Crypto Wars

What is it?

For several decades, individuals and organizations concerned with protecting their personal privacy and corporate secrets have been engaged in a heated battle with government officials to gain the right to freely employ encryption techniques and technologies to safeguard their information.

Executive Summary

In May 2005 the FIPR declared[1] that the crypto wars are finally over - and we've won! However, this now seems to have been premature, as on 10 May 2006 Liam Byrne, Home Office minister of state, promised Parliament that he will turn on Part 3 of the Regulation of Investigatory Powers Act after a consultation.

The crypto wars started in the 1970s when the US government started treating cryptographic algorithms and software as munitions and interfering with university research in cryptography. In the early 1990s, the Clinton administration tried to get industry to adopt the Clipper chip - an encryption chip for which the government had a back-door key. When this failed, they tried to introduce key escrow - a policy that all encryption systems should leave a spare key with a "trusted third party" that would hand the key over to the FBI on demand. They tried to crack down on encryption products that did not contain key escrow. When software developer Phil Zimmermann developed PGP, a free mass-market encryption product for emails and files, the US government even started to prosecute him, because someone had exported his software from the USA without government permission.

In its dying days, John Major's Conservative Government proposed draconian controls in the UK too. Any provider of encryption services would have to be licensed and encryption keys would have to be placed in escrow just in case the Government wanted to read your email. New Labour opposed crypto controls in opposition, which got them a lot of support from the IT and civil liberties communities. They changed their minds, though, after they came to power in May 1997 and the US government lobbied them.

However, encryption was rapidly becoming an important technology for commercial use of the Internet - and the new industry was deeply opposed to any bureaucracy which prevented them from innovating and imposed unnecessary costs. So was the banking industry, which worried about threats to payment systems from corrupt officials. In 1998, the Foundation for Information Policy Research was established by cryptographers, lawyers, academics and civil liberty groups, with industry support, and helped campaign for digital freedoms.

The crypto wars ended in the USA when Al Gore, the most outspoken advocate of key escrow, was found by the US Supreme Court to have lost the presidential election of 2000.

In the autumn of 1999, Tony Blair finally conceded that controls would be counter-productive. But the intelligence agencies remained nervous about his decision, and in the May 2000 Electronic Communications Act the Home Office left in a vestigial power to create a registration regime for encryption services. That power was subject to a five year "sunset clause", whose clock finally ran out on 25th May 2005.

PGP

Phil Zimmermann made any attempt to control the spread of encryption technology moot by successfully distributing a free, easy-to-use public key encryption program around the world. Without the release of that code, the software environment as we see it today might have been quite different.

Several lawyers volunteered their services to Phil when the US government made him the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world. Many people around the world helped in this case, especially all the donors to the defence fund. The government dropped its case when they realised the methods used to distribute the code were protected on free speech grounds.

RIP

The Regulation of Investigatory Powers Act 2000 is a UK law whose most controversial section was Part III, which might require persons to supply a cryptographic key to a duly authorised person, where "duly authorised person" was framed very widely.

FIPR ran a successful campaign to limit the scope of the Regulation of Investigatory Powers Act. Originally this would have allowed the police to obtain, without warrant, a complete history of everyone's web browsing activity (under the rubric of 'communications data'); a FIPR amendment limited this to the identity of the machines involved in a communication, rather than the actual web pages.

In September 2003, Home Secretary David Blunkett announced wide-ranging extensions to the list of those entitled to see information collected under the RIPA. The list now includes job centres, local councils, and the Chief Inspector of Schools. Civil rights and privacy campaigners have dubbed these extensions a "snoopers' charter".

See Regulation of Investigatory Powers Act, where we cover this in far more detail.

Electronic Communications Act 2000

A UK law that clarified that electronic signatures were valid proof under the law and also attempted to regulate the provision of cryptographic services in the UK. The section covering cryptographic services has since been repealed.

Clipper Chip

The Clipper Chip would have included encryption in devices such as telephones and modems, but at the price of storing an escrowed key with the US government, so they could defeat the encryption at any time.

