Security on the Internet

(transcript of radio broadcast)

AVRIL BENOIT (Host, CBC-Radio 'This Morning'):

Now for our regular feature .CA where we look at issues in new technology. Today the controversy over cryptography on the Internet. Cryptography has been around for thousands of years. Julius Caesar used it when he sent commands to his army. He encoded his messages by shifting letters of the alphabet a set number of characters. This was state-of-the-art at the time, but it was also easy to decode.

Now mathematicians use computers to create almost impenetrable codes. That's crucial for electronic commerce as more and more people use the Internet to buy things and to do their banking. And it's important to Canada's young cryptography industry, which will lose a competitive advantage if the government doesn't lift export restrictions on their products. Police are worried that cryptography will make it impossible for them to catch criminals who use the Internet. The federal government is trying to devise a new policy that will satisfy all sides.

We have with us this morning three people involved in the discussion. Benita Baker is with Chrysalis ITS, a company that produces cryptography hardware. Joining her in our Ottawa studio is Brian Ford, chief of the Ottawa-Carleton Regional Police Service. He's also the chairperson of the Law Amendments Committee of the Canadian Association of Chiefs of Police. And Jeffrey Shallit is a computer science professor at the University of Waterloo. He is also co-founder of Electronic Frontier Canada, which was formed to promote the right to privacy on the Internet. And he is in Toronto.

Good morning to you all.

ALL:

Good morning.

BENOIT:

Now, cryptography, of course, is a big long word and it's ... for some listeners it may be completely ... well, I've tried to summarize a little bit how it's been used, but could we start with you, Jeffrey Shallit, with just in layperson's terms, what cryptography is being used for on computers now, and how it works in the computer.

JEFFREY SHALLIT (Computer Science Professor, University of Waterloo; co-founder of Electronic Frontier Canada):

Well, as you said, cryptography is the science of coding and decoding and essentially I think you can think of it as a crime prevention tool. It prevents people from accessing data that they shouldn't have access to. For example, more and more we're doing credit card transactions over the Internet. With cryptography, these transactions can be done securely so that no one can gain access to your number and make unauthorized charges.

As we proceed into the digital age, we're going to have to do contract signing over the Internet. For example, I agree to buy a house from you, even though I've never met you. How can I do it in such a way that you can be confident it's really me who's signing, and so that I can't repudiate later.

There are many other applications, like making sure that your cordless phone calls are secure, preventing industrial espionage if you have a company and you have data records that are critical to your company. You want to make sure nobody can gain access to them. Confidentiality of medical records, etc.

BENOIT:

Now, at the moment, who knows the code? For these kinds of things, who knows the code?

SHALLIT:

Well, I think we have to separate the code, which is the method of coding, from the key. The key is the piece of data that unlocks the encrypted data, the encoded data. The coding methods are widely known. They're available in textbooks everywhere. Students learn them. A high school can invent a piece of software that does essentially unbreakable encryption. They keys are generated by users themselves and can be based on anything they want. You know, their mother's maiden name plus a string of random digits. So you need together ... so cryptography works by applying the key, encoding the data, making it unreadable, it's sent over a line, it's then decoded at the other end by someone who has some information about the key, maybe not all information.

BENOIT:

Benita Baker, what kinds of businesses use cryptography products that your company provides?

BENITA BAKER (Chrysalis ITS):

All kinds of businesses, from financial institutions, stock trading companies, banks, ... Even businesses where there's a lot of people on the road, or virtual private networking where you have people working from the home, ... where you want to transfer information between locations that is confidential.

BENOIT:

Let's get to the issue at hand then. The opening up and giving access to this kind of data. What are you concerns, Benita, for your industry?

BAKER:

Our main concern at this point is that our market extends beyond Canada and the United States and the export controls that are placed upon strong cryptography require that we have to get an export permit for every product that we want to send overseas. That creates a problem for us because the process is cumbersome. The government has, up until this point, attempted to make it as easy for us as possible to do it, but that nevertheless is very difficult because there are no strict guidelines and because every time you want to sell a product you have to get a permit.

BENOIT:

Well, what's wrong with getting a permit? A lot of industries have to get export permits.

