Civil Rights Organisations Support Strong Encryption Policy in Germany
(A German translation of this document was sent to the Ministers of the Interior and the Economy, and to Chancellor Kohl.)
9 May 1997
The undersigned organizations would like to comment on recent developments in the German government’s policy toward digital encryption. This technology is becoming increasingly important as more and more people depend on digital technologies like digital telephones, electronic mail, and online purchasing. To protect sensitive information, prevent corruption of monetary and informational transmissions, and ensure that correspondents can verify each other’s identities, strong encryption technology is critical.
We would like to support the statements of Economics Minister Guenter Rexrodt, on May 2, 1997, strongly opposing limits on encryption. An open market, unfettered by inappropriate government restictions, is the most beneficial encryption policy in regard both to individual privacy and to the development of robust electronic commerce.
On April 28, 1997, Interior Minister Manfred Kanther called for legal restrictions on encryption, proposing that the only services allowed would be those that permit the police to decode and read any transmissions. We are writing to offer an expert opinion in opposition to this position and to request that the government adopt Minister Rexrodt’s position against restrictions.
While Minister Kanther’s proposal is similar to those raised in other countries, it is not the currently dominant thinking among policy-makers.
In the United States, where the first key recovery proposal (commonly known as “Clipper”) was introduced, it has never won strong adherents in Congress. In fact, several law-makers recently introduced legislation called the Security and Freedom Through Encryption act, which guarantees the freedom to use any form of encryption and countermands key recovery proposals.
In March, 1997, the Organization for Economic Co-operation and Development (OECD) rejected U.S. proposals to base national encryption policy on key recovery. On March 27, 1997 the OECD issued cryptography recommendations that warn against “unjustified obstacles to international trade and the development of information and communications networks” and “legislation which limits user choice.”
On July 24, 1996, key Internet standard-setting bodies, the Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG), rejected attempts to put private keys in the hands of government.
The British Labour Party, before winning the May 1 national elections, released a manifesto called “Communicating Britain’s Future” in which they explicitly rejected key recovery, declaring: “We do not accept the ‘clipper chip’ argument developed in the United States for the authorities to be able to swoop down on any encrypted message at will and unscramble it…Attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long-term economic value of the information networks.”
There are several political and technical difficulties with key recovery. First, it would involve an unprecedented level of government intrusion into daily life, because the government would potentially have access to all digital communications by all people living within the borders of the country, as well as anyone outside the country exchanging information in digital form with people within. There is a long history of abuse of surveillance techniques by government officials. It is unfeasible to assume that government employees would refrain from asking for keys without just cause, or that the companies holding on to these keys would refuse to surrender them in response to an inappropriate request. In this context it is worth remembering that agents from one country often penetrate the security forces of another.
In the United States, memories remain of the widespread illegal use of surveillance by the FBI against political opponents of the government in the 1950’s through 1970’s. Despite the passage of laws to prevent future abuse, incidents continue to come to light where the highest authorities break laws to obtain information.
Similar abuses have been documented in many other countries. The practice of wiretapping the civilian population to suppress political and civil rights was widespread throughout the Eastern Bloc, and continues unabated in many Asian and Latin American countries today. Citizens working peaceably for basic rights like free speech or democratic governance are routinely harassed, tortured, and murdered by their own governments, often as a result of surveillance techniques. Establishing an international regime that glorifies the “right” of governments to successfully wiretap their citizens will have serious consequences for basic human rights all over the globe.
Second, centralized storage for keys presents an irresistible target for intruders. One of the central principles of network security is that there cannot be a complete guarantee against break-ins. The United States military has experienced break-ins many times, as have huge numbers of private organizations. One must assume that malicious intruders with large financial or other incentives will, at times, crack the security of the Trusted Third Parties (TTPs). By contrast, in the highly popular technology known as “public key encryption,” each private key is held only by an individual.
Third, human weakness must be considered. The employees of the TTP will be subject to the temptation to share keys due to bribes, vengeful motives, or simple curiosity.
In short, government access and key recovery are inescapably insecure and subject to abuse. Furthermore, they’re bad for business: German companies making encryption products will be at a competitive disadvantage with companies in other countries where encryption is not restricted.
The most secure form of digital transaction is one where the users choose their own keys and are responsible for managing the keys themselves. In some such systems, users’ “public” keys are published in order to make each user’s identity verifiable by any recipient. Normally the “private” keys are held securely by each user, never being revealed to anyone else. An organization may choose to recover its members’ private keys so that information cannot be lost to the whole organization, though in contrast to most government-inspired recovery schemes, such keys would normally be “backed up” to another location inside the company rather than being given to an outside firm to guarantee government access. These practices can flourish without government intervention. To use licensing as a subterfuge to quietly undermine the privacy of citizens is intolerable.
TTPs are useful because they allow individuals and organizations that have no prior knowledge of each other to communicate with the assurance that neither is being impersonated. But this service should not be used as a Trojan horse in which to sneak a system under which the government can access the keys—a system that undermines trust.
In the United States, key recovery has been criticized by virtually every public interest group that has taken an interest in the subject. Outside of law enforcement agencies, most commentators have declared that the threat of increased terrorist or criminal activity is not so great as to justify the requirement that all members of society surrender their privacy.
Government attempts to impose key recovery are likely to eliminate privacy for the average citizen when communicating using telephones or computer-mediated networks. The rights of free speech, free association, personal privacy, financial privacy, private property, and doctor- and attorney-client privilege, would all be weakened or eliminated. The role of digital transactions in our future is too important to permit such risks.
ALCEI - Associazione per la Liberta nella Comunicazione Elettronica Interattiva (Electronic Frontiers Italy), http://www.alcei.it/
American Civil Liberties Union, http://www.aclu.org/
AUI - Association des Utilisateurs d’Internet (Association of Internet Users), http://www.aui.fr/
Bevcom Internet Technologies, http://www.bevcom.org/
Center for Democracy and Technology, http://www.cdt.org/
CITADEL Electronic Frontier France,
Computer Professionals for Social Responsibility, http://www.cpsr.org/
Cyber-Rights & Cyber-Liberties (UK), http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm
Digitale Burgerbeweging Nederland (Digital Citizens Foundation Netherlands), DB-NL, http://www.db.nl/
EFF-Austin (Austin, Texas USA),
Elektronisk Forpost Norge (Electronic Frontier Norway),
Electronic Frontier Foundation, http://www.eff.org/
Electronic Frontiers Australia, http://www.efa.org.au/
Electronic Privacy Information Center, http://www.epic.org/
FrEE - Fronteras Electrónicas España (Electronic Frontiers Spain), http://www.las.es/free/
Open Society Institute, http://www.soros.org/
Privacy International, http://www.privacy.org/
team quintessenz, http://www.quintessenz.at/
XS4ALL Internet, http://www.xs4all.nl/
Created before October 2004