8 April 1998:
Location of Roundtable: Entrust Technologies, Inc., Ottawa. Moderator: Alan Pickering, the former director-general of the Communications Security Establishment -- Ottawa Citizen, April 8, 1998
7 April 1998
Source: Forward by mctaylor of transcription by Carrie Bendzsa <Carrie.Bendzsa@entrust.com>
March 31, 1998
Al Pickering: I think it's an important subject we will be discussing and input from a variety of sources is certainly going to be valuable, I believe. ...then we'll see if there will be some consensus on recommendations that may be made to the government.
Trying to set the stage, you've all read the paper ... Canada's been a leader in communications industry for years, as we all know. It's interesting to note that the information and communications technologies grew six times faster than the Canadian economy during the 1990's. Tremendous growth. From what's happened more recently as electronic commerce is taking over and it's had tremendous growth over the last few years and appears to be the wave of the future. And mainly because people are finally recognizing that this is a better way to do business, whether it's the government trying to deliver a better way to service its citizens, how companies operate internally or with their other partners, clients or customers, financial dealings between banks -- certainly they are leaders in using cryptography and e-commerce approach to try and make their services better to their clients and also moving trillions of dollars round the world every day. Sales and services have been a system EDI started where GM said to their suppliers "if you want to deal with us, this is the system you will use and this is the cryptography you will use and if you want to follow those rules we can operate". But they set the rules and those who dealt with GM had to follow them.
Internet: some are concerned about passing their credit card across the Internet. Could it be intercepted and abused by others?
E-mail: Has grown phenomenally. People would like to have their mail private as much as possible. Right now with paper mail you seal your letter in an envelope and there is the assumption of privacy until it reaches the recipient. People would like to have that same assumption of privacy when they are passing e-mail back and forth.
Global economy: Canada's always been a trading country, that's how we've existed, but it's even more so now where a lot of companies are trying to export -- lot of information flowing back and forth throughout this global economy.
But the key to making all this work is confidence of the users in the system. Confidence in the integrity of the system. Is the information that I am providing to it or receiving from it accurate? Is it coming from the source I anticipated it to come from? Has it been changed en route? Do I have confidence in the system?
Well, certainly, citizens have indicated from the banking point of view with ATM's that they have confidence in that and they can use a card and a PIN and do their banking ... that confidence has been built up over the years. In electronic commerce, that sort of confidence has to be built. But it's based on good cryptography ... that's what will provide the trust and the confidence.
Strong crypto is required to make sure that confidence is there. If you have weak crypto and it's easily broken or compromised, people will lose confidence in the system and to try and regain that confidence is an extremely difficult task.
Now it's a government of Canada objective that Canada will be a world leader in electronic commerce by the Year 2000. This has been stated in the throne speech of September of last year. And to achieve this we must expand the use of electronic commerce internally within Canada as well as globally. And therefore we must have global market access. And Canada has a desire to be recognized as best in class in the electronic commerce world. Companies around this table have gone a long way in making that happen already. Now in the 23rd of Feb, 1998, Industry Canada released this document, "The Cryptographic Framework for Electronic Commerce," building Canada's information economy and society. I'm not so sure I would call it a framework because in fact, instead of setting out a framework it set out a number of possible options in certain critical areas that the government is trying to make decisions. Provided some interesting background and some of the arguments on the plus and minus side of the various options.
The government is really concerned about how to best balance the consumer, business, law enforcement national security interests How do you do that? Over the years, from a control point of view COCOM, within NATO, operated in trying to control the export of particular technologies to areas of the world and countries of the world which were deemed to be not friendly.
Now we have the Wassenaar agreement, where again countries agreed ... certain info and certain technologies should not appear in certain countries.
And therefore it's a difficult task. One position would be, no controls, let everything go but on the other side how does that affect the national security interests of a country?. And so the government is interested in the views of Canadians about how to address these often conflicting concerns and therefore they've asked for public discussion and they want submissions by the 21st of April 1998.
The reason for this is to try and get some input from the various companies and organizations to see what their view is on how the government should address these options. And there are three topics where the government particularly asked for input:
And then in the framework they also asked some other questions:
You can see that it's not an easy black and white issue...things are seldom
that easy in the real world. So we're gathered here to obtain some of your
views. The objective will be to gather some notes, see if we have some consensus
and ultimately to provide your views back to the government.
Brian O'Higgins: Executive VP and CTO, Entrust Technologies: I'd just offer the summary of our comments is that we believe the export controls should be eliminated. We believe there should not be any mandated key escrow or key recovery that would give the government automatic access to keys. We understand that law enforcement definitely has an issue if all communication is encrypted, it gets in the way of doing intercepts and so on, but we believe that 90 percent of law enforcement requirements will be met with commercial products. Of course, If anyone encrypts data and they are keeping that data around, they will keep a backup of the encryption key. It's just common sense, you can't afford to lose a password or lose an encryption key and lose data forever. So absolutely, if it's important and you store it, you keep a backup of the key. That's not true for data which we call Data on the Move or Data in Transit. There is no reason to keep a backup of encryption keys because that is just covering the communication from one server to another server, for example.. If the info is important well then you would store it on the server and if it's stored and encrypted you would keep a backup of the key.
So, commercially it's important to understand the distinctions of data on the move and data in storage. Commercially if you encrypt data in storage, of course you keep a backup of the key and if law enforcement wants to intercept, they would simply show up on the door of your company and say "Here I am, here's my credentials, I'm from law enforcement and I would like the key for this file and if you are a law-abiding company you give them the key the same way you would give them any other information. So that's a very normal event. If law enforcement again, they won't be able to get keys from information (data) that's on the move but if the info was valuable it will be stored at the other end and they could simply go in and get the information when it's on the clear side.
That's the first sort of level, when you talk about recovering keys commercially if you encrypt data for storage, absolutely, you keep the key and if law enforcement wants it they could obtain the key.
There is a notion which originates out of the US that talks about mandating key recovery so it would force any type of encryption to have an encryption key which is held by a ... let's call it a trusted third party. And this does not make sense commercially because commercially, remember, we're still going to keep a backup of the key and if someone comes in and wants it you give them the key. There is no reason to have a third party hold keys for you because you have to deal with all of these third party arrangements and it's very difficult.
So any form of requiring third parties to hold keys, we would call that another form of key escrow and you build systems which are just wired in for government access which become very expensive and unwieldy.
Chart -- key recovery.
If you could imagine ... law enforcement ... what they would like is access to encrypted data, any time anywhere in the world. So effectively they have a copy of everyone's encryption key nicely available to them, they could just go in and get it. So that would be their ideal. And on the other end of the spectrum are freeware products that sit on the Internet. One example is PGP, Pretty Good Privacy, it will encrypt data and there is no keys stored. So, for the law enforcement view: if products like PGP were around everywhere that would really create a problem for them -- but it's zero cost to build any special key recovery concessions into that product.
What will happen? Commercial cryptographic products will start to emerge, Entrust is a very good example, where encrypting data for storage, key recovery is built right into the product. And again, if law enforcement needs to get access to the keys, they would simply knock on the door of the company and we will give it to them. It may be that you can even automate law enforcement access to these keys by in a special investigation giving them an administrative port so they could get a key automatically when they want. And we believe that this meets say, 90 percent of all the law enforcement requirements. And it will happen automatically, at no extra cost because it's just a normal commercial way of behavior. If you require your encryption keys to be held by this trusted third party, well that's a big expense to a company--it makes no sense to give a copy of all your trusted keys to someone else. But that can be done.
Again a great expense and a lot of third party relationships need to be cut on that one. And this is talking about key recovery for information that is stored because you do keep backup keys...and information that's in transit is not key recovery encryption, if you want to make that information in transit key recovery, that's very, very difficult because we have to change protocols. Standard protocols that are called SSL and IPSEC will have to be changed. But supposing they are changed, and they have a way of putting keys in it. That can be done, but the gain to law enforcement is very, very little.
On this chart, remember, law enforcement, the ideal view is that they have access to keys for all communication but you have to remember that a certain amount...I mean...who are they after anyway? Bad guys. But some of the bad guys are going to be smart crooks that plain won't use key recovery crypto so we're never going to get some percentage of the bad guys. We're only going to get the dumb bad guys. And so, when we argue about putting expensive key recovery structures in it's only going to capture say 3-4 percent of the population out there. Some very, very small number.
So the summary of all this is: We believe commercial practices will meet
the bulk of law enforcement requirements. The government will not have to
mandate anything strange. It will just happen automatically at no extra cost
and we can never have a system that meets all of law enforcement requirements.
And if we try to put very complicated infrastructures in between they are
going to be easy to defeat and you are only going to capture the dumb crooks.
So, we believe in removing export controls so strong encryption can be developed
and it can be shipped worldwide. And it really will not impair a lot of law
enforcement activity because if you need data for storage you KEEP your keys
and if someone needs access to the keys and they are qualified to get it
you can give it to them.
Phil Deck: CEO Certicom Corporation: A couple points I would make.
I think that what Brian said makes a lot of sense. I do think that you could easily afford to have a government mandate that says companies do have to take steps to make information available. I don't think that's terribly different from what Brian said but I would agree that you shouldn't have some system that the government puts in place to actually tell companies how they will make information available should that request ever come through a warrant. What I think is important to understand is that the way that cryptography or information should or may be regulated in Canada is completely separate from the way Canadian companies have to go out and sell their products around the world.
