Electronic Frontier Canada
Canadian Cryptography Policy Consultation

April 21, 1998
Helen McDonald
Director General, Policy Development
Task Force on Electronic Commerce
Industry Canada
20th Floor, 300 Slater Street
Ottawa, Ontario   K1A 0C8
CANADA

Dear Ms. McDonald:

We are writing in reference to your call for public comments on the document "A Cryptography Policy Framework for Electronic Commerce -- Building Canada's Information Economy and Society", available on the world-wide web at: http://strategis.ic.gc.ca/crypto

Electronic Frontier Canada (EFC) is a federally incorporated non-profit organization with hundreds of members representing every province and territory in Canada. EFC is dedicated to protecting freedom of expression and the right to privacy as new computing, communication, and information technologies are introduced into Canadian society.

Summary:

First and foremost, we need a cryptography policy that is "Made in Canada", tailored to national interests - a policy that makes sense for individuals and for companies.

The proper goals of a truly Canadian cryptography policy should include:

The "Framework" policy discussion paper contains some notable errors and omissions. These include:

The "Framework" paper, in its consideration of mandatory key recovery, seems to put American foreign policy ahead of Canadian interests, puts crime investigation ahead of crime prevention, and seems to advocate a policy that would result in exporting high-tech jobs, instead of supporting high-tech industry in Canada.

Electronic Frontier Canada would like to summarize its position by making the following specific recommendations to the federal government.

1. There should continue to be no regulation of data encryption in Canada.
2. There should be no regulation of encrypted real-time communication in Canada.
3. There should be no import/export limits based on strength of encryption. Limitations based on destination country would be acceptable if such limitations were clearly in the national interest.

Included Documents:

Electronic Frontier Canada prepared a position statement on Canadian cryptography policy in August, 1997 and submitted it to Industry Canada as part of the informal consultation process. We are also including that document here as part of our current submission. ( http://www.efc.ca/pages/crypto/policy-statement.14aug97.html )

Electronic Frontier Canada, in collaboration with more than a dozen of Canada's most talented experts in cryptography, has identified some important technical concerns in relation to Canada's cryptography policy. Letters in opposition to mandatory key recovery, from these Canadian experts in cryptography, are included here as part of our current submission. ( http://www.efc.ca/pages/crypto/letter.20mar98.html )

Electronic Frontier Canada, in collaboration with more than a dozen civil liberty and human rights organizations around the world who are members of the Global Internet Liberty Campaign, has written a letter identifying some important international concerns in relation to Canada's cryptography policy. A letter in opposition to mandatory key recovery, from these international organizations, is included here as part of our current submission. ( http://www.efc.ca/pages/crypto/gilc-letter.20apr98.html )

Further Details:

In addition to the specific points raised in these other documents, we would like to make these additional comments.

No Domestic Controls on Encryption:

There has been an unwarranted amount of attention paid to encryption as a possible impediment to criminal investigations. We find these scenarios somewhat imaginative and highly speculative. There is a far greater benefit to Canadian society as a whole in the use of strong encryption to prevent crimes from occurring in the first place.

In any free and democratic country like Canada, there are important legal protections of fundamental rights and freedoms, such as freedom of expression, freedom of association, the right to privacy, and the right not to be subject to unreasonable search and seizure. In Canada these rights are spelled out in the Charter of Rights and Freedoms. Internationally, Canada has also agreed to the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.

Canadians have the right to speak in codes. We have the right to speak in languages the police don't understand, whether it is Inuktitut or Cree or Swahili or some other digital language. Canadian academics and researchers have the right to teach and to devise new encryption algorithms, to publish these algorithms in books, and to provide detailed instructions about how to implement these algorithms as working software encryption systems. The technology underlying strong encryption is not secret. Only our keys are secret.

If a law were passed prohibiting the use of encryption, criminals would continue to use it. Prof. Helmut Jurgensen from the University of Western Ontario points out (in his letter included with our submission) that it is mathematically "impossible to distinguish cleartexts from cryptograms". Therefore, points out Prof. Charles Rackoff from the University of Toronto, "the only way this legislation would be remotely workable would be if the government is prepared to prosecute and convict people merely for sending messages that the government cannot read; it would even have to be against the law, for example, to send random bits, or noise across a line."

The requirement that keys should be recoverable by law enforcement, without knowledge of the owner, is comparable to asking that the front-door keys for 10 million Canadian homes be deposited at the local police station, "just in case" there was a need to execute a search warrant. Canadians are right to reject this as unreasonably intrusive. Past abuses, such as when CSIS was accused in 1994 of spying on the CBC and the Canadian Jewish Congress, have sensitized Canadians, who are now skeptical of the reliability and security of keys gathered in this way.

A prohibition of non-key-recovery encryption would have a devastating effect on electronic commerce. To take just one example, Canada's financial institutions, high-tech companies, and even federal funding agencies, have invested hundreds of millions of dollars in smart cards, such as the Mondex electronic payment system. These cards conduct offline financial transactions between computer chips on the card, and the system is only feasible because of the extremely low cost per transaction. To prevent rampant fraud, strong encryption is essential, and because the transactions are conducted offline, it is not possible to recover keys. Prohibiting non-key-recovery encryption would make smart cards illegal.

In a large portion of the private and public sector, key recovery may become recognized as good business practice, especially when there exists a legal obligation to maintain certain business records. Therefore, this use of encryption does not put these documents beyond the reach of a court order.

No Export Limits Based on Strength:

We should eliminate export restrictions based on strength of encryption.

Strong encryption techniques are taught at universities and published in numerous books, available around the world, and despite some export restrictions, the current exceptions for mass market and public domain software, combined with disregard for the law, mean that strong encryption is effectively available to anyone in the world who wants it. Continued restrictions on the export of strong encryption will have little or no effect on international availability of these products, but will have a devastating effect on Canadian companies.

Any policy that allows a Canadian company to put its intellectual property into the public domain and give it away for free, but prohibits export of the same software for profit is just a bad policy.

While limitations are placed on the movement of products, no such limitations are placed on highly trained Canadians. Continued obstacles to the export of strong encryption products will result in the export of jobs to the many countries with more liberal export regimes, the export of Canadian expertise, and the export of highly trained Canadians.

Sincerely,

David Jones, PhD
President,
Electronic Frontier Canada

