[Previous] [No next] [Up] [Title]

7. Encryption - our cryptic policy

Cyberspace is a virtual place littered with `Superhighway - under construction' signs, large holes, and people with hard hats carrying plans marked `Standards', `Public Key Infrastructure', `key escrow' and the like. Meanwhile, many of the natives have been building increasingly elaborate shanties out of stuff called encryption. The planners like the local materials, but have other ideas for the site ...

7.1. Cryptography changes everything

The importance of public key (or asynchronous) encryption to the construction of cyberspace can scarcely be overstated. The discovery that different keys (numbers) could be used to encrypt and decrypt a message, and that one key could not be derived from the other even if the encryption algorithm was known, may be one of the most significant developments in the history of communications.

The technologies that public key cryptography has made possible are essential for the confidentiality and privacy of internet communications; for the guaranteed authenticity of messages through digital signatures; for the `crypto bottling' of intellectual property `super-distribution' systems[44]; for secure credit card transactions; and for the additional privacy advantages of electronic cash. Cryptography has long been described as the walls and ceilings out of which cyberspace is being built[45]http://www.eff.org/pub/Publications/John_Perry_Barlow/HTML/idea_economy_article.html], and now it is often said that `cryptography changes everything'.

It is rare that a single technology plays such a major role in the development of public policy in so many areas. A great deal of the attention of government officials and official standards bodies is being turned to getting the policy and legal settings right for encryption technologies, mainly because they are the perceived to be, at the same time, the key to competitive advantage in electronic commerce, and a threat to law enforcement and revenue collection. Privacy advocates, on the other hand, see the general availability of 'strong' encryption (ie in practice uncrackable by governments or anyone else) as offering the essential 'privacy enhancing technology' (PET) in relation to telecommunications and the internet.

The legal framework within which encryption technologies will operate is perhaps the single most important privacy issue of the moment[46].

7.2. The international debate

Australia moves centre-stage in encryption debates

In February 1996 Australia and the OECD jointly hosted a Conference on Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure. The Conference was notable not so much for the written papers[47]http://www.nla.gov.au/gii/papers.html] as for the preoccupation of attendees with the development of encryption policies, and increasingly lively debates on the Conference floor[48]http://www.nla.gov.au/gii/copyrite.html].

Norman Raeburn, Deputy Secretary of Australia's Attorney-General's Department, was elected as the Chairman of the OECD's Group of Experts on Security, Privacy and Intellectual Property on the GII. It was previously an ad hoc committee when chaired by Justice Michael Kirby to produce the OECD's privacy and security Guidelines, but it has now been given 'permanent' status. The Group of Experts reports to the Committee for Information, Computing and Communications Policy (ICCP) of the OECD. This OECD structure seems to be emerging as the main forum for international negotiation of cryptography policy (at least outside Europe), so Australia has obtained an influential position in the developing international debate.

OECD forging crypto consensus?

In relation to crypto policy, the main action is occurring at the meetings of the Ad Hoc Group of Experts on Cryptography Policy Guidelines (the `Crypto-Experts Group'), which is supposed to report to the broader Group of Experts mentioned above. The most recent meeting was in Washington on 8 May, and the next is in Paris on 26-27 June. At the 8 May meeting, a number of sets of draft Guidelines were discussed, including one deriving from a December 1995 meeting of the Crypto-Experts Group, and one prepared jointly by the ICC (International Chamber of Commerce) and BIAC (the OECD's Business and Industry Advisory Council). The ICC/BIAC draft was the subject of considerable discussion.

Some of the issues under discussion by the Crypto-Experts Group include whether there should be any national limitations on the export of products that are in fact widely available internationally; whether governments should insist that any keys be held within their borders; whether there should be any requirements at all that private keys be held in escrow by any third parties; and whether it is sufficient to protect governmental interests that governments be able to obtain warrants to obtain private keys in order to decrypt texts. The breadth of the issues under discussion indicates that no one view yet predominates.

