22 June 1998: Add Fahs and Taylor messages
22 June 1998
Thanks to MO
From: "Brian Gladman" <gladman@seven77.demon.co.uk>
To: "UK Crypto List" <ukcrypto@maillist.ox.ac.uk>
Subject: EPIC Conference
Date: Sat, 20 Jun 1998 16:23:59 +0100

As requested here is a summary of the EPIC Conference. My thanks go to Stefek Zaba who shared his notes with me and without whose help I would not have been able to compile this summary. However, I take all responsibility for any errors, problems or opinions! Many other ukcrypto list participants were present and I would encourage them to add to, or correct, anything I have said.

Brian Gladman

----------------------------------------------------------------------------

The 1998 EPIC Cryptography Conference (8th June, Washington DC)

*** Keynotes ***

There were two Keynote speeches given respectively by Representative Bob Goodlatte and Senator Conrad Burns. Goodlatte is the driver of the SAFE Bill in Congress and Burns the driver of the ProCODE Bill in the Senate.

Goodlatte indicated that support for SAFE on the floor was now 250 plus which is a majority. However the Bill was now being scrutinised by a number of 'interested' committees and this was stalling its progress. The Rules Committee would have to resolve this and it appears that the Chairman of this committee is not in favour of the Bill. There appeared to be a US Administration wish to negotiate with Americans for Computer Privacy (ACP) on the crypto issue but a condition here was that SAFE is suspended. He argued that this would be very bad since the US Administration only ever moved on the crypto issue when under pressure. In overall terms I gained the impression that the Bill would be unlikely to succeed this session (I stress that this is MY view - I may be wrong).

Senator Burns gave a light hearted summary of crypto issues and argued strongly that constraining technological progress in the crypto area would be very damaging for the US. He suggested that most legislators did not understand the issues involved and this meant that there was a desperate need for education. He characterised Washington DC as "17 square miles of logic free environment".

*** Technology: Key Escrow/Key Recovery ***

The 'Technology Panel' was led by Dave Banisar of EPIC with Matt Blaze, Bruce Schneier and myself as speakers.

Matt Blaze presented an updated version of last year's "11 Cryptographers" report. He pointed out that the conclusions of the original report were unchanged and essentially unchallenged.

Bruce Schneier then covered the technical issues of maintaining security with KE/KR solutions. He pointed out that maintaining security in any KE/KR infrastructure would be extremely difficult and well beyond the current state of the art. He pointed people to NSA's analysis of the risks of KE/KR which pointed out these risks very clearly.

I presented my paper on KR and its 'conversion' into KE by government support and sponsorship. In particular I emphasised that there was little overlap between the interests of governments in seeking access to information and those of private citizens in maintaining their privacy. Although there were some business requirements for KR, if these were pursued in a way that imposed them on private citizens then mass market Electronic Commerce would be stillborn.

*** US Encryption Policy - Where Next? ***

The session on US Encryption Policy involved two speakers (Bob Litt and Bill Reinsch) speaking for continued controls and two (David Peyton and Jeffrey Smith) calling for their removal.

Bob Litt (US Justice Department) stressed that the law enforcement community did not want to stand in the way of the widespread use of encryption, which they saw as a benefit for law-abiding citizens. But this would have an adverse impact on law enforcement and this could not be ignored. He considered that the law enforcement case had been largely misunderstood and rejected a number of common 'myths':

* law enforcement is opposed to the use of strong encryption
* the code breaking capabilities of governments gave ready access for law enforcement - the cost of this was way beyond typical law enforcement resources
* law enforcement wishes to expand its information gathering capabilities

He went on to give examples of cases where intercept had been very important for law enforcement and suggested that if we did not tackle this issue now a future 'crypto related calamity' might result in draconian measures that no one wanted.

Bill Reinsch gave a summary of the Administration's position on crypto. He pushed the Key Recovery line and stressed the need for this for stored data (I felt that this was a reaction to the realisation that the case for comms KR was weak, hence requiring a shift of ground on the Administration's part). He said that he saw KR solutions emerging even for comms and seemed to suggest that there were business needs here despite the previous session presentations. He suggested that discussions with other countries indicated that they were moving along the same lines as the US and pointed to UK policy announcements as an example here.

