Why is a critical e-commerce technology still subject to Cold War controls? Dan Tebbutt investigates.
When the Department of Defence wants to prosecute you as a terrorist, it's time to find a lawyer. But when the defendants are among Australia's leading Internet software developers, the whole industry should be alarmed. Especially when the alleged crime is publishing a world-beating software package on the Internet.
In an interview with trade publication LAN Magazine last month, a senior Defence official threatened to prosecute Brisbane-based cryptographers Tim Hudson and Eric Young. The duo are world renowned for SSLeay, a freeware implementation of the Secure Sockets Layer (SSL) protocol used worldwide to safeguard credit card numbers and provide secure Internet shopping. In April Hudson and Young attracted further attention with Cryptozilla, an ambitious effort to solder SSLeay security onto the public source code for Netscape Navigator 5.0. Because US laws prevent Netscape from shipping the safest version to international users, Cryptozilla was enthusiastically hailed as the first legally-available Netscape browser with trustworthy security (see "Turning wine into water").
But the Defence Department, which controls Australia's cryptography policies, was not amused. Robbie Costmeyer, director of strategic trade policy and operations, argues that Cryptozilla contravenes Australian export laws and undermines Australia's reputation as "a responsible country that can control its citizens".
"There are good reasons for export controls -- if there are no controls there will be anarchy," he says. "We can't decontrol everything because people want to sleep safely in their beds and that's the environment we're trying to give them," adds Costmeyer in a vein reminiscent of Jack Nicholson's front-line commander in the movie A Few Good Men.
Because Cryptozilla is legal under the Customs Act, Defence contemplated prosecuting the developers under the Weapons of Mass Destruction Act, a law designed to keep munitions out of the hands of terrorists. Subsequently Costmeyer indicated the law "may not be apt in this case" -- but the spectre of legal action carrying jail terms and heavy fines could scare Australian developers away from security markets.
Why are Web browsers classified under the same laws that control nuclear and biological weapons? It's largely a hangover of the Cold War, when encryption was reserved for military communications and subject to strict government controls.
Today cryptography is used to safeguard routine e-commerce transactions like Internet shopping and digital signatures for email. Encryption underpins Web-based customer services like online banking. Victoria's Maxi Multimedia kiosks for accessing government information and the new Gatekeeper scheme to deliver Commonwealth services electronically both rely on strong encryption.
The Federal Minister for the Information Economy, Senator Richard Alston, portrays Australia's "generous" cryptography policies as a golden opportunity for Australian companies. Local innovators have the chance to corner lucrative security markets beyond the reach of dominant multinationals like IBM, Microsoft and Sun, who are generally prevented from shipping their safest e-commerce products beyond US borders. Yet the Minister emphasises that the Government's attitude falls short of a total green light.
"We are very keen to promote the growth of trade in encryption technology, but we do have to be mindful of law enforcement considerations," he says. "I think the balance will move in favour of commerce rather than law enforcement."
Curiously, Australia stands alongside Israel and South Africa as the only developed nations still administering encryption policy through defence. The US Government moved cryptography to the Commerce Department in October 1996 and the Department of Trade and Industry runs commercial security policy in the UK. But locally a three-person team at the Defence Signals Directorate (DSD) in Canberra handles all export approvals and technical assessment for government purchasing.
This ongoing anomaly defies a recommendation by the Walsh Report, a pivotal and controversial review of Australia's cryptography policies conducted in 1996 by a former deputy director of ASIO. The Government initially suppressed this document before an edited text was obtained under the Freedom of Information Act. Walsh advocated transferring crypto controls to the Attorney-General's Department. "Defence's framework ... is inextricably linked with sensitive and classified applications. This would appear to make Defence a less than obvious choice for the role in question," the report concludes.
And contrary to Alston's enthusiasm, Defence is preparing to expand Australia's cryptography restrictions. Current law does not apparently cover software posted on the Internet. The Government disputes this interpretation, yet Costmeyer is leading an international effort to extend export controls to cover software on the Net (see "Fighting the tide"). This would not mean a total ban on encryption exports -- but they would require approval by Canberra, potentially adding costs and delay into software shipments where same-day turnaround is often required.
Costmeyer branded as "irresponsible" exporters who use the Net to distribute products without permission. "They have a moral obligation to comply with the law," he said. "We do have the national security at stake here."
But Tim Hudson is calling Defence's bluff.
"How could anyone seriously consider Cryptozilla a threat to Australia's national security when full-strength encryption packages are widely available on the Net? Strong cryptography has been available from Australian Internet sites for almost a decade with full knowledge of the DSD," he claimed. "Crypto-export restrictions are based on the premise that the Internet does not exist and there no competent programmers or mathematicians elsewhere in the world."
The encryption emperor now stands naked. Even the CIA spooks cannot prevent near-instantaneous electronic export of restricted Internet products, including the US-only releases of Netscape, Internet Explorer and HotJava (see www.replay.com). Thousands of programmers and academics have encryption expertise and products are readily available around the world (see table).
That's why online civil liberties group Electronic Frontiers Australia (EFA) last week called for abolition of Australia's cryptography restrictions. "The regulations impose unnecessary constraints and costs on business while doing little to achieve their aim of restricting availability of cryptographic software," wrote EFA in a letter to federal parliamentarians.
"Unless there is a relaxation of the Cold War mentality in relation to encryption policy, electronic commerce will never achieve its full potential," EFA spokesman Greg Taylor says.
This article was published in The Australian, Tuesday 14 July 1998, page
55.
Full text © copyright Dan
Tebbutt.
Remove anti-spam measures to send email.