Note: This summary was prepared by staff at Industry Canada.
SUMMARY OF DISCUSSIONS
Cryptography Policy - Round Table Meeting
April 20, 1998
Minto Place Hotel - Salon Stanley
433 Laurier Avenue West, Ottawa
|David Johnston (Moderator)
|Michelle d'Auray||Industry Canada|
|Helen McDonald||Industry Canada|
|Wynn Redden||Industry Canada|
|James Ladouceur||Industry Canada|
|Don Campbell||Department of Foreign Affairs and International Trade|
|Lynda Watson||Department of Foreign Affairs and International Trade|
|Patrick Daly||Canadian Business Telecommunications Alliance|
|Julien Delisle||Office of the Privacy Commissioner of Canada|
|Ward Elcock||Canadian Security Intelligence Service|
|David Farnes||Canadian Wireless Telecommunications Association|
|Brian Ford||Canadian Association of Chiefs of Police|
|Jim Harlick||Office of the Solicitor General of Canada|
|Tim Hember||TimeStep Corporation|
|David Jones||Electronic Frontier Canada|
|Peter Hope-Tindall||Information and Privacy Commission of Ontario|
|Ron Kellison||Stentor Policy Inc.|
|Tom McMahon||Department of Justice|
|Bill Munson||Information Technology Association of Canada|
|Phillip Murray||Royal Canadian Mounted Police|
|Joop Plomp||Royal Canadian Mounted Police|
|Jayson Myers||Alliance of Manufacturers and Exporters|
|Steven Prudhomme||Canadian Medical Association|
|Jim Savary||Consumer Association of Canada|
|John Tait||Privy Council Office|
|Mark Weseluck||Canadian Bankers Association|
|Stu Woolner||Communications Security Establishment|
|Paul Van Oorschot||Entrust Technologies|
Cryptography Policy Round Table - Summary of Discussions
Purpose of Round Table
- Given that most interests represented at the meeting will provide formal
submissions (which will be publicly available) to the discussion paper,
this summary is not intended to provide a detailed record of each presentation but rather a flavour of the round table discussions.
- The round table brought together stakeholders
from industry, non-governmental organizations, and government departments,
with the goals of exchanging views among knowledgeable experts
representing the various stakeholder constituencies,
of gaining a better appreciation of the policy challenges,
and of identifying potential avenues for policy formulation
within the three general areas outlined in the public discussion paper.
The round table began with five short opening presentations
by government representatives on the government's strategy
for Electronic Commerce, Lawful State Access, Human Rights/Civil Liberties,
Technical Security, and International considerations
raised in the public discussion papers.
- Following these presentations, participants were each offered
a few minutes to introduce themselves
and present the position of their organization.
These statements indicated a genuine desire on the part of all stakeholders
to work cooperatively and, to the extent possible,
seek workable solutions to the issues
outlined in the public discussion paper.
Government indicated it was looking to industry for advice and guidance,
and wanted to draw on industry knowledge and expertise.
- Industry clearly indicated its desire to take the lead
in creating balanced market-driven solutions.
They made a strong call for no additional regulation,
no mandatory key recovery, and relaxed export controls.
They also called for action to achieve legal recognition of digital signatures.
They noted that business and industry
have traditionally cooperated with law enforcement agencies
and that the advent of cryptography would not alter this cooperative exchange.
- From a law enforcement perspective,
there was a strong recognition of the need
to balance electronic commerce needs, human rights, civil liberties,
and international considerations,
while at the same time maintaining safe and secure communities.
Law enforcement representatives indicated clearly that
they are not seeking new or more intrusive mechanisms;
rather, they seek to maintain existing investigation capabilities.
Law enforcement agencies recognize that cryptography
would play a role in crime prevention.
They also noted that there was a lack of cryptographic abilities
within the law enforcement community.
- Privacy and consumer advocates pointed out that privacy and security
were fundamental issues of concern for citizens in an electronic environment
and that cryptography is recognized as the most basic, widely available tool
in ensuring privacy in an information economy.