Jeff Smith, Counsel to ACP, described the competing interests in the crypto policy debate, emphasising the ACP desire to work co-operatively with the US administration to find solutions. He overviewed an ACP proposal for the way ahead on crypto policy:

* a presidential commitment to oppose any domestic controls
* more interim export relief
* the formation of a "Net Center" as a forum for the multiple interests to work out a compromise solution.

David Peyton, National Association of Manufacturers, made the business case for the deployment of strong cryptographic information protection. He quoted a recent study suggesting that the cost of economic and industrial espionage for the US was now 250 billion dollars (per annum? - this was not clear). He suggested that we were still recovering from the 'Clipper fiasco' but noted that this was still a government standard! He felt that voluntary (user controlled) KR was a valuable possibility but strongly criticised the Administration's "back door" discouragement of non-KR products through such means as the export control regulations.

*** Discussion ***

A number of interesting points came out in discussion

1. Bill Litt admitted that he had never seen the NRC report - he had been told that it was badly flawed and had not therefore read it!!!!

2. Bill Reinsch was asked about US government Department efforts to obtain exemption from requirements for KR in their systems. He said that he did not think exemptions would be easily obtained (apparently his staff touted this for BXA but he said that they would have to take their own medicine!).

3. Reinar Fuchs (NATO attendee) strongly distinguished - and asked Reinsch to acknowledge the basic difference between - domestic law enforcement, i.e. police, access, under lawful warrant, and mass surveillance by intelligence authorities under such programmes as Echelon. He indicated the hostility in Europe to such government activities. He did not get any answer from Reinsch. Fuchs followed up with a second question asking if intelligence agencies would have to escrow their keys if KE/KR became mandated!! Reinsch suggested that self escrow would be sensible here!!!!!!

4. In response to a question (from me) on why export controls would help in stopping criminals and terrorists from using strong non-KR encryption Bill Reinsch indicated that 'in abstract terms' he could not characterise such controls as 'either fair or effective'; they were, however, 'available'.

*** Lunch - Jim Bidzos, RSA ***

Jim did a good job at criticising the Administration's position on crypto policy. He pointed out that this was exporting jobs and technology leadership from the US at an increasing rate. He suggested that the economic cost of the current policy was already high and could be expected to grow rapidly if it was not changed soon. He expressed amazement that Bill Litt had not read the NRC report and said that he was organising a collection so that a copy could be purchased for him to read!

*** International Perspectives ***

* Helen McDonald, Industry Canada

Helen gave an overview of developments in Canada (Industry Canada is the Canadian equivalent of the US Commerce Dept or the UK DTI). The Canadian Government was working on three fronts:

* privacy legislation
* establishing a PKI
* clarifying crypto policy

On privacy, there will be federal legislation in those policy areas which are federally controlled; for the other policy areas, minimum standards have been agreed with the provinces, based on the 1988 OECD "fair information handling" principles.

On PKI for federal government use, the intention is to have the foundations in place this year (1998). Though Entrust has the major share of current implementations, the PKI itself is open and will support other products.

On crypto policy, Canada has issued an "options" paper and solicited wide public comment. The current position is of no usage or import regulations; export regulations are compatible with the Wassenaar agreement. Hence no restrictions on the export of weak or authorisation-only crypto, nor on Public domain or mass-market products. Current thinking for the future was that Canada's Charter of Rights and Freedoms requires that any restrictions should be proportionate and have a realistic chance of being effective. [I felt that Helen was leaning towards the privacy argument in what she said].

More detail at: http://strategis.ic.gc.ca/SSG/cy00005e.html

* Ulrich Sandl, Ministry of Economics, Germany

Ulrich gave a very strong statement of the German position on crypto policy and came as close to being critical of the US government as any speaker did. In effect he was outspoken in rejecting US government efforts to impose their crypto thinking on Germany (and others). He emphasised that the privacy of German citizens was of great importance and that the real issue for Germany was not giving law enforcement access but rather that of preventing access by 'foreign agencies' not under German control. He said that there was serious concern in Germany about 'one country's' attempts to impose solutions meeting such needs!!! In my view this talk was, in effect, a strong German rejection of US government efforts for international consensus on KE/KR crypto provisions.

* Nigel Hickson, UK Department of Trade and Industry

Nigel gave an overview of the recent UK policy developments that members of this list will know well (so I won't repeat them here). He did suggest at one point that the UK industry response to the earlier UK policy paper had been pathetic, with only civil liberties making a serious input (I think that this was a somewhat 'tongue in cheek' statement). He also suggested that the UK law enforcement community should start making their own case rather than asking him to do it for them (and taking the flak as a result!). On a wider front he referred to support in Europe for measures designed to provide law enforcement access and to the EU dual-use Directive, which would possibly remove internal EU crypto controls but also impose controls on 'intangible goods' (that are currently not controlled).

