lambda 3.02 - Big Brother goes international

[owner-lambda-en at freenix.fr]

---
lambda 3.02
April 14, 1997
Sender: owner-lambda-en at freenix.fr
Precedence: bulk

* Private Communications Under International Scrutiny:
--> Key escrow encryption: The OECD says no, individual countries endorse it
--> A global pact for universal wiretapping gains ground in Europe, with
support of the U.S. and other industrialized nations

* Short-Circuits:
--> Social security data causes privacy concerns in U.S., France


* * * * *

OECD tries to prevent privacy abuses on encryption policy

The Paris-based Organization for Economic Cooperation and Development
released on March 27 its "Guidelines For Cryptography Policy," after more
than a year of intense talks between officials from the 29 governments (see
http://www.oecd.org/dsti/iccp/crypto_e.html).

Yet there was one pleasant surprise: the guidelines do not explicitly urge
governments to establish "key escrow" encryption schemes, although
individual countries will be able to act according to its own wishes, for
"national security" purposes.

According to the Washington, DC-based Electronic Privacy Information
Center, among the eight basic principles adopted by the OECD, one is the
rejection of key escrow encryption (see point 6, "lawful Access"). "The
U.S. sought endorsement for government access to private keys. Initial
drafts of the guidelines included this recommendation. The final draft does
not. OECD countries rejected this approach," said EPIC. The good point is
an "endorsement of voluntary, market-driven development of crypto products.
The OECD emphasized open, competitive markets to promote trade and commerce
in new cryptographic methods."

However, the United States, France and Britain have taken steps to pursue
key escrow schemes -- but northern Europe isn't signing on.

* USA: From EPIC Alert 4.05: "The White House has released a new draft
proposal on key escrow encryption to the Congress. The draft (dated March
12) is entitled the 'Electronic Data Security Act of 1997.' The legislation
is the latest attempt to push forward the result the Administration sought
to achieve with the failed Clipper Chip initiative -- ensuring government
access to all encrypted communications through government-escrowed keys."
Resources:
http://www.epic.org/crypto/
http://www.cpsr.org/cpsr/nii/cyber-rights/web/crypto_amer.html

* France: A decree that will clearly establish the next trusted third-party
scheme for business and individuals has not yet been released by the
government. Draft proposals (see lambda 3.01) mentioned certain "national"
preferences for future TTP agencies. These proposals have divided
government officials (it may be an obstacle to common-market principles
covering the free flow of capital and workers in the European Union). And
the OECD clearly states (see point 8, "International Cooperation") that:
"In order to promote international trade, governments should avoid
developing cryptography policies and practices which create unjustified
obstacles to global electronic commerce. Governments should avoid creating
unjustified obstacles to international availability of cryptographic
methods."

* Britain: The U.K.'s Department of Trade and Industry released its
proposal last month on licensing encryption services. According to Ross
Anderson, the famed Cambridge University-based cryptographer: "Their effect
will be to ban PGP and much more besides," because licensing will be
mandatory. An excerpt of the draft regulations say:

"We intend that it will be a criminal offence for a body to offer or
provide licensable encryption services to the UK public without a valid
licence. [...]
Public will be defined to cover any natural or legal person in the UK. [...]
Encryption services is meant to encompass any service, whether provided
free or not, which involves any or all of the following cryptographic
functionality - key management, key recovery, key certification, key
storage, message integrity (through the use of digital signatures) key
generation, time stamping, or key revocation services (whether for
integrity or confidentiality), which are offered in a manner which allows a
client to determine a choice of cryptographic key or allows the client a
choice of recipient/s."