BAKER:

There's nothing wrong with getting a permit. We don't, in fact, have a problem with it. The problem is that the guidelines are not clear, so at this point the current policy is very subjective. You never know whether, when you submit an application for a permit, whether you're going to get it in 24 hours, or in 2 months. There's a number of unclear issues at this point.

BENOIT:

But Canada has signed on to this agreement, the Wassenaar Arrangement.

BAKER:

Right.

BENOIT:

And that was just a couple of years ago, and this is ... there was a reason Canada signed on. What was that?

BAKER:

Well, yes, we're part of this agreement, and in fact, the agreement does call for export controls on strong cryptography. Unfortunately, it doesn't say what the control should be. So consequently every country that's part of this agreement has its own policies. And there's no unanimity ... (mumbled)

BENOIT:

Unanimity.

BAKER:

Yes. Among the countries. So while we're part of this, we're nevertheless in it on our own. Like our policies are different from other countries.

BENOIT:

Okay, well, let's look at the criminal aspect to this though. Chief Ford, you have some concerns about what happens with this technology when it becomes available to the general public. What are they?

BRIAN FORD (Chief, Ottawa-Carleton Regional Police Service; Canadian Association of Chiefs of Police):

Well, from out point of view, I agree with the professor when he says it is a crime prevention tool ... from a crime prevention point of view. The security of data from a commercial, and ... I'm speaking more from the economic and the financial institution point of view.

BENOIT

Right.

FORD:

It is very ... it's necessary and it's important for them to do their transactions and ...

BENOIT:

And not worry about hackers.

FORD:

Absolutely. And we don't ... you know, and we don't argue with that, and quite frankly, if we need to access financial institutional records and even if they are encrypted, with the appropriate search warrants in cases, we can access that. Our concern is ... and we just want to be able to access that, and certainly that we get not encrypted data, but that we get decrypted data from them.

The other ... our real problem is the real time data that's coming over, down the lines, in terms of communication. Voice communication can now be encrypted quite easily, as well as ... and the professor talked about the Internet. There's a wide use of the Internet for criminal activity. One for laundering money, and for the transmission of pornography, and child sexual exploitation, drug transactions, ... A lot of these are being conducted over the Internet. And we're talking about real time data which has a life span of milliseconds, in terms of being able to capture the data.

We're looking ... you know, I mean, our proposal to government is that there be some sort of third party key holder, but we realize, you know, after a lot of discussion with industry, that's not really feasible or realistic. And quite frankly, what we're seeing now ... we want to sit down with industry and the government and work out a feasible and realistic arrangement where we can access this information.

BENOIT:

What was the third party key holder idea? Who would hold that key?

FORD:

Well, that was one of the issues that really had never been sort of developed any further, and you know, our view probably was that keys would be held by some sort of government institution or something like that. And industry has a real fear that that is then subject to theft. And that's a very realistic fear, and you know, when you're first developing these things you say, well, you know, that's not really a problem, but you know, it really could be, because we're talking billions of dollars that are going to be transacted. That's a hugely tempting process.

So anybody can be tempted at that level, and certainly we've had enough examples of people giving secret information away in very ... and people who are alleged to have been cleared to the highest security levels, so I ... we understand that. And basically what we're now doing is wanting to sit down with industry and sit down with government and try to work out some way that we can access information, particularly real time information in certain cases.

And the professor's quite right. Anybody can work up an illegal ... not off-the-shelf, but their own personal encrypted data, using methodology, ... all you have to have is computer expertise and they can do it, and there's nothing we can do about that.

BENOIT:

But Jeffrey, what are your concerns then? If the police ... The police want to have, obviously, evidence-gathering ability in the area of computers and information that they have in other types of crime-fighting ventures. What worries do you have about where we're headed with this new policy that will be worked out?

SHALLIT:

Well, I'm glad to hear that the quest for key recovery, which is kind of quixotic, has been abandoned, because I think it's quite fruitless. But we have three concerns at Electronic Frontier Canada. The first is, that demanding that people speak in a way that the government can understand is essentially a violation of the Charter. It's a violation of my right to speak.

BENOIT:

And fundamentally, people don't trust the government enough to let them understand, right?

