Subject: [ukcrypto] Comparison of crypto policy de / uk.

From: "Brian Gladman" <gladman@seven77.demon.co.uk>
To: "UK Crypto List" <ukcrypto@maillist.ox.ac.uk>
Subject: Re: Germany Frees Crypto
Date: Thu, 10 Jun 1999 12:09:44 +0100

>From: Nigel Hickson <nigelhickson@compuserve.com>
>To: <ukcrypto@maillist.ox.ac.uk>
>Cc: Cryptography List <cryptography@c2.net>
>Sent: 03 June 1999 22:20 PM
>Subject: Re: Germany Frees Crypto
>Many thanks for translation; saves the DTI purse.  Policy
> very similar to ours (DTI).

In some respects I think Nigel is right to suggest that the German crypto
policy announcement contains some elements that mirror aspects of UK policy.
At the same time, however, any objective assessment of the German
announcement, including its general tone and many of its details, gives a
somewhat different perspective and suggests that there are a number of
significant differences that cannot easily be dismissed.

I would cite the following extracts from the English translation of the
German text as evidence of clear differences between the UK and the German
positions (I omit discussion of areas of similarity).

"The Federal Government has no intention of restricting the free
availability of encryption products in Germany. It regards the use of secure
encryption as a decisive prerequisite for data protection for the public,
for the development of electronic business transactions and for the
protection of company secrets. The Federal Government will thus actively
support the spread of secure encryption in Germany. This particularly
includes the promotion of security-consciousness among the public, in the
economy and in the administration."

Firstly, it is significant that there is immediate recognition of the
central importance of encryption for "data protection for the public",
something that the UK government has consistently failed to do in its own
encryption policy.

The German text clearly recognises the ***public*** interest - the best we
have out of the UK government is to recognise the ***business*** interest.
If anyone doubts this difference, look at the groups consulted in the study
prior to the publication of the PIU report on "Encryption and Law Enforcemen

Of course the reasons for this are obvious - Germany sees Echelon as a
threat whereas we (that is the UK government) see it as an asset.  This
policy difference, and the reasons for it, could hardly be more transparent.
Duncan Campbell and the European Parliament have done a good job here.

Secondly, we can see from the text that the German government will
***actively support*** the spread of secure encryption in Germany.  This is
the exact opposite of UK government policy as I understand it.

So Nigel, could you please obtain a public statement, from an appropriate UK
government minister, announcing that it is now UK government policy "TO

I and many others on this list would welcome such a statement, which I
assume should now be possible if you are right about the similarity of UK
and German positions.  After all, it would hardly be accurate to suggest
that the two policies are similar if one actively supports the widespread
deployment of encryption while the other actively discourages it.

"The use of cryptographic procedures is extremely important for efficient
technical crime prevention. This applies both to guaranteeing the
authenticity and integrity of data traffic and to protecting

This is a statement of the ***benefits*** of encryption in combating crime,
something that never gets the coverage it deserves in UK government policy
(I accept that it is not completely absent).

"To date, the abuse of encryption technologies in Germany has not caused any
serious problems in the process of criminal prosecution. However, this fact
cannot be used to make a forecast for the future."

This is a much more honest assessment of the law enforcement problem posed
by encryption than has ever appeared in any UK policy statements.  It is
quite obvious to anyone who studies these issues that encryption does not
pose any serious threat to current law enforcement activities in the UK.
The policy here is at very most a reaction to a perceived ***future
threat***, which our civil servants continuously attempt to justify with
what Nicholas Bohm rightly characterises as 'dodgy statistics' in order to
suggest that this is a current and 'urgent' problem. It isn't.

In contrast the German position is honest and straightforward - "it's not a
problem now, but it might be in future, and if this proves to be the case we
may ***then*** have to take action".  This is exactly the policy that I and
many others suggested almost three years ago in response to the first round
of UK policy deliberations.

"3.      For reasons relating to the security of the state, the economy and
society, the Federal Government considers it indispensable that German
manufacturers be capable of developing and manufacturing secure and powerful
encryption products. It will take steps to improve the international
competitiveness of this sector."

Germany will provide strong encryption products for the international
market.  Not exactly a ringing endorsement of Wassenaar and a clear
indication that Germany will join the growing group of nations that will
seek to remove export controls on cryptographic products.

Many are surprised at the way the US (and the UK) have been able to dupe
their European partners into applying crypto export controls that are
actually being used to their disadvantage.  Given that these nations must
have known about Echelon for many years before it became public knowledge,
it is not obvious why the changes in encryption policy made by France,
Germany and other non-Echelon nations have taken so long.

The answer is very complex but it boils down to a battle in each country
between two lobbies within government - the 'crypto-averse' intelligence
community and the 'crypto-friendly' information (and information
infrastructure) protection community.  The complexity arises because
international intelligence sharing arrangements are different in different
areas, my guesses being:

1. criminal intelligence - shared interest among most nations
2. military intelligence - no comment
3. political intelligence - ad hoc, determined by circumstances
4. economic intelligence - no shared interest - 'dog eat dog'

This means that there will always be a heated debate between different
factions when considering the overall balance of advantage in the
intelligence business in any one country. When politicians eventually have
to decide whether to back exploitation or protection, the decision "do we
get more from other nations than other nations get from us" is never an easy
one.   And anyone who thinks that this is about law enforcement is living on
another planet.

But the above list shows why we can expect to see the 'Anglo Saxon' nations
increasingly making use of criminal intelligence as the primary 'cover
story' for advocating continued crypto controls in Wassenaar.

[I should make it clear that I am NOT offering here any evidence from my
civil service career either for or against the existence of economic
intelligence. Of the four areas listed above, the only one I have ***any***
knowledge of is item 2].

My advice to the US and UK governments is to give up cryptography export
controls in Wassenaar (and elsewhere) while these governments still have
some credibility left.  These controls are well past their 'sell by' date,
they undermine the protection which e-commerce and the global information
society now need and, most of all, their continued advocacy will put
politicians and civil servants increasingly at odds with their public in an
acrimonious battle which no longer makes any real sense.  The future
problems that cryptography might pose for society will be more easily
countered if we all invest the resources consumed by this issue to more
constructive ends.

Nations will also need to consider item 4 above: economic intelligence.   If
we want the rule of law to apply in cyberspace, nations will have to respect
information assets owned by others and this means giving up item 4 for the
very same reasons that nations eventually recognised the need to stop
sponsoring piracy on the high seas in the past.

Nations gave up their sponsorship of piracy then when they came to realise
that they each gained more from a safe global trading environment than they
did in encouraging pirates to plunder the trade routes of other nations.  We
are now in an analogous situation in cyberspace with some nations claiming
to support the global information society - a development which requires
respect for the information assets of others - whilst secretly pursuing
economic intelligence collection in what amounts to a direct modern analogue
of the State sponsored piracy of past ages.

The global information society (and the associated global electronic trading
environment) cannot truly flourish while nations sponsor (or are perceived
by others to sponsor) information piracy in cyberspace.


Returning to the question "are German and UK policies on encryption
similar", I leave others to decide for themselves. My own view is that they
are significantly different in terms of the principles they advocate.

    Brian Gladman

