[ISN] Under lock and key (crypto)

From: mea culpa (jerichoat_private)
Date: Wed Mar 03 1999 - 23:43:33 PST

    Forwarded From: privacy <anonat_private>
    
    http://www.newscientist.com/ns/19990306/forum.html
    
    Under lock and key 
    By Duncan Graham-Rowe
    
    GOVERNMENTS hate things going on that they don't know about. Not long ago,
    many governments insisted that they should have the ability--and the
    right--to decipher all coded messages. The US government, for example,
    tried to get organisations to use its clipper chip for encryption. Only
    the government, of course, would hold the numbers, or keys, that would
    enable it to read anything encoded by the chip. Encryption looked set to
    become a major civil liberty issue.
    
    The subject might seem somewhat esoteric. Indeed, many people have never
    even heard of it. But whether you know it or not, you almost certainly
    depend on computer encryption already. Banks, for example, use encryption
    software to safeguard their customers' personal identification numbers, or
    PINs.
    
    Many other businesses, and individuals, also have good reasons for wanting
    to be sure that information such as a credit card number sent over the
    Internet is not being intercepted--or at least cannot be read if it is.
    Human rights organisations, for example, often use cryptography to relay
    sensitive information.
    
    People who send coded messages obviously want to use strong encryption
    software, the best available. And while there is no such thing as an
    uncrackable code, strong encryption comes pretty close. Even with the
    fastest supercomputers, it could take years to break most properly encoded
    messages.
    
    And this is what gets governments so worried. Strong encryption makes
    eavesdropping on other people's communications practically impossible. 
    Many governments argue that being able to decode encrypted messages is
    essential if they are to crack down on criminal activity, such as the
    distribution of child pornography on the Internet.
    
    As a result, a number of Western governments, including France, Britain
    and the US, have spent years quietly trying to introduce various versions
    of what is called key escrow. The idea is that government approved
    agencies, called "trusted third parties", would be set up to hold the
    encryption keys on our behalf. Then, when the police want to decode a
    particular message or set of communications, they would present a warrant
    to these agencies. 
    
    It sounds reasonable, but such a system would be open to abuse and far
    from secure. Besides favouring encryption systems that are easy to crack,
    key escrow represents a weak link in what would otherwise be an almost
    impenetrable chain.
    
    Worse still, it wouldn't even achieve what it was designed for. If key
    escrow was in place, few criminals would be stupid enough to use it. In
    fact, criminals would probably be the only ones with any real privacy. 
    And while all those whose job it is to fight crime argue that this would
    nevertheless provide a good way of flushing out criminals, to do this
    effectively you would have to know where to look in the first place, which
    is a somewhat circular argument.
    
    So is it really worth jeopardising our privacy on the off chance that the
    police might catch a few careless criminals? Not according to the French. 
    Last month, France denounced its own well-established policy of banning
    commercial encryption, after 200 companies complained to the government
    about key escrow. Prime Minister Lionel Jospin openly admitted that key
    escrow was useless in fighting crime and therefore unwarranted.
    
    And even the US seems to be backing down, after a spate of TV commercials
    aimed at embarrassing the government brought the issue out in the open. 
    It also seems likely that export laws will be relaxed so that strong
    encryption software such as Pretty Good Privacy (PGP) is no longer
    classified as munitions and banned from export. 
    
    Britain's Department of Trade and Industry seems to be following suit. 
    After nearly five years of consultation, the e-commerce bill is rumoured
    to be published this week. Although the official line has been that the
    government favours key escrow, euphemistically calling it a voluntary
    system of cryptography, the message that this is unacceptable appears to
    have been drummed home not just by industry bodies but also, according to
    popular rumour, by the former trade minister Peter Mandelson.
    
    This is a welcome change of heart. It is just a pity that it has come not
    from governments recognising the futility of key escrow or from listening
    to the cogent arguments of civil libertarians, but merely in response to
    pressure from industry. 
    
    
    From New Scientist, 6 March 1999
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    