SHALLIT:

Well, I think we have some reasons not to always trust the government. Largely it's trustworthy, but there certainly have been incidents that make it untrustworthy in many people's minds. If I want to speak in a language, such as Cree or Inuit or Yiddish, that not many people speak, and perhaps no one in the police investigating the crime under consideration can speak, well, that's not a violation of the law, or at least it shouldn't be, as far as I can see.

Our second worry is that having a large number of keys in a central location is a very attractive target for thieves. And 14 of the world's leading cryptographers have written a report entitled, The Risks of Key Recovery, in which they describe in detail what these risks are, and they point to theft as a very real concern.

BENOIT:

Are are we talking inside jobs, or people actually being able to break in?

SHALLIT:

Well, certainly a disgruntled insider is an important danger, but we've had incidents where people in income tax divisions have looked at returns of famous people, and if you know you had access to the keys of Céline Dion and could read her personal mail, maybe you would be tempted to do so.

But also, for outside thieves, for hackers to break in and obtain keys. And once you have keys, you can do anything. You can read all communications, you can spoof, that is, you can assume the identity of the person. So it's very risky. And the third reason, I think maybe the most important reason, is that it's simply infeasible, it is infeasible to block the use of strong cryptography by individuals.

Now the police chief referred to illegal cryptography. Well, it's currently not illegal for domestic use of cryptography. But it is currently ... it is infeasible, it is simply infeasible. We've had 15 of Canada's leading cryptographers sign a letter in which they agree that such controls are infeasible.

You can order the sea not to come in, but the sea will come in whether you like it or not. It is simply so widespread, so easy to do, a high school student can do it, and so undetectable. In other words, if I send a message that's been encoded, let's say, with a method like RSA, which is one of the leading methods, and I send it to you, ... and the police say, "Well, you're sending encoded data", and I say, "No, I'm just sending random data. I just felt like sending some random bits." There is no way, even in principle, without access to my secret key, that they can prove whether I was sending random data or whether I was sending encrypted data.

So cases just will be thrown out of court. There would be no way to give any evidence one way or the other.

BENOIT:

But Chief Ford, you probably have a lot of thoughts about this whole area of ... well, because obviously you're trying to fight crime and crime is rampant, increasingly so, on the Internet. The industry says look, this is going to kill our business. What do you have to say to that?

FORD:

Well, it was a bad choice of words. I didn't mean illegal encryption. I mean, you know, not off-the-shelf encryption, not manufactured encryption though ... It's just somebody who develops their own. And I agree with the professor, we have the right to speak in any language, we do, and that includes encryption. And we have the right to privacy. And you know, we have laws that protect that privacy and that right to have it in any language you want.

I guess, in real terms, we're looking for the interpreter, so that we can interpret the data that's coming our way. Our real concern is being able to access information. I mean, there's an abundance of cases where, in child pornography, in child sexual exploitation, drug dealings that are taking place on the Internet, and in many cases, they're using encrypted data. We're just ... basically what we're saying is, we realize that there is a real concern on the part of industry and the part of individuals and their right to privacy. What we're saying to industry, number one, we want to work with you and somehow sort of work around the issue of this third party looking ... holding a key, but also have an ability, when necessary and under the right legal framework, in terms of having a judicial warrant, properly ... through the proper processes, to be able to access data. And by that we mean data could be voice data, it could be ... because voice can be encrypted. What we're looking for is some way to do that. Probably there might be someone in industry who might see that there's something worthwhile, because we're not talking ... because we're talking global information here, and some way of developing some system for decrypting in a more timely fashion, and in a real time fashion. So where basically we've said to industry at the last meeting I was at, look, we want to work with you, we want to be ... we see this as a real need for the safety and security of our communities, we want to partner with you and we believe in that partnership and we think we can work together to resolve this. And I quite agree to the point that was made with our companies, Canadian companies, shouldn't be sort of hamstrung in terms of trying to sell their product in the global marketplace. Certainly not from our point of view, we're not restricting it. We think that they should be on a competitive, level playing field with other world companies as well.

BENOIT:

Well, Benita Baker, I'm interested to hear what you think at this point, because Ottawa is coming through ... there's a huge effort now to have some kind of new cryptography policy to balance these rights of law enforcement and the rights of privacy of companies that you create these programs for. How can Ottawa do that?

