&
The Globe & Mail
Wednesday, April 22, 1998

Encryption issue hoists Ottawa onto a tightrope

by Geoffrey Rowan, growan@globeandmail.ca

Canadians are good with a secret, but Ottawa may blow it.

Yesterday was the last chance for people to comment on Industry Canada's report, A Cryptography Policy Framework for Electronic Commerce. It offers possible scenarios for government regulation of cryptographic hardware and software, which make codes to keep digital files secret.

The government needs to balance the interests of police -- who want to be able to read or listen to any communication any Canadian might have -- with those of civil libertarians who oppose any snooping, and of business, which just wants to make a buck.

But one of the scenarios offered in the report is a law that makes it illegal to use an unbreakable code. That would be more than a tad rough on civil liberties, pointless as a deterrent to crime, and disastrous for Internet commerce and Canada's fledgling cryptography industry.

For private citizens, such a law would be outrageous in its potential to invade privacy, says Jeff Shallit, a computer science professor at the University of Waterloo. He's also vice-president of Electronic Frontier Canada, a non-profit group devoted to ensuring the provisions of the Charter of Rights and Freedoms are preserved in the digital age.

Besides being wrong-headed, it's unenforceable, Mr. Shallit adds.

"It's certainly possible to pass a law saying anything you send must be sent [uncoded]. But what if I want to speak in Yiddish with my grandfather, and CSIS doesn't have someone who understands Yiddish? Or what if I want to speak Navajo, or if I want to send random bits?"

An anticryptography law fails as a deterrent to crime for the simple reason that criminals are unlikely to obey the law. It is a comparatively simple matter for any technologically adept high-school student to get and use an unbreakable encryption program.

But this type of law would serve as a huge deterrent to Internet commerce, which is having a hard enough time getting off the ground as it is. Business still hasn't found the secret to successful mass commerce on the Internet, and if you remove consumers' ability to encrypt personal and financial information, it never will.

This seems unimaginable from a federal government that says it is committed to making Canada the most connected nation on Earth by 2000.

But even if Ottawa only outlaws the export of strong cryptography -- as the United States has done -- there would be painful repercussions for Canadian business.

This country has developed an international reputation for cryptography. The University of Waterloo has produced an inordinate number of cryptographers, which are kind of the extreme sports version of a mathematician.

Ian Goldberg, for example, is the Waterloo graduate -- now at the University of California at Berkeley -- who recently broke the code used to encrypt conversations on 80 million cellphones around the world. It took him and a colleague about 10 hours.

Mississauga-based Certicom Corp., which makes encryption software, was founded by three Waterloo professors and it has attracted major investment from Microsoft co-founder Paul Allen. Entrust Technologies Ltd. of Ottawa is also building Canada's reputation as a fertile base for cryptographic talent.

Banning the use of so-called strong cryptography would stifle this industry or at least drive it out of the country. The United States is already seeing hints of this. Sun Microsystems Inc. of Mountain View, Calif., has set up a group in Russia to develop strong cryptography to get around U.S. export laws.

Domestically, the U.S. government is faced with the same balancing act as Ottawa. It has been making noises for months, telling industry to come up with a solution or face regulation of the domestic use of encryption so that police agencies would be able to understand any communication.

Indeed, when Mr. Goldberg broke the cellphone code, it appeared to have been dumbed down to make it easier for police agencies to crack.

A strong lobby by U.S. industry has so far held off regulators and there have been signs Washington might ease export restrictions.

Canada's lack of such restrictions is one reason Certicom recently signed a major licencing deal with a subsidiary of Nippon Telegraph and Telephone Corp. of Japan. That unit, NTT Electronics Corp., owns a piece of Certicom's U.S. competitor, RSA Data Security Inc., but it chose Certicom because of this country's kinder cryptography export policy.

If Canada's policies change and we lose our status as a secret society, such deals will disappear, along with the promise of a digital land.


Copyright © 1998 by The Globe & Mail. All Rights Reserved. Reprinted with permission.