|
|||||||
Cryptome DVDs are offered by Cryptome. Donate $25 for two DVDs of the Cryptome 12-and-a-half-years collection of 47,000 files from June 1996 to January 2009 (~6.9 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, cryptome.info, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,100 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost. |
10 June 1999
From: "Brian Gladman" <gladman[at]seven77.demon.co.uk> To: "UK Crypto List" <ukcrypto[at]maillist.ox.ac.uk> Subject: Re: Germany Frees Crypto Date: Thu, 10 Jun 1999 12:09:44 +0100 >From: Nigel Hickson <nigelhickson[at]compuserve.com> >To: <ukcrypto[at]maillist.ox.ac.uk> >Cc: Cryptography List <cryptography[at]c2.net> >Sent: 03 June 1999 22:20 PM >Subject: Re: Germany Frees Crypto > >Colleagues > >Many thanks for translation; saves the DTI purse. Policy > very similar to ours (DTI). In some respects I think Nigel is right to suggest that the German crypto policy announcement contains some elements that mirror aspects of UK policy. At the same time, however, any objective assessment of the German announcement, including its general tone and many of its details, gives a somewhat different perspective and suggests that there are a number of significant differences that cannot easily be dismissed. I would cite the following extracts from the english translation of the German text as evidence of clear differences between the UK and the German positions (I omit discussion of areas of similarity). --------------------- "The Federal Government has no intention of restricting the free availability of encryption products in Germany. It regards the use of secure encryption as a decisive prerequisite for data protection for the public, for the development of electronic business transactions and for the protection of company secrets. The Federal Government will thus actively support the spread of secure encryption in Germany. This particularly includes the promotion of security-consciousness among the public, in the economy and in the administration." Firstly, it is significant that the there is immediate recognition of the central importance of encryption for "data protection for the public", something that the UK government has consistently failed to do in its own encryption policy. The German text clearly recognises the ***public*** interest - the best we have out of the UK government is to recognise the ***business*** interest. If anyone doubts this difference, look at the groups consulted in the study prior to the publication of the PIU report on "Encryption and Law Enforcement". Of course the reasons for this are obvious - Germany sees Echelon as a threat whereas we (that is the UK government) sees it as an asset. This policy difference, and the reasons for it, could hardly be more transparent. Duncan Campbell and the European Parliament have done a good job here. Secondly, we can see from the text that the German government will ***actively support*** the spread of secure encryption in Germany. This is the exact opposite of UK government policy as I understand it. So Nigel, could you please obtain a public statement, from an appropriate UK government minister, announcing that it is now UK government policy "TO ACTIVELY SUPPORT THE SPREAD OF SECURE ENCRYPTION IN THE UK". I and many others on this list would welcome such a statement, which I assume should now be possible if you are right about the similarity of UK and German positions. After all, it would hardly be accurate to suggest that the two policies are similar if one actively supports the widespread deployment of encryption while the other actively discourages it. --------------------- "The use of cryptographic procedures is extremely important for efficient technical crime prevention. This applies both to guaranteeing the authenticity and integrity of data traffic and to protecting confidentiality." This is a statement of the ***benefits*** of encryption in combating crime, something that never gets the coverage it deserves in UK government policy (I accept that it is not completely absent). --------------------- "To date, the abuse of encryption technologies in Germany has not caused any serious problems in the process of criminal prosecution. However, this fact cannot be used to make a forecast for the future." This is a much more honest assessment of the law enforcement problem posed by encryption than has ever appeared in any UK policy statements. It is quite obvious to anyone who studies these issues that encryption does not pose any serious threat to current law enforcement activities in the UK. The policy here is at very most a reaction to a perceived ***future threat***, which our civil servants continuously attempt to justify with what Nicholas Bohm rightly characterises as 'dodgy statistics' in order to suggest that this is a current and 'urgent' problem. It isn't. In contrast the German position is honest and straightforward - "its not a problem now, but it might be in future, and if this proves to be the case we may ***then*** have to take action". This is exactly the policy that I and many others suggested almost three years ago in response to the first round of UK policy deliberations. --------------------- "3. For reasons relating to the security of the state, the economy and society, the Federal Government considers it indispensable that German manufacturers be capable of developing and manufacturing secure and powerful encryption products. It will take steps to improve the international competitiveness of this sector." Germany will provide strong encryption products for the international market. Not exactly a ringing endorsement of Wassenaar and a clear indication that Germany will join the growing group of nations that will seek to remove export controls on cryptographic products. Many are surprised at the way the US (and the UK) have been able to dupe their European partners into applying crypto export controls that are actually being used to their disadvantage. Given that these nations must have known about Echelon for many years before it became public knowledge, it is not obvious why the changes in encryption policy made by France, Germany and other non-Echelon nations have taken so long. The answer is very complex but it boils down to a battle in each country between two lobbies within government - the 'crypto-averse' intelligence community and the 'crypto-friendly' information (and information infrastructure) protection community. The complexity arises because international intelligence sharing arrangements are different in different areas, my guesses being: 1. criminal intelligence - shared interest among most nations 2. military intelligence - no comment 3. political intelligence - ad hoc, determined by circumstances 4. economic intelligence - no shared interest - 'dog eat dog' This means that there will always be a heated debate between different factions when considering the overall balance of advantage in the intelligence business in any one country. When politicians eventually have to decide whether to back exploitation or protection, the decision "do we get more from other nations than other nations get from us" is never an easy one. And anyone who thinks that this is about law enforcement is living on another planet. But the above list shows why we can expect to see the 'Anglo Saxon' nations increasingly making use of criminal intelligence as the primary 'cover story' for advocating continued crypto controls in Wassenaar. [I should make it clear that I am NOT offering here any evidence from my civil service career either for or against the existence of economic intelligence. Of the four areas listed above, the only one I have ***any*** knowledge of is item 2]. --------------------- My advice to the US and UK governments is to give up cryptography export controls in Wassenaar (and elsewhere) while these governments still have some credibility left. These controls are well past their 'sell by' date, they undermine the protection which e-commerce and the global information society now need and, most of all, their continued advocacy will put politicians and civil servants increasingly at odds with their public in an acrimonious battle which no longer makes any real sense. The future problems that cryptography might pose for society will be more easily countered if we all invest the resources consumed by this issue to more constructive ends. Nations will also need to consider item 4 above: economic intelligence. If we want the rule of law to apply in cyberspace, nations will have to respect information assets owned by others and this means giving up item 4 for the very same reasons that nations eventually recognised the need to stop sponsoring piracy on the high seas in the past. Nations gave up their sponsorship of piracy then when they came to realise that they each gained more from a safe global trading environment than they did in encouraging pirates to plunder the trade routes of other nations. We are now in an analogous situation in cyberspace with some nations claiming to support the global information society - a development which requires respect for the information assets of others - whilst secretly pursuing economic intelligence collection in what amounts to a direct modern analogue of the State sponsored piracy of past ages. The global information society (and the associated global electronic trading environment) cannot truly flourish while nations sponsor (or are perceived by others to sponsor) information piracy in cyberspace. ------------------- Returning to the question "are German and UK policies on encryption similar", I leave others to decide for themselves. My own view is that they are significantly different in terms of the principles they advocate. Brian Gladman