And we should remember that if we are going to have a Canadian cryptography industry, 95 percent of our product sales will come outside of Canada so what Canada decides to do domestically should have very little to do with how we build and market our products and we can't build our products in a way that is just for Canada, that's just not the way the information security industry works. So when people talk about things like key recovery that can be applied to our domestic situation that may be applied to the way people use cryptography and certainly using products that have those features in it is a good way to meet those requirements should they exist.
But when we regulate, or whether we regulate encryption for export, that's
totally different. I don't believe there's any way that key recovery or key
escrow can work from an export point of view. Certainly no one's going to
buy products that the Canadian government has control over the keys and it's
useless to put those features in if the foreign companies have those key
escrow capabilities themselves. So export, I don't think has any business
having key escrow or key recovery as part of the policy and I think we have
a very serious issue as to whether we can compete from an export basis if
we have export measures that are more strict than other countries have. I
think as well that we have to recognize in this that the US is the big issue.
That we may not like or agree with some of the policies that happen in the
US but we do have to have a relationship with the US and we have to make
sure that our border between Canada and the US remains open for cryptography
products because for all of us that's our biggest market. And I think we
should try and approach the policy in a way to liberalize it to the maximum
extent without incurring the serious wrath of the US whether we agree with
those policies or not. And certainly I think that means at a minimum not
ever having the situation where a Canadian company has a more stringent
regulation over export than one of our US competitors or around the world
in other developed countries. So that's certainly something that we run into
fairly regularly and is a serious impediment to doing business. So if we
can liberalize it to the extent possible without retaliation if you'd like
from the US, then I think that's in our interest.
Ron Walker: KyberPASS Corporation: KyberPASS is in the VPN software technology field and we are exclusively dealing with real-time data transmission encryption and that's the perspective I'm coming from. WE believe the big issue right now for a start up company in a new field with a new product is that we are basically starving to death waiting, not just for the government to make up it's mind, but for us all to understand how we are actually going to export this technology.
We're forced into uncertainty when we are dealing with new opportunities to sell the product to a customer. My resellers in ASIA and Europe, we think we understand the policy, and so we explain that policy to our potential customers and then we go through a process of getting approval to actually getting it shipped. We haven't done it cleanly yet I have to admit. Now we are shipping new product so we are new to the game. But the delays are promised to be something like five days for a standard crypto product and it turns into two months and meanwhile the leads disappear. So our main concern is that it's clarified, it's simplified, we know what it is and we can live with it one way or the other. I agree with the other two speakers about it would be great if there were no controls. I don't expect that's going to happen.
The other thing is, we're really selling to a commercial grade customer. 56-bit DES solves their requirement nine times out of ten or they are not going to buy the product. That's what we're trying to sell. So the issue of multinationals who have offices outside of NA comes up, some of them are dealing with it by keeping their CA's in NA. Others simply walk away for awhile because they are not sure what they are going to do. So those that have made a PKI decision usually have solved that problem, figured it out and are willing to move forward, but we've seen lots of things just dry up on that question alone.
They don't know and we don't really know for sure what's going to be approved after June so it's tough to be new in this business when you're not really sure what the rules are going to be three months from now.
This issue of 56-bit DES -- we would really like to see a blanket permit on behalf of Canadian manufacturers. One that is defined, made available, whether it's under the guise of mass market software or whether it's under the guise of public domain software. Or another one which is simply: we're going to give Canadian manufacturers of crypto products blanket export approval. Then we have a level playing field. Right now a month's delay in getting approval can be the difference in winning or losing a bid. That is an issue, especially when you have any kind of bureaucracy involved with the approval process. I think that's exacerbated with the terminology I read in the document about white lists, for example. White lists smell of certification approval and that simply adds, costs, delay and uncertainty to the marketplace let alone to the actual companies who are trying to get that certification. It also introduces unfair access in a sense that larger companies can in fact afford, better than smaller companies a bureaucratic delay. Therefore, you just see a greater and greater gulf between your ability to compete.
The issue of key recovery techniques is a non-issue. We just won't sell it
if it's there. So if that becomes imposed as an export requirement, certainly
we'll probably see some sales but nothing like we could in terms of the export
of Canadian technology. I read the introduction of this document as really
the intention is as well is to expand our lead in this field. I think we
should continue to do this as well but we can't do it if we impose those
types of controls.
Al Pickering: Comments on Ron's statements?:
Brian O'Higgins: Yes, I wanted to clarify a couple of things
that Ron said. I wanted to emphasize that the Canadian government tries very
hard to work with industry to eliminate delays -- export delays and so on.
Occasionally there's a rough spot if a new question comes up that is maybe
not covered by current policy. Then a delay occurs. A delay to a small company
is death. You just can't hang on. You'd like to know the answer yes or no
so you can get on with life and chase your ideals. But we've found the Canadian
government very responsive and very willing to help and work with industry.
I think a lot of the discussion today, certainly shouldn't appear to be
government bashing. This is all about shaping a new policy. I think Canadian
industry enjoys a very good relationship with government -- it's there to
help, versus the United States where it's very adversarial with industry
and the export authority. So we are working from a good base.
Phil Deck: I would echo that as well. The Canadian government
works very hard to try and deal with these issues but the policy right now
is pretty subjective. And there are a lot of different issues that have to
be taken into account and so it is hard to get a fast response. And in reading
this document which I thought was interesting...I think I know something
about export control but there were a lot of things in here about our current
policy that are news to me. And a lot of things that I don't think in fact
are the real policy and I think that the problem is that it is subjective
and the policy isn't clear enough for people to get quick answers on and
get decisions on and I imagine that there's a lot of things that have to
be juggled in granting an export permit right now and I think those things
have to be clarified so it can move a lot faster. So certainly the intent
to help I think is amazing here in Canada and it's a lot better here than
it is in other countries. But the standard itself and the regulations themselves
are pretty subjective right now.
Tim Hember: TimeStep: Again. I echo what Brian says. I think the policy as it sits today is very well defined and the problems that ... any issues that we have had are actually outside of the domain of the existing policy in the areas of stronger strength encryption and such and that's what this policy re-definition is all about.
I also echo the fact that actually the government has been quite responsive
actually as far as working with us quite willingly to help us grow our business.
Half our business is international and it's growing rapidly and I've found
that the CSE and foreign affairs have worked well in conjunction with us
to promote our business. I'm very encouraged by the fact that they've opened
this up for a policy debate.
Ron Walker: I'd just like to emphasize my point by repeating it. The policy does exist and my point was that the fact that there is a process you have to go through and the policy if you read it specifically appears to be quite clear but there is an awful lot of subjectiveness in how long it's going to take to get an approval and your ability to operate in the field, especially if you are a small company, and I think it's important to encourage small companies as well as large companies, it does delay, the delays exist, we experience them. And even if I knew it was always going to be four weeks, that would be ok. I just don't ever know. And my customers often need to know much sooner than that. And certainly one, a deadline. And what I end up doing is explaining -- well, I'm still waiting for an approval. And they aren't sure whether that is in fact true or whether I'm delaying waiting for a new version of my product. I mean, who knows what they are thinking. So I'm not necessarily bashing the government. They do in fact work hard and they've always been very helpful. But the policy exists.
What I'm concerned about is if the policy becomes much stricter or more
cumbersome, with different types of lists of certifications as are implied
in some of the more extreme cases of the options in this paper that that
will exacerbate the problem and not simplify it.
Al Pickering: It's interesting while, how long it takes to get export approval is not part of the policy discussion here, when you talked about wanting to have a defined time to get an answer a lot of heads were going up and down around the table. So it's obviously a concern and incumbent upon the government to see what they can do to speed up the process or at least try to provide some defined time of when you can get an answer.
David Jones: President, Electronic Frontier Canada: Electronic
Frontier Canada is a federally incorporated non-profit corporation. We were
invited last summer to make a submission to industry Canada. (see copy of
brief -- August, 1997). I agree with the majority of the points that Brian
O'Higgins raised. We are firmly opposed to any policy or legislation that
would limit or prohibit the manufacture, import, export or use of strong
encryption for either stored data or real time communications. It's our opinion
that the most stringent policy options outlined in this framework document
would be unconstitutional, harmful to Canadian society, detrimental to the
Canadian economy, and in the end simply unenforcable. We know for example,
that there is widespread availability of strong encryption software products
and algorithms widely published so that strong encryption is widely available.
A lot of the proposed restrictions on cryptography are based on the largely
speculative and somewhat imaginative risk of international terrorists and
organized criminals using cryptography to communicate in secret. Rather the
greater risk to Canada is if we force Canadians, Canadian companies and
government departments to rely upon weak encryption, it puts us all at
unreasonable risk. And I think that the issue that just arose within the
past 10 days -- it was a Professor at MIT who published a paper "Winnowing
and Chaffing" he outlines a method for effectively communicating in secret
where if your data is transmitted in the clear it's just intermingled with
random data in such a way that someone eavesdropping has difficulty recovering
your message. But since the message is in the clear it may manage to go around
restrictions on the use of encryption products. That's a summary of EFC's
position, I'll pass the mike to someone else.
Lynn Anderson: Enterprise Marketing Manager, Hewlett Packard Canada: Before beginning, I would like to take a moment to acknowledge and thank Entrust Technologies for arranging today's event. I would also like to recognize the authors of the policy framework for electronic commerce in preparing a thoughtful, well-written description of the key issues affecting encryption policies. And finally, I would also like to congratulate the Canadian government for the creation of a procedure that actively seeks private sector input. It is precisely these kinds of initiatives that will enable all of the concerned constituencies to reach a satisfactory solution to this extremely complex issue.
