Government should lift crypto export controls and repeal Net Censorship Legislation Dr Michael Baker Board Member, Electronic Frontiers Australia Sydney,

Government should lift crypto export controls

and repeal Net Censorship Legislation

Dr Michael Baker

Board Member, Electronic Frontiers Australia

Sydney, 2 August 1999

http://pobox.com/~mbaker/Govforum.html

Introduction

• to help industry – lift crypto export controls

• since call for papers – Net censorship legislation

• to help industry and government– repeal Net censorship legislation


Looking at many forum topics

• Internet services for government

• Services for Government via the Internet

• Services for clients of the government, via the Internet

• What should the government do to help industry

provide Internet services?

• How can the government run better via the Internet?

• What can the Government teach companies about the

Internet?

• What is happening around the world and in the labs?


Crypto Summary

• Current Export Controls serve no useful purpose.

• Global effect is to risk information, security and communications privacy.

• De-regulation essential for E-Commerce.


Why is crypto important?

• Privacy - communications and stored data

• Authentication - E-commerce


Australian Public Policy

• Characterised by silence• Players include Attorney-General,

NOIE, DFAT, DSD, Defence• No published policy on encryption• Crypto export controls• Walsh Report 1997• OECD Cryptography Principles

supported 1997


Walsh Report

• Title: Review of Policy Relating to Encryption Technologies

• Author: Gerard Walsh, former deputy director of ASIO

• Review conducted Jul-Aug 1996• Report printed by AGPS Feb 1997 for

public comment• Distribution stopped by A-G


Walsh Report - The Saga

• Censored copy obtained by EFA in June 1997

• Published on Internet

• Media coverage: A-G claims not meant for public release

• Library deposit copies found Dec. 98


Walsh Report - The Saga

• Uncensored version published on Internet Jan 99

• Ausinfo claims copyright infringement Feb 99.

• EFA affirms right to publish

• Ausinfo claim withdrawn


Walsh Report - The Detail

• "Design flaws" in US key recovery proposals.

• Export controls of dubious value

• Legalised "hacking" should be allowed to agencies.

• Such recommendations were censored for national security reasons.


Walsh Report - The followup

• Largely silence !

• No further attempts at public debate

• ASIO Act Amendments 1999 implement "hacking" recommendation

• Internet facilitates surveillance

• LEA's - forget cryptanalysis, go for the plaintext ?


What Purpose Controls?

Export controls are in place to prevent the export of (unauthorised) controlled goods and technologies.

DEPARTMENT OF DEFENCE

AUSTRALIAN EXPORT CONTROLS

March 1998


Policy Objective

To prevent proliferation of strong cryptography for unlawful purposes.


The Official Rationale

If you knew what we knew,

you'd agree with us.


Failures of Current Policy

• Unenforceable

• Strong crypto already widespread

• Targets the law-abiding

• Intangible exports uncontrolled

• Increased risk of information warfare

• Chilling effect on E-commerce development


Other Policy Problems

• No policy guidelines available

• Case-by-case evaluation

• Key escrow/key recovery "encouraged"

• No industry consultation on policy

• No review of costs, benefits, risks


Dangers of government access

• Security Risk

• Liability Issues

• Risk of privacy infringement

• Risk of unlawful surveillance

• Costly

• Technological problems


• Points of vulnerability

• Weaken the value of the encryption

• Less secure

• Difficult to use

• Key recovery requirements can be evaded

• Circumvent with double encryption



• Costly infrastructure

• Negatively affects industry's competitiveness

• Not feasible for ephemeral keys

• Deters overseas customers (Lotus Notes example)

• Disadvantages exporters



What is Wassenaar?

• Basis for Australian DSGL

• 33 nations as signatory

• Replaced COCOM 1996

• Not intended to impact on commerce

• Directed against offensive weapons

• Amended December 1998


General Software Note

• Prior to 1998 exempted mass market and public domain software

• Now only exempts public domain

• Was previously ignored by 5 of the 33 signatories: USA, Russia, France, New Zealand, Australia


Scope of Wassenaar?

Article 4, Initial Elements:

• Will not impede bona fide civil transactions

• Will not interfere with legitimate means of defence


Scope of Wassenaar?

• Cryptography is not a weapon

• Cryptography is a defensive tool


Intangible Exports

• Uncertain legal position

• Customs Act limitations

• Intangible goods difficult to distinguish from ideas

• Academic freedom issues

• UK has current proposals


Australia Disadvantaged

The Wassenaar provisions are being flexibly interpreted by other countries, e.g.

• Ireland

• Germany

• Canada

• Israel (not a Wassenaar signatory)

• France


Inconsistency

Current application of export controls is inconsistent internationally and is disadvantaging Australian business.


Are export controls effective?

• What is the policy objective?– preventing proliferation of strong

cryptography for unlawful purposes– preventing widespread adoption of strong

cryptography for lawful purposes

• Widely available.

• Has prevented development of global standards.


Cryptography is Widely Available

The basic mathematical and algorithmic methods for strong encryption (without key recovery) are published and well known and can easily be implemented in software by any bright high-school student with access to a personal computer.

Industry Canada Report 1998.


Cryptography is Widely Available

Strong encryption software is already widely available on the Internet, for anyone to download, for free.


Controls impede adoption of crypto

• Fragmented market

• Reduces competition

• Counter to competition policy


No Support for Controls

There is no popular consensus, outside the law enforcement or national security communities, that regulation of cryptography is needed


Organisations Opposing Controls

• Internet Architecture Board (IAB)

• Internet Engineering Steering Group (IESG)

• International Federation for Information Processing (IFIP)

• National Research Council, USA

• OECD


• Institute of Electronics and Electrical Engineers (IEEE)

• American Association for the Advancement of Science

• The Internet Society (ISOC)

• Global Internet Liberty Campaign (GILC)



• Australian Computer Society (ACS)

• Australian Information Industry Association (AIIA)

• US Association for Computing Machinery (USACM)

• Americans for Computer Privacy (US industry lobby group)



Alternatives to Controls

• Using court orders to gain access to keys

• Enforcing existing laws on surrender of information

• Gathering information by means other than examining encrypted files

• Cryptanalysis


What should government do?

• Current Export Controls serve no useful purpose

• De-regulation essential for E-Commerce

• Public policy debate needed

• Lift crypto export controls


Net Censorship Legislation

• Complaints based• Prohibited content based on Film &

Video video classification scheme• Takedown orders on ICHs for prohibited

content in Australia• Blocking orders on ISPs for prohibited

content outside Australia• Industry Codes for ICHs and ISPs


Will it be effective?

• ABA's additional funding will only allow classification of small part of potentially prohibited material

• Easy to circumvent any blocking


Will it cause damage?

• Uncertainty for content providers• Movement of content overseas• Increased costs for ISPs, especially

small ISPs• Less competition• Adverse effect on "balance of traffic"• Increased costs• Malaysia and Canada won't regulate


What ICHs & ICPs will have to do

• ICHs - respond to take down orders

• Content Providers - covered by matching state legislation

• Content Providers - beware “Adult themes”


What should government do?

• Amend legislation by removing– content classification– takedown orders– blocking orders

• Would gut the legislation

• Repeal the legislation


Conclusion

• What should the government do to help industry provide Internet services?

• Lift crypto export controls

• Repeal Net Censorship Legislation


Documents

Government should lift crypto export controls and repeal Net Censorship Legislation Dr Michael Baker Board Member, Electronic Frontiers Australia Sydney,