12 April 1997
Thanks to Harka
Date: Sat, 12 Apr 1997 03:22:43 -0400
-----BEGIN PGP SIGNED MESSAGE-----
This is a press release of the German Forum of Computer Professionals for Peace and Social Responsibility (FIfF). It discusses the crypto-proposals of the German government, which are similar to the UK and US proposals. Please note, that this is my own "unofficial" translation of it. All phrases in  are either my additional comments or are phrases, that I couldn't translate directly.
If you want the original German text, e-mail me.
P R E S S R E L E A S E
Forum of Computer Professionals for Peace and Social Responsibility
Bonn, in April, 1997
The Forum of Computer Professionals for Peace and Social Responsibility declare the following to the recently made-public plans and intentions to regulate cryptography internationally and nationally:
Very obvious are the efforts to regulate cryptography. After several tries guidelines to crypto-politics were worked out at the end of March by the OECD. Almost simultaneously, plans from the United States and the United Kingdom for new national crypto regulations became public. Further developments suggest that the [German] Federal Government has also worked out specific plans to regulate cryptographic technology in Germany.
On the current level of planning the [German] Federal Government is considering three variations of regulations:
1. A key-escrow-solution, in which providers of cryptographic services have to provide the keys of customers to law-enforcement, if necessary.
2. A key-escrow-solution, in which only federally licenced providers of cryptographic services are permitted to operate.
3. A key-escrow-solution with simultaneous prohibition of all non-federally-permitted technologies.
The FIfF is seeing herein a serious threat to the development of a society that is increasingly dependent on information transfer. Not only is the protection of privacy now ranking below federal surveillance wishes, but also the protection of all interactions and transactions, that happen on electronic networks. This unacceptable interference [with privacy] is for technical reasons not even accompanied by any plus sides for federal investigators.
The planning of crypto regulations make clear not only the complete neglect of civil rights in our [German] constitution. It is becoming a symbol for the huge deficits in understanding the problems, possibilities and challenges of [...] an information society.
The FIfF sees five areas, where arguments for the damage of crypto regulations can be made:
Why does cryptography have to be regulated by law? From the official side a crypto regulation in Germany is necessary because it's the last missing piece to surveillance of [long distance] information traffic. The law for "Long-distance information traffic surveillance" (FUeV) forces providers of information traffic installations to provide the clear-text of monitored traffic to law enforcement. This can be avoided by end-to-end cryptography by single users. Since telephone and fax [communication] are rarely encrypted, a regulation of cryptography would mainly affect users of electronic networks, who can ensure the postal privacy only through encryption.
It's underlying suggestion is, that encrypted data traffic of suspects [of crime] in electronic networks is the norm and can't be under surveillance. This is not true.
The current laws and regulations are forcing providers of electronic networks to guarantee a surveillance of law enforcement and intelligence services; this is already happening. Up until now no case is known, where the investigation of a crime was made impossible through cryptography. Nevertheless vague threat-scenarios are mentioned, to make an increased surveillance of information traffic more plausible.
In Germany, though, it's hard to observe an under-development in surveillance. While in the United States and its 240 million citizens 1,229 telephone surveillance requests were granted in 1995, Germany with 80 million citizens had in the same time 3,667 requests granted - per citizen 6 times as many surveillance activities as in the USA. In 1996 the number of granted requests increased again 175 percent to 6,428 . No comparison of the crime rates in Germany and the USA can possibly explain these differences [...]. In which way these methods [of surveillance] have contributed to crime investigation is not known, since here a control of the [surveillance] activities is not done, as opposed to the USA.
Although deficits [in surveillance] aren't noticable, the Great Listening Attack and crypto law are to open new fields for surveillance. Through that basic civil rights are increasingly limited.
The protagonists of a crypto law say, that such a regulation would be nothing new, but only an adaptation of [existing] info surveillance to technical developments. This is wrong.
Outlawing all non-licenced crypto technology is reversing current principles of civil rights. The limitation of postal secrecy is only permitting the control of sendings. There are no forced ways of writing, nor are certain languages or ways of expression prohibited. No law is prohibiting to write with secret ink or to use any other means to make messages secret. Somebody opening letters has to do all work of analysis himself -- no sender has to help him with a [correct] letter written according to law. A prohibition of cryptography, despite all current systems of law, would throw the law-conform electronic communication under the dictat of governmentally sanctioned syntaxes. No dictatorship in Germany has ever demanded that.
Electronic networks transport not only letters, even the politicians got that. Using cryptographic technologies therefore is limited not only to postal secrecy, but also to other things worthy of protection.
