Note: This summary was prepared by staff at Industry Canada.


Cryptography Policy - Round Table Meeting

April 20, 1998
Minto Place Hotel - Salon Stanley
433 Laurier Avenue West, Ottawa


David Johnston (Moderator)   McGill University
Michelle d'Auray   Industry Canada
Helen McDonald   Industry Canada
Wynn Redden   Industry Canada
James Ladouceur   Industry Canada
Don Campbell   Department of Foreign Affairs and International Trade
Lynda Watson   Department of Foreign Affairs and International Trade
Lorna Higdon-Norrie   Telus
Patrick Daly   Canadian Business Telecommunications Alliance
Julien Delisle   Office of the Privacy Commissioner of Canada
Ward Elcock   Canadian Security Intelligence Service
David Farnes   Canadian Wireless Telecommunications Association
Brian Ford   Canadian Association of Chiefs of Police
Jim Harlick   Office of the Solicitor General of Canada
Tim Hember   TimeStep Corporation
David Jones   Electronic Frontier Canada
Peter Hope-Tindall   Information and Privacy Commission of Ontario
Ron Kellison   Stentor Policy Inc.
Tom McMahon   Department of Justice
Bill Munson   Information Technology Association of Canada
Phillip Murray   Royal Canadian Mounted Police
Joop Plomp   Royal Canadian Mounted Police
Jayson Myers   Alliance of Manufacturers and Exporters
Beverly Edwards   ScotiaBank
Steven Prudhomme   Canadian Medical Association
Jim Savary   Consumer Association of Canada
John Tait   Privy Council Office
Mark Weseluck   Canadian Bankers Association
Stu Woolner   Communications Security Establishment
Paul Van Oorschot   Entrust Technologies

Cryptography Policy Round Table - Summary of Discussions

Purpose of Round Table

Given that most interests represented at the meeting will provide formal submissions (which will be publicly available) to the discussion paper, this summary is not intended to provide a detailed record of each presentation but rather a flavour of the round table discussions.

The round table brought together stakeholders from industry, non-governmental organizations, and government departments, with the goals of exchanging views among knowledgeable experts representing the various stakeholder constituencies, of gaining a better appreciation of the policy challenges, and of identifying potential avenues for policy formulation within the three general areas outlined in the public discussion paper. The round table began with five short opening presentations by government representatives on the government's strategy for Electronic Commerce, Lawful State Access, Human Rights/Civil Liberties, Technical Security, and International considerations raised in the public discussion papers.

Introductory Statements

Following these presentations, participants were each offered a few minutes to introduce themselves and present the position of their organization. These statements indicated a genuine desire on the part of all stakeholders to work cooperatively and, to the extent possible, seek workable solutions to the issues outlined in the public discussion paper. Government indicated it was looking to industry for advice and guidance, and wanted to draw on industry knowledge and expertise.

Industry clearly indicated its desire to take the lead in creating balanced market-driven solutions. They made a strong call for no additional regulation, no mandatory key recovery, and relaxed export controls. They also called for action to achieve legal recognition of digital signatures. They noted that business and industry have traditionally cooperated with law enforcement agencies and that the advent of cryptography would not alter this cooperative exchange.

From a law enforcement perspective, there was a strong recognition of the need to balance electronic commerce needs, human rights, civil liberties, and international considerations, while at the same time maintaining safe and secure communities. Law enforcement representatives indicated clearly that they are not seeking new or more intrusive mechanisms; rather, they seek to maintain existing investigation capabilities. Law enforcement agencies recognize that cryptography would play a role in crime prevention. They also noted that there was a lack of cryptographic abilities within the law enforcement community.

Privacy and consumer advocates pointed out that privacy and security were fundamental issues of concern for citizens in an electronic environment and that cryptography is recognized as the most basic, widely available tool in ensuring privacy in an information economy. Consumers should be free to use the type and strength of cryptography they choose and the cryptography market should be left to evolve free from government regulation.

It was recognized by government and other participants that Canada is a world leader in developing cryptographic solutions for electronic commerce, and that mandatory controls could have a chilling effect on further development. Cryptography suppliers called for a made-in-Canada policy which would foster a level playing field for Canadian industry within the global market. If one of the main aims of a new cryptography policy was to eliminate competitive disadvantages for Canadian industry, then market-based solutions should be allowed to evolve in Canada to meet the emerging international cryptography policy balance.

The second part of the session was devoted to discussing the three main option areas outlined in the consultation paper. Each of the three option areas (Encryption of Stored Data, Encryption of Real-Time Communications, and Export Controls) was allocated thirty minutes of discussion time.

Encryption of Stored Data

The moderator opened the discussion by reviewing the following questions raised in the round table paper previously distributed to all invited guests:
"How far does a voluntary approach to the backing up of encryption keys used for confidentiality go in ensuring that the protection of critical business information is maintained?

Would a minimum set of standards, designed to encourage private sector cryptography service providers and business users to adopt key backup practices, be an appropriate method to ensure that keys are available when needed?

Should key recovery of cryptography services for confidentiality be mandated?"

Law enforcement representatives noted that in the course of an investigation it was pointless to go to the user and ask for the key - this would compromise the investigation activities. Others pointed out, however, that in the case of normally stored business information, the stored data is not the property of an individual, but rather is the property of the business itself. The warrant is served to the business holding the information, not to a third party.

Regarding key recovery, crypto producers stated that key recovery for stored data was good business practice and would become a standard feature in commercial products. It should therefore be left to market forces to set the practices for key recovery of stored data. Additionally, it was pointed out that government regulation of an emerging technology (i.e., cryptographic key recovery) would be expensive, controls would not be enforceable on individual users, mandated standards would be quickly outdated, and open knowledge of the technology is such that any one of thousands of programmers could quickly circumvent controls.