Today, I would like first to discuss HP's views regarding encryption policy in general, then address the specifics of the policy options outlined in the paper.
HP has played an active role in the debates regarding encryption policy around the world. Several themes or principles have influenced our statements in this regard; they are as follows:
First, Encryption is a critical enabling technology for e-commerce. We have reached the point in the commercial demand for encryption where continued delay in resolving the policy issues, is becoming a serious impediment to its deployment.
Next, HP supports policies that achieve an appropriate balance among the competing interests at stake. For example, privacy, security, industrial competitiveness, public safety, and national security. Where possible, the policy should depend on market drivers to facilitate the inclusion of law enforcement access mechanisms. As a practical matter, the cost of such features will be manageable if law enforcement finds ways to draw on features that exist solely by the virtue of market demand.
Furthermore, regulations should be kept to an absolute minimum. Regulations and bureaucratic processes inject delays and uncertainty, that can be incompatible with commercial effectiveness. In addition, any regulations must be technology neutral. Industry should have the flexibility to design features addressing access needs that are, in their judgement, appropriate from both a commercial and security perspective, as long as the result is a product that meets law enforcement access needs.
A related point is that the policy discussion should not focus on key recovery as the objective. Certainly, we recognize that there is market interest in applying key recovery to stored data applications. But key recovery is not the only, or best solution, for all situations. Thus, the government's focus should be on access to plaintext or, put another way, plaintext recovery.
With all this in mind, government expectations should also be reasonable. For situations in which key recovery is not a commercially viable solution, time is needed to research and develop alternatives. Moreover, regardless of the technological approach taken, there must be grand-fathering to permit interoperability among new products that are plaintext accessible and old products that are not. Users should not have to discard their investments in security. Instead they, should be able to sensibly migrate to the new technology.
Now lets look at export control relief.
Meaningful export control relief is required now. The widespread availability of encryption products, as well as the technical wherewithal to create new ones, suggests the effectiveness of controls is greatly diminished. Continuing the controls as they are, may damage Canadian industry's competitiveness.
At the very least, the exception provided for exports of mass market software with encryption must be broadened to cover mass market hardware products. The current rules provide an unfair market advantage to software publishers.
Let me take a moment and present HP's General Position on the Government Cryptography Policy.
HP will actively work with the Canadian government as well as other governments to resolve cryptography policy issues and achieve near-term policy liberalization, as well as long-term relief.
As part of this, HP recognizes the legitimate national security and law enforcement concerns. We are willing to support commercially viable products that address these concerns. And HP is committed to meeting the diverse security needs of our customers by offering a range of security solutions.
Because we expect that the private sector will need to operate in a changing policy environment we have announced a unique hardware based technology known as VerSecure. It is an international cryptography framework which enables 128-bit and triple DES encryption availability to users running computer applications. This month, HP received approval from the US government to export VerSecure.
VerSecure demonstrates that through technology innovation, compromise between government and commercial interests on cryptography policy can be achieved. VerSecure provides the ability to deliver robust encryption to customers in a world-wide market, limited only by the local country's cryptography policy.
Therefore, as government policies change, VerSecure can ensure that customers will continue to use cryptography in a manner consistent with local law. In the meantime, governments are assured that as these policies change, the commercial security infrastructure can respond to it.
With these general themes as background, let me now turn to the specifics of the policy options.
As you might expect, we favor the market driven approach. In the stored data context, consumers' self-interest will likely lead to the use of products that are recoverable. Therefore, it would be a more cost effective way to satisfy law enforcement's access needs. It is our experience that consumers are skilled at making effective choices.
The concern that some users will not back-up their data should not be a basis to dismiss the market-driven approach. To find a truly compromised policy, both sides of the debate must acknowledge that certain expectations must be lowered. Specifically, seeking guarantees of 100% participation in any market driven solution is not realistic. To the extent that data back-up makes good business sense, law enforcement can take advantage of this practice.
The discussion regarding minimal standards is unclear. It does not specify if those standards must be used and, if so, by whom. In any event, this approach suggests the government will not only tell users that their encryption must be accessible, but also will tell industry how to make access possible. We believe industry should have the flexibility to determine how best to satisfy the access requirement. This is the only way to ensure the results are commercially viable.
The mandatory access option is not preferred in this context as market forces will more likely suffice. This option should be written to be technology neutral.
Let's turn next to Communications Encryption.
We would suggest no changes in the current legal or policy regime are required in this context. For most communications systems today, encryption is only used to secure transmissions over the air. Once in the PSN, the transmissions are decrypted. So long as this remains true, no changes are required. This is an example where the use of encryption does not necessarily mean law enforcement access is blocked.
If more restrictive laws are chosen, they must be written to apply evenly across all affected industries and should not specify any particular technological approach. Again, industry must have the flexibility to meet the requirements with commercially viable technology that satisfies all operational efficiency and security concerns.
And now HP's thoughts on Export Controls
We support the relaxation of export controls but question the utility of the two approaches suggested in the paper. They are mirroring other less-controlling regimes or responding to foreign availability. It has been our experience that export control regimes are written to provide the implementing government flexibility in their approach. Thus, copying another country may not result in the comparable application of the other government's decision criteria.
Foreign availability would be useful under only one circumstance: Where assurances are made that liberalization will occur upon showing advertised products, that offer equal or more robust encryption. Otherwise, we end up with endless debates about what is "available" and whether the foreign product is all it is advertised to be. We must deal with market perceptions. Even if the foreign product is not as good or robust as advertised, these products still directly compete with our export controlled products.
For these reasons, and in recognition of the fact that neither Canada nor like-minded governments can prevent or control widely available encryption through export controls, we make the following 5 recommendations:
In order to accelerate the roll-out of the necessary infrastructure, we would like the government to adopt legislation clarifying the legal status and liability rules attending the use of digital signatures. And finally, we encourage government use of digital signatures and encryption.
Ron Koblovsky: VP Marketing, Milkyway Networks: Before I get started I just wanted to comment on something that Brian said earlier that the intention here is not government bashing and we too over the years have found the cooperation within the government exceptional. The issue is not the level of cooperation within the existing policy but rather the policy is flawed and needs to be changed.
Each of us here is motivated by the opportunity to share in a piece of the information security pie that by all accounts will be very large. The issue is not whether or when the market opportunities will emerge but will Canadian companies like MilkyWay be allowed to emerge on the world stage and reap the benefits of the emerging market opportunities.
Canada holds a unique position in world markets. We are respected for our technological innovation and leadership particularly in hi tech and specifically in the area of communications. The pioneer work in the industry by companies such as BNR, Northern Telecom, Mitel and Newbridge speaks for itself. Today, Canadian companies are well represented in the information security marketplace: A sampling includes companies like Entrust, Excert, Secure Networks, Chrysalis, Certicom, TimeStep, Isolation Systems, KyberPASS, Advanced Encryption Technologies and of course, MilkyWay just to name a handful. We have very fertile ground in Canada for this kind of technology.
I've always believed that Canadian companies have a foot up on the competition in certain geographic markets Because of our history, background and unique Canadian perspective, we are well received and respected in the world markets, particularly in the US and Europe.
I'm not here to debate the need for governments to have access to information for the stated purpose of law enforcement and national security. The topic by its nature and the implications that it raises is very controversial and will not be solved here or in the near future.
My plea in response to the government request for feedback is "Give us a level playing field on which to compete." It sounds simple but it's much more complicated than that. Any degree of regulation that impedes the free flow of products and services across borders will impact on the opportunity for Canadian companies and will limit our ability to compete and succeed in global markets.
During a recent overseas visit, the executives of major corporations said, if we can't get strong encryption though you we'll get it somewhere else. As the cryptographic policy framework document emphasizes, design and manufacturing capabilities are emerging in many nations. Existing government policy is inconsistent, complicated and open to interpretation. Despite good intentions, the result is often a time consuming and barrier-ridden bureaucracy. AS a result we have found ourselves in competitive situations where time is of the essence and our inability to respond quickly puts us at a competitive disadvantage. There are no restrictions on the export of any strength mass market or public domain software for encryption. There are no restrictions on the import for internal use of cryptography. There are no restrictions for exporting strong encryption to the US but there is to Europe. We allow the export of 56-bit albeit temporarily. In the US, companies like Network Associates through a Netherlands subsidiary have found ways to get around the export issue. Sun Microsystems tried something similar with a Russian company. My point is that in the absence of clear policy or direction and in the face of growing revenue opportunities companies will find ways to circumvent or bend the rules to their own purpose. Unfortunately, as Ron mentioned earlier, that plays into the hands of the large organization and relegates small companies to the roles of almost-ran. Again, Please give us a level playing field.
As stated in the policy framework, the policy challenge is to find solutions that will limit criminal misuse without interfering with legitimate business institutional or individual interests. To assume that policy will limit criminal abuse is in my opinion, naive. The variety of key recovery, key escrow and trusted third party encryption requirements have been suggested in recent years by various governments to conduct covert surveillance by the changing environment brought about by new technologies. A group of cryptographers in the US and computer security specialists examined the fundamental properties of key recovery requirements and outlined the technical risks costs and implications of deploying systems that provide government access to encryption keys. The report concludes that insuring the security of such a system is beyond the experience and current competency in this field. In spite of well intentioned policy makers and politicians history has shown us that governments do not always act in the best interests of the individual. So who will be the keeper of the keys? Many large organizations will want to be their own CA and escrow their own keys. Small to medium size companies may look to third party organizations to provide that functionality for them. The one option which is not acceptable is government key escrow or any option that has the faintest possibility that the government may have access to corporate and individual information without at the very least, documented court approvals.
