January 26, 1999

DRAMATIC CRACK IN A BASTION OF CRYPTOGRAPHY REGULATION

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—The high-stakes battle over computer encryption took a startling turn last Wednesday, when Prime Minister Jospin lifted the French government’s restrictions on cryptography. His “fundamental change of orientation” may be the falling brick that signals the tumbling of international walls against this technology, which enables a wide range of social benefits such as private communications, electronic signatures, and online commerce.

For years France has been methodically fastening manacles on encryption through a 1996 telecommunications law requiring keys to be kept by “trusted third parties.” These organizations would turn keys over to law enforcement agencies when required.

France did not invent the trusted third party concept (also known as key escrow or key recovery); it actually comes from the U.S. But no country ever proceeded as far as France in trying to turn it into law—and the French exercise in trying to implement the idea proved useful to its critics. As I reported in an article nearly a year ago, the concept turns out to require impracticable measures to ensure that computer systems, facilities, and personnel would be secure.

The Prime Minister’s new announcement is an unambiguous change of policy. His rhetoric adheres fully to the principles that have united proponents of strong encryption. Far from calling encryption a threat to security, he declares it “an essential means for protecting the confidentiality of communications and private life.”

Offering a “first step toward liberalization,” Jospin declares that the length of computer users’ secret keys can immediately be raised from the current inadequate 40-bit limit to 128 bits, which is quite secure (unless the spy agencies know something we don’t). As a set of changes that will require “several months” to implement, he recommends that:

With Jospin’s announcement, key escrow evaporates from the palette of French technology policies—and probably will fade from those of other countries as well. France has switched from the most restrictive regulator of encryption among technologically advanced nations to a proponent of complete openness.

Impressive as the reversal is, its timing is even more dramatic, as it comes just six weeks after France joined with 32 other countries to sign an update of a document called the Wassenaar Agreement that promised to tighten restrictions on encryption. The cryptography section of this document now appears to be moot. Several countries’ governments have been distancing themselves from it implicitly or explicitly.

That’s intelligent policy, because the Wassenaar Agreement was designed to stop the spread of weapons. Let governments worry about hydrogen bombs and anthrax spores, not about a useful and life-enhancing technology like encryption. To tell people how long they can make their keys ranks up there in intrusiveness with stopping the shipments of pencils to Iraq (which the U.S. has done because graphite can be used to paint aircraft).

IRIS, a French organization formed to promote rights on the Internet and universal non-commercial public access, praised the government’s policy change. Their commniqué also pointed out that the concern for “protection of private life” should extend to Internet provider connections and the use of social security numbers.

Cryptography expert Stewart Baker speculates that several forces combined to lead to France’s change of heart. He ascribes little influence to civil liberties groups, finding their presence weak. The government listened more to corporate interests who mounted a “significant effort” to remove restrictions so they could protect communications or sell encryption products.

Baker says the European Union, Germany, and the Nordic countries “sniped at” France. But most important perhaps was the “fundamental love affair that France has with high technology. Just as with the Concorde jet and the nuclear power plants scattered around, fruits of earlier dalliances with technology, France hates to be told that it’s backward and doesn’t have a clue about computer networking.”

Further clues suggest that cryptography is breaking free of all restrictions. A conference last week by a leading encryption company, RSA Data Security, became a public relations forum for free encryption. So has its public challenge to crack the government’s standard for maximum security—a challenge won in just 22 hours by a team led by John Gilmore and the Electronic Frontier Foundation.

Exploiting publicly available knowledge about encryption technology, RSA created an Australian development team and obtained approval from its government for the export of products that would be withheld from the world market by the United States. A participant who didn’t want to be identified reported that some very tricky political negotiations were involved, and that the export was approved partly because the product was not for end-users.

According to Baker, so long as France held on to its telecommunications law, proponents of key escrow could push it on manufacturers because key escrow products were the only ones that could be sold in France. With that excuse gone, key escrow will be seen almost universally as a failure.

Marc Rotenberg of the Electronic Privacy Information Center affirms that ministers in the European Union have put great pressure on France to change its policy, up to now perhaps the most restrictive in the world except for Russia (which outlaws the use of encryption). Key escrow is out of line with the privacy goals of the EU.

Barriers at national borders are keeping encryption from fulfilling critical roles on the Internet. Cryptography’s uses extend from protecting user communications at the top to ensuring that systems can trust the routing information exchanged by protocols at the bottom.

Even publishers like encryption, because they can use it to control who gets to copy and exchange intellectual property such as pop songs. I think it no accident that Jospin’s announcement stressed equally the value of encryption and the importance of protecting author’s rights over content, ennobled by his announcement (very much in the manner of the French) as “works of our national culture.”

Despite the vote of Wassenaar representatives to extend their crypto restrictions, Rotenberg says European governments have been heading toward liberalization. Technical experts and privacy advocates have been meeting with policymakers across Europe for years to support the promotion of strong cryptography.

Like the FBI and law enforcement agencies in the United States, the German Ministry of Justice has voiced its support for restricting cryptography, but the opposing side has been more successful than the Congressmen in the U.S. who failed to pass pro-liberalization bills such as the Security And Freedom through Encryption (SAFE) Act. Another liberalization bill will be introduced this year, though.

Great Britain remains the main hold-out for encryption controls in Europe. Ironically, the Labour Party publicly proclaimed that they would oppose U.S.-based proposals for controlling encryption in the campaign leading up to their election. But afterward, they came to the view of the U.S. Clinton administration.

The December changes to the Wassenaar Agreement alarmed privacy experts, and were trumpeted by the Clinton Administration as a sign of its success in pushing key escrow. But now the United States and Great Britain stand alone as the only champions of this policy.

Even within the Clinton Administration, tech-savvy spokespeople like former advisor Ira Magaziner admit that they are unhappy with key escrow when they are pressed for their agenda. And while liberalization acts never got far in Congress, neither did acts imposing new restrictions.

As Gilmore says, “Let us hope that the US Government has a revelation and revolution like that of the French in creating a wiser crypto policy.” I don’t hold such hopes anytime soon. On Friday, Clinton asked for 1.46 billion dollars to protect “critical computer systems”—but he did not mention encryption at all.


Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles