David Jones, PhD
McMaster University, Dept of Computer Science
President, Electronic Frontier Canada
Outline:
In my talk today, I'd like to focus on Canada's newly announced Cryptography Policy, contrast it a little with the American approach, and try to see how it fits into the global context.
(transparency: EFC cipher text)Encryption uses sophisticated mathematical algorithms to 'scramble' digital information, whether it is text, voice, or images, so that it becomes indistinguishable from random bits. The encrypted data remains unintelligible to everyone except those who have access to a secret 'key' that can be used to unlock the original message.
(transparency: EFC secret key)In this Information Age, encryption is increasingly important to individuals, businesses, and governments as a privacy- and security-enhancing technology.
Cryptography's benefits are often broken down into four broad categories. Encryption tools can be used:
Encryption is recognized as a key enabling technology for Electronic Commerce.
- 1.
- to safeguard confidentiality, by protecting us from snoops and eavesdroppers,
- 2.
- to facilitate authentication, to protect us from impersonators and counterfeiters,
- 3.
- to ensure data integrity, by detecting when tampering has occurred, and
- 4.
- to facilitate binding contracts using digital signatures.
But do regular people really need encryption? . . . Yes.
We need encryption ...
Our fundamental right to use encryption flows, not only from our right to privacy, but also from our rights to freedom of expression, freedom of association, and freedom of the press.
Today, the technology of keeping secrets is not itself a secret. There are lots of academic papers, books, and web sites that publish all the technical details, ...
(holding crypto book) ... Here's a "how to" book I pulled off my shelf... so that any bright high school student can easily implement the world's strongest encryption algorithms. And it's not just high school students. The University of Waterloo's Centre for Applied Cryptography is churning out Canadian experts with PhD's in cryptography, and some of them are working at world-class high-tech companies, like Entrust, Certicom, Timestep, KyberPASS, and Chrysalis-ITS.
(holding Schneier's book)As Bruce Schneier, author of Applied Cryptography, says, "There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter."
When it comes to protecting our privacy, we all want the real thing. Anything less than strong cryptography simply isn't good enough.
This kind of surveillance society is placed in jeopardy by the widespread use of strong encryption. And so it should come as no surprise that the Canadian Association of Chiefs of Police passed a resolution in August, 1997, demanding:
These demands, of course, echo the demands being made by law enforcement and intelligence agencies around the world, most notably the United States, which has seen a whole series of similar proposals, including the infamous Clipper Chip.
- 1.
- Mandatory law enforcement access to all encryption keys;
- 2.
- Mandatory requirements that all telecommunication providers and network operators provide law enforcement with real-time access to decrypted data ... at no cost to the police; and
- 3.
- New laws that would criminalize the use of encryption to commit a crime or conceal evidence, and would permit the seizure of any equipment used for encryption.
It's often said that a policeman's job is only easy in a police state, and with Canada being a free and democratic society the answer to the police chiefs' demands was, in short, 'you must be dreaming'.
I am pleased to say that Electronic Frontier Canada was invited to play a role in policy discussions, starting with informal face to face meetings more than a year ago, the release of a government discussion paper, written submissions, and formal roundtable discussions, that included, by the way, an alphabet soup of the cops and spies, RCMP, CACP, CSIS, CSE, side by side with representatives from government, industry, and civil liberties organizations.
Incidentally, to all our international visitors, it is a process for developing public policy that I would highly recommend.
In Industry Canada's own recently published analysis of written submissions, they took note of EFC's inclusion of 14 letters from leading cryptographers who explained that it was "mathematically impossible to distinguish cleartexts from cryptograms" (as I think my demonstration may have already convinced you) and therefore, the only way police proposals "would be remotely workable would be if the government was prepared to prosecute and convict people merely for sending messages that the government could not read -- it would even have to be against the law, for example, to send random bits over a computer network or to send noise over a telephone line."
Industry Canada also noted that EFC's submission included a letter endorsed by the Global Internet Liberty Campaign (GILC) and signed by more than 20 human rights, civil liberties, and consumer protection groups from around the world, who argued that a restrictive policy would be contrary to the Canadian Charter of Rights and Freedoms, and the UN Declaration on Human Rights, harmful to Canadian society, detrimental to the Canadian economy, and in the end, simply unenforceable.
After 18 months of public consultation, the only logical and viable policy direction was clear enough. As Minister John Manley affirmed a week ago, Canadians remain free to use "the very strongest forms of encryption" without any mandatory key recovery or licensing requirements.
As one of my colleagues remarked after hearing the announcement, "The good guys won".
While this is clearly good news, and I know my American colleagues may be somewhat envious, but there are two remaining areas of concern ...