Over the last few years we have seen the controversy surrounding the US government Clipper Chip and SkipJack technology embedded in -- the implication that there is a back door that the US government could implement a [missing] relative to only one market, the US military. Many US government agencies openly refused to use Fortezza.
The best option in my opinion, is one that provides us to unfettered access
to worldwide markets. Any other option must be viewed with in the context
of the competitive world we live in. Any option which does not provide a
level playing field puts us at a disadvantage. Unfortunately, I believe that
it is virtually impossible to develop such an environment unless restrictions
are lifted. Technology has changed the way we do business and opened up global
markets. Governments need to catch up with the times and recognize the
opportunities and they need to do it quickly. Though there has been some
movement and flexibility over the last few years, not much has really changed.
And in this industry, three years is an eternity.
Brian O'Higgins: Bob mentioned something quickly which I think deserves more emphasis. That is what a US company, Network Associates, has done to get around US export law. In this case, it was the PGP product. It is not possible to export that since it's 128-bit crypto, but they published the source code in a text book with machine readable fonts and printing a textbook is not illegal, that's public domain information so that goes around the world. That text book was then scanned in and effectively the code was recreated from that and what they did was license the trademark to the name which of course, is not an export issue. Now they have the product, PGP available, with European originating technology and they can send it around the world.
I think what we need is a made in Canada policy, we've heard a couple comments
here that while Canada probably doesn't want to annoy trading partners and
annoy the US, it should follow US policy. Well, there's an example of a total
workaround under US regulations and we need a made in Canada policy which
is good for Canadians and good for Canadian companies.
Benita Baker: This whole notion of a level playing field affects us a great deal. Most of our products are greater than 56-bit DES. We require export permits for just about everything we do. We had an incident whereby a subsidiary of an American company in Japan, wanted our products and we could not get an export permit to send it there so in order to get around it we had to ship our product to the US company who then shipped it to Japan. That was kind of frustrating to say the least. Having to get permits for everything we do, I can sympathize with all the comments that have been made here about the export process. I must admit that the government, CSE in particular, have worked really well with us. I have only good and positive things to say ... however ... I think it's the lack of not policy but guidelines for issuing permits. That has been our biggest obstacle because the policy while it exists but it's extremely limited and very subjective as somebody said previously ... so more clarification in the policy is essential to us.
The other issue for us is foreign availability. Really important because one of the things that we've come to realize is that at this point similar products to ours are available through US companies who have been able to get around the US regulations which are at this point a bit more lenient than ours. For those of you that don't know, greater than 56-bit DES is now permitted to be exported from the US for the next two years only so they say "only if a company makes satisfactory commitments to develop and market key recovery products" That's funny. I mean it makes it so easy for American companies to get around the current restrictions. There's even one company who boasts about the fact that they've been able to get around the US policy and they'll help people to do the same. So this is the kind of issue that we're up against on a regular basis.
A quick statistic that I could give you is that according to a study done by Trusted Information Systems as of Sept 1997 there's 1601 cryptography products manufactured and distributed by 941 companies in at least 68 countries. Of that 653 foreign products, which are meaning not US, from 29 countries: 275 of those employ DES. And There's 948 US products, 459 of those with DES. Which means there's a lot of cryptography products out there. A lot of them with DES and a lot of them with the potential to have triple DES which is exactly which we are being restricted from exporting. Within that 133 companies universally, by the way, Germany has 22 products, Canada has 19 and the UK has 18. So, we have a lot of competition out there and we have a very strong feeling that if we do not have foreign availability preferences in our export permit approval process then we will be extremely limited in our competition with these other companies.
Al Pickering: Thank you, Benita. It's interesting that you discuss foreign availability. One of the problems with that is that one foreign sale grounds for a foreign availability claim -- you need five you need ten? Again it goes back to the business of what's the limit? And I guess the other concern about using the foreign availability argument is that if it's available in foreign countries you as a Canadian company have already lost a lead if you will, and you're now in a catch up mode once the decision is finally made so that is clearly a concern that's been expressed to me by a number of companies before.
Brian O'Higgins: Yes, I just want to really emphasize that
one. In the whole Internet space the rule is: First in wins. And that captures
market share. For an Internet product, waiting to be second is not a good
idea. And just another thought that occurred to me: On numbers of export
permits. I think that they used to be relatively infrequent items that came
in the ones and twos and I think last week we put in 29 alone.
Paul Van Oorschot: On the foreign availability question,
regardless of what ends up happening with US policy there is going to be
foreign availability. And so I don't know if it's going to be possible to
keep the US happy and to still have access to compete on global markets so
if we do want to be number one in Canada in electronic commerce I think we
have to try and form our own policy and convince the US to be reasonable.
If we're just going to follow them that might mean that we just have to give
up on trying to be number one.
Tim Hember: This is Tim Hember from TimeStep. Well the issue
with following policy from the US is the fact that what they have is defined
policy and written policy compared to what they do -- kind of a back door
policy with companies in the fact that they are allowing key recovery to
companies -- export of strong cryptography -- to companies that have signed
up to the key recovery. That is not a written policy. And so we can't define
our policy based on their written policy because we'll always be under the
bar as far as a level playing field and we'll always be playing catch up.
Al Pickering: Comments on that particular issue?
Brian O'Higgins: I think that everyone has to recognize
too that US policy is going to be designed to favor US companies. Everyone
... I'm sure the Canadian government realizes this.
Phil Deck: I agree with that too. And one of the problems
with the whole export control debate is it's always been centered in the
US. It's always been amazing to people in the crypto industry that the discussion
happens in the US even though export control happens everywhere. And one
of the things that's happened is that it has become more US-centric and one
thing that Canadian government could do I think for all of us is to work
much more effectively with other developed countries to try and break down
the barriers between developed countries. I think from an export standpoint
all the people around this table are primarily, 90-95 percent, focused on
developed countries. If we could have Europe and Asia and we don't need Libya,
we don't need Saudi Arabia ... that's not our primary market. But we sure
have ... I sure have a problem when we are trying to sell something in Tokyo
and a US company has a better deal than we do on export. It's difficult for
us to reconcile that. So, from the standpoint of leadership and the Canadian
government getting involved in this space ... One good thing that they could
do is to work much better with other developed countries so that at least
we could have the same kind of relationship with the UK and Germany and Japan
that we have with the US where there's an open border between developed
countries. I don't think all of us want to sell to Libya. We just want to
get into the developed countries. And maybe it's better to make the debate
a little more specific to where the real markets are.
Al Pickering: Ok, Dermot do you want to make a few
Dermot Kavanagh: Manager, Regulatory Standards, Nortel: Yes, I'll just make a few remarks, not a direct response to anybody else's yet. Dermot Kavanagh from Nortel, I forgot to mention that. Well Nortel ... we recognize and support the need to balance the interests of electronic commerce, privacy and law enforcement, but we also believe that while Industry Canada is trying to do this, there's a few other things that they need to throw into the equation and some of these would be:
The cost of managing this balance must be sustainable and any legislation or regulations that are introduced must be simple to understand and implement and they must be flexible enough to adapt to changes in this field and they must not put Canadian industry at a competitive disadvantage and must not prevent Canada from being the world leader in e-commerce.
Now that being said, we are not planning to respond directly to the Industry Canada paper, but we are working with fellow members of the Information Technology Association of Canada or ITAC to prepare an ITAC joint response. And this is still a work in progress. We've had one meeting and discussed views and there's a rough draft put together but we're still in the process of responding to it.
So the positions so far that have been put together for this draft on the questions posed by Industry Canada were stored data: we are definitely in favor of the market driven option that was presented which is the status quo.
For real-time communications we're in favor of the option they call assistance, order and selective condition of licence which is the status quo.
For export controls, we did not yet come up with a definite choice among the options that are presented in the Industry Canada paper but we have definitely agreed, that Industry Canada must maintain a flexible approach and under no circumstances put Canadian Encryption Industry at a competitive disadvantage.
My personal view is that Canada should relax the controls but that's just a personal view at this time.
So, some of the remarks made here today are quite interesting to me and I
can certainly bring a lot of them back into ITAC and if there's any companies
here who belong to ITAC, there's another avenue for them to get their views
Al Pickering: Thank you, Dermot.
Tim Hember: I want to take a shot at this. I'm representing TimeStep in making 5 recommendations. Just a bit of background ... The Internet, otherwise referred to as the information highway or the global information infrastructure, it will become the predominant means by which individuals, corporations and governments communicate and conduct business because it provides unprecedented access to and exchange of information. Another fundamental thing is that in the information age, proprietary and or confidential information in it's digital form is emerging as the most valuable asset.
The nature of the Internet is open and ubiquitous making it an ideal infrastructure for business communications. However, that very nature exposes users to breaches of confidentiality, disruption of their operations, destruction of their intellectual property and outright theft. Users of the information highway have the need, the responsibility and the right to protect both access to and the confidentiality of their information and cryptography is a key technology that provides this protection and enables the effective use of modern methods of communication.
Now historically, cryptography was used to secure the communications and hence national security of governments during war and cold war initiatives. As a result of the information age, cryptography is now used almost exclusively by individuals, corporations and governments to protect their confidential and proprietary information. Cryptography basically enables the effective use of modern methods of communication. The information highway will become the overwhelmingly predominant means of conducting business and Canada is currently a world leader in the global communications marketplace.