Consumers should be free to use
the type and strength of cryptography they choose
and the cryptography market should be left to evolve
free from government regulation.
- It was recognized by government and other participants
that Canada is a world leader in developing
cryptographic solutions for electronic commerce,
and that mandatory controls could have a chilling effect
on further development.
Cryptography suppliers called for a made-in-Canada policy
which would foster a level playing field for Canadian industry
within the global market.
If one of the main aims of a new cryptography policy
was to eliminate competitive disadvantages for Canadian industry,
then market-based solutions should be allowed to evolve in Canada
to meet the emerging international cryptography policy balance.
- The second part of the session was devoted to discussing
the three main option areas outlined in the consultation paper.
Each of the three option areas -
Encryption of Stored Data,
Encryption of Real-Time Communications,
and Export Controls,
was allocated thirty minutes of discussion time.
Encryption of Stored Data
- The moderator opened the discussion by reviewing the following questions
raised in the round table paper previously distributed to all invited guests:
"How far does a voluntary approach to the backing up of encryption keys
used for confidentiality go in ensuring that the protection of critical
business information is maintained?
Would a minimum set of standards, designed to encourage
private sector cryptography service providers and business users
to adopt key backup practices,
be an appropriate method to ensure that keys are available when needed?
Should key recovery of cryptography services for confidentiality be mandated?"
- Law enforcement representatives noted that
in the course of an investigation it was pointless to go to the user
and ask for the key - this would compromise the investigation activities.
Others pointed out, however,
that in the case of normally stored business information,
the stored data is not the property of an individual,
but rather is the property of the business itself.
The warrant is served to the business holding the information,
not to a third party.
- Regarding key recovery, crypto producers stated that
key recovery for stored data was good business practice
and would become a standard feature in commercial products.
It should therefore be left to market forces
to set the practices for key recovery of stored data.
Additionally, it was pointed out that government regulation
of an emerging technology (i.e., cryptographic key recovery)
would be expensive, controls would not be enforceable on individual users,
mandated standards would be quickly outdated,
and open knowledge of the technology is such that
any one of thousands of programmers could quickly circumvent controls.
- From a law enforcement and intelligence point of view,
it was noted that if domestic key recovery was mandated,
criminal elements would circumvent the system and purchase off-shore,
non-standard cryptographic products.
This could actually increase the odds
in favour of law enforcement in certain instances
because some non-standard products are likely to be weaker
and thus easier to break.
- Finally, it was pointed out that to justify mandatory key recovery,
there must exist a clear and concrete benefit to all users,
and that the benefit must be proportional
to any resulting tradeoffs in privacy, human rights, and electronic commerce
in view of the ease of circumvention by criminals.
Encryption of Real-Time Communications
- The moderator opened the discussion by reviewing the following questions:
"Should carriers be encouraged to enhance their capacity
to include cryptography within their commercial service offerings
and in so doing include a facility to detect and record
encrypted traffic in response to a legal request?
To what extent can law enforcement objectives be met
through collaborative efforts
with domestic manufacturers and service providers?
Conversely, should legislation or conditions of license
be used to place additional cryptography-related lawful access requirements
on carriers? If so, who should bear the costs to do this?"
- The carriers represented pointed out that
lawful access to real-time communications
was much more complex in comparison to stored data,
and that there is no business need for
key recovery for real-time communications.
According to the carriers, such access adds burdens of cost
with no business value added.
They also noted that the costs for developing and installing
carrier facilities for a key recovery infrastructure
could run into the hundreds of millions of dollars to install
and an equal yearly amount to maintain.
- There was a general objection to the use of license conditions
on wireless providers as it creates a distortion within the marketplace
as a result of unequal constraints
on traditional telecommunications providers over other alternatives.
Questions were also raised as to why carriers were being singled out
and not other service providers such as Value Added Network
and Internet Service Providers.
- It was also noted that lawfully mandated intercepts on the Internet
would be more complex to achieve than on the public switched network.
