TORONTO - Attempts by governments to curb the worldwide use of strong encryption are being eclipsed by the growth of electronic commerce and the corresponding need for privacy and Internet security, according to a study released yesterday by the Washington-based Electronic Privacy Information Center (EPIC).
The report, Cryptography and Liberty 2000, An International Survey of Encryption Policy, spotlights the development of policies that favor the spread of strong encryption around the world. "Governments attempting to develop e-commerce are recognizing that encryption is an essential tool for transactions and are reversing decades-old restrictions based on national security concerns," reads the study.
The relaxing in January of U.S. export controls on mass-market encryption software illustrated the erosion of efforts to control strong cryptography. The new export laws swept aside former regulations that required companies to obtain a government license to export encryption products with key lengths higher than 56 bits.
"We won, we've really won. There is no going back," said Phil Zimmermann, creator of the widely used PGP encryption software. Zimmermann is in Toronto this week for the annual Computers, Freedom and Privacy (CFP) conference. "They are letting strong crypto through, and it would be politically difficult to single out one product."
Privacy advocates found another reason to celebrate yesterday, when it was announced that Canada had passed the first privacy legislation in the world that applies to private industry. According to Stephanie Perrin, former director of privacy policy at Industry Canada, the Protection of Personal Information and Electronics Documents Act is based on a model privacy code created by the Canadian Standards Association. "Canadian companies, if they are dealing with American counterparts, oblige them through contract to meet the standards," said Perrin. The legislation applies to companies in industries that are subject to Canadian federal regulation.
She noted that the Canadian Direct Marketing Association supported the Act. "We are the first country in the world to have industry support privacy legislation," Perrin said.
But David Sobel, EPIC general counsel, said that a number of countries, including the U.K., India, Belgium and the Netherlands, are still considering proposals that would give public agencies the ability to demand access to encryption keys. Other countries, such as China, Russia and Pakistan, continue to restrict the use of encryption technology.
According to the EPIC report, the continued expansion of e-commerce and lack of international consensus on encryption regulations will frustrate efforts by those countries to continue their restrictive polices. The study added that the availability of encryption on the Internet will also make it difficult for countries to enforce these laws without imposing censorship and surveillance.
"Legislation . . . drives crypto activists to develop new and better forms of encryption," said David Del Torto, executive director of the San Francisco-based Crypto-Rights Foundation, which provides security consulting to human-rights activists.
While Del Torto and other CFP attendees kicked off a weeklong series of discussions into the future of privacy, some companies were still feeling the burden of old encryption laws. Electronic-book software manufacturer Glassbook Inc. in Waltham, Mass., reported that someone had cracked the 40-bit key used to secure Stephen King's 66-page electronic novella, Riding the Bullet and posted the material on an unsanctioned Web site. The company said it had used a weak 40-bit key to comply with the U.S. government's former encryption export laws, but wasn't able to convert the Glassbook reader technology into a more secure 64-bit length in time for publication.
For more enterprise computing news, visit Computerworld online. Story copyright © 2000 Computerworld, Inc. All rights reserved.
RELATED LINKS
