Privacy Law and Policy Reporter
Roger Clarke
Cryptography is the science of converting messages or data into a different form, such that no-one can read them without having access to a `key'. Cryptology or cryptanalysis is the science of `breaking' or `cracking' encryption schemes, that is, discovering the decryption key. `Crypto' is central to any discussion of security, and hence important to particular aspects of the privacy debate. It is also closely linked to the question of anonymity and pseudonymity (see Clarke 2 PLPR 88).
Some of the most important and potentially valuable applications of the global information infrastructure (GII) depend on various forms of security protections. Readers who are unfamiliar with the underlying concepts will benefit from first reading the accompanying primer on p 24, `Cryptography issues in plain text'.
There has been considerable development in both cryptography and cryptology during the last two decades. There have also been lively discussions about the ways in which the various techniques should be used. On one side are the libertarians, who style themselves `crypto-anarchists', and on the other are the organisations and people that might reasonably be described as `crypto-authoritarian'.
Unfortunately the views of these protagonists are polarised, to the extent that real discussion is seldom engaged. The issues are challenging enough, without the additional confusion that arises from vituperative attacks on one another's motives and values.
The purpose of this paper is to seek a reconciliation of the perspectives. The motivation is to overcome a threat to the development of important services that depend on data transmission security measures, including electronic payments, electronic purchasing and marketing, and electronic communications more generally, while at the same time ensuring protection of personal privacy.
On occasions, this view appears to extend to a presumed right to acquire and decrypt any stored data, and by implication every letter, diary and address-book. In some expressions, such views are qualified by some phrase such as `subject to due process of law'. The clearest exposition of the argument is provided by a senior American academic, Dorothy Denning (see, for example, her article in this issue, p 33).
This perspective is most commonly associated with two classes of organisations. The strongest form of it emanates from national security communities, and especially those of the US. A more moderate form of the argument is expressed by law enforcement agencies.
These communities have been fairly confident of gaining the support of the US Congress for extreme measures: in late 1994 they succeeded in having the Digital Telephony Act passed, requiring all telecommunications operators to adapt their equipment to ensure that the FBI can conduct wiretaps on digital as well as analogue transmissions. For a particularly bitter review of the legislation and its passage, see van Bakel (1996).
Such presumptions are not confined to the US, however. For example, a Ministerial Declaration under the Commonwealth Telecommunications Act 1991 requires all Australian network providers to ensure that they can facilitate interception by designated government agencies. Moreover, the Barrett Report of 1994 recommended further extension of the Commonwealth's ability to intercept communications (see Greenleaf (1994) 1 PLPR 161, and 2 PLPR 172 for subsequent legislation).
Cryptographic techniques threaten the presumed right of security and law enforcement agencies to access any message or data-store. Put briefly, the extreme `crypto-authoritarian' position is that the use of cryptographic techniques should be permitted only if surveillance organisations are capable of decrypting any and every message that is sent from anyone to anyone else, and any and every piece of data that is stored by anyone. The (relatively) moderate `crypto-authoritarian' position is that this should be possible, but generally subject to due process of law, where `generally' means that at least national security agencies need to have a dispensation.
They are therefore opposed to the various schemes put forward by national security and law enforcement lobbies to enable themselves to gain access to any transmitted or stored data. Their point of view is expressed in various forums, including May (1988 and 1995), and the Cypherpunks archive.
The crypto-anarchists' position is in part normative, that is, `government should butt out', and not impose constraints of any kind on behaviour in cyberspace. This stance is based in part on the belief that the state, governments, individual government agencies, and their staff and contractors, are no more trustworthy than anyone else.
Beyond questions of political philosophy, the crypto-anarchists' position is also future-descriptive, that is, `it's inevitable that governments will be unable to control behaviour on the net'. They assert that `strong' cryptography will be publicly available, irrespective of the efforts of the `crypto-authoritarian' community.