Because strong security products are available worldwide from uncontrolled sources, attempts to control the spread of security solutions are basically futile and are harmful to our domestic economy. TimeStep fundamentally supports the liberalization of Canada's cryptographic policy and we're working, in cooperation with the Canadian federal government, to ensure that Canada's new cryptographic policy both promotes Canadian business while maintaining the interests of the Canadian government. And so five recommendations:
Number one: Do not restrict the use of export of cryptography by strength of security. Technology advances have driven and will continue to drive demand for stronger security. Controls that are tied to security levels often lag behind technology and commercial need. And they lag behind solutions that are available from other countries. Controls that are tied to security levels place domestic security and communication vendors at a disadvantage and they also force the regular updating of policy. Furthermore, the actual level of security is really not measurable because its affected by a combination of many factors, including length of keys, exponents, sizes, session key sizes, duration of key life to name just a few. To base policy on a single factor is an oversimplification.
Ok. Recommendation number two. Do not make any policy distinction based on type of solution. If the distinction between software and hardware is blurring ... the result of cryptography is the same whether encryption occurs in software or hardware. Furthermore, this business about mass market and public domain software rules are basically loopholes in the current policy. They are not beneficial because they do not add any value in serving the governments needs or concerns. Furthermore, they are detrimental because they create an un level playing field between exporting domestic security and communication vendors that have solutions in different categories.
Number three. Do not restrict export of cryptography by application but DO restrict export of cryptography by country to which its being exported to. Canadian corporations will increasingly conduct business with international partners, customers and vendors via extranets which are collaborative networks conducted securely over the Internet or the information highway. The limitation of commercial security product export by application will directly limit the future effectiveness of Canadian corporations conducting business internationally. Export of commercial security should continue to be controlled by export permits. And this is in conjunction with the Wassenaar arrangement.
Number four. Not only disencumber but promote the use and export of Canadian security products to the extent that security products are available worldwide from uncontrolled sources. Again, attempts to control the spread of security solutions are futile and harmful to the domestic economy. Promoting the use of Canadian solutions will obviously strengthen Canada's economic position in the information age. Furthermore, promoting the use of Canadian security and communications solutions versus solutions from other countries enables the Canadian government intelligence agencies visibility, access, understanding and control of solutions deployed internationally. So Canada has to promote their use and export.
Number Five: This is where I'm taking a step back a bit. TimeStep acknowledges the challenges of maintaining lawful state access to secured communications. IN consideration of this, TimeStep recommends that Canadian government explore and exhaust all methods of access that are permitted under existing law before creating new laws. If lawful state access cannot be satisfied by existing law and if lawful state access is essential for government to promote the use and export of commercial security solutions then TimeStep will consider supporting the development and implementation of key recovery methods.
In summary: The security of information is critical to the proliferation of the information highway. We feel that our recommendations will promote the information highway and Canada's position as a world leader in telecommunications and data security. These recommendations take into consideration existing law and international agreements such as the Wassenaar arrangement and thus they promote Canadian business while maintaining the interests of the Canadian government.
Al Pickering: Thank you. Yes, Paul.
Paul Van Oorschot with Entrust: Two comments on some of Tim's remarks. One is regarding the mass market and generally available software which are exemptions. The history of the Wassenaar arrangement and the COCOM before that was the general acknowledgement that things that are generally available or are mass market -- they cannot be controlled so why not just acknowledge it? That's in fact why that was written in to the Wassenaar arrangement. And so, if we extend that now and we see that encryption technology in general is now widely available, the natural extension of what's reasonable is -- do what's reasonable. We can't control things ...
Tim Hember: Leveling the playing field for everything.
Paul Van Oorschot: Yes. The second comment goes back to the Wassenaar arrangement. It actually says that permits are required for certain technologies and cryptography is one of them. Now however, it doesn't say that you should or should not grant an export permit.
Tim Hember: Yes.
Paul Van Oorschot: One of the problems with this arrangement is that some countries implement the Wassenaar arrangement by saying, "yes we need a permit, send us a letter, here's your permit.
Tim Hember: that's right.
Paul Van Oorschot: And other countries say: yes, you need a permit and you request one and then they say, well no, in fact that's not allowed to be exported. So just requiring a permit is very vague and we need to again to have the details on not only is a permit required but will one be granted and if so what are the conditions under which it will be granted.
Tim Hember: I agree Paul. I'm recommending liberalizing within the framework of the Wassenaar arrangement.
Phil Deck: Ya, I just wanted to echo. Another thing which Tim said which I completely agree with. There are existing laws about government access to company information and in most cases those laws are completely appropriate for what's happening in the market today and I can't see why we need a lot more regulation. If there's a law that says you have to be able to produce records if demanded by a court, that shouldn't be any different whether they are paper or binary. And if you can order to fulfill that requirement, you have to get some kind of key recovery system yourself or go and buy one then you can just go ahead and do that. In applying existing laws and existing rights of access for government law enforcement to the digital world is a much more appropriate way to do it than to come up with some other sophisticated mechanism that may impose a whole lot of cost. Companies have a responsibility to respond to laws and to be able to make information available if a court demands it and that shouldn't be any different whether it's paper or digital.
Bob Koblovsky: Milkyway Networks. I guess there's really two points that I wanted to make. One of them is: regardless of what Canada does in absence of consultation with our partners, whatever agreements we do strike up are open for interpretation and we've already run into that situation and dependent on how that's interpreted it either can be a benefit or a detriment to us. So I think it's important to understand when the government is talking to our other partners is that the interpretation is similar because additional policies whatever they may be, if they are too big and are open for interpretation don't necessarily solve the problem and in fact may create additional problems for us.
Al Pickering: Ok. Do you have anything to say Todd?
Todd Finch from Netscape: I think a lot of people around the table know what Netscape's views and positions are on particularly, encryption and the exportation of security technology. Jim Barksdale our CEO has stated numerous times both in front of Congress and to the public that the regulation and policy of encryption should not be managed by governments. And I think, listening around the table, particularly comments coming from Robert, really kind of emphasize if the governments goal is to increase the competitiveness and be the most competitive electronic or digital economy in the world we need to deal with this as we need to deal with many other commerce topics in a competitive, aggressive format to help advance the cause, not prevent the cause from moving forward. And so, from my observations, there's a couple of things.
One is, there was a great comment made about us following or trying to adhere to or compliment US policy when in actual fact the US nature is to protect the individual and the Canadian nature is to protect the group. Canada is very supportive of the community whereas the US is very supportive of the individual. I think in some ways that that can be a conflict and we should really consider what our policies are in supporting the US encryption laws.
Secondly, the opportunity ... We in Netscape Canada are trying to help Canadian companies become competitive in the electronic community and what we're finding is Canada is losing a lot of its intellectual property. The people and the talent that are creating a lot of this technology, specifically encryption technology, are going south of the border or elsewhere if the technology or freedom to develop and deliver that technology is limited in Canada.
So we want, I want to make sure that from a Netscape perspective we are reiterating what we are communicating down in the United States is that encryption policy should not be something focused from a government perspective. We think there needs to be regulatory control but we don't think the policies should be mandated by federal governments. We think it would be very damning for what we are trying to accomplish. And then finally, the word export is a very relative word when you talk about Cisco doing $3 billion a year LAST year, history, on online digital revenues. If you look at Dell Computer doing $3 million dollars a day and that is happening today, that is happening globally. We think that digitally there can't be the distinction of a country having the ability or not having the ability to communicate in general.
Al Pickering: Interesting comments. Any others around the table?
Certainly from what we've heard so far it would appear that the general consensus is no controls. I guess if your view is that you want to sell and that's all then that's the easiest and the best way to go. There might be some concern on the part of the people in the federal government who have to deal with other countries and they've already signed agreements on how some of these things will be done. And do we just throw them to the wolves and let them worry about that and try and provide a different leadership approach.
It certainly makes it awkward for them where people from governments have sat around the table and in their views they've arrived at decisions which say this is the best way all things considered and it's clear that people around this table don't agree with that position. I think that would be a fair assumption from what I've heard.
Perhaps times are changing which is a bit of a cliche. Certainly what's happening in the global economy is times are a changing and very very rapidly and perhaps it's a case of what applied in the past in the way various governments did their job and in their agreements in trying to look after national security interests and law enforcement concerns, perhaps it is time for change. That has been argued here that normal commercial practice will provide appropriate law enforcement access to information and if you are talking about communications it's virtually impossible to intercept and do whatever it is that you're trying to do, wiretapping. Certainly from the government point of view that is a major concern, how do they deal with allies?
Earlier, Phil had made a comment about Canada getting too far out of step with the US in particular. And it's something that I think companies should be considering. While if Canada took an approach that no controls were in place. How would the US react? And I think people should go into these recommendations with their eyes open. It's been stated that the US government has found ways around regulations that they've agreed to when it suits their purposes and the US companies purposes to the detriment of Canadians and others.
There's evidence of that having occurred. By the same token I think it's clear from what we've seen and from the way the US operates in the world that they could be very tough in dealing with people and to try to make them accede to whatever objectives they have within the US. And as Phil indicated, it's possible that while the US is a major market for companies around this table and other Canadian companies, if Canada went too contrary to what the US objectives are, it's possible that a lot of business could be lost in the United States.
