August 11, 1998

LITTLE-KNOWN INTERNATIONAL AGREEMENT MAY DETERMINE INTERNET PRIVACY

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—Half-way around the world, a movement has started that may shake the security policies of nations on almost every continent. Electronic Frontiers Australia, a civil liberties organization focusing on electronic networks, has announced a campaign to free public cryptography from an international agreement called the Wassenaar Arrangement.

The matter at hand is whether governments will continue to regard cryptography as a hazardous material to be locked up by defense agencies and transported only by carefully inspected carriers. This is the historic view of encryption as a munition, harking back at least to the “loose lips sink ships” days of World War II. The view persists in U.S. Department of Commerce export controls, and internationally in the Wassenaar Arrangement.

Or should governments recognize that cryptography is an everyday part of computer use, online commerce, and even basic protection for the computing and network infrastructure? That is what cryptography has become in the wake of mathematical advances of recent decades, driven forward by the winds of fast, low-cost computers and the widespread but vulnerably open architecture of the Internet.

Civil liberties groups around the world like the EFA, along with businesses engaging in electronic commerce or offering computer products for sale, have been trying to enlighten government policy-makers over the past several years to the importance of free-flowing cryptography products. The new EFA Wassenaar campaign aims directly at a roadblock to the free use of cryptography.

The 1994 Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (named after the town in the Netherlands where it was signed) is a typical expression of George Bush’s “New World Order.” It replaced a Cold-War arms-control regime called COCOM, expanding the members to include states from the former Soviet Union.

The arrangement is a pledge by participating countries not to ship dangerous technologies to non-participating countries. While some prohibited elements are obvious, such as warships and missiles, more subtle threats are addressed under the provision for “dual-use” technologies—things that are legitimately sought for constructive purposes but can be turned to terrorism or war. The dual-use provision explicitly includes encryption.

To be sure, the provision is rather odd, since it exempts shrink-wrapped and public-domain encryption software. Thus, it is more reactive than prescriptive: instead of decreeing what types of software can be exported, it simply allows the export of any software that has managed to find a public following.

So in its current form, the Wassenaar Arrangement is no threat to the free flow of encryption. That may be why I have never seen it mentioned during the past four years of statements from many U.S. agencies about encryption policy, even though the U.S. is a signatory.

Signatories also include Great Britain (which is considering cryptography restrictions, immediately criticized as similar to U.S. proposals) and France (which has passed a very restrictive law, discussed in another article of mine). In none of their public documents can I find a reference to the Wassenaar Arrangement. The key European Commission statement on encryption (“Towards A European Framework for Digital Signatures And Encryption”), which acknowledges the crucial role cryptography plays in modern communications, makes only one casual reference to Wassenaar. OECD documents I have found contain no references at all.

The danger lies in future revisions to the Wassenaar agreement. According to the EFA, “there seems little doubt that some of the Nations represented will seek to use the next round to move towards a more repressive cryptography export control regime.” And in Australia, the attempted shift is openly debated.

I doubt that more than a handful of Americans have heard of the Wassenaar Arrangement. But in Australia, awareness is much higher. Current government policies explicitly cite the arrangement in their proposed domestic restrictions on encryption, which resemble those proposed in the U.S. by the FBI and the Clinton Administration.

Both countries maintain tight export controls on any encryption that is strong enough to withstand a determined attack. These controls go far beyond the Wassenaar agreement, but the disparity may well be resolved in the next round of talks—with Wassenaar unfortunately being the one to change.

According to the EFA, the Australian government hopes to persuade the Wassenaar signatories to extend export controls so that they cover shrink-wrapped software, public-domain software, and “intangibles” such as delivery of encryption software over the Internet.

The EFA is now on the counter-offensive, trying to organize groups in as many countries as it can to propose that encryption be removed from the arrangement.

EFA is an organization somewhat like the better-known Electronic Frontier Foundation in the U.S., although the two are independent. A month ago the EFA started a domestic campaign to liberalize the restrictive and ill-documented policies that apply to encryption in Australia. In the international campaign started on July 30, they are raising consciousness worldwide about the little-known Wassenaar provisions.

One can argue whether Wassenaar is effective even in its larger goals. Listening to news of missing plutonium in Russia, nuclear tests in India and Pakistan, and increasingly sophisticated weapons turning up in the hands of drug dealers everywhere, I question whether the New World Order is winning over the weapon “have-nots.”

Few countries impose any controls on encryption, whether or not they participate in Wassenaar. An exhaustive survey of 78 nations’ policies by the Electronic Privacy Information Center showed that only a handful have restrictions. These include Australia and the U.S., of course. The countries imposing restrictions would have a much easier time pushing regulation at home if they could point to an international agreement mandating such control.

International competition may be the wedge that finally drives open encryption policies. Already, products with strong encryption are being announced from companies in various countries that have no export restrictions.

U.S. companies, afraid of losing the enormous e-commerce market, have formed an alliance called Americans for Computer Privacy that has pressured the government to loosen restrictions and launched a public ad campaign. Every year, someone introduces a bill into Congress attempting to liberalize federal policy, although so far such bills have succumbed in a stalemate which can be broken neither by the FBI and its supporters nor by those who wish to provide strong encryption for all.

Like any computer technology, encryption becomes more deeply embedded and seamlessly integrated into products as its benefits are grasped. The time may already be here when encryption is more like an attribute of software than a feature that can be optionally omitted.

And in this new era, attempting to regulate encryption may become like trying to legislate which fasteners are used to hold together the furniture, equipment, and appliances freely traded on world markets. The many types of encryption and the many roles it can play might well overwhelm efforts at legal control.


Editor, O’Reilly Media