It's not even clear that the public will be given much notice if future restrictions on the use of encryption are about to be introduced. A good example in Canada is the relatively new digital cellular telephones. As in many countries, our telecommunications providers are licensed by the government. Companies that offer digital PCS cell phone service may choose to encode their customers' voice communications to enhance privacy, but they are required, as a condition of license, to provide law enforcement officials with access to "clear voice", whenever necessary. It's a clause that was parachuted in at the last moment.
Since this kind of licensing restriction is a matter of regulation, as opposed to legislation that would receive considerable public debate, decisions affecting the privacy rights of individuals may end up being negotiated behind closed doors and decided between regulators and companies, who may be motivated to deal away the privacy of their customers in return for gains in other areas.
The American company, Cisco Systems, provides another illustration of this phenomenon. You may already know Cisco as the maker or network 'routers', which form the backbone of the Internet. In July of this year, Cisco, along with a dozen other technology firms, announced something they called the "private doorbell feature" for routers that encrypt network traffic. When the FBI or local police want to spy on you, they simply hand a court order to your system administrator who flicks a "network control switch" and then the Cisco software surreptitiously records everything you type or do online, before it gets encrypted. That information is conveniently gathered together in a file that cops can pick up at the end of the day.
Do not underestimate the business world's profit motive, and the willingness of large corporations to deal away your privacy rights in return for government favours.
(holding up diskette)On this diskette, I have a computer program that implements a strong encryption algorithm known as Blowfish, which supports keys up to 448 bits in length. Messages scrambled with this program cannot be unscrambled, even by the most powerful computers, without knowledge of the secret key.
(holding up diskette) ... Is this speech?To me, this question highlights a key difference in the Canadian and American approaches to freedom of expression. In well known American cryptography export cases, like Bernstein and Junger, much of the legal wrangling seems to be wrapped up in determining whether the source code for a computer program is "speech", for the purpose of protection under the First Amendment.
In Canada, our constitution, and specifically the Charter of Rights and Freedoms, provides that everyone is entitled to the fundamental "freedom of thought, belief, opinion, and expression, including freedom of the press and other media of communication".
There can be no doubt that computer languages are "expressive" in the broad sense of the word, ... and so are flag burning, child pornography, and nude dancing, for that matter.
In Canada, we quickly move on to a second step, in which a court can be asked to decide whether any limits prescribed by law are reasonable, appropriately narrow, and proportional, ... with the burden of proof resting on the government.
To me, this makes the free speech debate a more straightforward one. Instead of arguing about the semantics of whether programs are more functional than expressive, the focus is on whether or not the government can come up with a sufficiently persuasive justification for its restriction, and show that their limit does substantially more good than harm.
But cryptography is not a weapon, and as the Global Internet Liberty Campaign has argued recently, it has no place in an international arms control treaty. Cryptography is an inherently defensive technology, that allows the protection of valuable information assests. ... It remains to be seen whether logic or politics will prevail at the latest round of Wassenaar negotiations.
Although I may be prohibited from selling this software to foreigners, oddly enough, a clause in the Wassenaar Arrangement allows me to simply "give it away". In contrast to U.S. policy, where it would be illegal, in Canada, as long as the software is in the public domain, there are no export restrictions. So, if there are any foreign nationals in the audience who would like this as a souvenir, please see me after the session.
BIO
David Jones received his BSc and the computer science gold medal at the University of Western Ontario, received his PhD in computer science at Stanford University, and was a post-doctoral scholar at U.C. Berkeley before taking a faculty position at McGill University and doing research in the Centre for Intelligent Machines. Since 1994, Dr. Jones has been a computer science professor at McMaster University where he conducts research in computational vision systems for robotics and computational models of neural mechanisms underlying visual perception, and teaches in the Theme School on Science, Technology, and Public Policy.
In January 1994, David Jones co-founded Electronic Frontier Canada (EFC), a non-profit organization dedicated to protecting freedom of expression and the right to privacy in cyberspace -- an organization that now has several hundred supporting members across the country. As EFC president, he has provided numerous interviews and appearances in newspapers, magazines, radio, and television, and has been a contributing editor for the online magazine "Convergence". He is now consulted on an almost weekly basis by Canadian and foreign journalists on current issues related to computer technology and society. According to Canada's SHIFT magazine, David Jones is one of Canada's top ten Digerati.
David Jones has also been asked to consult with government departments formulating new policy related to controversial and illegal content on the Internet, and related to Canada's policy on encryption. He has also provided technical advice and testimony for lawyers in cases involving computer technology and has been formally recognized in court as an "Expert in Computer Science".