Law enforcement pointed out that
they were not seeking broad surveillance rights,
but individualized warrants under strict lawful court order.
It was suggested that law enforcement needs to explore
alternate means of interception,
for example, accessing the required information when it is in the clear,
behind network and system firewalls.
Law enforcement officials commented that
even though it may be technologically difficult
to access real-time communications at present,
they were confident that the technology would continue to evolve
and that cost-effective solutions would become available in the future.
- There was a clear consensus that law enforcement and industry
need to work together,
and that neither party can unilaterally bear any significant potential costs.
It was noted that the change from a monopoly environment to a competitive
telecommunications marketplace has brought different challenges for carriers
and law enforcement.
While keeping a close eye on international developments,
the opportunity still exists for both groups to work together
to find solutions.
Export Controls
- The moderator opened the discussion by reviewing the following questions:
"What changes in the export regime would help the government provide
an appropriate balance between our national security interests
and the needs of Canadian business, including the cryptography industry?
To what extent should Canada be influenced by foreign availability
of cryptographic products and by the positions of its allies?
To what extent should Canada encourage a domestic cryptography industry?"
- Participants commented on the briefing material handed out by
the Department of Foreign Affairs and International Trade (DFAIT)
during its presentation.
In particular, comments covered:
foreign availability and its potential use as a permit-granting criterion;
the extent to which Canadian industry was disadvantaged
by a cumbersome export permit process;
and the general ineffectiveness of export restrictions.
It was pointed out that the export approval statistics
contained in the DFAIT material could be somewhat misleading
because industry does not apply for permits which are likely to be denied,
and they often modify or withdraw applications
after discussions with the government.
Many industry players noted that the export controls group at DFAIT
is very knowledgeable and helpful
and that good relations were generally maintained between DFAIT and industry.
- Regarding mass market and public domain software (MMS/PDS),
the difficulty of enforcing controls on intangibles was discussed.
The issue of transparency in process was raised
and the need for clear and published criteria was discussed.
In response to questions from industry,
the government explained the need to exercise a level playing field
based upon functionality.
This raised the possibility of extending controls to MMS/PDS
rather than removing controls from hardware.
The discussion closed with industry stating that the present system
is too arbitrary, too indeterministic, and is not well understood.
This tends to disadvantage small to medium size enterprises
who cannot afford the process over a six month sales cycle.
Government pointed out that Canada has
limited room to manoeuvre in international cryptography policy making,
including export controls, because Canada is part of a matrix
of multilateral fora and partner countries
and electronic commerce by its nature
requires workable levels of compatibility and harmonization.
- The moderator summarized the discussions as useful to all stakeholders.
All parties were encouraged to continue discussion and collaboration,
and law enforcement and industry were encouraged to work together to find workable solutions.
The following generally accepted, non-binding common positions
were noted by the moderator and Industry Canada representatives.
- Key recovery for stored data is clearly a business need.
This is not the case for real-time communications.
- Market driven approaches should be favoured over regulated control.
- For real-time communications, there are more service providers
than just licensed carriers who should be part of the solution.
The costs for developing and implementing
a key recovery infrastructure will be significant.
- A completely made-in-Canada export control solution
will be hard to achieve.
There is a need for Canada to influence the international process.
A good opportunity will be the annual list review
at the Wassenaar Arrangement meetings in September and October of this year,
which should be approached with a view toward
eliminating competitive hindrances.
- Options available to government should not be restricted
to those listed in the public consultation paper.
There is a need to exploit the full range of options,
including research and development opportunities.
- Having a vibrant cryptographic industry within Canada
is an asset for law enforcement --
offshore industry will not be ready to help.
- The moderator closed the round table by thanking everyone
for taking valuable time from their busy schedules to participate.
He pointed out that attendance by so many senior individuals
representing such a broad range of key organizations
indicated the critical importance
of cryptography policy development in Canada.
He encouraged all to continue the dialogue and work together
to seek a balanced solution.
David Johnston, Moderator
April 30, 1998