From a law enforcement and intelligence point of view, it was noted that if domestic key recovery was mandated, criminal elements would circumvent the system and purchase off-shore, non-standard cryptographic products. This could actually increase the odds in favour of law enforcement in certain instances because some non-standard products are likely to be weaker and thus easier to break.

Finally, it was pointed out that to justify mandatory key recovery, there must exist a clear and concrete benefit to all users, and that the benefit must be proportional to any resulting tradeoffs in privacy, human rights, and electronic commerce in view of the ease of circumvention by criminals.

Encryption of Real-Time Communications

The moderator opened the discussion by reviewing the following questions:
"Should carriers be encouraged to enhance their capacity to include cryptography within their commercial service offerings and in so doing include a facility to detect and record encrypted traffic in response to a legal request?

To what extent can law enforcement objectives be met through collaborative efforts with domestic manufacturers and service providers?

Conversely, should legislation or conditions of license be used to place additional cryptography-related lawful access requirements on carriers? If so, who should bear the costs to do this?"

The carriers represented pointed out that lawful access to real-time communications was much more complex in comparison to stored data, and that there is no business need for key recovery for real-time communications. According to the carriers, such access adds burdens of cost with no business value added. They also noted that the costs for developing and installing carrier facilities for a key recovery infrastructure could run into the hundreds of millions of dollars to install and an equal yearly amount to maintain.

There was a general objection to the use of license conditions on wireless providers as it creates a distortion within the marketplace as a result of unequal constraints on traditional telecommunications providers over other alternatives. Questions were also raised as to why carriers were being singled out and not other service providers such as Value Added Network and Internet Service Providers.

It was also noted that lawfully mandated intercepts on the Internet would be more complex to achieve than on the public switched network. Law enforcement pointed out that they were not seeking broad surveillance rights, but individualized warrants under strict lawful court order. It was suggested that law enforcement needs to explore alternate means of interception, for example, accessing the required information when it is in the clear, behind network and system firewalls. Law enforcement officials commented that even though it may be technologically difficult to access real-time communications at present, they were confident that the technology would continue to evolve and that cost-effective solutions would become available in the future.

There was a clear consensus that law enforcement and industry need to work together, and that neither party can unilaterally bear any significant potential costs. It was noted that the change from a monopoly environment to a competitive telecommunications marketplace has brought different challenges for carriers and law enforcement. While keeping a close eye on international developments, the opportunity still exists for both groups to work together to find solutions.

Export Controls

The moderator opened the discussion by reviewing the following questions:
"What changes in the export regime would help the government provide an appropriate balance between our national security interests and the needs of Canadian business, including the cryptography industry?

To what extent should Canada be influenced by foreign availability of cryptographic products and by the positions of its allies?

To what extent should Canada encourage a domestic cryptography industry?"

Participants commented on the briefing material handed out by the Department of Foreign Affairs and International Trade (DFAIT) during its presentation. In particular, comments covered: foreign availability and its potential use as a permit-granting criterion; the extent to which Canadian industry was disadvantaged by a cumbersome export permit process; and the general ineffectiveness of export restrictions. It was pointed out that the export approval statistics contained in the DFAIT material could be somewhat misleading because industry does not apply for permits which are likely to be denied, and they often modify or withdraw applications after discussions with the government. Many industry players noted that the export controls group at DFAIT is very knowledgeable and helpful and that good relations were generally maintained between DFAIT and industry.

Regarding mass market and public domain software (MMS/PDS), the difficulty of enforcing controls on intangibles was discussed. The issue of transparency in process was raised and the need for clear and published criteria was discussed. In response to questions from industry, the government explained the need to exercise a level playing field based upon functionality. This raised the possibility of extending controls to MMS/PDS rather than removing controls from hardware. The discussion closed with industry stating that the present system is too arbitrary, too indeterministic, and is not well understood. This tends to disadvantage small to medium size enterprises who cannot afford the process over a six month sales cycle. Government pointed out that Canada has limited room to manoeuvre in international cryptography policy making, including export controls, because Canada is part of a matrix of multilateral fora and partner countries and electronic commerce by its nature requires workable levels of compatibility and harmonization.

Closing Remarks

The moderator summarized the discussions as useful to all stakeholders. All parties were encouraged to continue discussion and collaboration, and law enforcement and industry were encouraged to work together to find workable solutions. The following generally accepted, non-binding common positions were noted by the moderator and Industry Canada representatives:

Key recovery for stored data is clearly a business need. This is not the case for real-time communications.

Market driven approaches should be favoured over regulated control.

For real-time communications, there are more service providers than just licensed carriers who should be part of the solution. The costs for developing and implementing a key recovery infrastructure will be significant.

A completely made-in-Canada export control solution will be hard to achieve. There is a need for Canada to influence the international process. A good opportunity will be the annual list review at the Wassenaar Arrangement meetings in September and October of this year, which should be approached with a view toward eliminating competitive hindrances.

Options available to government should not be restricted to those listed in the public consultation paper. There is a need to exploit the full range of options, including research and development opportunities.

Having a vibrant cryptographic industry within Canada is an asset for law enforcement -- offshore industry will not be ready to help.

The moderator closed the round table by thanking everyone for taking valuable time from their busy schedules to participate. He pointed out that attendance by so many senior individuals representing such a broad range of key organizations indicated the critical importance of cryptography policy development in Canada. He encouraged all to continue the dialogue and work together to seek a balanced solution.

David Johnston, Moderator
April 30, 1998