Anderson commented: "The licence conditions imply that only large
organisations will be able to get licences: small organisations will have
to use large ones to manage their keys (this was the policy outlined last
June by a DTI spokesman).
The main licence condition is of course that keys must be escrowed, and
delivered on demand to a central repository within one hour. The mere
delivery of decrypted plaintext is not acceptable except perhaps from TTPs
overseas under international agreements."
The DTI report: http://www.cl.cam.ac.uk/users/rja14/dti.html
Other resources:
http://www.cpsr.org/cpsr/nii/cyber-rights/web/crypto_brit.html

* Scandinavia: Despite these measures, the Nordic countries meanwhile
released user-friendly plans to offer a secure and non-escrowed electronic
mail system, called the Nordic Post Security Service (Denmark, Finland,
Norway and Sweden). Every Scandinavian citizen will soon be offered the
possibility of opening an e-mail account using smart card technology that
allows for digital signatures and strong encryption of up to 1024
bit-length keys, a high level security. The private key will be embedded on
the card, and no TTP system is planned.

* * * * *
Europe is launching a universal wiretap network

The British watchdog group Statewatch revealed confidential documents from
the European Union's intergovernmental meetings that show a global
wiretapping system is under way among Europe, the United States and other
industrialized countries.

Legally speaking, the resolution and memorandum agreed among the EU's 15
countries have not yet been accepted by national parliaments, so it has no
value except as a clear and profound indication of political will.

See the full report, archived on the lambda's server thanks to Statewatch:
http://www.freenix.fr/netizen/swreport.html

Tony Bunyan, the director of Statewatch, published a communique at the end
of February explaining the basic purposes of the wiretap plan:

-- fwd message --
"The Council of the European Union and the FBI in Washington, USA have been
cooperating for the past five years on a plan to introduce a global
telecommunications tapping system. The system takes advantage of the
liberalisation of telecommunications -- where private companies are taking
over from national telephone systems -- and the replacement of land/sea
based lines and microwave towers by satellite communications. Telephone
lines are now partly land-based or under sea or via microwave land-based
towers but the new generation of telecommunications will be totally
satellite-based."

The EU-FBI initiative notes the demise of:
1. state-owned telephone companies
2. nationally-based telephone systems is concerned about:
3. the problems faced with intercepting "mobile" phones and encrypted
communications and wants to ensure:
4. there is harmonisation of national laws on interception
5. to ensure that telecommunications provider business cooperate with the
police and internal security
6. the equipment produced has standards which can be intercepted
7. as many countries as possible to sign up and thus create a de facto
global system (through provisions of equipment etc to third countries).

A related disclosure in a book by Nicky Hager shows that instead of
"suspects" and "targets" the ECHELON system simply trawls the airwaves for
"subversive thoughts" in written form and increasingly in verbal form.
ECHELON is run under the 1948 UKUSA agreement by the US, UK, Canada, New
Zealand and Australia."

-- end of fwd message --

* * * * *
Short-Circuits:

Social security data causes privacy concerns in U.S., France

The Internet site of the U.S. Social Security Administration was closed due
to privacy concerns, in that it supplied information about an individual's
personal income and retirement benefits, the Washington Post reported April
10. Abstracts from the Edupage press review:
"The shut-down followed receipt by the Administration of a harshly critical
letter written by a bipartisan group of legislators who said the site's
security systems were inadequate. To obtain information, a computer user
needed merely to supply a name, address, telephone number, place of birth,
Social Security number, and mother's maiden name -- items that are
available in many private databases."

In France, the government adopted on April 2 a draft law that extends the
use of social security numbers, known as NIR, to tax authorities (the
French equivalent to the U.S.'s Internal Revenue Service). The NIR is one
of the most sensitive pieces of social data in Europe, since it classifies
individuals according to their place of birth and is linked to all social
benefits files. Earlier attempts in the 1970s to extend the NIR to other
parts of the government had failed. The government passed these measures
officially to fight fraud in social benefits households (minimum salary,
housing aid, family pensions, etc.). The national data privacy commission,
the CNIL, along with the League for Human Rights, expressed great concerns
about the plan, which, if implemented by parliament, could especially harm
low-income people.

--- end of lambda 3.02 --- www.freenix.fr/netizen/302-e.html
Jerome Thorel, April 1997.
English proof-reader: K. N. Cukier
---
To unsubscribe the lambda bulletin, send to majordomo at freenix.fr the
following command:
unsubscribe lambda-en
to subscribe:
subscribe lambda-en <your e-mail>
###