E-Commerce spread defeating crypto regulations

Attempts by governments to curb the worldwide use of strong encryption are being eclipsed by the growth of e-commerce and the corresponding need for privacy and Internet security, says a study released this week.

Attempts by governments to curb the worldwide use of strong encryption are being eclipsed by the growth of electronic commerce and the corresponding need for privacy and Internet security, according to a study released this week by the Washington-based Electronic Privacy Information Center (EPIC).

The report, Cryptography and Liberty 2000, An International Survey of Encryption Policy, spotlights the development of policies that favor the spread of strong encryption around the world. "Governments attempting to develop e-commerce are recognising that encryption is an essential tool for transactions and are reversing decades-old restrictions based on national security concerns," reads the study.

The relaxing in January of US export controls on mass-market encryption software illustrated the erosion of efforts to control strong cryptography. The new export laws swept aside former regulations that required companies to obtain a government licence to export encryption products with key lengths higher than 56 bits.

"We won, we've really won. There is no going back," said Phil Zimmermann, creator of the widely used PGP encryption software. "They are letting strong crypto through, and it would be politically difficult to single out one product."

Privacy advocates found another reason to celebrate yesterday, when it was announced that Canada had passed the first privacy legislation in the world that applies to private industry. According to Stephanie Perrin, former director of privacy policy at Industry Canada, the Protection of Personal Information and Electronics Documents Act is based on a model privacy code created by the Canadian Standards Association. "Canadian companies, if they are dealing with American counterparts, oblige them through contract to meet the standards," said Perrin.

She noted that the Canadian Direct Marketing Association supported the Act. "We are the first country in the world to have industry support privacy legislation," Perrin said.

But David Sobel, EPIC general counsel, said that a number of countries, including the UK, India, Belgium and the Netherlands, are still considering proposals that would give public agencies the ability to demand access to encryption keys. Other countries, such as China, Russia and Pakistan, continue to restrict the use of encryption technology.

According to the EPIC report, the continued expansion of e-commerce and lack of international consensus on encryption regulations will frustrate efforts by those countries to continue their restrictive polices. The study added that the availability of encryption on the Internet will also make it difficult for countries to enforce these laws without imposing censorship and surveillance.

"Legislation . . . drives crypto activists to develop new and better forms of encryption," said David Del Torto, executive director of the San Francisco-based Crypto-Rights Foundation, which provides security consulting to human-rights activists.

While Del Torto and other CFP attendees kicked off a weeklong series of discussions into the future of privacy, some companies were still feeling the burden of old encryption laws. Electronic-book software manufacturer Glassbook reported that someone had cracked the 40-bit key used to secure Stephen King's 66-page electronic novella, Riding the Bullet and posted the material on an unsanctioned Web site. The company said it had used a weak 40-bit key to comply with the US government's former encryption export laws, but wasn't able to convert the Glassbook reader technology into a more secure 64-bit length in time for publication.

Join the newsletter!

Error: Please check your email address.

Tags securityprivacye-commerceencryption

Show Comments
[]