Cryptography and Public Policy - PowerPoint PPT Presentation

About This Presentation
Title:

Cryptography and Public Policy

Slides: 28
Provided by: johncmi4
Transcript and Presenter's Notes

1
Cryptography and Public Policy

CS 99
  • John C. Mitchell
  • Stanford University

2
Controversy
  • Can multiplication be a crime?
  • What about exponentiation?

3
Can this really be?
  • Legal
  • Mary had a little lamb.
  • Illegal
  • Ary-may ad-pay an ittle-pay amb-lay.

4
Government interest
  • Cryptography important in war and espionage
  • Army analysts succeeded in breaking the code
    systems used by the Imperial Japanese Army,
    producing intelligence which many believe
    shortened the war in the Pacific.
  • Work begun by the Polish and continued by the
    British decoded German military communications
    encrypted with the Enigma cipher machines. The
    intelligence produced by this effort shortened
    the war in Europe. (Federation of American
    Scientists)
  • Wiretapping traditional in law enforcement

5
Individual and business privacy
  • US
  • No explicit constitutional right to privacy.
  • First Amendment: Freedom of speech.
  • Fourth: Freedom from unreasonable search and
    seizure.
  • Europe
  • Stronger privacy policies and laws
  • Japan
  • Less open use of cryptography

6
Echelon (Wired News Report, 5:20 p.m. 3.Jun.99.PDT)
  • Australia recently became the first nation to
    admit it participates in Echelon, a previously
    secret global surveillance network capable of
    intercepting electronic communications anywhere
    in the world.
  • Echelon is said to be principally operated by the
    United States National Security Agency and its UK
    equivalent, the Government Communication
    Headquarters. In addition to Australia, the
    system relies on cooperation with other
    signals-intelligence agencies in Canada and New
    Zealand.
  • Campbell had been asked to investigate the system
    in the wake of charges made last year in the
    European Parliament that Echelon was being used
    to funnel European government and industry
    secrets into US hands.
  • Read for yourself and form your own opinion.

7
German reaction
  • Germany Endorses Strong Crypto (Wired News Report,
    5:20 p.m. 3.Jun.99.PDT)
  • In an apparent response to corporate spying
    allegedly conducted in Europe by the United
    States, Germany is encouraging citizens and
    businesses to use strong cryptography ...

8
On the other hand (Wired)
  • Japan: More Crime, Less Privacy (3:00 a.m.
    2.Jun.99.PDT)
  • TOKYO -- Privacy issues have taken center stage
    as Japan prepares to enact legislation allowing
    the police to eavesdrop on phone calls, intercept
    fax and computer transmissions, and read email.
  • The draconian measures are ostensibly intended to
    help law enforcement halt premeditated murders,
    trafficking in drugs and guns, and smuggling of
    illegal aliens into Japan.
  • At least that's what a bill cobbled together by
    the country's coalition government says.
  • For more stories, see http://www.privacy.org/

9
Basic conflicts
  • Governments
  • Intelligence and law enforcement interests
  • Individuals
  • Preserve privacy
  • Control access to information
  • Companies
  • Preserve intellectual property, business practices

10
US Policy on Cryptography
  • History
  • Cryptography was province of NSA
  • Government slow to adapt to public use of crypto
  • Examples
  • RSA conference presentation
  • Shamir letter (hand out!)
  • PGP
  • Bernstein Lawsuit

11
Rivest, Shamir, Adleman (1977)
  • Rivest scheduled to present paper at FOCS
  • IEEE received letter from J.A. Meyer
  • Warned that since foreign nationals present,
    violation of US Intl Traffic in Arms Regulation.
  • Science journalist Meyer worked for NSA
  • NSA denied any connection with the letter
  • RSA went ahead with publication, talk
  • subsequent inventors subject to secrecy orders

12
Feige, Fiat and Shamir
  • Israeli authors submitted paper to conference
  • Weizmann Institute filed for US patent
  • US secrecy order, sent to Shamir in Israel
  • If subject matter has been revealed to any
    person, principals must inform that person of
    secrecy order
  • If subject matter disclosed to person in foreign
    country or foreign national, principals must not
    inform that person of secrecy order.
  • Shamir also notes that key ideas were presented
    to 4000 researchers at previous conferences and
    asks anyone with documentation to destroy it!

