Wired News
Thursday, April 2, 1998

Crypto Canucks: Hands Off Our Keys!

by James Glave, james@wired.com

The leaders of Canada's cryptography industry convened in the nation's capital Tuesday to offer their government a little political advice: get out of the way.

The meeting was hosted by Entrust, and was observed by the Royal Canadian Mounted Police (RCMP), which, on a federal level, plays a similar role to that of the FBI in the US. The group is out to sway the course of pending policy that would determine, in part, the continuing competitiveness of the flourishing Canadian computer security industry - and the degree to which Canadians will be able to communicate among themselves in secret.

The consensus among the group was that Canada should continue its current stance of not implementing any domestic crypto controls, and liberalize its existing export policies.

"We are firmly opposed to any policy or legislation that would prohibit the export of encryption products, for either stored or transmitted data", said David Jones, president of the electronic privacy organization Electronic Frontier Canada (EFC), at the meeting.

Like the US, Canada regulates the offshore export of strong encryption technology on the basis that enemies of the state might use it to conceal covert communications. That policy is now up for review, and - in a further mirror of recent stateside events - one scheme under consideration is mandatory "key recovery".

Such a scheme, though an unlikely route, could give the RCMP and other law enforcement agencies, such as the Canadian Security Intelligence Service (the nation's unofficial spy agency), the keys to any stored or transmitted encrypted data.

In February, Industry Canada - a government branch overseeing electronic commerce policies - invited public feedback on A Cryptography Policy Framework for Electronic Commerce, a document that maps out several potential future directions for the nation's cryptography laws. And while Canada has a long tradition of seeking public input on major policy initiatives, there is little national awareness of cryptography issues, according to EFC's Jeffrey Shallit.

"The government is driving the report", said Shallit. "There is a good chance that [Canada is] going to regulate this stuff", he said.

Helen McDonald, director general of policy development with Industry Canada, said that her division, the Electronic Commerce Task Force, was expecting a formal submission based on Tuesday's conference. Further, she said that though the paper has circulated widely, there is little consensus in Ottawa on the encryption issue.

"If there were [consensus], we wouldn't be putting out the paper", McDonald said.

Canada is a signatory to the Wassenaar Arrangement, an international agreement on munitions transfers and sales. Currently, Canada allows the export of encryption products with key lengths of up to 56 bits, but there are exceptions, including so-called "mass market software" such as email programs, or public domain software.

Some industry representatives find the export approval process too slow. Under the current scheme, companies must apply to the Foreign Affairs ministry for export permits on a case-by-case basis, a tedious process that the Canadian vendors said places them at an unfair disadvantage over more nimble US competitors.

"My plea ... is 'give us a level playing field on which to compete, where the rules and regulations are the same across the board, so that we are not coming up from behind [US security vendors] all the time'", said Bob Koblavski, vice president of marketing at Milkyway Networks.

"Any degree of regulation that impedes the free flow of products and services across borders will impact the opportunities for Canadian companies and will limit us in our ability to compete and succeed in global markets", Koblavski said.

Large sections of the Canadian cryptography industry are already not subject to export controls, including digital signature technologies. However, should Canada liberalize its crypto policies even further, it runs the risk of complicating trade relationships with the US, said Phil Deck of Certicom, which licenses a version of elliptic curve encryption.

Presently, crypto products move freely between the two countries, but one view has it that a major liberalization in Ottawa may alarm Washington and threaten Canadian relations with US trading partners.

"Speaking as a Canadian, one of the things that is really sad is that by far, the key restraint on the Canadian crypto policy is American policy", said the EFC's Jones.

"We need a made-in-Canada policy which is good for Canadians and good for Canadian companies", Entrust's Brian O'Higgins agreed in Tuesday's meeting.

Part of what is slowing that, EFC representatives said, is that the issues aren't discussed among the 30 million Canadian citizens who would be most affected by them.

"There are not a lot of good sources in the media for Canadians to even know what is at stake", said Jones. "And it is not necessarily in the government's or industry's interest to even get the public involved, because it complicates the matter", he suggested.

But another government official said that cryptography issues barely register among most Canadian citizens because, in general, Canadians trust their government to see to their privacy interests.

"It is, to a degree, true that in Canada we rely on our government for a lot more than you do in the US, [the idea being that] 'the government is going to look after me from cradle to grave, and they will also look after my privacy'", said Peter Luttmer of British Columbia's Office of the Information and Privacy Commissioner.

And while the specter of mandatory government key recovery rears its head in the current Canadian white paper, Luttmer said that he sees no indications of a law enforcement agenda to push that option through to legislation.

"There is a reluctance within our government to step into that area of control", Luttmer said.

Luttmer said that Canadians put their trust in a network of provincial privacy commissioners to act as mediators and watchdogs on privacy issues, and to ensure that their privacy interests are taken care of.

"The public has a comfort level with the privacy commissioners looking after that type of thing for them", he said. "You can give us credit for watering down the thrust toward key escrow in Canada", he said.

But David Jones said that Canadians should not sit so politely, and that the FBI's desire to see mandatory government key recovery built into US communications products could easily blow in a northward direction.

"The RCMP are kind of envious of [FBI director] Louis Freeh's position", said Jones. "He has some cheerleaders in the RCMP in Canada."


Copyright © 1998 by Wired Ventures Inc. All Rights Reserved. Reprinted with permission.