The public domain product Pretty Good Privacy (PGP) has made `strong' cryptographic techniques available worldwide. There are also many ways in which strict controls can be circumvented, for example by using services which operate beyond the reach of the particular legal jurisdiction (as anonymous remailers do now), or by the sender encrypting the message using a strong encryption technique, before encrypting it again with a state-approved (and therefore nominally `crackable') method.
Crypto-anarchists therefore consider that regulation is futile, and will merely make the process of electronic communications unnecessarily inefficient.
Beyond political philosophy and hard-headed practicality is a third element of crypto-anarchist concern: in their attempts to impose their views on society, both national security and law enforcement communities are prepared to use seriously repressive measures. An example of this is the campaign waged by US law enforcement agencies against PGP's originator, Phil Zimmermann, during 1993-96.
For reviews of the battleground, and of some of the personalities involved, see Levy (1995) and Lewis (1995).
Another approach is the restriction of `strong' encryption mechanisms to approved organisations, and the limitation of other organisations and people generally to `weak' encryption schemes. In this context, a `weak' scheme is one which the NSA is confident it can crack in a reasonable time. At present, this is thought to correspond to symmetric keys up to about 40-56 bits in length, and up to somewhere below 1028-bits in the case of asymmetric keys. (The `crackable' key-length is increasing with the growth in computing power -- although ever more slowly, and with the occasional breakthroughs in cryptology techniques. Weaknesses in implementation can also create opportunities for `crypto-crackers'. For a review of recent cracking activities, see Levy (1996)).
A third alternative is for all organisations and individuals to be required to use keys generated by an approved authority, and/or to escrow their private keys with such an organisation. The strongest form of this sees only one, or a very small number of such agents per country, each of them a government agency.
The US Administration bans the export of devices incorporating strong cryptographic methods which can be used to encrypt data. To do so, it has deemed such things to be armaments for the purposes of the International Traffic in Arms Regulations (ITAR). It has also prevented export of a diskette containing the algorithms, even though they are expressed in books that are routinely exported (Karn 1996). As a further link in this chain of control, it is also seeking to criminalise the use of strong encryption techniques unless the private key is escrowed.
The US is not alone in seeking to impose such restrictions; for example, France, The Netherlands and Russia have also attempted to ban the private use of strong encryption, also with limited success.
From the crypto-anarchist perspective, on the other hand, there should be no limitations on what encryption schemes can be used by citizens and corporations, and no compulsory escrow of private keys. Individuals and organisations should be free to place their private keys in escrow or not, in whatever manner and with whomever they see fit.
They argue that this is not merely a civil libertarian need: they reason that it is not in the interests of corporations to use weak encryption, because it exposes them to the risk of industrial espionage, forgery and financial fraud.
It is in everyone's interests for the temperature of the exchanges to be lowered, and dialogue to be engaged in. This requires the following:
This author is not qualified to debate the appropriateness of intermediate solutions, and this paper is not the place to attempt it; but some of the approaches that appear worthy of consideration are:
Sources of information which reflect such middle positions include EPIC, a public interest advocacy organisation, Carl Ellison (1995), some elements of Denning (1996), and the Standards Australia Draft Standard noted elsewhere in this issue (SA 1996).
In Australia, developments in relation to PKAF are in train, in the context of a Committee of Standards Australia. This includes representatives of industry and government, with considerable interest being shown by the Security Division of the Commonwealth Attorney-General's Department.
It is not clear to what extent the broader public interest will be represented in the Committee and in standards development. Given the importance of these developments to the emergent global and national information infrastructure, and to the economy and society that the GII is spawning, the limited role of public advocates' voices is disturbing and dysfunctional.
Roger Clarke, © Xamax Consultancy Pty Ltd, 1996
This paper has benefited from many sources, and the comments of quite a few informal reviewers. Remaining technical errors, misleading expressions and evaluative comments are mine alone; indeed, some of the reviewers are likely to still be in serious disa
This paper is available at http://www.anu.edu.au/people/Roger.Clarke/11/cryptoconf.html.
Carter (1995) `public/private keys and digital signatures -- universal security solutions for EDI and electronic commerce' Australasian EDI Report 3,3 (September 1995).
