The Public Voice in the Development of Internet Policy
Ottawa, October 7, 1998.

Privacy and Encryption Online

Moderator:
Deborah Hurley, Harvard University Information Infrastructure Project
Panelists:
David Banisar, Electronic Privacy Information Center
Ulf Brühan, European Commission, DG XV
David Jones, McMaster University, Electronic Frontier Canada
Viktor Mayer-Schönberger, Austria
Jim Savary, York University


Canada's Cryptography Policy in the Global Context

David Jones, PhD
McMaster University, Dept of Computer Science
President, Electronic Frontier Canada

In my talk today, I'd like to focus on Canada's newly announced Cryptography Policy, contrast it a little with the American approach, and try to see how it fits into the global context.

What is Cryptography?

Cryptography is the science of secrecy. Encryption techniques, often implemented as computer software, allow people to store and communicate information in secret.

(transparency: EFC cipher text)
Encryption uses sophisticated mathematical algorithms to 'scramble' digital information, whether it is text, voice, or images, so that it becomes indistinguishable from random bits. The encrypted data remains unintelligible to everyone except those who have access to a secret 'key' that can be used to unlock the original message.

(transparency: EFC secret key)
In this Information Age, encryption is increasingly important to individuals, businesses, and governments as a privacy- and security-enhancing technology.

Cryptography's benefits are often broken down into four broad categories. Encryption tools can be used:

1. to safeguard confidentiality, by protecting us from snoops and eavesdroppers,
2. to facilitate authentication, to protect us from impersonators and counterfeiters,
3. to ensure data integrity, by detecting when tampering has occurred, and
4. to facilitate binding contracts using digital signatures.

Encryption is recognized as a key enabling technology for Electronic Commerce.

But do regular people really need encryption? . . . Yes.

We need encryption ...

to protect our own sensitive financial and health information,
to protect intimate conversations with our lovers,
to protect union negotiations from management eavesdroppers,
to protect discussions between journalists and confidential sources, and
to protect human rights organizations around the world who may wish to conduct strategic planning over the Internet.

Our fundamental right to use encryption flows, not only from our right to privacy, but also from our rights to freedom of expression, freedom of association, and freedom of the press.

Cryptography is not a secret

The modern era of cryptography started in 1976 when Whitfield Diffie and Martin Hellman devised public-key cryptography -- an ingenious method that allows people who have never met face to face, to exchange keys and communicate in secret, at a distance, over an insecure communication channel. This theoretical idea was quickly followed by practical implementations and during the past two decades, there has been an explosion of public academic research in cryptography, as well as useful commercial applications.

Today, the technology of keeping secrets is not itself a secret. There are lots of academic papers, books, and web sites that publish all the technical details, ...

(holding crypto book) ... Here's a "how to" book I pulled off my shelf.
... so that any bright high school student can easily implement the world's strongest encryption algorithms. And it's not just high school students. The University of Waterloo's Centre for Applied Cryptography is churning out Canadian experts with PhDs in cryptography, and some of them are working at world-class high-tech companies, like Entrust, Certicom, Timestep, KyberPASS, and Chrysalis-ITS.

(holding Schneier's book)
As Bruce Schneier, author of Applied Cryptography, says, "There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter."

When it comes to protecting our privacy, we all want the real thing. Anything less than strong cryptography simply isn't good enough.

Cops and Spooks

There is, however, one dissenting voice, and it is coming from the law enforcement and intelligence communities. In recent years, the cops and spies have come to enjoy the relative ease with which they can 'listen in' on private conversations as one of their investigative techniques, whether it is tuning in a radio receiver to hear someone's cellular telephone conversation, or persuading an Internet Service Provider to provide access to someone's electronic mail.

This kind of surveillance society is placed in jeopardy by the widespread use of strong encryption. And so it should come as no surprise that the Canadian Association of Chiefs of Police passed a resolution in August, 1997, demanding:

1. Mandatory law enforcement access to all encryption keys;
2. Mandatory requirements that all telecommunication providers and network operators provide law enforcement with real-time access to decrypted data ... at no cost to the police; and
3. New laws that would criminalize the use of encryption to commit a crime or conceal evidence, and would permit the seizure of any equipment used for encryption.

These demands, of course, echo the demands being made by law enforcement and intelligence agencies around the world, most notably the United States, which has seen a whole series of similar proposals, including the infamous Clipper Chip.

Canada's new Cryptography Policy

In Canada, as many of you already know, we have just finished an 18-month process of public consultation, culminating in the announcement of a new Cryptography Policy one week ago by Industry Minister John Manley.