Matt Blaze defeated the encryption on the Clipper Chip, making it useless. There was also a strong economic reason: there was no worldwide market for encryption products with an explicit back door for the U.S. government. The other reason, however, is public opposition. The debate was loud, public, and effective. And a significant part of that debate came about as a result of the public release of PGP, which let the strong cryptography cat out of the bag in an irreversible way.

Michael Froomkin wrote two important papers about Clipper: "Cryptography, the Clipper Chip, and the Constitution" and "Planet Clipper".

ITAR

The US International Traffic in Arms Regulations restricted the export of strong cryptography, slowing its adoption to protect, for example, e-commerce transactions.

The strong demand for secure e-commerce, the failure to prevent the worldwide distribution of PGP, and the fact that the rest of the world continues to develop and, some would say, surpass the USA in encryption caused the downfall of ITAR.

VOIP

Quotes

Ross Anderson "We told government at the time that there was no real conflict between privacy and security. On the encryption issue, time has proved us right. The same applies to many other issues too - so long as lawmakers take the trouble to understand a technology before they regulate it."

Phil Zimmermann "It's nice to see the last remnant of the crypto wars in Great Britain finally laid to rest, and I feel good about our win. Now we must focus on the other erosions of privacy in the post-9/11 world."

Ross Anderson "clever crooks don't use crypto for secrecy. They are aware that the main problem facing law enforcement is not traffic processing, but traffic selection."

Links

Organisations

The Foundation for Information Policy Research is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission and undertake research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe.

The Jericho Forum, whose membership includes many chief security officers from FTSE 100 companies, is pushing for the removal of encryption restrictions.

People

Cryptographer Phil Zimmermann released a freeware encryption program called Pretty Good Privacy. In 2006 he released Zfone, a program designed to prevent electronic eavesdropping of VOIP phone calls.

Ross Anderson, Chair of FIPR and Professor of Security Engineering at Cambridge University

The late Professor Roger Needham, who was a founder and trustee of FIPR, as well as being Pro-Vice-Chancellor of Cambridge University, a lifelong Labour party member and, for the last five years of his life, Managing Director of Microsoft Research Europe, once said: 'Our enemy is not the government of the day - our enemy is ignorance. If ignorance and government happen to be co-located, then we'd better do something about it.'

Matt Blaze

Brian Gladman wrote the paper that was used by the Global Internet Liberty Campaign as the basis for its drive to kill off the Wassenaar restrictions on non-military cryptography. The Wassenaar Arrangement Campaign

Press

2006-05-19 - Spy Blog - RIPA Part 3 - "UK Crypto wars" debate to resume?
Summary: We would advise anyone interested in strong Cryptography to lobby the Minister of State for Policing, Security and Community Safety and Members of Parliament before the Home Office publishes its Draft Code of Practice. There is every danger that the Home Office will seek to "publicly consult" only with "stakeholders" such as the vested interests of the Government, Police and Intelligence Agencies, and to pretend that their views are somehow balanced by the vested commercial interests of large Telecommunications and Internet Service Provider companies.
2005-04-28 - silicon.com - Security bosses seek to dissolve encryption bans
Author: Dan Ilett
Summary: An international security consortium is set to lobby governments around the world to withdraw restrictions on encryption standards. The Jericho Forum, whose membership includes many chief security officers from FTSE 100 companies, will push for the removal of encryption restrictions within the next three-to-five years.

Documents

  • 25 May 2005 The Crypto Wars Are Over!
  • The Electronic Communications Act 2000 received Royal Assent on the 25th May 2000. Part I provides for the Secretary of State to create a Register of Cryptography Support Services. s16(4) reads: "If no order for bringing Part I of this Act into force has been made under subsection (2) by the end of the period of five years beginning with the day on which this Act is passed, that Part shall, by virtue of this subsection, be repealed at the end of that period."
  • [1] RIP Part III

"in an intelligible form" (Richard Clayton)

References

  1. http://www.fipr.org/press/050525crypto.html