Interesting People mailing list archives

IP: Crypto Policy Developments in Canada


From: Dave Farber <farber () cis upenn edu>
Date: Wed, 04 Mar 1998 10:40:38 -0500

From: "Stewart Baker" <sbaker () steptoe com>


I thought your readers would be interested in the attached report (which I sent
to clients last week) about Canada's crypto debate.  I was surprised that the
press, which has given front-page treatment to a variety of nonevents designed
to show that crypto controls are about to expire, completely ignored this
development.  I continue to think that the tech community and tech writers are
misleading themselves by only reading (and writing) stories that announce the
imminent end of all controls on encryption. 


Stewart Baker


From:  Stewart Baker (sbaker () steptoe com)
           Elizabeth Banker (ebanker () steptoe com)


     The Canadian government released a discussion paper yesterday, "A 
     Cryptography Policy Framework for Electronic Commerce," which 
     evidences a surprising willingness to consider domestic regulation of 
     use of encryption and a tightening of export controls.  The report 
     invites public comment on several options. The recommendations on 
     export controls are of concern mainly to companies with 
     Canadian-produced encryption products (especially software), and the 
     recommendations on encryption of transient or communicated data will 
     be of concern mainly to telecommunications companies and to companies 
     acting as certification authorities in Canada.  The options concerning 
     possible mandated recovery of stored data could affect all encryption 
     providers that sell products in Canada.  (This is also the first 
     opportunity offered by a Western government for public comment on the 
     feasibility of mandated key recovery.)
     
     
     Canada, like many other countries, has been prompted to review its 
     encryption policy both by the need for and growing use of strong 
     encryption technology to support personal and business use of 
     electronic communications, as well as the potential frustration of 
     law enforcement and national security objectives resulting from use 
     of such technology.  Thus, the Task Force is reviewing Canada's 
     current policy and seeking to update it.  The new Canadian policy 
     will also have to be aligned with the Wassenaar Arrangement, of 
     which Canada is a member, and the OECD guidelines on cryptography.
     
     The discussion paper proposes a series of options for stored data, 
     real-time communications, and export controls.
     
     Stored Data
     
     The first option for encryption of stored data would involve no change 
     to the current government policy and would allow market forces to 
     dictate the data protection measures that companies and individuals 
     would put in place.  It would be up to individuals and businesses to 
     decide whether to have back-up keys and where to store them.
     
     The second option would mandate a minimum level of security and 
     possibly explicitly require business data recovery.  This option would 
     involve government mandated standards for certification authorities 
     and others offering key management services.  The net result would be 
     a government-sanctioned list of certification authorities offered to 
     the public.
     
     The third option would mandate use of key recovery products that allow 
     law enforcement access to stored data with a court order.  The 
     government would prohibit the manufacture, use or import of non-key 
     recovery products in Canada.
     
     Real-Time Communications
     
     Again, the first option presented would involve no change of the 
     current policy.  Telecommunications providers would continue to be 
     obligated to assist law enforcement in intercepting and decrypting 
     communications, to the extent able, when presented with a court order. 
     However, decryption capabilities are not universal and most carriers 
     are not required to maintain back-up copies of encryption keys.
     
     The second option would require that all carriers that provide 
     encryption service retain the capability to decrypt messages for law 
     enforcement or national security agencies when presented with a court 
     order.
     
     The third option broadens the mandate of the second option to include 
     the requirement that any certification authority providing a key for 
     encrypting real-time communications make that key available when 
     presented with a court order.  Under this option, encryption products 
     could not be used by individuals or by carriers that would not allow 
     law enforcement access.
     
     Export Controls
     
     Relaxation of export controls is the first option presented.  
     Relaxation could either be accomplished by adopting the most liberal 
     export controls currently in use by another country or by considering 
     foreign availability during license review.
     
     The second option is to maintain the existing policy, including the 
     exception for mass market products and public domain software.  Under 
     this option, Canada could continue to be neutral to key recovery 
     products or allow foreign availability to be considered to give key 
     recovery products some preferential treatment.
     
     The third option would tighten export controls by eliminating the 
     exceptions for mass market products and public domain software and by 
     also only allowing export of strong encryption with key recovery 
     features.
     




********************************
See you at INET'98, Geneva 21-24, July 98   <http://www.isoc.org/inet98/>

