Forwarded From: privacy <anon@juno.com>
http://www.newscientist.com/ns/19990306/forum.html
Under lock and key
By Duncan Graham-Rowe
GOVERNMENTS hate things going on that they don't know about. Not long ago,
many governments insisted that they should have the ability--and the
right--to decipher all coded messages. The US government, for example,
tried to get organisations to use its clipper chip for encryption. Only
the government, of course, would hold the numbers, or keys, that would
enable it to read anything encoded by the chip. Encryption looked set to
become a major civil liberty issue.
The subject might seem somewhat esoteric. Indeed, many people have never
even heard of it. But whether you know it or not, you almost certainly
depend on computer encryption already. Banks, for example, use encryption
software to safeguard their customers' personal identification numbers, or
PINs.
Many other businesses, and individuals, also have good reasons for wanting
to be sure that information such as a credit card number sent over the
Internet is not being intercepted--or at least cannot be read if it is.
Human rights organisations, for example, often use cryptography to relay
sensitive information.
People who send coded messages obviously want to use strong encryption
software, the best available. And while there is no such thing as an
uncrackable code, strong encryption comes pretty close. Even with the
fastest supercomputers, it could take years to break most properly encoded
messages.
And this is what gets governments so worried. Strong encryption makes
eavesdropping on other people's communications practically impossible.
Many governments argue that being able to decode encrypted messages is
essential if they are to crack down on criminal activity, such as the
distribution of child pornography on the Internet.
As a result, a number of Western governments, including France, Britain
and the US, have spent years quietly trying to introduce various versions
of what is called key escrow. The idea is that government-approved
agencies, called "trusted third parties", would be set up to hold the
encryption keys on our behalf. Then, when the police want to decode a
particular message or set of communications, they would present a warrant
to these agencies.
It sounds reasonable, but such a system would be open to abuse and far
from secure. Besides favouring encryption systems that are easy to crack,
key escrow represents a weak link in what would otherwise be an almost
impenetrable chain.
Worse still, it wouldn't even achieve what it was designed for. If key
escrow was in place, few criminals would be stupid enough to use it. In
fact, criminals would probably be the only ones with any real privacy.
And while all those whose job it is to fight crime argue that this would
nevertheless provide a good way of flushing out criminals, to do this
effectively you would have to know where to look in the first place, which
is a somewhat circular argument.
So is it really worth jeopardising our privacy on the off chance that the
police might catch a few careless criminals? Not according to the French.
Last month, France denounced its own well-established policy of banning
commercial encryption, after 200 companies complained to the government
about key escrow. Prime Minister Lionel Jospin openly admitted that key
escrow was useless in fighting crime and therefore unwarranted.
And even the US seems to be backing down, after a spate of TV commercials
aimed at embarrassing the government brought the issue out in the open.
It also seems likely that export laws will be relaxed so that strong
encryption software such as Pretty Good Privacy (PGP) is no longer
classified as munitions and banned from export.
Britain's Department of Trade and Industry seems to be following suit.
After nearly five years of consultation, the e-commerce bill is rumoured
to be published this week. Although the official line has been that the
government favours key escrow, euphemistically calling it a voluntary
system of cryptography, the message that this is unacceptable appears to
have been drummed home not just by industry bodies but also, according to
popular rumour, by the former trade minister Peter Mandelson.
This is a welcome change of heart. It is just a pity that it has come not
from governments recognising the futility of key escrow or from listening
to the cogent arguments of civil libertarians, but merely in response to
pressure from industry.
From New Scientist, 6 March 1999
Received on Thu Mar 11 17:30:11 1999