Recommended: "How much encryption do we need?"
cypherpunks at openpgp.net
cypherpunks at openpgp.net
Thu Jan 18 12:17:59 PST 2001
-------------------------------------------------------------------------
cypherpunks at openpgp.net has recommended this article from
The Christian Science Monitor's electronic edition.
CSM article about hushmail.
-------------------------------------------------------------------------
Click here to email this story to a friend:
http://www.csmonitor.com/cgi-bin/send-story?2001/01/18/text/p17s1.txt
Click here to read this story online:
http://www.csmonitor.com/durable/2001/01/18/fp17s1-csm.shtml
Headline: How much encryption do we need?
Byline:
Date: 01/18/2001
(TORONTO)'Encryption" is the term for technologies that can be used to wrap your
e-mail and your e-commerce and your Web-surfing in a veil of secrecy.
How much encryption do we need? And how do we get it? Those would seem
to be the basic questions for Web surfers.
Many people hesitate to do business over the Internet because they're
worried about hackers snatching up their credit-card numbers and
electronic eavesdroppers listening in on their e-mail. And so you might
think that there would be more public discussion about encryption -
that it might be, well, a little less cryptic.
But from the beginning of mass use of the Internet, tension has existed
in both Canada and the United States between cybernauts and law
enforcement officials. The technology gurus argue that people need
access to strong encryption if the Internet is to realize its full
potential for electronic commerce. Law enforcement officials,
especially in the US, see potential for online crime and want to be
able to steam open, so to speak, people's e-mail.
And so strong encryption programs - the equivalent of a serious
deadbolt lock - have over the years been classified as sensitive goods,
like missiles or other armaments, subject to government export
controls. Selling them abroad has often meant going through a
cumbersome permit process - often hard for small firms, and even fatal
to their contracts.
All this technology and regulation is changing so fast, that even
people in the industry are hard-pressed to know what the law lets them
do.
HushMail, for instance, which provides a free, ad-supported Web-based
e-mail service protected with very heavy duty 1,024-bit encryption,
started up in Austin, Texas, in May 1999, but located its programmers
in the British West Indies, where encryption law is much more relaxed
than in the US. Now its corporate headquarters is in Dublin, and its
e-mail servers are located in Vancouver. The decision to locate their
servers in Canada, says HushMail spokeswoman Genevieve Van Cleve, was
made "because of its friendly crypto laws and cheap bandwidth."
Ms. Van Cleve accentuates the positives when asked about a recent
decision to locate in Ireland: a booming local economy, a strong
information technology skills base within the labor force, access to
the security-conscious European market.
"If the US were to change all its laws tomorrow, we wouldn't leave
Ireland any more than we'd close the doors on our sales offices in
Utah," she adds. But she says, "It's kind of hard to figure out what
the [US] law is.... The law has never been tested. But it would not be
a smart business move for us to try to test it. We'll leave that to the
Microsofts of this world."
Similarly, a media official at a Canadian encryption firm often cited
as a bright young comer in its field was unable to find anyone willing
to discuss encryption regulation on the record. David Jones, a computer
scientist at McMaster University in Hamilton, Ontario, and the
president of Electronic Frontier Canada, says that by threatening over
the years to introduce domestic controls on encryption, US
law-enforcement agencies have managed to distract privacy advocates
from what he says should be the real issue: abolition of export
controls. Export controls have had the general result of weakening the
encryption standards available off the shelf in the US and Canada, in
Dr. Jones's view.
This analysis is disputed, however, by Brian O'Higgins, founder and
chief technology officer of Entrust in Ottawa. "We make it safe to do
business on the Internet," he says, selling encryption, digital
signatures, and strong authentication technology. "The US government
zeroed out all controls on encryption in January 2000. It was a
180-degree reversal," he says. "They decided e-commerce was more
important than law enforcement."
The US decision has left Canada scrambling. Its crypto laws have at
times given firms here an edge - as HushMail's servers in Vancouver
attest. A year and a half ago, Industry Canada, the commerce ministry,
announced that its policy would be to allow encryption as strong as
anything available anywhere.
"I called it a home run at the time," says Mr. O'Higgins. He
acknowledges, though, that practice hasn't quite caught up with policy.
If laws are less than crystal clear - and there's evidence that in the
US, at least, regulations have been drafted with enough ambiguity to
let regulators decide on permits case by case - there's also an
apparent reluctance to explain why encryption matters.
Says Van Cleve: "I don't think anyone - in business or in government -
has made the case for strong privacy and encryption: Consumers deserve
to be protected, too."
(c) Copyright 2001 The Christian Science Monitor. All rights reserved.
Click here to email this story to a friend:
http://www.csmonitor.com/cgi-bin/send-story?2001/01/18/text/p17s1.txt
The Christian Science Monitor-- an independent daily newspaper providing context and clarity on national and international news, peoples and cultures, and social trends. Online at http://www.csmonitor.com
Click here to order a free sample copy of the print edition of the Monitor:
http://www.csmonitor.com/advertising/order_page.html
More information about the cypherpunks-legacy
mailing list