Governmental Restrictions on Encryption Products Put Security at Risk

Worldwide, there is a political debate regarding the virtue or otherwise of a control of encryption, in particular whether the import, export, and production of cryptographic tools and their use should be restricted. In several countries legal regulations exist; in some others, steps are being taken towards such regulations. At present an OECD Committee is drafting guidelines on cryptographic policy.

But there are concerns; the Council of European Professional Informatics Societies (CEPIS) - with nearly 450,000 professionals in its 33 member societies, the largest European association of professionals working in information technology (IT) - has agreed the following statement:

Should one wish to employ electronic communication as the main vehicle for commercial and personal interaction, then one ought to be assured, and be able to prove, that messages are

- not disclosed to unauthorised recipients (confidentiality),

- not tampered with (integrity),

- shown to be from the senders stated (authenticity).

It has always been an aim of secure reliable communication to comply with these requirements. The more the information society becomes a reality, the more enterprises, administrations and private persons urgently need the absolute assurance that these requirements are met.

To achieve this, so-called "strong" cryptography is available. Several tools based on strong crypto-algorithms are in the public domain and offered on the Internet; others are integrated within commercial products.

A different technique for confidential and even unobservable communication is to use steganography, where secret data are hidden within larger inconspicuous everyday data in such a way that third parties are unable even to detect their existence. Hence there is no way of preventing unobservable secret communication.

To enable surveillance of electronic messaging, many criminal and national security investigators, i.e. police and secret services, demand access to keys used for encrypted communication. In order for this to be effective, escrowing (bonding) of these keys is advocated. However, for the reasons given above, key escrow (i.e. depositing copies of the keys with a "trusted third party", including back-ups) cannot even guarantee effective monitoring. Moreover, key escrow already constitutes a risk for the secrecy of the keys and therefore for the secrecy of the data. This risk is exacerbated in cases of central escrowing.

Besides, the burdens of cost and administrative effort as well as the loss of trust in communications could be significant and are prone to deter individuals and organisations, especially small business users, from gaining the benefits of modern information and communications systems.

Effective electronic surveillance of digital networks is difficult and time-consuming, and requires extensive resources. In particular, closed groups such as criminal organisations might even use steganographic techniques to avoid any detection short of physical access to the terminals they use. Thus restrictions on encryption may be of very limited help in the fight against organised crime. On the other hand, the essential security of business and private communication may be seriously imperilled and economically hampered should they be subjected to insufficiently secured key escrow.

On these grounds, CEPIS recommends the following:

(1) The use of cryptography for identifying data corruption or authenticating people/organisations should be free of restrictions and encouraged by governments.

(2) All individuals and organisations in the private and public sectors should be able to store and transmit data to others, with confidentiality protection appropriate for their requirements, and should have ready access to the technology to achieve this.

(3) The opportunity for individuals or organisations in the private and public sectors to benefit from information systems should not be reduced by incommensurable measures considered necessary for the enforcement of law.

(4) The governments of the world should agree on a policy relating to their access to other people's computerised data, while seeking the best technical advice available in the world on:

(4.1) whether and which access mechanisms to computerised data are an effective, efficient and adequate way to fight (organised) crime and mount effective prosecution of criminals, and

(4.2) how to implement the policy whilst minimising the security risks to organisations and individual citizens. (Evaluation and implementation of the policy will require regular review as the technology evolves.)