And I think you should go into recommendations with your eyes open in saying "Well if that should happen, if Canada should say no controls and if the US should react very negatively and say, "Ok, one way or another we'll stop you from making any sales in the United States can you still survive?" Is the rest of the global market adequate to keep you going or would other countries react to the way the US might react and say: If the US won't buy it, we won't.
I'd like to hear some discussion on that concern.
Bob Koblovsky Milkyway Networks: Right now the United States represents about 60 percent of the worldwide market for my products so ya sure I want to have access to that market. It also happens to be the most competitive market in the world. So there are pluses and minuses to both sides of that. If I look at how this market is going to evolve on a go forward basis, Europe is probably the fastest growing market for this kind of technology in the world and it's expected that certainly within the next four to five years for my particular products, firewalls and access products, the actual size of the market in terms of the global market, will actually even out somewhat between Europe and the United States. I know that doesn't answer your question Al.
Al Pickering: I'm not sure there is an answer (Laughter).
Bob Koblovsky: I'd like to play in all of those market places but the point here is really, if you ask us as organizations and companies out there whose primary motivation is to go out and generate revenue, we want an unfettered, uncompetitive marketplace where we can freely trade our goods. That's our first choice. In the absence of that we recognize that there are mitigating circumstances that may result in alternatives. What we're saying, certainly what I'm saying, I don't want to put words in everyone else's mouths, is give us a level playing field and ensure that the rules and regulations are consistent across the board and are interpreted consistently across the board so that we aren't put in a position where we are coming from behind all the time.
Al Pickering: I guess the problem the government faces with that is in trying to create a level playing field, in my eyes, the people who have been involved in the past thought they were doing exactly that. And I guess what we've seen from what you are saying is that the playing field is not level because of the interpretation and the workarounds if you will to the regulations and the agreements. Which poses the question: Would it be any different in the future if the government tried to find a level playing field in so far as agreements or understandings or interpretation is concerned will you still find yourself at a disadvantage?
Phil Deck: If you think the Canadian policy or its application is subjective, the US is ten times worse. You can't figure out what you're going to be competing with when it's an American company because you don't know what they are going to get. And my comment about the US government was not that we should follow US government policy. It's that we just have to take it into account. It's easy for us to negotiate with ourselves and propose what we want but they'll have some ideas about that too. I hope no one ever explains cryptography to Jesse Helms because he wouldn't help our industry either. (Laugh)
And so we just have to be somewhat concerned about policies that emerge in the US that we find maybe that we don't agree with but we have to live with anyway. And I just don't know why the other developed countries don't do more to try and cooperate to try and to some degree counter the power of the US. Clearly the computer industry is based in the US. There's a lot of influence there, but we're not the only people in this position. The UK and Germany and other countries are trying to battle the same issues and have the same interests as ours. And to me there could be more cooperation of those countries.
Al Pickering: Brian?
Brian O'Higgins: I'm still considering your comments about the US position. I don't think we need to be ... yes we have to consider it, but let's not get overwhelmed in getting too paranoid about it all. If the US doesn't like products from Canada one approach is that they would put domestic controls, so import restrictions into the United States about what products are allowed in there. That's extremely unlikely. Of course, US government could decide what it wants to purchase and that, absolutely, that's a very useful tool and governments use that as they only, they have a policy that says they only buy what they like. That's fair game and of course, again, market demand will go there. But the US is such an open market people are going to buy what solves their problems and it's very unlikely that there's going to be import restrictions so the market is free for anyone to provide equipment to.
Al Pickering: Yes, I wasn't necessarily supporting the US position, I was being a bit of a devil's advocate saying that people should go into these things with their eyes open and make some assessment on what's the likelihood of something happening and then go along with whatever you decide.
Ralph Doran, Jetform: We're coming at this from a different perspective in that primarily we're a user of security technology, crypto technology, we're not a provider, although tactically today we do provide some out of the box capability that's really because the infrastructure isn't in place that will allow us to leave that up to you folks. And what's really driving us isn't governments or countries or the desire to get into specific territorial markets, it's global companies. We primarily sell to global companies. Many of them are US based and they're driving us to put security features into our technologies because they don't see borders. They don't want to implement, if they have to when they get inside certain borders, special technologies, special solutions so anything that any government is doing that slows the adoption rate and the implementation of infrastructure hurts everybody that lives on top of the products that you folks are selling. I would look to global companies like the Coca-Colas and the McDonald's and so on to be providing pressure on governments like the US government as well as the industry itself. We've got some allies in that field.
Phil Deck: (inaudible) ... that a US company can put there ... can buy technology and deploy it anywhere without restriction so it's more when they ship it to other countries or other companies and so that's why it's a little harder to get their support because Coca-Cola can put absolutely strong encryption in everywhere they operate for their own use. So it's really in dealing with foreign companies that are located other places that we all get into trouble. And we have a particular problem because we are an OEM supplies so a lot of our US customers intend to then reexport their product everywhere else in the world and I suspect if the US government was upset with us then that would make our lives more difficult too.
Bob Koblovsky: Milkyway Networks again. You know, Ralph brought up a good point and I think it's a dilemma that the government is in and that is that by it's very nature the market that we work in is a global market where we have over the last fifteen to twenty years with the technology and our approach and certainly with the advent of the Internet essentially eliminated borders. Government by their very nature work within the confines of borders. And I certainly don't pretend to have the answer as to how you're going to deal with that but that's a very significant dilemma.
Al Pickering: Well it's a very good point. As I said, times change and borders used to be sacrosanct and you could control everything that went across, it was fairly easy but that's certainly not the case today. It's a completely different global situation in which we find ourselves. One of the additional topics the paper asks us to look at is what government action could accelerate rollout of infrastructure for secure electronic commerce? And I guess, one of the answers that's been provided already is get out of the way. Is that sort of a fair summation of the views around the table?
Tim Hember: I think they can also promote the proliferation of solutions by their own use. And they are doing that. I mean the public-key infrastructure and also the information highway that they are assembling and also the deployment of the secure GDIS (?) network. I mean these are all adoptions of modern cryptographic communications solutions.
Dermot Kavanagh: Yes, on the question, it's Dermot Kavanagh from Nortel again. On this question you just asked, this additional question what government can do to stimulate the infrastructure. The ITAC paper I mentioned did take a crack at that one, I didn't mention it in my first remarks and so far we've come up with these points.
By being a role model in the use of such services in its dealings with the public, through enabling legislation at all government levels, through harmonization of such legislation at a national, regional and international level. And through allowing the marketplace to be the major control factor of such legislation. This is rough but this was sort of the first crack at that question.
Brian O'Higgins: I interpret that as: to get out of the way. (Laughter around room) Which is fine, ya. And Tim mentioned, I think the government neglects a very strong club and that's its own clout and purchasing power. Government departments are huge and if they are looking to buy a messaging system or whatever, it's enough of a bulk purchase that vendors would jump through hoops to provide what it is that they want. That's their biggest club for sure is their purchasing dollars rather than their legislative approach.
Al Pickering: Ya, when I said get out of the way I meant as far as controls are concerned and so on. And certainly it's been the government policy for a number of years now to provide that leadership that you've been talking about Tim, in the introduction of the public-key infrastructure and the commitment that the government will operate and provide services to Canadian citizens electronically certainly by the year 2000. We're supposed to have PKI implemented by the end of 1998. It will operate between certain departments and then outside of government. There's a lot of discussion going on between the government and the provincial governments and the municipal governments as well -- how can they operate together. Of course it's required that good technology and appropriate technology is on either end of communications and distribution of information. So there's a lot of leadership I think coming from government along that line.
Brian O'Higgins: That's absolutely right. The Canadian activity in public-key infrastructure is world leading. The impact is really I don't think appreciated in a lot of industry and a lot of governments because it's such a major, major benefit -- electronic commerce can't happen unless you have strong security and strong security you need an infrastructure to really support that, for any two people to talk to each other in a safe and secure way. So Canada will be first in the world with that infrastructure. And of course the whole world is going to electronic commerce for all types of transactions. Canadian companies are going to benefit tremendously because they are going to be the first ones to provide all these extra applications that help people get on board.
And then you look at the number two country in the world to roll out PKI? It's Singapore. Not a really big surprise there. The whole economy is really IT based. They are trying to be the Hong Kong of the future. To be that trading hub into the East. Kind of a quiet event, last November at the APEC conference, Canada and Singapore agreed to cross-certify public-key infrastructures. And this is going to happen in the next few years and it will enable this automatic electronic commerce corridor. So, Canada has done a tremendous amount and I just don't want to see leadership squandered by policy that says "We want to follow" so we really need this made in Canada policy to help keep things rolling.
Tim Hember: I'm just curious. What I hear from people here is are we prepared to take the wrath of the United States and go out on a limb and propose a policy that liberalizes it significantly within the Wassenaar arrangement?
Al Pickering: Well, that was basically the question I was putting to the table. The consequences that should be faced. From what I've heard it would sound like looking at the three areas of discussion, the encryption of stored data -- certainly what I heard is that should be market driven. There should be no mandate by the government that companies within Canada should be required to keep information backed up through key backup and all the rest of it. I believe that's what I heard. By the way if you have different views please come on. That on communications, the encryption of real-time communications, there should be maintain the status quo in that. That there be selective discussions and selective applications of rules which would require communications organizations to provide access when required for law enforcement purposes.
I guess one question that comes to my mind there. When you are talking about communications -- it used to be that communications were on copper wires usually or something around the world. Now communications travel all sorts of ways. Computers that talk using communications or controlling communications and communications systems connect computers. Is it appropriate that there be one regime for the electronic commerce side of things but something else for common carrier communication systems? Just a question. But certainly what I heard was the status quo should be maintained.
