The Fraser Forum
May, 1998

The World-Wide Wiretap?

So you think that a personal e-mail you send
from work is confidential? Don't be so sure.

by Mark Weller, mweller@ihermes.com

When I ask Internet users about their experiences using e-mail, I hear a wide variety of responses and usually a funny story or two. But I have also discovered that most users share one common concern: a worry that e-mail is not very private or secure.

Although it is virtually impossible to intercept e-mail during transmission (it is the rough equivalent of grabbing a beam of light), electronic messages do stop and rest at several points, and at each of these places they can be read. This includes the transmitting PC, the Internet service provider's computer, and the receiving station, as well as any servers or routers along the way. At these points one's e-mail can be read and perhaps copied or forwarded. So it is prudent to never say anything in e-mail that you wouldn't want distributed more broadly. As well, since network servers often back up material automatically, it is unwise to use a system at work for personal mail.

However, since it is clear that occasionally one might want to send information by e-mail that is not for public consumption, the best solution is to encode the message. There are already systems for this in place which are used chiefly by businesses and individuals who have an unusually high need for security. The best systems involve what are called encryption keys or codes. Using these codes, only the person transmitting the data and the person receiving the data have the ability to read an encrypted message. Codes now exist that are technically extremely difficult, and economically prohibitive, to crack.

The problem is, some government agencies, such as those involved with law enforcement and intelligence gathering, don't like the idea that communications may be taking place to which they do not have access. As a result, many policies have been proposed that, while intending to protect the privacy of individuals, would actually result in the erosion of their civil liberties.

For example, in the United States, under laws that were devised for the Cold War, the export of what is called "strong encryption" is prohibited. Concerned that the ability to communicate using unbreakable codes could fall into the hands of the enemy, the US banned the export of any encryption software beyond a certain level of complexity. Encryption programs are currently treated under US law like munitions, and under these laws the export of strong encryption is the equivalent of international arms smuggling.

As well, some law enforcement agencies around the world have expressed alarm at the idea of encrypted e-mail. The US Federal Bureau of Investigation, for example, has proposed a system of "key escrow" which would involve a national encryption key registry. After application for a warrant, the FBI could acquire any key to open up e-mail messages and conduct an investigation. If one were to liken e-mail to a more established medium, the telephone, this system would constitute the world's largest wiretap.

Meanwhile, back at home, in February of this year Industry Canada issued a report entitled A Cryptography Policy Framework for Electronic Commerce which listed a number of policy alternatives for government cryptography regulation. Like the FBI before it, Industry Canada suggested in the report that one policy option might be to ban encoding products that do not allow the government to listen in. Again, the justification for this is law enforcement.

On April 20th, a group of Canada's leading cryptographers issued a joint press release opposing government regulation of cryptography. The core of the press release is encapsulated in the following quote from computer scientist Dr. David Jones, president of Electronic Frontier Canada, a non-profit civil liberties group: "Cryptography is essential for the transition to a wired society. It is the key enabling technology that will allow Canadians to keep our personal information and communications private without fear of eavesdropping, as well as safeguard the security of our online transactions, without fear of fraud. If the government places restrictions on the use of cryptography, it would likely do more harm than good."

A much more rational solution to the problem of privacy would be to continue to allow private encryption codes to be developed without interference by government. Government taking over the administration of the tools needed to ensure privacy will not address concerns about individual privacy. The downside of competitive codes? Law enforcement would be forced to continue to rely on traditional means of investigation, which have served them well enough until now. Concern about hackers gaining access to e-mail does not justify a massive public sector "hack". By allowing a competitive market in key codes to flourish, Canada would develop an electronic mail system that would be inherently more secure and that would respect the right to privacy.

[Note: Dr. David Jones, President of Electronic Frontier Canada, is one of the speakers who will be featured at the upcoming Fraser Institute/Business in Vancouver conference "Electronic Commerce: Free Markets in Cyberspace" to be held in Vancouver on June 24, 1998.]


Copyright © 1998 by The Fraser Institute. All Rights Reserved. Reprinted with permission.