Clarke (1995) `Transaction Anonymity and Pseudonymity' 2 PLPR 88-90.
CDT (1995), at http://www.cdt.org/crypto/
Cypherpunks archive, at: ftp://soda.berkeley.edu/pub/cypherpunks/Home.html, with recent issues mirrored at http://infinity.nus.sg/cypherpunks/
Denning (1995) `Key escrow encryption: the third paradigm' Computer Security J. (Summer 1995).
Denning D.E. (1996) `The future of cryptography' Proc. Joint Australian/OECD Conf. on Security, Privacy and Intellectual Property in the Global Information Infrastructure, Canberra, 7-8 February 1996, at: http://www.cosc.georgetown.edu/~denning/crypto/Future.html
(Denning states that her personal position is moderate. However the expression in her papers leads many observers to interpret her as a spokesperson for the US national security interest, for example `key escrow ... would assure no individual absolute privacy' (1996, p 1), her belief that `weak encryption' is sufficient for most people (pp 6-7), and her support for licensing of encryption products only if they enable government to decrypt messages (p 7). On the other hand, and in common with crypto-anarchists, Denning explicitly contemplates a grey or even black market for unlicensed cryptographic products and key escrow schemes (p 8)).
EFF (1995), at http://eff.org/pub/Privacy/
EPIC (1995) `Cryptography policy sources', at: http://www.epic.org/crypto/
Ellison (1995), at http://www.clark.net/pub/cme/html/in-out.html
Garfinkel (1995) `PGP: Pretty Good Privacy' O'Reilly & Associates, 1995.
Greenleaf (1994) `The Barrett Review: a blueprint for expanding Australian telecommunications interception' 1 PLPR 161.
IBAG (1995) `Commercial use of cryptography', statement by the INFOSEC Business Advisory Group (IBAG), at: http://guru.cosc.georgetown.edu/~denning/crypto/IBAG.txt
Karn (1996) `Karn v US Department of State -- The Applied Cryptography Case', at: http://www.qualcomm.com/ people/pkarn/export/index.html
Levy (1995) `Crypto-Rebels' Hot-Wired Electronic Magazine, at http://www.hotwired.com/wired/1.2/features/crypto.rebels.html
Levy (1996) `Wisecrackers' Wired 4.03 (March 1996) 128-34, 196-202, at http://www.wired.com/4.30/netbreak
Lewis (1995) `The NIST Conference', On The Net Column, New York Times, Mon, September 11 1995, and at: http://www.cdt.org/crypto/plewis.html
May (1988) `The crypto anarchist manifesto', original version at: gopher://locust.cic.net/00/Politics/Extropy.Institute/may.122892.gz, and revised version of 22 Nov 1992, at: http://www.isse.gmu.edu/~pfarrell/crypto.manifesto.html
May (1995) `Crypto-anarchy and virtual communities' various versions, including Internet Security (April 1995) 4-12, and at http://www.c2.org/~arkuat/consent/Anarchy.html
Orlowski (1995) `Security imperatives -- the Australian context' IBC Security Conference, Sydney, November 1995, at http://www.anu.edu.au/people/Roger.Clarke/II/Orlowski3.html#pka
SA (1996) `Strategies for the implementation of a public key authentication framework in Australia' Standards Australia, DR96078, April 1996.
Schneier (1996) `Applied cryptography' Wiley, 2nd Ed., 1996.
SET (1996) `Secure electronic transactions specification', February 1996, at MasterCard and Visa.
van Bakel (1996) `How good people helped make a bad law' Wired 4.02 (February 1996) 133-35, 181-86, at http://www.hotwired.com/wired/4.02/features/digitel.html
`Crypto-anarchists' use the term `crypto-fascist' to refer to people holding the diametrically opposed view to themselves. At least some of the people concerned are appalled by that term. Moreover, it has been used in other contexts in a somewhat different sense (meaning a hidden or surreptitious fascist). At the suggestion of the Editor, I've instead used the descriptive but less aggressive term `crypto-authoritarian'.