It's often said that a policeman's job is only easy in a police state, and with Canada being a free and democratic society the answer to the police chiefs' demands was, in short, 'you must be dreaming'.

I am pleased to say that Electronic Frontier Canada was invited to play a role in policy discussions, starting with informal face to face meetings more than a year ago, the release of a government discussion paper, written submissions, and formal roundtable discussions, that included, by the way, an alphabet soup of the cops and spies, RCMP, CACP, CSIS, CSE, side by side with representatives from government, industry, and civil liberties organizations.

Incidentally, to all our international visitors, it is a process for developing public policy that I would highly recommend.

In Industry Canada's own recently published analysis of written submissions, they took note of EFC's inclusion of 14 letters from leading cryptographers who explained that it was "mathematically impossible to distinguish cleartexts from cryptograms" (as I think my demonstration may have already convinced you) and therefore, the only way police proposals "would be remotely workable would be if the government was prepared to prosecute and convict people merely for sending messages that the government could not read -- it would even have to be against the law, for example, to send random bits over a computer network or to send noise over a telephone line."

Industry Canada also noted that EFC's submission included a letter endorsed by the Global Internet Liberty Campaign (GILC) and signed by more than 20 human rights, civil liberties, and consumer protection groups from around the world, who argued that a restrictive policy would be contrary to the Canadian Charter of Rights and Freedoms, and the UN Declaration on Human Rights, harmful to Canadian society, detrimental to the Canadian economy, and in the end, simply unenforceable.

After 18 months of public consultation, the only logical and viable policy direction was clear enough. As Minister John Manley affirmed a week ago, Canadians remain free to use "the very strongest forms of encryption" without any mandatory key recovery or licensing requirements.

As one of my colleagues remarked after hearing the announcement, "The good guys won".

While this is clearly good news, and I know my American colleagues may be somewhat envious, there are two remaining areas of concern ...

Hollow Victory?

One concern relates to export policy. Even though Canadians are free to use strong encryption on their own soil, it remains a hollow victory if Canadian high-tech companies cannot export their products. Since these companies earn more than 90% of their revenue outside the country, there is simply no business case for a Canada-only encryption product. If they know they can't export a product, then they won't develop it in the first place, so Canada's restrictive export policy will continue to have an impact at home, by limiting the diversity and strength of encryption tools available to Canadians.

Through the Back Door

The other concern relates to the announcement that there may soon be amendments to the Criminal Code to 'deter' the use of encryption to commit a crime or conceal evidence and to 'compel assistance' with the interception, search, and seizure of encrypted information. Since words like 'deter' and 'compel assistance' are left open to interpretation, we'll simply have to wait and scrutinize the legislation when it is introduced in Parliament. It will be important to ensure that 'deterring' criminals doesn't interfere with the widespread legitimate use of encryption, and that 'compelling assistance' doesn't violate the right against self-incrimination.

It's not even clear that the public will be given much notice if future restrictions on the use of encryption are about to be introduced. A good example in Canada is the relatively new digital cellular telephones. As in many countries, our telecommunications providers are licensed by the government. Companies that offer digital PCS cell phone service may choose to encode their customers' voice communications to enhance privacy, but they are required, as a condition of license, to provide law enforcement officials with access to "clear voice", whenever necessary. It's a clause that was parachuted in at the last moment.

Since this kind of licensing restriction is a matter of regulation, as opposed to legislation that would receive considerable public debate, decisions affecting the privacy rights of individuals may end up being negotiated behind closed doors and decided between regulators and companies, who may be motivated to deal away the privacy of their customers in return for gains in other areas.

The American company, Cisco Systems, provides another illustration of this phenomenon. You may already know Cisco as the maker of network 'routers', which form the backbone of the Internet. In July of this year, Cisco, along with a dozen other technology firms, announced something they called the "private doorbell feature" for routers that encrypt network traffic. When the FBI or local police want to spy on you, they simply hand a court order to your system administrator who flicks a "network control switch" and then the Cisco software surreptitiously records everything you type or do online, before it gets encrypted. That information is conveniently gathered together in a file that cops can pick up at the end of the day.

Do not underestimate the business world's profit motive, and the willingness of large corporations to deal away your privacy rights in return for government favours.


