Interesting People mailing list archives
IP: Crypto Policy Developments in Canada
From: Dave Farber <farber () cis upenn edu>
Date: Wed, 04 Mar 1998 10:40:38 -0500
From: "Stewart Baker" <sbaker () steptoe com>

I thought your readers would be interested in the attached report (which I sent to clients last week) about Canada's crypto debate. I was surprised that the press, which has given front-page treatment to a variety of nonevents designed to show that crypto controls are about to expire, completely ignored this development. I continue to think that the tech community and tech writers are misleading themselves by only reading (and writing) stories that announce the imminent end of all controls on encryption.

Stewart Baker

From: Stewart Baker (sbaker () steptoe com)
Elizabeth Banker (ebanker () steptoe com)

The Canadian government released a discussion paper yesterday, "A Cryptography Policy Framework for Electronic Commerce," which evidences a surprising willingness to consider domestic regulation of use of encryption and a tightening of export controls. The report invites public comment on several options.

The recommendations on export controls are of concern mainly to companies with Canadian-produced encryption products (especially software), and the recommendations on encryption of transient or communicated data will be of concern mainly to telecommunications companies and to companies acting as certification authorities in Canada. The options concerning possible mandated recovery of stored data could affect all encryption providers that sell products in Canada. (This is also the first opportunity offered by a Western government for public comment on the feasibility of mandated key recovery.)

Canada, like many other countries, has been prompted to review its encryption policy both by the need for and growing use of strong encryption technology to support personal and business use of electronic communications, as well as the potential frustration of law enforcement and national security objectives resulting from use of such technology. Thus, the Task Force is reviewing Canada's current policy and seeking to update it.
The new Canadian policy will also have to be aligned with the Wassenaar Arrangement, of which Canada is a member, and the OECD guidelines on cryptography.

The discussion paper proposes a series of options for stored data, real-time communications, and export controls.

Stored Data

The first option for encryption of stored data would involve no change to the current government policy and would allow market forces to dictate the data protection measures that companies and individuals would put in place. It would be up to individuals and businesses to decide whether to have back-up keys and where to store them.

The second option would mandate a minimum level of security and possibly explicitly require business data recovery. This option would involve government mandated standards for certification authorities and others offering key management services. The net result would be a government-sanctioned list of certification authorities offered to the public.

The third option would mandate use of key recovery products that allow law enforcement access to stored data with a court order. The government would prohibit the manufacture, use or import of non-key recovery products in Canada.

Real-Time Communications

Again, the first option presented would involve no change of the current policy. Telecommunications providers would continue to be obligated to assist law enforcement in intercepting and decrypting communications, to the extent able, when presented with a court order. However, decryption capabilities are not universal and most carriers are not required to maintain back-up copies of encryption keys.

The second option would require that all carriers that provide encryption service retain the capability to decrypt messages for law enforcement or national security agencies when presented with a court order.
The third option broadens the mandate of the second option to include the requirement that any certification authority providing a key for encrypting real-time communications make that key available when presented with a court order. Under this option, encryption products could not be used by individuals or by carriers that would not allow law enforcement access.

Export Controls

Relaxation of export controls is the first option presented. Relaxation could either be accomplished by adopting the most liberal export controls currently in use by another country or by considering foreign availability during license review.

The second option is to maintain the existing policy, including the exception for mass market products and public domain software. Under this option, Canada could continue to be neutral to key recovery products or allow foreign availability to be considered to give key recovery products some preferential treatment.

The third option would tighten export controls by eliminating the exceptions for mass market products and public domain software and by also only allowing export of strong encryption with key recovery features.

********************************
See you at INET'98, Geneva 21-24, July 98
<http://www.isoc.org/inet98/>