BAKER:

Well, first of all, I must say I'm really pleased to hear what Chief Ford has to say with respect to where industry sits in this issue. It's important to realize that if people really want to get strong cryptography, they're going to get it, regardless of where it comes from. If export policies are too restrictive in Canada, there are companies and countries elsewhere in the world that sell strong cryptography and have export policies that are far more lenient. So it's going to be available.

BENOIT:

To criminals. BAKER:

To criminals, if they want it, that's right. So keeping all that in mind, we can look at it from a strictly economic issue. And this is a burgeoning industry in Canada. It's the foundation of electronic commerce, and it's really important that we maintain our current reputation as leaders in high technology and make these products available and be able to compete on a global scale.

BENOIT:

Does that mean that if the police come to you and say, look, we're doing an investigation, could you please give us the key to such and such an account. What do you do?

BAKER:

What do you do?

BENOIT:

If they have a search warrant, for example?

BAKER:

Well, we believe that the issue of key recovery is one of sound business practice. So if any corporation is going to be using strong cryptography, then they should have the ability to have a spare key. There are a number of things that could happen, ... you could lose your key, or lose access to your key, and you should be able to recover your data in that way. So ...

SHALLIT:

But for real time encrypted communication, keys are frequently generated on the fly, just for the purpose of the short conversation, and then discarded afterwards. And it's, I think, completely infeasible when you consider the millions of conversations that would be taking place every day, and transactions every day, to have these billions and billions of keys archived, just for the sole purpose that one out of every billion would be useful in tracking down a crime.

BAKER:

Yeah, I would agree with that.

SHALLIT:

It would be incredibly expensive, and I think infeasible.

BENOIT:

But you're militating for the right to privacy on the Internet in this kind of thing, but you have no sympathy for the poor police officer who's trying to figure out this crime and looking at this stuff flying by? It's impossible.

SHALLIT:

I certainly have sympathy, but I think the proper way to deal with it is something that was hinted at by Chief Ford, which is, we need a more high tech police force. We need police who are training in ...

BENOIT:

Hacking.

SHALLIT:

... cryptographic methods, in hacking, and therefore they wouldn't be restricted to simply doing what industry tells them is feasible. They'd be able to learn on their own what methods are available and apply them under court order in a legitimate fashion.

BENOIT:

Could it ever be legitimate, Chief Ford, hacking, on the police's part?

FORD:

Well, it could only be legitimate for us to intercept any kind of communication, ... it could only be legitimate with the appropriate judicial process having taken place.

BENOIT:

So, in other words, no.

FORD:

No.

SHALLIT:

Well, with a court order.

FORD:

With a court order, yes. I mean, we've always ... part of the thing we're trying to do is, with the government, is allow the government to direct or allow ... get them to legislate a policy to allow the Communications Security Establishment to provide assistance to Canadian law enforcement as well. And that is a group that has a considerable expertise in this area. Although, the development of encryption is moving so fast, and keeping up with ... I agree with the professor that somebody can develop a key, throw the key away every time they speak or every time they send data down the line, and there is no, absolutely no simply solution, and we understand that. What we're basically saying is, we said to the industry at the last meeting, look, we need your help. We said, we obviously can help you, because there are going to be people who take advantage of this as well, to commit crimes against the very institutions, and I'm talking about the financial institutions that are doing it. So it's in their interest to help us. It's a two-way street. We're all part of this community, and we're all looking for a way to develop a process without our community, make our communities safer and better places to be, and that includes in the area of financial institutions. And that includes large scale frauds which affect us all.

BENOIT:

Well, good luck with it. Thanks very much.

Benita Baker is with Chrysalis ITS, an Ottawa company that produces cryptography hardware. Brian Ford is Chief of the Ottawa-Carleton Police Service. He's also chair of the Law Amendments Committee of the Canadian Association of Chiefs of Police. Jeffrey Shallit is a computer science professor at the University of Waterloo, and co-founder of Electronic Frontier Canada, which was formed to promote the right to privacy on the Internet.

The recommendations on a new federal policy on cryptography should be available by late fall, or early next year.

.CA is a regular feature on This Morning.