Those who make crypto laws also want control over the electronic variants of transactions that are currently under special privacy protection rights. The electronic service law of the IuKDG makes it obvious by stating explicitly electronic banking as an electronic service. For users of online-banking, online-work and online-medicine the bank-, service-, and medical-secrecy get reduced to the information traffic secrecy [law]. Thus the information traffic secrecy [law] is becoming a strategic basic [constitutional] right. A crypto law would not only undermine this basic right, but many others as well. Such a law is a trojan horse [for the democratic state] in an information society.
Let's assume, a crypto law would be formulated. How would it be [constitutional] and would it be practicable? To note is a law to digital signatures in the IuKDG, that indicates [a limitation of asymmetric] cryptography technologies. This leads to characteristic problems.
1. A handing-over of an escrowed key to law-enforcement means with currently available systems, that a unlimited surveillance of the key-owner is possible, as long as he uses the same [unchanged] key. This is even in the practice of surveillance an unprecedented limitation of citizens-rights, which [out-of-proportion nature] is also clear to cryptography experts and supporters of a [crypto] law:
No one less than Otto Leibrich, Ex-President of the Federal Agency of Information Technology Security (BSI), publicized, how through introducing a time-variable in cryptography technologies time-limits should be set to surveillance. But could the security agencies have an interest in [such] a lawful technology, that could not be decrypted anymore, when users could prevent investigation already through a changed system date?
2. The [available to law-enforcement] private key of a suspect makes only his incoming data traffic readable, but not his messages to third persons. In respect to the nature of asymmetric crypto technologies [...] proofs for an communicated agreement with third persons to commit a crime are only to be won, if also the keys of his communication partners are available, and beyond that in certain circumstances even their partners. The result is a tendency of an exponential increase of the [circle of] suspects, the surveillances and the work-load for the investigators. Here is no proportionality anymore nor effective Investigation.
3. Due to the lack of competent institutions, the federal government will not be able to avoid using the infrastructure, that it's currently creating for introducing and issuing digital signatures, to control crypto keys as well. No law will balance the loss of trust, when on one side the institution has to hand over private keys to law-enforcement and on the other hand guarantees the security of the digital signature. If the digital signature gets into the wrong hands, any document could be lawfully signed. The fear of citizens is understandable, to be [powerless] to manipulations of federal key mighties. With such a loss of trust the federal government and companies [that support the digital signature] shouldn't even bother [to set up the infrastructure].
4. A national crypto law is not able to adress accordingly the problems of international traffic typical for electronic networks. To get the crypto keys of a "Mafia Organization", the agencies of several countries would have to be mobilized. Are the supporters of a crypto law really serious, that an international co-operation in getting escrowed keys would function better than the current bad co-operation in investigating crimes, where electronic networks were used?
5. Compared to that it's almost neglectable, how such a crypto law would make harder the life of the software industry. To guarantee a relation of crypto key and user on the grounds of the law, the makers of Internet-browsers, for example, [...], would have to refrain from distributing their products in Germany via the Internet and instead sell software packages only [in stores] to persons with ID. Such an effort is affordable only for a few and wouldn't necessarely strengthen the position of the legal use of secure systems. When beyond that different and technically incompatible national regulations were enacted, the much cheered global Electronic Commerce would remain an illusion.
Nobody can overlook this fact: a crypto law can be easily [routed around]. A legal cryptographic system can be used several times on a message, in fact, an illegal technology-encrypted message could be "packed" in a legal system. Also a crypto law can be avoided, so that nobody knows: Steganography and other means to use covert channels hide messages in plain-text files, for example, and put a veil around the very existence of an encrypted message.
- From the routing around of the crypto law, the federal security experts hope to actually gain advantages, because out of the circle of users of illegal crypto technologies, they could win worthy hints about the organizational structure of the suspected circle of people.
With the use of steganography such a group of persons is never to become known [to law-enforcement]. But what would be won, even if a group of people would be found, that uses the same illegal crypto system? Their communication would not be decryptable, thus has to be won through other means. As investigators today are already sinking in a mountain of papers with protocols of phone surveillances, in the future they will have to spend even more effort to investigate groups, who have done nothing wrong but to use an non-permitted crypto system and communicate incidently with people, who are suspected of something. Such an effort can't even be justified by employment-market reasonings. To stamp the users of non-permitted cryptography automatically to suspects would be therefore even from an investigative perspective nothing but nonsense.
- From a technical and practical perspective, a crypto law is nonsense and unenforcable. [Some] lawyers though have the opinion, that independent from the enforcement the law has to be obeyed in any case. But such a dogmatic viewpoint is hard to balance with a democratic society.
