Electronic Commerce News
Tuesday, April 7, 1998
vol 3 no 14

Canada mulls liberal encryption exports

Neighbour wary of irking United States

by Charles Flippen

The world is not waiting on the United States to dictate encryption controls.

A policy debate fostered by an interagency task force in Canada is an example of another foreign country considering more liberal regulations than the United States - something that worries domestic vendors.

The Canadian Task Force on Electronic Commerce published in February a 35-page "policy framework" outlining potential levels of regulation concerning public key recovery and export controls.

The Canadian government is reviewing its policies to ensure a balance between the security concerns of law enforcement agencies and market demands for strong encryption, says Helen McDonald, director general of policy development with the task force.

The task force is accepting public comments on the paper through April 21. Some software developers are commending Canada for inviting them to join in the discussion process.

"What's unique about what is happening in Canada is the government is going out and soliciting input on what the policy direction should be", says Paul Van Oorschot, chief scientist with Dallas-based EnTrust Technologies.

Entrust held a roundtable of software industry executives last week to generate comments on the paper.

Seeding Electronic Commerce

McDonald, who also is an official at Industry Canada, the Canadian equivalent of the Department of Commerce, says her agency wants to foster the adoption of electronic commerce systems among Canadian businesses. Industry Canada wants to make "Canada one of the more connected countries in the world", she says.

Strong encryption is critical to that goal. "If you don't get business and consumer confidence, [electronic commerce] won't work", she says. "Part of what we're trying to do is build trust and build confidence in electronic commerce." Export controls on encryption software have been one of the most contentious issues in the U.S. electronic commerce industry and Canada is no different.

Controlling Exports

Until December 1996, Canadian developers could ship custom encryption hardware and software with key lengths no greater than 40 bits. At that time, Canada declared a one-year trial period during which vendors could export 56-bit products. The government has extended the trial period through June.

The task force suggests Canada could: roll back its regulations, potentially matching the most liberal export policies; maintain the current 56-bit export limit on custom software; or extend the limits to restrict mass market and public domain software.

Liberalizing policies would be an "aggressive" move that could bring about pressure from allied nations - including the United States - to renew tight restrictions, the paper warns.

But, Van Oorschot says loosing Canadian software companies from export restrictions is the only way for businesses like his to remain competitive. Since some countries have virtually no controls on cryptographic exports, "the only level playing field is to have liberalization of export controls across the board", he says.

"Otherwise, the Europeans will take over the [information technology] markets related to security", Van Oorschot says. "And the same thing is true in the States ... they may lose their dominance in the IT sector if electronic commerce is taken over by a European security provider who can [sell] stronger cryptography worldwide."

Export controls are an anachronism left over from Cold War restrictions on munitions, he says. "This is the aftermath of that and it no longer makes sense to control this because it is available worldwide already", he says.

South Of The Border

In the United States, the Department of Commerce bars developers from exporting encryption software longer than 56 bits, unless they are granted an exemption. The federal regulation is being challenged in court.

At the same time, the Security and Freedom through Encryption Act is winding its way through the U.S. Congress. Know as the SAFE Act, H.R. 695 was amended last fall and would codify the Commerce Department's regulation. Also, the Senate is considering a bill that would create an advisory board to approve levels of encryption for exported software.

Canada can't ignore U.S. policy for fear of riling its trading partner to the south. But neither can the country forget about nations happily exporting strong cryptography.

"We're watching what you guys are doing because we're big trading partners", McDonald says. "[But] if somebody's going to open their gates and flood the market [with strong encryption], it's hard to go the other way."

Software developers agree there is a fine line to walk.

"We have to recognize in this that the U.S. is the big issue. We may not like or agree with some of the policies that happen in the U.S., but we do have a relationship", said Phil Deck, CEO of Canadian vendor Certicom Corp. at the EnTrust roundtable. "We have to make sure that our border ... remains open for cryptography products because that's our biggest market."

Protecting IT Dominance

EnTrust's Van Oorschot urges the United States to consider liberalizing its own policies. Entrust is a division of Toronto-based Northern Telecom [NT] (Nortel) and keeps its research and development headquarters in Ottawa.

As a result, its electronic certificate management products and public key infrastructures are subject to Canadian control.

"U.S. policy is formed in order to favor U.S. companies, but what the U.S. has to be worried about is losing out in the IT market", Van Oorschot says.

Upset by U.S. dominance of the information technology market, European nations, such as Ireland, Finland and Switzerland, will continue to have liberal export rules, Van Oorschot predicts. "That will force the hand of the U.S. and they will have to give up billions of dollars of revenue ... or they will have to liberalize controls", he says.

(Phil Deck, Certicom, (905) 507-4220, http://www.certicom.com/ ; Helen McDonald, Industry Canada, (613) 947-7466 ; Paul Van Oorschot, EnTrust Technologies, (613) 247-3184, http://www.entrust.com/ )

Canada Reviews Key Recovery

In addition to export controls on encryption software, the Canadian Task Force on Electronic Commerce is reviewing regulations that cover key recovery for stored data and real-time communications.

In its 35-page cryptography paper, the commission raises questions about ensuring that law enforcement agencies can decode stored data for an investigations.

Stored data options include:

While large businesses view backup of stored data as good business practice, no one can be assured that all businesses will provide for back up in a unfettered "laissez-faire" environment, the paper suggests.

Regarding real-time communication, Canada now requires telecommunications companies, when served with a court order, to help law enforcement agencies decrypt messages traveling through their facilities. Only wireless providers of personal communication services and local multipoint communication services are subject to the rule.

With increasing competition in the Canadian telecommunications industry, a patchwork approach may create an "uneven playing field among communication providers," the task force writes.

To combat the potential inequities, the report proposes requiring all communications providers offering encryption services - wireless and wireline -to be able to decode messages for law enforcement agencies on receipt of a court order.

In addition, it is considering forcing any certification authority that provides encryption keys for Internet telephone, telnet or World Wide Web transactions to aid decryption.

(Task Force on Electronic Commerce, (613) 947-7466, http://strategis.ic.gc.ca)

Copyright © 1998 by NewsEdge Corporation. All Rights Reserved. Reprinted with permission.