On export controls there should be no controls, that's what most people seemed to favour if not everybody. Certainly make sure there's no competitive disadvantage to Canadian companies when they are dealing with the rest of the world. I'd say there's still a question that it would appear that people are prepared to accept what might be the wrath of other countries where Canada has made agreements and I guess people within foreign affairs and Industry Canada and other departments would have to assess to what they have committed when they have signed these various agreements and arrangements that would say that we will provide a level playing field by all of us controlling cryptography in this particular case the same way. I'd say there's certain evidence that that control has not been leveled but people have made those agreements.
It would be difficult I believe for the government to go back to the table and say all bets are off, i know we signed that but nevertheless we're going to go down this different path. But that may be a problem that bureaucrats and ministers get their high executive salaries to solve. And leave it to them.
I also think I was getting the view that the companies feel that the government should be commended for their leadership provided so far in the introduction of electronic commerce within government and what it's trying to do within the country. Supports the view that the country should try to be a class leader. That we should do whatever we can to increase sales wherever possible throughout the world and particularly within Canada. And that we would encourage the government to in their discussions with other countries and in the application of any restrictions that may be deemed that must stay in place that they would lean on the liberal side and perhaps provide a bit more leadership in standing up to some of these regulations and agreements that have been agreed to in the past -- mainly because times are changing. They may have been appropriate in the past in a different world situation, a different technology situation, but now things are slightly different. Would that be a fair summary of what we've talked about today so far?
Tim Hember: I do fully believe that we can liberalize the use and export of cryptography within the framework of our agreements and arrangements with other countries to meet the needs of the people around the table. And I stress the fact that we can do that while remaining within those frameworks and then we should urge the government to open discussions with other countries to actually liberalize the framework itself.
Al Pickering: Is that generally agreed around the table? (heads nodding in agreement).
Paul Van Oorschot: Just to add to that. If we maintain the requirement for export controls or maintain the requirement to get export permits and the permits specify what the conditions are, that's within the existing policy, we can change what the conditions are because I don't know -- that's not part of Wassenaar or other agreements that I'm aware of -- that does continue to give governments control and certainly that could be argued that that's within the current framework.
Tim Hember: One clarification. Conversely, I strongly do not recommend that the government go outside of the framework and fly in the face of the other countries. That they've done agreements with. I strongly recommend that anything that we propose does not go outside the existing arrangements and policies.
Al Pickering: Would people agree with that statement -- I don't see a lot of what I would call positive support for that in body language at least.
Phil Deck: That's a ... one to agree with. Since there's no real policy.
Al Pickering: So what you're saying is that to continue to operate within the Wassenaar arrangement but be liberal in your interpretation and application of what you think the other countries are requesting you to do?
Phil Deck: Yes and recognize that at the current time in many cases we're at a disadvantage to the US because of their very subjective granting of permits so that they may have a policy that seems very rigid...we in the marketplace on a day to day basis find lots of people who seem to have a much better deal than the US government might advertise.
Al Pickering: Benita?
Benita Baker, Chrysalis: I got the impression from the way people were talking that it's not the export controls but maybe the implementation of them. It was the procedures and the guidelines which either existed or not existed. That was the major hindrance to shipping your product. So perhaps we would say that if we had to live within export controls that it would be absolutely necessary to have the policies for approval of permits extremely clear moving forward.
Al Pickering: Yes, you're looking for transparency in the system are you. And what are the criteria. Ron it goes back to your statement for the 56 bit key for example, it was agreed that it could go period. That was it.
Tim Hember: I agree fully that there has to be clarity in the policy and in the execution of policy, but there has to be change in policy. There has to be, and again I reiterate. You can't restrict by strength of security and you can't restrict by type of solution. And you can't restrict by application. So I think there has to be a change in existing policy.
Todd Finch: Just further to the policy discussion. I think that they are quite inter-related -- the security policy and us being a leader in the commerce community, this new digital community are quite inter-related. My belief is that if we try to encourage the leadership of those policy makers to have responsibility for both sides of that effort. Meaning, whoever is setting policy for security should also be trying to take the leadership role globally on forging that policy to afford global economic communications, commerce and in this global economy, if we want to take a leadership role by the year 2001 and security is a significant part of the policies of electronic commerce, we should probably try to get some champion at that level. Creating the policy not just to help our position in Canada but to help the position globally for other companies.
Al Pickering: Just for clarification purposes. Going back to key backup. There was a statement made that we should just let commercial practice rule and there would be no mandatory requirement on the part of government that companies or organizations should maintain key backup internally for law enforcement purposes if a warrant was provided. Is that the agreement around the table.
Paul Van Oorschot: I think what I heard around the table
was that if the existing laws, independent of key recovery require access
to information to be made available then there's no requirement for new laws.
So there's no requirement for new laws.
So the key recovery might be a way to fulfill their responsibility to provide access.
Al Pickering: So in fact what you're saying is don't tell them how to do it. Just make sure they understand the requirement that information be available when needed.
Bob Koblovsky: I would suggest that any major or midsize corporation that is implementing a security policy will have embedded in that security policy some form of key recovery, data recovery that is already going to be there. You don't need to mandate. It's already common sense.
David Jones, Electronic Frontier Canada: An issue with regards to key recovery that hasn't been raised yet is the notion of offline financial transactions. There are companies like Mondex Canada that have a smart card based system and that the key economic viability of a system like Mondex is that the cost per transaction is very low. A fraction of a penny. There's encryption...the system depends critically upon encryption. Their plan is to have millions of dollars flowing through this kind of smart card based economy. If there was a government requirement to have key recovery a system like Mondex would be completely crippled. It would be a whole segment of the industry that just not work if there was a key recovery requirement. So I think that's another thing to keep in mind.
Brian O'Higgins: Great example.
Al Pickering: Could you come to a microphone?
Female Observer: I am a consultant but I think Brian knows that I do work within the law enforcement community a fair bit and there's a couple of things that I would like to comment on and then one question. And I think the comments may help you formalize things. With the respect to the US reach, there was a question about why other similarly positioned countries perhaps have not cooperated more fully. I don't think it's a surprise or a secret to any one around the table how big the US reach is. And I would suggest that it's exactly for those reasons that you don't see other allied countries who have exactly the same problems facing us as we do.
The United States is a huge economic force and while within the crypto sector in certain countries they might not have a big impact, they certainly do have dominance in a lot of countries about whether or not they buy aircraft or space equipment or other things. And you also cannot overlook the military and intelligence relationships that are decades and decades old. And there's as much greyness and rumor attached to them as reality probably and they are certainly a little bit culturally behind but they are realities nonetheless.
Perhaps one of the things you might want to consider when you make recommendations about export controls is the fact that we have an export/import control act that is in fact sovereign and is not based or operationalized on the fact of an international agreement. Because that is in fact how the current one works. If Wassenaar expired and there was nothing to replace it they would not be able to manage an export control regime under current law. So that might be something you might want to think about is actually making a Canadian law.
I think that probably most law enforcement people, and I'd like to point out that law enforcement and lawful access applies as much to the Competition Act, Revenue Canada's administered acts, environmental acts, not just the criminal code. And others. I think that most law enforcement defined in that perimeter would agree that probably commercially 90 percent of their problems could be solved in white collar. Unfortunately, a lot of the criminals, organized and otherwise are not big corporations where you can go and serve a warrant. I'm not sure that if the Hell's Angels were running their own PKI that they would necessarily respond favourably to a warrant. And that is their concern.
And I think if people around this table, and I think that law enforcement would be really heartened to hear the support that does exist for their problem, could actually present solutions not tie the big bow ... but for those non-established entities that do engage in criminal activity and those are usually the worst forms of criminal activity, drug trafficking, environmental organized crime is becoming a very big thing and they very much rely on different forms of communication. They would not be likely to be storing data regardless of how important their messages might be deemed to be. For exactly the purpose of not having them ever captured.
So if there are ways and means -- because law enforcement is certainly not expert, nor do they even pretend to be in the world of crypto -- and so they need some help and some options to be given to them if they can see a place for them. Because of course, they're not going to be able to use the defensive "well we did it to benefit Canadian industry" if the entire Canadian public is down on them because a child pornographer got away with something. And so there's that balance too. So I think if you can offer them suggestions in your paper I think it would be really beneficial.
Tim Hember: Unfortunately, it's a dilemma. Because it's equivalent to the old adage of mandating that the Hell's Angels not use machine guns.
Female Observer: You guys or all experts, or many of you, are experts in crypto-analysis. And I think there are different ways of doing things other than key recovery. And there are different ways of attacking things then brute force. And what I'm suggesting is that perhaps those of you who have specialized expertise and knowledge of different ways then perhaps "plain text" ... I forgot who said the issue was really plain text collection because most of those agencies that have access written in legislatively would prefer not to be involved in doing their own crypto-analysis. They would prefer to get the plain text from someone else and not get into that. So, those were the sorts of comments or options to think about ...
Tim Hember: Plain text. Yes, plain text assumes access at the source.
Female Observer: Possibly. It was just a comment to try and get ...
Al Pickering: Yes, that's useful.
Female Observer: Because very often when it's a crypto debate or a privacy debate or similar sort of debate, it's always no, no, no, you can't have it, you can't do it. But there's never a "But you could maybe do this." And I think that would go a long way in softening some of the barriers between us all -- I think a lot of them are perceived rather than real. Thank you.
