Government should lift crypto export controls and repeal Net Censorship Legislation Dr Michael Baker Board Member, Electronic Frontiers Australia Sydney, 2 August
Introduction to help industry –lift crypto export controls since call for papers –Net censorship legislation to help industry and government –repeal Net censorship legislation
Looking at many forum topics Internet services for government Services for Government via the Internet Services for clients of the government, via the Internet What should the government do to help industry provide Internet services? How can the government run better via the Internet? What can the Government teach companies about the Internet? What is happening around the world and in the labs?
Crypto Summary Current Export Controls serve no useful purpose. Global effect is to risk information, security and communications privacy. De-regulation essential for E- Commerce.
Why is crypto important? Privacy - communications and stored data Authentication - E-commerce
Australian Public Policy Characterised by silence Players include Attorney-General, NOIE, DFAT, DSD, Defence No published policy on encryption Crypto export controls Walsh Report 1997 OECD Cryptography Principles supported
Walsh Report Title: Review of Policy Relating to Encryption Technologies Author: Gerard Walsh, former deputy director of ASIO Review conducted Jul-Aug 1996 Report printed by AGPS Feb 1997 for public comment Distribution stopped by A-G
Walsh Report - The Saga Censored copy obtained by EFA in June 1997 Published on Internet Media coverage: A-G claims not meant for public release Library deposit copies found Dec. 98
Walsh Report - The Saga Uncensored version published on Internet Jan 99 Ausinfo claims copyright infringement Feb 99. EFA affirms right to publish Ausinfo claim withdrawn
Walsh Report - The Detail "Design flaws" in US key recovery proposals. Export controls of dubious value Legalised "hacking" should be allowed to agencies. Such recommendations were censored for national security reasons.
Walsh Report - The followup Largely silence ! No further attempts at public debate ASIO Act Amendments 1999 implement "hacking" recommendation Internet facilitates surveillance LEA's - forget cryptanalysis, go for the plaintext ?
What Purpose Controls? Export controls are in place to prevent the export of (unauthorised) controlled goods and technologies. DEPARTMENT OF DEFENCE AUSTRALIAN EXPORT CONTROLS March
Policy Objective To prevent proliferation of strong cryptography for unlawful purposes.
The Official Rationale If you knew what we knew, you'd agree with us.
Failures of Current Policy Unenforceable Strong crypto already widespread Targets the law-abiding Intangible exports uncontrolled Increased risk of information warfare Chilling effect on E-commerce development
Other Policy Problems No policy guidelines available Case-by-case evaluation Key escrow/key recovery "encouraged" No industry consultation on policy No review of costs, benefits, risks
Dangers of government access Security Risk Liability Issues Risk of privacy infringement Risk of unlawful surveillance Costly Technological problems
Points of vulnerability Weaken the value of the encryption Less secure Difficult to use Key recovery requirements can be evaded Circumvent with double encryption Dangers of government access
Costly infrastructure Negatively affects industry's competitiveness Not feasible for ephemeral keys Deters overseas customers (Lotus Notes example) Disadvantages exporters Dangers of government access
What is Wassenaar? Basis for Australian DSGL 33 nations as signatory Replaced COCOM 1996 Not intended to impact on commerce Directed against offensive weapons Amended December
General Software Note Prior to 1998 exempted mass market and public domain software Now only exempts public domain Was previously ignored by 5 of the 33 signatories: USA, Russia, France, New Zealand, Australia
Scope of Wassenaar? Article 4, Initial Elements: Will not impede bona fide civil transactions Will not interfere with legitimate means of defence
Scope of Wassenaar? Cryptography is not a weapon Cryptography is a defensive tool
Intangible Exports Uncertain legal position Customs Act limitations Intangible goods difficult to distinguish from ideas Academic freedom issues UK has current proposals
Australia Disadvantaged The Wassenaar provisions are being flexibly interpreted by other countries, e.g. Ireland Germany Canada Israel (not a Wassenaar signatory) France
Inconsistency Current application of export controls is inconsistent internationally and is disadvantaging Australian business.
Are export controls effective? What is the policy objective? –preventing proliferation of strong cryptography for unlawful purposes –preventing widespread adoption of strong cryptography for lawful purposes Widely available. Has prevented development of global standards.
Cryptography is Widely Available The basic mathematical and algorithmic methods for strong encryption (without key recovery) are published and well known and can easily be implemented in software by any bright high-school student with access to a personal computer. Industry Canada Report
Cryptography is Widely Available Strong encryption software is already widely available on the Internet, for anyone to download, for free.
Controls impede adoption of crypto Fragmented market Reduces competition Counter to competition policy
No Support for Controls There is no popular consensus, outside the law enforcement or national security communities, that regulation of cryptography is needed
Organisations Opposing Controls Internet Architecture Board (IAB) Internet Engineering Steering Group (IESG) International Federation for Information Processing (IFIP) National Research Council, USA OECD
Institute of Electronics and Electrical Engineers (IEEE) American Association for the Advancement of Science The Internet Society (ISOC) Global Internet Liberty Campaign (GILC) Organisations Opposing Controls
Australian Computer Society (ACS) Australian Information Industry Association (AIIA) US Association for Computing Machinery (USACM) Americans for Computer Privacy (US industry lobby group) Organisations Opposing Controls
Alternatives to Controls Using court orders to gain access to keys Enforcing existing laws on surrender of information Gathering information by means other than examining encrypted files Cryptanalysis
What should government do? Current Export Controls serve no useful purpose De-regulation essential for E-Commerce Public policy debate needed Lift crypto export controls
Net Censorship Legislation Complaints based Prohibited content based on Film & Video video classification scheme Takedown orders on ICHs for prohibited content in Australia Blocking orders on ISPs for prohibited content outside Australia Industry Codes for ICHs and ISPs
Will it be effective? ABA's additional funding will only allow classification of small part of potentially prohibited material Easy to circumvent any blocking
Will it cause damage? Uncertainty for content providers Movement of content overseas Increased costs for ISPs, especially small ISPs Less competition Adverse effect on "balance of traffic" Increased costs Malaysia and Canada won't regulate
What ICHs & ICPs will have to do ICHs - respond to take down orders Content Providers - covered by matching state legislation Content Providers - beware “Adult themes”
What should government do? Amend legislation by removing –content classification –takedown orders –blocking orders Would gut the legislation Repeal the legislation
Conclusion What should the government do to help industry provide Internet services? Lift crypto export controls Repeal Net Censorship Legislation