Australian Key Escrow Bill Before Parliament for VPNs
------- Forwarded Message

Date: Tue, 14 Oct 1997 17:08:36 +1000
From: Paul Montgomery <monty@apnpc.com.au>
Subject: [Oz-ISP] Interception law IS a threat to ISPs

A couple of ISPs in messages under the "Interception" heading have pooh-poohed the new interception law that is going through government processes at the moment. FYI, the following PC Week Australia story shows that it's not something to be sneezed at, if you want to differentiate yourself by offering remote access or VPN services that are secured using encryption.

As mentioned in the story, Telstra, OzEmail, Access One, Connect.com.au and Magna Data are only the largest of a growing band of ISPs who are already constructing VPNs for business customers. It's going to take more than a packet sniffer to decrypt secure messages going through your network.

If you're preparing a VPN trial with something like Data Fellows' F-Secure VPN software, which doesn't allow for key recovery, then you're up the proverbial creek as regards your obligations under this new law. You'll have to keep an extra key for the Feds, ASIO, NCA etc, and only use cryptography software that includes key recovery.

You'll also have to be involved in a lengthy approval process with the Attorney-General's department and the ACA, which is dangerously open-ended. The system will be that you have to submit your plans for new secure network products every year, and the law enforcement agencies have a set amount of time to protest that they can't access it. This process will add three months, at minimum IMHO, to the development of new services.

And yes, INTIAA has been keeping an eye on it, but they've been getting the wrong information from the Department of Communication. I wouldn't say they've been lied to, but they've been given the wrong end of the stick.

- -- START STORY
[from PC Week Australia, October 17, pp 1/38]

New Law Hurts Net Security
Security forces want access to encrypted ISP traffic
By Paul Montgomery
[reproduction for commercial purposes not allowed etc etc]

The Virtual Private Network (VPN) revolution in Australia is being undermined by new legislation from the Liberal government that would weaken security on communications passing through Internet service providers (ISPs).

The Telecommunications Legislation Amendment Bill, which went to a second reading in the Senate last week, is aimed at giving government agencies such as the Federal Police, ASIO and the National Crime Authority access to data and voice traffic, and ISPs will have to fund its implementation.

The bill threatens ISPs' ability to provide secure remote access and VPN services, by compelling them to include an extra cryptographic key for police, in a weakened version of encryption that is called key escrow. Any modifications needed to encryption technology would not only weaken security, but mean extra costs passed on to corporate customers.

Senator Richard Alston, the Minister for Communications, the Information Economy and the Arts, said in a speech to the Senate that interception was an essential service and that Attorney-General Daryl Williams would be given the power to determine the specifics of the proposed law's effect. Senator Alston recently took over policy coordination for cryptography (see PC Week, October 3, page 12), but the decision on this bill was made back in March.

"The introduction of some new telecommunications services have been significantly delayed, with obvious adverse consequences for business and consumers," Alston said, which sources say is a reference to Telstra's OnRamp ISDN service. Alston also hinted that the government was lobbying switch vendors, at an international level, to include interception capabilities in their equipment.

Chris Cheah, assistant secretary of the networks policy branch at Senator Alston's department and one of the officials involved in drafting the bill, confirmed that the bill applied to ISP-encrypted VPN and remote access services.

"If [ISPs] are offering VPNs which have built-in encryption, and they're saying to their customers that they will deliver in a secure form to a person at the other end, then they will have to provide decryption," Cheah said. He stressed, however, that there would be no requirement for an ISP to decrypt an end user's own encryption.

Telstra, OzEmail, Access One, Connect.com.au and Magna Data are already offering VPNs, expected to be a lucrative market for network outsourcing, but a central part of the technology is the security gained from scrambling messages with strong cryptography, using such products as F-Secure VPN from Data Fellows (see page 16).

Danny Ng, business development manager for Internet and intranet at Bay Networks, said that because Internet access is not an inherently high-margin business, many ISPs were looking to differentiate themselves by offering outsourced remote access or VPN services.

"VPN technology is evolving very quickly, and one of the cornerstones to it is security, which usually means encryption," Ng said.

For major carriers such as Telstra, the delivery point could be the local exchange closest to the agency wanting the interception, but it would most likely remain at the premises for smaller ISPs, according to Cheah.

"If ISPs want to get into serious carriage service provision, they will be subject to the same provisions as telcos. That means being able to provide interception capabilities," Cheah said.

The bill also removes the burden of keeping up with Internet technology from police and security agencies by ordering ISPs to prepare annual reports on their plans for new crypto services.

Luke Carruthers, secretary of ISP representative body INTIAA (Internet Industry Association of Australia), said that the impression he had from meetings with the government on the bill was that ISPs would not have to decode encrypted transmissions.

INTIAA is meeting with the Australian Communications Authority and the government this week to work out the details of the legislation. Carruthers will argue the ISPs' case.

"I would expect this issue to be taken up fairly strenuously by the people who it affects the most," he said.

- -- END STORY

- --
Paul Montgomery, Net journalist for PC Week, lives like a JavaBean.
mailto:monty@apnpc.com.au Tel: +61-2-9936-8793 Fax: +61-2-9955-8871

------- End of Forwarded Message