Australian Key Escrow Bill Before Parliament for VPNs

[Anonymous]

------- Forwarded Message

Date: Tue, 14 Oct 1997 17:08:36 +1000
From: Paul Montgomery <monty at apnpc.com.au>
Subject: [Oz-ISP] Interception law IS a threat to ISPs

A couple of ISPs in messages under the "Interception" heading have
pooh-poohed the new interception law that is going through government
processes at the moment. FYI, the following PC Week Australia story
shows that it's not something to be sneezed at, if you want to
differentiate yourself by offering remote access or VPN services that
are secured using encryption. As mentioned in the story, Telstra,
OzEmail, Access One, Connect.com.au and Magna Data are only the largest
of growing band of ISPs who are already constructing VPNs for business
customers.

It's going to take more than an a packet sniffer to decrypt secure
messages going through your network. If you're preparing a VPN trial
with something like Data Fellows' F-Secure VPN software, which doesn't
allow for key recovery, then you're up the proverbial creek as regards
your obligations under this new law. You'll have to keep an extra key
for the Feds, ASIO, NCA etc, and only use cryptography software that
includes key recovery.

You'll also have to be involved in a lengthy approval process with the
Attorney-General's department and the ACA, which is dangerously
open-ended. The system will be that you have to submit your plans for
new secure network products every year, and the law enforcement agencies
have a set amount of time to protest that they can't access it. This
process will add three months, at minimum IMHO, to the development of
new services.

And yes, INTIAA has been keeping an eye on it, but they've been getting
the wrong information from the Department of Communication. I wouldn't
say they've been lied to, but they've been given the wrong end of the
stick.


- -- START STORY [from PC Week Australia, October 17, pp 1/38]

New Law Hurts Net Security
Security forces want access to encrypted ISP traffic
By Paul Montgomery
[reproduction for commercial purposes not allowed etc etc]

The Virtual Private Network (VPN) revolution in Australia is being
undermined by new legislation from the Liberal government that would
weaken security on communications passing through Internet service
providers (ISPs).

The Telecommunications Legislation Amendment Bill, which went to a
second reading in the Senate last week, is aimed at giving government
agencies such as the Federal Police, ASIO and the National Crime
Authority access to data and voice traffic—and ISPs will have to fund
its implementation.

The bill threatens ISPs’ ability to provide secure remote access and VPN
services, by compelling them to include an extra cryptographic key for
police, in a weakened version of encryption that is called “key escrow”.

Any modifications needed to encryption technology would not only weaken
security, but mean extra costs passed on to corporate customers.

Senator Richard Alston, the Minister for Communications, the Information
Economy and the Arts, said in a speech to the Senate that interception
was an “essential service” and that Attorney-General Daryl Williams
would be given the power to determine the specifics of the proposed
law’s effect.

Senator Alston recently took over policy coordination for cryptography
(see PC Week, October 3, page 12), but the decision on this bill was
made back in March.

“The introduction of some new telecommunications services have been
significantly delayed, with obvious adverse consequences for business
and consumers,” Alston said, which sources say is a reference to
Telstra’s OnRamp ISDN service.

Alston also hinted that the government was lobbying switch vendors, at
an international level, to include interception capabilities in their
equipment.

Chris Cheah, assistant secretary of the networks policy branch at
Senator Alston’s department and one of the officials involved in
drafting the bill, confirmed that the bill applied to ISP-encrypted VPN
and remote access services.

“If [ISPs] are offering VPNs which have built-in encryption, and they’re
saying to their customers that they will deliver in a secure form to a
person at the other end, then they will have to provide decryption,”
Cheah said.

He stressed, however, that there would be no requirement for an ISP to
decrypt an end user’s own encryption.

Telstra, OzEmail, Access One, Connect.com.au and Magna Data are already
offering VPNs, expected to be a lucrative market for network
outsourcing, but a central part of the technology is the security gained
from scrambling messages with strong cryptography, using such products
as F-Secure VPN from Data Fellows (see page 16).

Danny Ng, business development manager for Internet and intranet at Bay
Networks, said that because Internet access is not an inherently
high-margin business, many ISPs were looking to differentiate themselves
by offering outsourced remote access or VPN services.

“VPN technology is evolving very quickly, and one of the cornerstones to
it is security, which usually means encryption,” Ng said.

For major carriers such as Telstra, the delivery point could be the
local exchange closest to the agency wanting the interception, but it
would most likely remain at the premises for smaller ISPs, according to
Cheah.

“If ISPs want to get into serious carriage service provision, they will
be subject to the same provisions as telcos. That means being able to
provide interception capabilities,” Cheah said.

The bill also removes the burden of keeping up with Internet technology
from police and security agencies by ordering ISPs to prepare annual
reports on their plans for new crypto services.

Luke Carruthers, secretary of ISP representative body INTIAA (Internet
Industry Association of Australia), said that the impression he had from
meetings with the government on the bill was that ISPs would not have to
decode encrypted transmissions.

INTIAA is meeting with the Australian Communications Authority and the
government this week to work out the details of the legislation.
Carruthers will argue the ISPs’ case.

“I would expect this issue to be taken up fairly strenuously by the
people who it affects the most,” he said.

- -- END STORY

- -- 
Paul Montgomery, Net journalist for PC Week, lives like a JavaBean.
mailto:monty at apnpc.com.au Tel: +61-2-9936-8793 Fax: +61-2-9955-8871

------- End of Forwarded Message