The Electronic Privacy Information Centre (EPIC), analysing the OECD developments, concludes that it is unlikely that the Expert Group will agree in the near future to an international encryption policy based on key escrow. However, the US Government is continuing to push such an approach, as noted below.

Australian Government policy

The Coalition parties election policy, On-line Services Policy 49 concludes that: `Heavy-handed attempts to ban strong encryption techniques will compromise commercial security, discouraging online service industries (particularly in the financial sector) from adopting Australia as a domicile. This would result in a substantial economic loss to the country'. It says that `the onus is on security agencies to demonstrate that the benefits of mandating "crackable" codes (as has been attempted in the USA with the "Clipper" chip technology) outweigh the social and economic consequences of the loss of personal privacy and commercial security that this would entail.' This is a strong pro-privacy election statement, but it remains to be seen how it translates into policies now that the Coalition is in government. It shouldn't be forgotten that Federal Cabinet's 1990 decision that `all public telecommunications services should be capable of being intercepted for law enforcement and national security purposes'[50] still stands.

The issue of the unconstrained availability of strong encryption has been the issue which has attracted most public attention, particularly in the USA. It seems far less an issue in countries like Australia, or in Canada[51].

The USA holds out

The US administration, despite abandoning its `Clipper chip' proposal, is still maintaining its export ban on strong cryptography, and is actively developing new proposals which use export prohibitions as the stick with which to force US companies to only release software which requires private keys to be placed in approved escrow arrangements, both internationally and within the USA, as a condition of obtaining export permissions.

The new Key Management Infrastructure (KMI) proposals[52]http://www.epic.org/crypto/key_escrow/white_paper.html ] - also dubbed `Clipper III' - have a vital bearing on international developments, because the US proposal is that US software exports with strong encryption would only be permitted to countries which have government-to-government key escrow arrangements with the USA. As EPIC puts it, KMI is proposed as `a worldwide standard for network communication'. Whether Australia, New Zealand and Canada hold out against US pressures to introduce key escrow schemes is likely to be significant.

7.3. Public key infrastructure

The availability of strong encryption only one important encryption issue. Public key encryption is not effective unless there is a ready means for anyone to obtain the public key of any other person from whom they may receive a message (or alternatively, for the sender to readily obtain the public key of anyone to whom they wish to send a confidential message). As a result, various types of structures are being proposed for the certification and distribution of public keys, to be used either for the purpose of encryption/decryption or for authentication of digital signatures, or both. `Public key infrastructure' (PKI) or `certification authority' proposals can cover an enormous range of possibilities, from the most centralised government-controlled registers to very decentralised approaches.

Standards Australia has released a new draft standard for a `public key authentication framework' for Australia (DR 96078).

The bottom-line privacy issue in all of these proposals is that they will create identification registers which will play an important role in our future society. Certification authorities will have to hold acceptably strong evidence of identification, so as to certify that a particular physical/legal person is to be identified with a particular public key. Any methods of excluding a person from such registers could prejudice their participation in cyberspace, and therefore have significant privacy implications. Issues relating to the extent of central control of such registers, and any potential for abuse, are likely to be important.

[44] See the announcement of IBM's Cryptolope containers - http://www.infomarket.ibm.com

[45] John Perry Barlow 'Crypto bottling' from 'Wine without bottles: The economy of mind on the global net' (1993)

[46] For an introduction to these issues, see Privacy Law & Policy Reporter, Vol 3 No 2 (1996), the introduction to which is the origin of this part of this paper.

[47] See for a selection

[48] The rapporteurs reports capture some of this (see ).

49 For a review, see G Greenleaf `Privacy and Australia's new Federal government' (1996) 3 PLPR 1.

[50] see 1 PLPR 161 for details

[51] Information Highway Advisory Council Report (1995) - `Security Recommendations'; see (1995) Privacy Files, Vol 1 No 1, p11

[52] see

[Previous] [No next] [Up] [Title]