Governments should stay out of encryption, says conference
- 22 May, 1997 22:00
Attempts by governments and law enforcement agencies to control the encryption of electronic messages are holding back electronic commerce while achieving no real benefit in preventing crime, experts warned this week.
At the Scrambling for Safety conference held Monday at the London School of Economics, speaker after speaker warned that any of the proposed schemes that require users to deposit their encryption keys with some third party will be insecure and will have little or no impact in detecting crime.
Most of their anger was aimed at the UK government's recently published discussion paper which proposes the use of trusted third-party companies to hold encryption keys.
Defending the proposals were two officials from the UK Department of Trade and Industry, who insisted that trusted third parties offer a good balance between the need for privacy and the need to prevent crime.
But Ross Anderson from Cambridge University's Computer Laboratory said the proposal was "an attempt to centralise trust, and to make it easier for the intelligence services."
He said the previous Conservative government had conceived the scheme "to help their friends in the city (the financial sector)," since it would result in most people paying a fee, probably to a bank, to hold their encryption key.
"Encryption is marginal to law enforcement," he said, adding that access to the content of private messages, through phone-tapping, had played a role in only one criminal conviction in London during the last 12 years.
Whitfield Diffie, a distinguished engineer at Sun Microsystems Inc. and a pioneer in the cryptography field, said that the interests of business coincide with those of individual citizens when it comes to cryptography.
"For successful business to thrive, we need to have trusted communications," Diffie said. Legitimate businesses would be deterred from using communications that they felt could be tapped, while illegal businesses would find their own encryption schemes to avoid detection, he said.
Alistair Kelman, a lawyer who has defended several people accused of computer-related crime, wondered who could really be trusted to hold encryption keys.
"With their low public image and history of falsely denying that their own systems could be breached, who could trust the banks?" he asked. "And if not the banks, can we put more trust in accountants, or even lawyers?"
Phil Zimmermann, the creator of the PGP (Pretty Good Privacy) encryption software, also made a passionate call for governments to stay out of private telecommunications.
Zimmermann, who spent three years fighting to avoid imprisonment by the U.S. government for creating PGP, said his software is used around the world by people battling against oppressive regimes.
He said PGP has been used in the Balkans by people fearing government oppression, in Central America by those documenting human rights abuses, and is even now being deployed by resistance groups in Burma, who use it to encrypt information in their jungle camps.
"I recently met with some of those people and gave them help with using PGP," Zimmermann said. "In doing that I was committing a federal crime because it is illegal to offer cryptographic advice to foreign nationals."
Further condemnation of the government proposals (both US and UK) came from the commercial world.
Carl Ellison of Cybercash said a global Public Key Infrastructure would be technically inadequate to prevent two people with the same name being mistaken for each other, and would do nothing to reduce fraud. He also disliked the power it gave governments over individuals.
"Any mechanism that gives government access works against the citizen's right to attempt to keep a secret," said Ellison. "What we have to ask is whether it is right for the government to have unrestricted covert access, and is it anti-social to have a private conversation?"
In the meantime, it looks as if there will be little progress in getting global agreement on how to manage encryption.
John Dryden, an official with the Organization for Economic Cooperation and Development, said that although the OECD produced guidelines in March, it would be premature to expect any concrete proposals soon.