* The French Scene

The scheduled representative from France was unable to attend; Deborah Hurley read out a short statement, in which Prime Minister Lionel Jospin's administration was painted as much more aware of E-issues than the previous government. On crypto policy, there is now an intention to have a public consultation and debate process by the end of this year (1998)!

* The European Commission

The Commission representative did not attend and no position was given for the EU (I was very disappointed about this given the progress now being made by the Commission).

* Discussion

During discussion Nigel pointed out that the Wassenaar agreement will come up for review shortly (I cannot remember the timescale he quoted). It was also pointed out that if nations could not agree on carrying some form of agreement forward, it would simply lapse [comment: this will be an opportunity for rational action - removal of all crypto controls except those targeted at specific and achievable aims - e.g. preventing military crypto going to terrorists or undemocratic countries.]

*** US Export Control Litigation ***

This session covered three cases (Bernstein, Junger, and Karn) with their attorneys giving presentations and the US Administration defence attorney also speaking.

* Ken Bass - counsel to Phil Karn

This case concerned the export from the US of the floppy disc with Bruce Schneier's 'Applied Cryptography' book. The case is based on 'free speech' and 'due process' issues. Ken indicated that in following up the case he had discovered that US crypto export controls are on very shaky ground because they are based on the "Emergency Economic Powers Act", under which the President has year-by-year powers to impose short-term economic and trade sanctions. He argued that the repeated use of this procedure was an abuse of these provisions which were not enacted for such purposes. This case had been going a long time - since 1995 - it has gone through rulings and appeals; it has suffered delay when crypto control moved from the State Dept to Commerce and when the original judge died. It continues.

* Gino Scarselli - counsel to Peter Junger

This case is essentially a restraint-of-free-speech case whose central issue challenges the claim of the EAR (Export Administration Regulations) that posting source code on a Web page is in itself an act of export. The code in question is a chapter in a book published on-line by Peter Junger, a law professor. A related free-speech issue is whether Junger can teach this particular class when a non-US student is present. The case has yet to be ruled on at the first (District) court level. [See http://jya.com/pdj.htm]

* Cindy Cohn, counsel to Dan Bernstein

This case is another challenge to the crypto export legislation, which started in early 1995. Judge Patel's initial rulings established that source code is speech for US legal purposes and potentially protected under the First Amendment; she also ruled the ITAR regulations partly unconstitutional in restricting the "speaking" of crypto source code. Judge Patel issued a relatively narrow decision, affirming the rights of Bernstein and others to export (make available) his source code, but not necessarily removing export regulation. The decision was further narrowed after the Administration made an emergency motion, to affirm only Bernstein's right to export the source code, pending review of the entire judgement. Cindy Cohn's presentation coincided with her recent congressional testimony, available on the Web at:

http://www.eff.org/pub/Crypto/ITAR_export/Bernstein_case/19980317.testimony

* Tony Coppolino - counsel for US Department of Justice

Tony Coppolino has been the Administration counsel in all three of the above cases. He started by saying that the "proper" place for challenges to the substance, as opposed to particular implementation, of US crypto policy is not the courts, but the political process. He faulted Cohn's First Amendment analysis by saying no one was arguing whether source code was speech; but that it has another characteristic as well - that of being an "effective machine". It was the latter that gave the government the right to regulate it. He also argued that 'unreasonableness' or 'illogicality' were not grounds on which any regulations can be overthrown - they have to be wildly or recklessly unreasonable for this to succeed!

* Michael Froomkin, Professor of Law, University of Miami

Froomkin gave a "futures" view of these legal challenges. The only confident prediction he felt able to make was that the cases would go all the way to the US Supreme Court! Whichever way the decision fell, and at each stage of litigation, it would be necessary to look not only at who had won or lost, but also at how broad or narrow the decision was, and at whether it focussed on the nature of the medium involved.

