Government set this as a
goal for the year 2002.
41 . Indeed official records
obtained by civil liberties groups under Freedom of Information
laws indicate that the US has closely influenced the development of
UK policies in this area. See in particular Cyber-Rights &
Cyber-Liberties (UK), ' Freedom
of Information Files ',
section.
42 . The National Research
Council writing in 1996 predicted this as the likely outcome of an
overly oppressive encryption regime. It stated: '[ P]roposed
policy regimes that attempt to impose market-unfriendly solutions
will inevitably lead to resistance and delay..... Responsible
domestic businesses, vendors, and end users are ...likely to try to
move ahead on their own - and quickly so - if they believe that
government requirements are not reasonable. Moreover, foreign
vendors may well attempt to step into the vacuum. The bottom line
is that the U.S. government may have only a relatively small window
of time in which to influence the deployment of cryptography
worldwide.' ( NRC;
1996 , Chapter 8.1.4.)
43 . For details of projects
such as 'Echelon', and the proposed 'Enfopol '98' which rely on a
system of international co-operation among law enforcement to
establish global surveillance, see 'Interception Capabilities
2000', a working paper for the European Parliament, Science and
Technology Options Assessment (STOA) panel ( Campbell, D ); Echelon Watch , a web site
hosted by the ACLU; 'Enfopol Timeline 1991-1999', Telepolis,
( Campbell, D, et al;
1999 ); 'Europe Plans a Huge Spy Web',
Daily Telegraph, ( Davies,
S; 1999 ), and 'Europe is Listening',
Wired News, ( McKay, N;
1998 ).
|