Friday, April 24, 1998
vol 8, no 8, page 1

Industry debates encryption policy

by Carol Neshevich

The Canadian government should, for the most part, stay out of encryption policy issues.

That's the message Brian O'Higgins, executive vice-president and CTO of Ottawa-based Entrust Technologies Inc., delivered during a round-table discussion held in Ottawa regarding Canadian encryption regulations.

"We believe the export controls (on encryption technology) should be eliminated. We believe there should not be any mandated key escrow or key recovery that would give the government automatic access to keys", O'Higgins said.

"We understand that law enforcement definitely has an issue if all communication is encrypted -- it gets in the way of doing intercepts and so on -- but we believe that 90 per cent of law enforcement requirements will be met with commercial products."

The discussion was held to gather industry opinion in response to an Industry Canada document issued in February called A Cryptography Policy Framework for Electronic Commerce. The document asked for public input on what options people favoured in three categories: stored data, real-time communications, and export controls. The government wanted all public submissions in by April 21.

Participants at the industry round-table included Entrust Technologies, Certicom Corp., Milkyway Networks, Hewlett-Packard Canada Ltd., Kyberpass Corp., and the Information Technology Association of Canada, among others.

Near the end of the lengthy discussion, round-table chair Alan Pickering, former director-general of Canada's Communications Security Establishment, summed up the participants' comments.

"From what I've heard, looking at the three areas of discussion, it would sound like in the are of encryption of stored data, (people think) it should be market-driven", he said. "As for encryption of real-time communications, we should maintain the status quo in that ... but there should be selective discussions and selective applications of rules which would require communications organizations to provide access only when required for law enforcement purposes."

And in the area of export controls, he said: "There should be no controls -- that's what most people here seem to favour, if not everybody."

Currently, Canada is a member of a 33-nation agreement -- the Wassenaar Arrangement -- that requires export controls on a long list of "dual-use products", including cryptography. Canada created a policy based on that which restricts the export of customized encryption software or hardware.

Initially, the policy stated that customized encryption software or hardware products with a key length of 40 bits or less were exportable without a permit, and banking or financial institutions were permitted to export 56-bit DES products.

But in December 1996, Canada changed the policy for a 12-month trial period to allow the export of 56-bit customized encryption software or hardware with embedded encryption to most countries. This has been extended to June 30, 1998, until more decisions are made regarding Canada's encryption policies.

At the industry discussion, one of the hot topics was mandating key recovery.

"There's a notion which originates out of the U.S. that talks about mandating key recovery, so it would force any type of encryption to have a key to be held by what they call a trusted third party", Entrust's O'Higgins said. "This doesn't make sense commercially, because commercially, remember, we're still going to keep a back-up of the key. So if someone comes in and wants it, you can give them the key."

The participants also discussed problems with giving key recovery to the government and law enforcement bodies. Phil Deck, CEO of Certicom Corp., explained why he thought it was just a bad idea for Canada.

"I don't believe there's any way key recovery or key escrow can work from an export point of view", he said.

"Certainly nobody's going to buy products that the Canadian government has the keys for, and it is useless to put those features in if the foreign companies have those key escrow capabilities themselves."

But Deck said there is a certain place for the government in this area. "I do think you could easily afford to have a government mandate that says companies do have to take steps to make information available (if necessary)", he said.

There was also a great deal of discussion comparing Canada to the United States, and what would happen if Canada's encryption policy differed too greatly from U.S. policy.

As it stands now in the United States, software manufacturers are allowed to ship 56-bit encryption to foreign countries provided they supply the U.S. government with a key. Permits must be granted for all export of 128-bit encryption.

Deck brought up the notion that Canada shouldn't try to stray too far from U.S. policies so as to upset trading partners -- a notion which some participants did not seem happy with. But he responded by saying, "My comment about the U.S. government was not that we have to follow U.S. government policy, just that we have to take it into account. Clearly, the computer industry is based in the U.S., there's a lot of influence there."

Todd Finch from Netscape Communications Canada Inc., added Canada needn't follow U.S. policy, because Canada and the United States have some fundamental differences that should be considered. "The U.S. nature is to protect the individual, while the Canadian nature is to protect the group."

Tim Hember of Ottawa-based TimeStep Corp., recommended "liberalizing within the framework of the Wassenaar Arrangement" -- meaning more loosely interpreting the policies -- which several others agreed with.

"I do fully believe we can liberalize the use and export of cryptography within the framework of our agreements and arrangements with other countries to try to meet the needs of the people around the table", Hember said.

Copyright © 1998 by NetworkWorld. All Rights Reserved. Reprinted with permission.