* Discussion

This session evoked by far the most discussion. There was a lively exchange on the characteristics of 'speech' and the fact that speech is always capable of being a 'machine' or 'engine' in evoking or provoking active events. Stefek argued persuasively that the primary function of source code was to convey ideas to other human beings - if this was not the case we would write software directly in binary! It was also pointed out that the PGP transfer to Europe using paper and high quality scanning had progressed this technology for source code reconstruction to the point where the control of source code export would now require the banning of books. The response to this was interesting in that most of the people present did not feel that the export of books would be challenged. Some, however, thought that such technological developments might well lead down this path!

*** OBSERVATIONS - DANGER ZONE ***

From here on this stuff is *** my opinion *** with no attempt to be objective or balanced!

* Crypto Controls

It was clear that the 'stand off' between governments and their informed citizens on crypto issues remains as big as ever. The US administration is determined to continue with its stance even though the US informed public roundly rejects its approach. All groups representing the public, commerce and business were against crypto controls and clearly wanted them removed. No-one on this side of the argument spoke for controls in order to provide for public safety or security and, while the argument for such was understood, the general view seemed to be:

* controls do not, and cannot, have the desired effect but impose great economic (and social) damage
* on balance the widespread deployment of cryptography would be positive for society - "cars kill but we do not ban cars as a result" was a quoted argument.

There seems to be a recognition within the US administration that export controls are ineffective and unfair but there seems little if any activity to find more effective or acceptable approaches.

* Key Escrow and Key Recovery

The US and UK governments are pushing Key Recovery despite unchallenged concerns about its effectiveness when deployed in a form that meets their needs. Given the weaknesses it will introduce in terms of national information protection (economic and industrial intelligence gathering) this is surprising. Germany appears to be the one country in Europe that has recognised this problem and set its crypto policy with this in mind. Probably the issue here is whether a particular Nation believes it gains more from spying on other Nations than others do in spying on it. The recent revelations about Echelon (which were referenced several times at the Conference) have brought this issue home to a number of non-English speaking European Nations in particular. This is leading to an increasing group of Nations who no longer support the US policy line (note, however, that US Officials still claim support for their policy). This situation was most in evidence in what Germany said at the Conference but I have heard similar views expressed by representatives of several other EU countries in recent months.

It is possible, therefore, that the balance of view in Europe is now shifting towards crypto deployment rather than the continuation of crypto controls. This is certainly the tone of some recent EU Directives (although Nigel noted moves in Europe in the opposite direction). There was even a hint that France might be considering a softening of its strong stance on crypto controls by seeking opinions of its citizens on such matters - I never thought that I would live to see this!

Brian Gladman, 20th June 1998
Date: Mon, 22 Jun 1998 15:16:46 -0400
From: Rainer Fahs <101544.3054@compuserve.com>
Subject: EPIC Conference
To: <ukcrypto@maillist.ox.ac.uk>

Thanks Brian,

Good summary, however, two minor points.

First, it is Rainer Fahs, not Fuchs.

Secondly, and this is a little more important, yes, I am currently employed by a NATO civil agency. I was wearing a second hat at the conference, which is the one from the European Institute for Computer Anti Virus Research (EICAR). Within EICAR we have some people who are concerned about the privacy issues and we have established an international Working Group to look even deeper into all of the aspects, not only from an IT Security, but also from the legal point of view.

At the EPIC conference, I stated my personal opinion which is not necessarily the one of my employer. However, at the Copenhagen hearing, I recommended to Mr Schlickmann from DG XIII that the EC Directive should indicate that it would cover legal requirements of law enforcement but no further requirements of intelligence services. If they want their requirements to be covered, they should lay them open for public scrutiny.

Regards

Rainer Fahs
Date: Tue, 23 Jun 1998 00:17:01 +1000
To: ukcrypto@maillist.ox.ac.uk
From: Greg Taylor <gtaylor@efa.org.au>
Subject: Re: EPIC Conference

[Snip Gladman]

Thanks for an excellent report Brian (and Stefek). It's more comprehensive than my notes on the meeting so I can't add much ;-)

>During discussion Nigel pointed out that the Wassenaar agreement will
>come up for review shortly (I cannot remember the timescale he quoted).
>It was also pointed out that if nations could not agree on carrying
>some form of agreement forward, it would simply lapse

My notes say November, but there has been a recent report in Australia (LAN Magazine, June 1998) that the meeting will be in September. This will be a significant development that will affect the future of crypto policy globally. We'll be doing our bit to lobby the Australian government representatives to adopt a common sense approach, which may mean letting it lapse ;-)

Greg Taylor
Crypto Committee
Electronic Frontiers Australia