Government, Cryptography and the Right To Privacy Jenny Shearer and Peter Gutmann Presented by Paul Conti 4/3/00

Upload: darren-douglas

Post on 02-Jan-2016

Page 1: Government, Cryptography and the Right To Privacy Jenny Shearer and Peter Gutmann Presented by Paul Conti 4/3/00

Government, Cryptography and the Right To Privacy

Jenny Shearer and Peter Gutmann

Presented by

Paul Conti

4/3/00

Presentation Layout

Introduction

The State

Standards Dilemma

The Citizen

The Market

Conclusion

Introduction

Consequences of Government Control

Imbalance of power relationship

Surveillance of citizens

Disruption of int’l commerce because of lack of powerful cryptography and no standardization

Human rights abuses

Limit political potential of I*net politics

Introduction Cont.

The Problem: Public use of free, easy to use, strong cryptography.

Strong cryptography: cryptography which the government cannot break.

Government Reaction: Try to implement more restrictions on cryptography

Key forfeiture, weak encryption

Done with much resistance

Introduction Cont.

Privacy as a right vs. national security

Loss of communications privacy

Monitor dissent

New Zealand

Hard for less democratic countries

Data Security

Cryptography classed as “munitions”

Hardware & software implementations cannot be exported without permission

Central issue: key forfeiture

Covert Regulation

Patent secrecy orders

Cut funding

Discourage standardization

Harassment of encryption providers

Key Forfeiture

Key forfeiture: involuntary relinquishing of keys to trusted agencies

No suitable agency found so far

Terrible track records for government agencies and protection of data

Non-government agencies also flawed

Weak Encryption

Weak encryption: encryption capable of being broken by government

Problem: Other agencies and bad guys can break it too.

Especially applies to banking

Electronic payment systems

Medical and personal data

Political Implications

Why a chaotic international cryptographic situation?

Democracy can’t cope

Citizens have predefined notion of cryptography – leave it to the govt.

Infringement of internet “community” will bring backlash

The State

United States

Cryptography as munitions

Export allowed if encryption is weak or crippled

Netscape

Normally 128-bit session key

Exported with only 40 secret bits, 88 free

Cracked many times

Challenge to policy, denied – national security

The State Cont.

Pro Regulation: France, Russia, Germany

France: Export of cryptography needs approval, foreign companies register keys

Russia: Presidential decree – all cryptography government approved

Use regulation for spying; U.S. has too

Hard to regulate people using other encryption, e.g. PGP

The State Cont.

Anti-encryption regulation: U.K.

Most political parties favor broad use of encryption

Reasons: wrong in principle, unworkable in practice, damaging to long-term economics of information network

Rule #1 for all: Don’t export cryptography to the “bad” countries – Libya, Iraq, etc.

The Standards Dilemma

United States and national interest

Government’s most used reason for regulation

Govt. places national security issues and economic interests before Internet development

Interoperability Issue

Lack of well-recognized international standards including interoperability hinders the use of cryptography

One internationally standard encryption algorithm – DES

Approved with much resistance

NSA – “worst mistake ever”

Interoperability Issue Cont.

Similar problems with Triple-DES

Easily incorporated into a system with DES

Backwards compatible with single DES with an appropriate choice of keys

NSA opposed, agencies weakened

Oppose civilian use, but developed its own encryption for military

Result - still no standards
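
The backward-compatibility point above, as an added example that is not part of the original presentation: Triple-DES run in encrypt-decrypt-encrypt (EDE) order collapses to a single encryption when all three keys are equal, so a legacy single-key device can read its output. A small Feistel cipher built on SHA-256 stands in for DES here (an assumption, since Python's standard library has no DES); the property depends only on the EDE arrangement, and all keys and the message are constructed sample values.

```python
import hashlib

# Stand-in block cipher (assumption: NOT DES). A 16-round Feistel network with
# an 8-byte block, used because the EDE property does not depend on the cipher.
def _f(half, key, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def _feistel(block, key, rounds):
    left, right = block[:4], block[4:]
    for i in rounds:
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(right, key, i)))
    return right + left  # final swap: decryption is the same network, rounds reversed

def encrypt(block, key):
    return _feistel(block, key, range(16))

def decrypt(block, key):
    return _feistel(block, key, reversed(range(16)))

def ede_encrypt(block, k1, k2, k3):
    # Triple encryption as encrypt-decrypt-encrypt.
    return encrypt(decrypt(encrypt(block, k1), k2), k3)

def ede_decrypt(block, k1, k2, k3):
    return decrypt(encrypt(decrypt(block, k3), k2), k1)

def eee_encrypt(block, k1, k2, k3):
    # Naive encrypt-encrypt-encrypt, shown only for contrast.
    return encrypt(encrypt(encrypt(block, k1), k2), k3)

def interop_demo():
    block = b"8bytemsg"                    # constructed 8-byte sample block
    legacy = b"legacy-key"                 # constructed key of a single-key device
    k1, k2, k3 = b"key-one", b"key-two", b"key-three"
    triple = ede_encrypt(block, legacy, legacy, legacy)
    return {
        # With k1 == k2 the middle decrypt undoes the first encrypt.
        "ede_equal_keys_matches_single": triple == encrypt(block, legacy),
        "legacy_device_can_decrypt": decrypt(triple, legacy) == block,
        # EEE with equal keys is three real encryptions: no compatibility.
        "eee_equal_keys_matches_single":
            eee_encrypt(block, legacy, legacy, legacy) == encrypt(block, legacy),
        "three_key_round_trip":
            ede_decrypt(ede_encrypt(block, k1, k2, k3), k1, k2, k3) == block,
        "three_key_differs_from_single":
            ede_encrypt(block, k1, k2, k3) != encrypt(block, k1),
    }

if __name__ == "__main__":
    for name, result in interop_demo().items():
        print(f"{name}: {result}")
```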

Privacy of Voice Comm.

Privacy protection through encryption ignored

Cell phones easily interceptable

Encryption could have saved $1.5 million/day

GSM phones used A5 encryption – altered to suit governments’ needs

Government Covert Action

NSA is a big bully

Discourage research, attempt to block patents, impede symposiums, prevent release of software, issue death threats

Public/media outcries usually stopped them

The Citizen

Electronic Frontier Foundation formed to fight for electronic civil rights

Stress cryptography, quell hacking

Clipper Chip

Uses NSA Skipjack algorithm; used for voice transmissions; Capstone for data

Objection: Key forfeiture system would bring universal surveillance

Other problems: key forfeiture system could be easily bypassed, messages can be forged without encryption key, FBI planned to outlaw all other encryption

Clipper II – “Clipper’s Revenge”

Govt. outlined 10 criteria to allow for exportable encryption

Problem: Clipper II had weak encryption through short keys and key forfeiture

Short key requirement allowed for legal access via escrow agents

Possible to decrypt messages without key

Only compatible with government products

Conducive to U.S. spying on other countries

Cryptography Regulation

Tough for government to justify regulation

“Four Horsemen of the Infocalypse” justification

Actual evidence hard to find

Intelligence agency $28 billion budget, more than housing or education

Can avoid regulation with steganography

The Market

Internet marketplace growing

Secure cryptography needed to protect transactions

Isolationism will cause U.S. to fall behind cryptography of other countries

No standards likely for future

Conclusion

Cryptography slow to advance because of politics mostly.

Government will continue to try to impose regulations, while getting opposition

Internationally, a weapon of e-commerce

Protected heavily by countries

If other countries become too advanced, deregulation will be necessary

Conclusion cont.

Government trade-off between security, civil rights, and economic advantage

Civilian use of strong cryptography will tip the scales of power a little, show social progress.

Research into cryptography should be open and results freely distributable

Did you find the steganography?

Conclusion cont.

Questions/Comments?