Bob Koblovsky: When we start talking about the need for law enforcement to have access to this information to protect society or for national interests ... it's been proven over and over again that the high level criminals use crypto NOW, will continue to use crypto and probably will never use PKI, most likely they may use secret-key but the reality is that they can use that technology. It's available. So if we eliminate them as falling into this category then we start moving down the hierarchy of who the criminals are that we can really go after. And it seems to me that in that PKI environment the ones that are more likely to use it are probably more like the petty criminals -- are those the ones that we are focusing on or is it on the higher level ones because regardless of what we do, they will continue to use cryptography -- anyways, they will probably use a lot stronger cryptography then most of use have access to. In fact some of them have access to strong military cryptography today. So I think we need to be really careful in what it is that we want to do and who are the criminals that are being targeted. Because we may be putting in all sorts of policies and procedures that essentially miss the mark.
Female Observer: Options and solutions. That's the one thing that I don't quite understand about the US policy because I don't see a lot of benefits for domestic law enforcement.
Paul Van Oorschot: One option along that line is to consider a law which makes it a crime to use cryptography for the purpose of concealing certain activities and that's a very different approach to actually requiring that all the honest folk implement key recovery to satisfy law enforcement needs when they bear the cost and no one seeks any reward.
Female Observer: I'm not really convinced that would be particularly useful for a couple of reasons. One, there's the whole idea of self-incrimination and secondly, usually it would be under a warrant that you would be wanting to get this information and that's under very extreme circumstances so very serious crime or where you can prove that no other way could we get this information. And it would be not reasonable, I don't think, that a law enforcement agency would decide to charge someone for criminal use -- that might be a $250 fine and 5 days in jail -- if they're investigating a major drug enterprise or a major organized crime enterprise in some other form. So I think that there's more negatives to that idea, because then you get into interpretation and I don't think it would be useful in the long run because if you are investigating something and you spend a lot of resources, are you going to blow you're entire operation to charge someone with basically a petty offence? Probably not. It wouldn't be very cost-effective or really beneficial.
Brian O'Higgins: Just kind of another way of looking at things. I think that we have to ... it's going to be given that communications between individual ... they need to be private and secure and if you look at the big picture you look at intelligence has gone on since the dawn of civilization I'm sure and people always had private communications with each other. That's the way life is. And only in the last 50 years or so, the law enforcement and intelligence communities have had the luxury of being able to pull signals off the air in an automated fashion. Now that's a temporary blip. And now it's going back to status quo. So there's just no way of stopping this. And they have to err along the lines of using other methods of getting access -- law enforcement put body wires on people so they can listen on the plain text, I think.
Female Observer: I think that it's unreasonable to suggest that law enforcement doesn't have a role on or in the information highway or within the GII. Telephones were created, therefore investigative techniques followed. The Internet is expanding and infrastructure is emerging. My real fear is, and I've had this discussion with privacy advocates, that if you push them far enough into a corner, and there is enough concern in the public -- and certainly there is a huge concern although often it is a little overblown -- is that maybe then they'll start looking at expanding powers. So what can in fact happen, if you talk about going back to the status quo, that we could see an erosion of privacy rights. I've had people say "Well, tell them to use parabolics" Ok so rather than that person on that phone, you'd like them to get the whole apartment floor -- 12 apartments with god knows how many people in it.
So I think that the government has made a commitment and in the last ITAC report, the final report said that the criminal code and other laws had to be reviewed to ensure that law enforcement interests, and again, that includes the competition act and the environment act, and you guys should be concerned about that from a competition point of view because you may have multinationals in here behaving in a manner that's detrimental to you and if there's absolutely no way to get access to certain things during the course of an investigation ...
I'd like to mention that the competition act, Industry Canada, has obviously looked at interception of private communications as an important enough investigative tool to now amend their own act -- The Competition Act amendment for allowing the competition bureau to have the power to do interception. You are right, it is going back to the status quo but do you want it to become the Wild West? Because every argument about electronic crime or electronic protecting against electronic crime can then be turned over -- if there's a penetration, if a crime is committed, it can't be prosecuted or investigated if the crypto is there that can't be read.
Al Pickering: It's not easy. Paul?
Paul Van Oorschot: Just a follow up to that. I don't know if you've seen the book called Privacy on the Line written by Whitt Diffie and Susan Landau. Most Americans stand up for their rights more than anyone else and they have quite an elaborate discussion in that book about the continual battle between the rights of the individual and the state. And so, I recommend reading it, Privacy on the Line.
Al Pickering: Any other comments from others? Yes, Bob.
Bob Little: Thank you. My name is Bob Little from Little and Associates. I'm in the business of providing advice on how to deal with governments and to governments on how to deal with certain private sector issues. I would like to make three quick points.
The first is the importance of this group if it decides to coalesce around a series of recommendations that they start -- as many have -- from stating clearly what the ideal situation would be. And not to try to begin to compromise or to reach some sort of a middle ground too early in the process because that is the work of the bureaucrats who will have to take the views of many who are replying and many of the others will come without any intent to compromise. That's my first point.
The second point is -- to reemphasize the need to deal with the law enforcement and intelligence requirements in a way that says very simply. What they want is to be able to continue to do what they think they can do now. They don't want more, but they don't want less. And the issue is to try to point out clearly what it is that they still have but also what they can no longer expect to have. And if you can provide them with that input this will be very helpful to decide whether it should be as it is or whether there has to be the beginning of change which I think many recognize is the case.
In the third instance, I'd like to comment on the affect of the American situation on Canadian trade policy. I begin from the premise that this issue that we are dealing with today is only one of many and you have to put it in with salmon and pork belly and shakes and shingles or whatever else is on the issue today. So you can't expect your particular problem to be one that can be dealt with in isolation. It has to be dealt with across a number of areas. Therefore, what the government can most benefit from is your advice on how to continue to maintain a competitive opportunity which means that you have to emphasize things like jobs and economic growth which I haven't heard very much about today which I think would be important, but at the same time not to position the Canadian government so that it's irritating deliberately the American relationship in a way that is not going to help across the whole of the trade front. And that can be done I think by maintaining that we are in a position of competitive advantage but we're not trying to set ourselves up to beat the Americans over the head because that's what irritates them --even though it's what we're upset with them about, it also upsets them -- so we do have a legitimate requirement to be able to maintain an economic capability in this particular industry sector.
Al Pickering: Good points, Bob. Any other comments?
Jim Bagnall: Question on size of market/what portion exported. ($1 billion) mumbled discussion around the table.
Phil Deck: It's going to be less than $100 million right now I would think. But I think the important thing is that cryptography will be contained in every information technology product. So if you are exporting an information technology product, whether it is a cell phone, a PDA, a PC, an operating system, a CA, an e-mail software package ... all of those things have to have cryptography built in. JetForm is a good example. You wouldn't call them an information security provider but it's essential to their business that they be able to provide security within their product and so it becomes relevant.
Todd Finch: From Netscape's perspective, one of the things that we have studied quite intensely is the business opportunity that requires some level of security to be able to conduct that business. And Forrester measures it at $300 billion over the next four years. So they think in four years time, the market will be about a $300 billion opportunity. That's in US dollars. That is actually the financial opportunity from a transactions perspective. The value of the transactions. The other thing in the US that seems to be blurring the issue and it's been talked about both directly and indirectly, is the implications of taxation on these transactions and what the relations of THAT and the security control and the encryption capabilities have to do as well. Somebody brought up here that legal jurisdiction transcends particular law and gets into taxation and other regulatory bodies and I think that there's a big concern by government that taxation is going to be even more important than law. Being able to understand what is going back and forth from a communications and transactions level.
Brian O'Higgins: For these numbers that Jim was asking ... the numbers probably sound small today because the market is just starting. A company like Entrust is a good example because we are one of the market leaders and it's an early market and we're at an early stage. But we've experienced greater than 100 percent growth rate. And the way we start is 50 percent of the world's market is in the US so the first people that would use encryption technology are financial departments and governmental departments in the US and Canada -- as you would expect. And then it rolls out to financial institutions worldwide.
So the adoption in Europe of Internet technologies is generally about two years behind the US. So only now we are starting to see expansion into the outside market. And the total value to Canadian corporations is maybe $100 million last year in revenue to companies just specifically related to security and probably some small percentage is overseas. The growth rate is huge -- triple digit growth because they expand as the Internet does and security is one of the hottest areas in information technology so again the growth rate is dramatic.
So we're only -- it's only last year and this year that we really hit the export issue head to head. It used to be a problem for one or two companies in smaller market segments. And now it's general stuff. It's everything -- it's electronic commerce. And it's needed worldwide all at once. And this is the year that the market really starts to take off.
Al Pickering: Yes, we're just at the hockey stick ready to go. Just a personal view, the future that cryptography would be in everything. Anything to do with communications or IT will have it embedded.
Paul Van Oorschot: The other reason is because there is such rapid growth and because as we said earlier the rule of the Internet is the first in wins having an export policy or a government policy which allows us to succeed as Canadian companies -- it's critical that we have that facilitated in the short term before the market is lost.
Al Pickering: Good point. Anything else?
Lynn Anderson: Maybe I can help out. I just found some statistics. According to Yankee Group the market for security products could be worth as much as $4 billion US by the Year 2000 and the current size is about $250 million worldwide. Security products.
Al Pickering: Any other comments or questions or views to be expressed. If not ... thanks very much for participating and hopefully what goes forward will be useful to the government as they try and make their decision on what the policy should be.
Thank you very much.