[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CEPIS Statement on Cryptography Policy: Governmental Restrictions on Encryption Products Put Security at Risk

>X-POP3-Rcpt: holger@mail
>Return-Path: <fiff-l-request@dia.informatik.uni-stuttgart.de>
>X-Sender: kara@telematik.iig.uni-freiburg.de
>Date: Mon, 25 Nov 1996 23:23:11 +0200
>To: fiff-l@dia.informatik.uni-stuttgart.de
>From: kara@telematik.iig.uni-freiburg.de (Kai Rannenberg)
>Subject: CEPIS Statement on Cryptography Policy: Governmental Restrictions
on Encryption
> Products Put Security at Risk
>Cc: kara@iig.uni-freiburg.de (Kai Rannenberg)
>Dear Colleagues,
>please find following a cryptography policy statement agreed on by the
>Council of European Professional Informatics Societies (CEPIS).
>The statement has also been placed into the WWW in ASCII and html form.
>Easiest access is via the CEPIS "Legal & Security Issues" Network (CEPIS
>LSI Network) web page on
>Further there is a press release based on the statement, which can be
>reached via the CEPIS LSI Network web page, too.
>In case of questions or comments regarding this issue
>please feel free to contact me
>Best regards
>Kai Rannenberg, Secretary CEPIS LSI Network (kara@iig.uni-freiburg.de)
>PGP key available on request and in http://www.iig.uni-freiburg.de/~kara/
>Council of European Professional Informatics Societies (CEPIS)
>Governmental Restrictions on Encryption Products Put Security at Risk
>Worldwide, there is a political debate regarding the virtue or otherwise of
>a control of encryption, in particular whether the import, export, and
>production of cryptographic tools and their use should be restricted. In
>several countries legal regulations exist, in some others steps are
>undertaken towards such regulations. At present an OECD Committee is
>drafting guidelines on cryptographic policy.
>But there are concerns; the Council of European Professional
>Informatics Societies (CEPIS) - with nearly 200,000 professionals in its 20
>member societies, the largest European association of professionals working
>in information technology (IT) - has agreed the following statement:
>Should one wish to employ electronic communication as the main vehicle for
>commercial and personal interaction, then one ought to be assured, and be
>able to prove, that  messages are
>- not disclosed to unauthorised recipients (confidentiality),
>- not tampered with (integrity),
>- shown to be from the senders stated (authenticity).
>It has always been an aim of secure reliable communication to comply with
>these requirements. The more the information society becomes a reality, the
>more enterprises, administrations and private persons urgently need the
>absolute assurance that these requirements are met.
>To achieve this, so called "strong" cryptography is available. Several tools
>based on strong crypto-algorithms are in the public domain and offered on
>the Internet, others are integrated within commercial products.
>A different technique for confidential and even unobservable communication
>is to use steganography, where secret data are hidden within larger
>inconspicuous everyday data in such a way that third parties are unable
>even to detect their existence. Hence there is no way of preventing
>unobservable secret communication.
>To enable surveillance of electronic messaging, many criminal and national
>security investigators, i.e. police and secret services, demand access to
>keys used for encrypted communication.  In order for this to be effective,
>escrowing (bonding) of these keys is advocated.  However, for the reasons
>given above, key escrow (i.e. depositing copies of the keys with a "trusted
>third party",including back ups) cannot even guarantee effective
>monitoring.  Moreover, key escrow already constitutes a risk for the
>secrecy of the keys and therefore for the secrecy of the data. This risk is
>exacerbated in cases of central escrowing.
>Besides, the burdens of cost and administrative effort as well as the loss
>of trust in communications could be significant and are prone to deter
>individuals and organisations, especially small business users, from
>gaining the benefits of modern information and communications systems.
>Effective electronic surveillance of digital networks is difficult and time
>consuming, and requires extensive resources.  In particular, closed groups
>such as criminal organisations might even use steganographic techniques to
>avoid any detection short of physical access to the terminals they use.
>Thus restrictions on encryption may be of very limited help in the fight
>against  organised crime.  On the other hand, the essential security of
>business and private communication may be seriously imperiled and
>economically hampered should they be subjected to insufficiently secured
>key escrow.
>On these grounds, CEPIS recommends the following:
>(1)       The use of cryptography for identifying data corruption or
>authenticating people/organisations should be free of restrictions and
>encouraged by governments.
>(2)      All individuals and organisations in the private and public
>sectors should be able to store and transmit data to others, with
>confidentiality protection appropriate for their requirements, and should
>have ready access to the technology to achieve this.
>(3)       The opportunity for individuals or organisations in the private
>and public sectors to benefit from information systems should not be
>reduced by incommensurable measures considered necessary for the
>enforcement of law.
>(4)       The governments of the world should agree on a policy relating to
>their access to other people's computerised data, while seeking the best
>technical advice available in the world on:
>(4.1)   whether and which access mechanisms to computerised data are an
>effective, efficient and adequate way to fight (organised) crime and mount
>effective prosecution of criminals, and
>(4.2)   how to implement the policy whilst minimising the security risks to
>organisations and individual citizens.
>(Evaluation and implementation of the policy will require regular review as
>the technology evolves).
>Further Information:
>Council of European Professional Informatics Societies (CEPIS)
>7 Mansfield Mews
>GB London W1M 9FJ
>United Kingdom
>Tel/fax: +44 171 637 5607
>E-mail: cepis@bcs.org.uk
>URL: http://www.bcs.org.uk/cepis.htm
>The CEPIS Legal & Security Issues Network
>URL: http://www.wi.leidenuniv.nl/~verrynst/cepislsi.html
>E-mail: Kai Rannenberg (kara@iig.uni-freiburg.de), Secretary
>Kai Rannenberg (kara@iig.uni-freiburg.de)
>PGP key available on request and in http://www.iig.uni-freiburg.de/~kara/
>Abteilung Telematik                         Phone:                  -4926
>Institut fuer Informatik und Gesellschaft   Fax:         +49-761-203-4929
>Universitaet Freiburg                       Secr.:                  -4964
>Friedrichstr. 50
>D-79098 Freiburg