Recommended: "How much encryption do we need?"

cypherpunks at openpgp.net cypherpunks at openpgp.net
Thu Jan 18 12:17:59 PST 2001 

-------------------------------------------------------------------------
cypherpunks at openpgp.net has recommended this article from 
The Christian Science Monitor's electronic edition.

CSM article about hushmail.


-------------------------------------------------------------------------

Click here to email this story to a friend: 
http://www.csmonitor.com/cgi-bin/send-story?2001/01/18/text/p17s1.txt

Click here to read this story online:
http://www.csmonitor.com/durable/2001/01/18/fp17s1-csm.shtml

Headline:  How much encryption do we need?
Byline:  
Date: 01/18/2001
(TORONTO)'Encryption" is the term for technologies that can be used to wrap your 
e-mail and your e-commerce and your Web-surfing in a veil of secrecy.

How much encryption do we need? And how do we get it? Those would seem 
to be the basic questions for Web surfers.

Many people hesitate to do business over the Internet because they're 
worried about hackers snatching up their credit-card numbers and 
electronic eavesdroppers listening in on their e-mail. And so you might 
think that there would be more public discussion about encryption - 
that it might be, well, a little less cryptic.

But from the beginning of mass use of the Internet, tension has existed 
in both Canada and the United States between cybernauts and law 
enforcement officials. The technology gurus argue that people need 
access to strong encryption if the Internet is to realize its full 
potential for electronic commerce. Law enforcement officials, 
especially in the US, see potential for online crime and want to be 
able to steam open, so to speak, people's e-mail.

And so strong encryption programs - the equivalent of a serious 
deadbolt lock - have over the years been classified as sensitive goods, 
like missiles or other armaments, subject to government export 
controls. Selling them abroad has often meant going through a 
cumbersome permit process - often hard for small firms, and even fatal 
to their contracts.

All this technology and regulation is changing so fast, that even 
people in the industry are hard-pressed to know what the law lets them 
do. 

HushMail, for instance, which provides a free, ad-supported Web-based 
e-mail service protected with very heavy duty 1,024-bit encryption, 
started up in Austin, Texas, in May 1999, but located its programmers 
in the British West Indies, where encryption law is much more relaxed 
than in the US. Now its corporate headquarters is in Dublin, and its 
e-mail servers are located in Vancouver. The decision to locate their 
servers in Canada, says HushMail spokeswoman Genevieve Van Cleve, was 
made "because of its friendly crypto laws and cheap bandwidth."

Ms. Van Cleve accentuates the positives when asked about a recent 
decision to locate in Ireland: a booming local economy, a strong 
information technology skills base within the labor force, access to 
the security-conscious European market.

"If the US were to change all its laws tomorrow, we wouldn't leave 
Ireland any more than we'd close the doors on our sales offices in 
Utah," she adds. But she says, "It's kind of hard to figure out what 
the [US] law is.... The law has never been tested. But it would not be 
a smart business move for us to try to test it. We'll leave that to the 
Microsofts of this world."

Similarly, a media official at a Canadian encryption firm often cited 
as a bright young comer in its field was unable to find anyone willing 
to discuss encryption regulation on the record. David Jones, a computer 
scientist at McMaster University in Hamilton, Ontario, and the 
president of Electronic Frontier Canada, says that by threatening over 
the years to introduce domestic controls on encryption, US 
law-enforcement agencies have managed to distract privacy advocates 
from what he says should be the real issue: abolition of export 
controls. Export controls have had the general result of weakening the 
encryption standards available off the shelf in the US and Canada, in 
Dr. Jones's view.

This analysis is disputed, however, by Brian O'Higgins, founder and 
chief technology officer of Entrust in Ottawa. "We make it safe to do 
business on the Internet," he says, selling encryption, digital 
signatures, and strong authentication technology. "The US government 
zeroed out all controls on encryption in January 2000. It was a 
180-degree reversal," he says. "They decided e-commerce was more 
important than law enforcement."

The US decision has left Canada scrambling. Its crypto laws have at 
times given firms here an edge - as HushMail's servers in Vancouver 
attest. A year and a half ago, Industry Canada, the commerce ministry, 
announced that its policy would be to allow encryption as strong as 
anything available anywhere. 

"I called it a home run at the time," says Mr. O'Higgins. He 
acknowledges, though, that practice hasn't quite caught up with policy. 
If laws are less than crystal clear - and there's evidence that in the 
US, at least, regulations have been drafted with enough ambiguity to 
let regulators decide on permits case by case - there's also an 
apparent reluctance to explain why encryption matters.

Says Van Cleve: "I don't think anyone - in business or in government - 
has made the case for strong privacy and encryption: Consumers deserve 
to be protected, too."


(c) Copyright 2001 The Christian Science Monitor.  All rights reserved. 

Click here to email this story to a friend: 
http://www.csmonitor.com/cgi-bin/send-story?2001/01/18/text/p17s1.txt

The Christian Science Monitor-- an independent daily newspaper providing context and clarity on national and international news, peoples and cultures, and social trends.  Online at http://www.csmonitor.com

Click here to order a free sample copy of the print edition of the Monitor: 
http://www.csmonitor.com/advertising/order_page.html

More information about the cypherpunks-legacy mailing list