Just recently, in the United States, there was a great deal of enthusiasm among groups like the EFF, CDT, and EPIC for an industry lobby group known as Americans for Computer Privacy (ACP) that, it appeared, would put serious resources into the fight against government restrictions on encryption. However, in a politically adept move that effectively drove a wedge between the corporate sector and advocates for individual privacy rights, the U.S. government softened export restrictions on encryption software, but only for the most powerful financial and health sectors, and only for software using 56-bit keys. The Data Encryption Standard or DES is a well known algorithm that uses 56-bit keys. It was designed more than 20 years ago, and is now widely regarded as 'broken', since any message encoded with DES can be deciphered in less than 3 days using readily available hardware. To most observers, the US concessions are too little, too late.

Freedom of Expression

Before talking some more about export policies, I'd like to take a moment to draw a distinction between the Canadian and American approaches to free speech, because, in the end, the matter of export restrictions may be at least partially resolved in the courts.
(holding up diskette)
On this diskette, I have a computer program that implements a strong encryption algorithm known as Blowfish, which supports keys up to 448 bits in length. Messages scrambled with this program cannot be unscrambled, even by the most powerful computers, without knowledge of the secret key.

(holding up diskette) ... Is this speech?
To me, this question highlights a key difference in the Canadian and American approaches to freedom of expression. In well known American cryptography export cases, like Bernstein and Junger, much of the legal wrangling seems to be wrapped up in determining whether the source code for a computer program is "speech", for the purpose of protection under the First Amendment.

In Canada, our constitution, and specifically the Charter of Rights and Freedoms, provides that everyone is entitled to the fundamental "freedom of thought, belief, opinion, and expression, including freedom of the press and other media of communication".

There can be no doubt that computer languages are "expressive" in the broad sense of the word, ... and so are flag burning, child pornography, and nude dancing, for that matter.

In Canada, we quickly move on to a second step, in which a court can be asked to decide whether any limits prescribed by law are reasonable, appropriately narrow, and proportional, ... with the burden of proof resting on the government.

To me, this makes the free speech debate a more straightforward one. Instead of arguing about the semantics of whether programs are more functional than expressive, the focus is on whether or not the government can come up with a sufficiently persuasive justification for its restriction, and show that their limit does substantially more good than harm.

Cryptography is not a weapon

Coming back to export policy, ... As a signatory to the Wassenaar Arrangement on dual-use technologies, Canada, along with 32 other nations, treats cryptographic software much like it treats dangerous lasers, missile guidance systems, and weapons-grade uranium. Export restrictions prevent Canadian companies from selling software like this to customers outside the country without prior government approval. And for encryption this strong, I can tell you that approval will not be granted.

But cryptography is not a weapon, and as the Global Internet Liberty Campaign has argued recently, it has no place in an international arms control treaty. Cryptography is an inherently defensive technology that allows the protection of valuable information assets. ... It remains to be seen whether logic or politics will prevail at the latest round of Wassenaar negotiations.

Although I may be prohibited from selling this software to foreigners, oddly enough, a clause in the Wassenaar Arrangement allows me to simply "give it away". In contrast to U.S. policy, where it would be illegal, in Canada, as long as the software is in the public domain, there are no export restrictions. So, if there are any foreign nationals in the audience who would like this as a souvenir, please see me after the session.


Copyright © 1998 by David Jones. All Rights Reserved.


BIO

David Jones received his BSc and the computer science gold medal at the University of Western Ontario, received his PhD in computer science at Stanford University, and was a post-doctoral scholar at U.C. Berkeley before taking a faculty position at McGill University and doing research in the Centre for Intelligent Machines. Since 1994, Dr. Jones has been a computer science professor at McMaster University where he conducts research in computational vision systems for robotics and computational models of neural mechanisms underlying visual perception, and teaches in the Theme School on Science, Technology, and Public Policy.

In January 1994, David Jones co-founded Electronic Frontier Canada (EFC), a non-profit organization dedicated to protecting freedom of expression and the right to privacy in cyberspace -- an organization that now has several hundred supporting members across the country. As EFC president, he has provided numerous interviews and appearances in newspapers, magazines, radio, and television, and has been a contributing editor for the online magazine "Convergence". He is now consulted on an almost weekly basis by Canadian and foreign journalists on current issues related to computer technology and society. According to Canada's SHIFT magazine, David Jones is one of Canada's top ten Digerati.

David Jones has also been asked to consult with government departments formulating new policy related to controversial and illegal content on the Internet, and related to Canada's policy on encryption. He has also provided technical advice and testimony for lawyers in cases involving computer technology and has been formally recognized in court as an "Expert in Computer Science".