13
Phil Zimmermann, PGP
  • PGP author hounded by Federal officials
  • 1993: informed that Grand Jury in San Jose
    investigating charges of exporting PGP
  • 1994: on return to US, detained in Customs,
  • luggage searched, interrogated about itinerary,
    public speaking, prior trips -- without counsel
  • Customs Service promised to subject him to the
    same hassle upon every re-entry into the US
  • Investigation dropped in 1996

14
Bernstein Case
  • Daniel J. Bernstein
  • Then Berkeley Ph.D. student in Mathematics
  • Wrote an encryption program
  • Wanted to post on Internet for discussion and
    scrutiny
  • Asked State Department. Reply:
  • need license as arms dealer to post algorithm
  • if he applied for a license, request would be
    denied

15
Bernstein, cont'd
  • EFF-sponsored case
  • Bernstein sued
  • Commerce Department, other agencies
  • Claimed export control laws
  • restrain constitutionally protected speech
  • overly broad to serve protect national security
  • Case was filed in federal district court
  • Following three favorable rulings, the case went
    before the 9th Circuit Court of Appeals on
    December 8, 1997

16
Court rulings
  • Bernstein I, April 15, 1996
  • source code is speech protected by First Amend
  • Bernstein II, December 6, 1996
  • export control laws on encryption are
    unconstitutional prior restraint on speech
  • Bernstein III, August 25, 1997
  • restrictions on publication are unconstitutional
    prior restraint on speech even as written under
    the new Commerce Department regulations

17
Appeals Court (starting Dec, 1997)
  • Determine whether export control laws and
    regulations violate the First Amendment
  • May 6, 1999: District Court upheld 2-1
  • Export restrictions against encryption are an
    unconstitutional prior restraint of free
    expression, impermissible under the First
    Amendment

18
The Wassenaar Arrangement
  • Wassenaar Arrangement signed 1995
  • Involves 33 countries
  • Objective of the Arrangement
  • Prevent accumulation of military capabilities
    that threaten regional and intl security and
    stability
  • Controls export of cryptographic products
  • Classified as dual-use goods having civilian and
    military applications

19
Wassenaar in more detail
  • In July 1996, after two years of negotiations, 33
    countries approved guidelines and procedures for
    the Wassenaar Arrangement on Export Controls for
    Conventional Arms and Dual-Use Goods and
    Technologies.
  • Wassenaar Arrangement members seek to coordinate
    export controls on conventional arms as well as
    "dual-use" advanced materials and technology --
    those that have both military and civilian
    applications.
  • The aim of the group is to prevent advanced arms
    and technology from going to pariah states like
    Iraq, Libya, and North Korea and to regions of
    instability like South Asia.
  • Clinton administration officials have
    characterized it as a work in progress that
    should, over time, become as effective and
    reliable as any of the other non-proliferation
    regimes.

20
Wassenaar continues ...
  • Cryptography experts meeting in Vienna in Sept
    1998
  • Plenary session in Dec 1998
  • Results
  • Additional controls over export of cryptography
    introduced into Wassenaar Arrangement.
  • This has been widely condemned and has led to
    the establishment of cryptography mirror sites
    around the world.
  • In 1999 there is likely to be pressure within
    Wassenaar to control intangible exports.
  • See ACM Computers, Freedom and Privacy

21
Canadian Wassenaar Policy
  • In compliance with the current version of the
    Wassenaar Arrangement, Canadian government
    prohibits export of strong encryption products.
    As a result, Canadian high-tech companies like
    Entrust, Certicom, Timestep, and KyberPASS are
    prevented from selling to foreign customers
    hardware and software products that offer the
    best level of privacy and security.
  • A provision known as the 'General Software Note',
    however, specifies that "public domain" software
    can be freely exported.
  • "Paradoxically, our government enforces a policy
    that says we can't sell the fruit of our labours,
    but on the other hand, we can give it away for
    free."

22
French Policy
  • France has restricted domestic use and supply of
    cryptography
  • authorization and declaration required for almost
    all cryptography
  • Slightly liberalized in 1996
  • law mandating key deposits with Trusted Third
    Parties
  • Domestic use of crypto liberalized in Jan 1999

23
US Export Policy
  • Weak cryptography exportable
  • Strong cryptography not exportable
  • Software havoc
  • Other issues
  • Clipper and key escrow debates, ...