The FIfF has the opinion, that a crypto law would even more increase the already not shyly used surveillance of information traffic in Germany. It reverses constitutional rights and principles. It threatens drastically the constitutionally protected citizens-rights in electronic transactions and interactions. It would lead in practicality to severe additional problems with laws and will certainly not make the work for investigators any easier. The problems that come with such a regulation will also not be solved through law-dogmatism. The severe damage for civil rights, democracy, but also economical interests, are opposed by a very thin advantage. With that background, every rational analysis would therefore have to come to the conclusion, to avoid a regulation of cryptography.
That the federal government is not doing that, despite consultations with acknowledged experts over several years, is either a proof for lack of knowledge or the willing neglect of the consequences.
The very similar regulations of the OECD, Great Britain, the USA and the West German plans are out-of-sync with the visions of a global, democratic information society.
Instead of a limitation of cryptography it is according to the FIfF necessary to:
1. Increase the availability and use of cryptography,
2. Not hinder the use of cryptography through limitations or prohibitions,
3. Make the free choice of crypto systems possible,
4. Support the development of secure crypto systems,
5. Increase the protection for electronic transactions and interactions,
6. Evaluate the use of federal surveillance of communication regularly, independently and in-depth.
1 Cryptography Policy Guidelines; Recommendation of the Council, http://www.oecd.org/dsti/iccp/crypto_e.html
3 Minister for Science and Technology: Licensing of Trusted Third Parties for the Provision of Encryption Services; http://www.cl.cam.ac.uk/users/rja14/dti.html
4 Presserklaerung des forschungspolitischen Sprechers von Buendnis 90/Die Gruenen, Dr. Manuel Kiper: http://www.gruenebt.de/aktuell/pm/indizes/in970236.htm
5 am konkretesten: C. Schulzki-Haddouti: Kanthers Kurs auf das Kryptoverbot; in: http://www.heise.de/tp/te/1146/fhome.htm
6 vgl. die Stellungnahme des FIfF zur FUeV unter http://hyperg.uni-paderborn.de/0x83ea6001_0x0036ce9
7 Erste Faelle einer Ueberwachung von Internet-Accounts wurden bekannt in: 30.000 Telephonate mitgehoert; in: Sueddeutsche Zeitung, 2.12.96, S. 15
8 USA: Newsweek 20.5.96, Bundesrepublik: Bt-Drs 13/3618
9 Bt-Drs. 13/7341
10 Otto Leiberich: Verschluesselung und Kriminalitaet II, in: BSI-Forum der KES 1/95
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Forum InformatikerInnen fuer Frieden und FFFF I fff FFFF gesellschaftliche Verantwortung (FIfF) e.V. F I f F Reuterstr. 44, D-53113 Bonn FFFF I fff FFFF E-mail: firstname.lastname@example.org F I f F Tel.:xx49-228-219548 Fax: -214924 F I f F CL/GRUPPEN/FIFF und http://hyperg.uni-paderborn.de/~FIFF forum computer professionals for peace and social responsibility * * * * * * * * * * * * * PGP-Key on request * * * * * * * * * ==================================================================== /*************************************************************/ /* This user supports FREE SPEECH ONLINE ...more info at */ /* and PRIVATE ONLINE COMMUNICATIONS! -> http://www.epic.org */ /* E-mail: harka(at)nycmetro.com (PGP-encrypted mail pref'd) */ /* PGP public key available upon request. [KeyID: 04174301] */ /* F-print: FD E4 F8 6D C1 6A 44 F5 28 9C 40 6E B8 94 78 E8 */ /*<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>*/ /* May there be peace in this world, may all anger dissolve */ /* and may all living beings find the way to happiness... */ /*************************************************************/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAgUBM08quzltEBIEF0MBAQEn1gf/Ww87W3y3SrI6bK6Qg9iCgC6E40HSCkrB 2tFV3Zy+k7KtegHPrLikKhX1inJ+vEYPadHLhH1K45eGRJ/4lr4G3Pg+ozYNRalQ KAIeoD4XQNY4nOvm6+vMlg5lOhkObB5z4pf7H5P6j48c0HSKEITPk5ExBo7g5Hcv gl+yOrXYioEbSEScFkGYjvTh6zPNEqsr7Ma7nucON5OlqRe71Rdtn9FiGWSkxgTZ rRg1bnB6geksL/OeKz6neYXIfWuyFEoHs19sLo7gqGcCaib6nn+bs+qrWikJeY5L dWNzpoeqUSW46mZtUwC3IastDE2YhKuh7ffYPCG1v5AvaBG0NCZ4Sg== =fpKk -----END PGP SIGNATURE----- If encryption is outlawed, only outlaws will have encryption...
Note: PGP sig may appear invalid due to hypertext conversion.
Hypertext by JYA/Urban Deadline.