bulletin lambda 3.01

19 March 1997


Your Customs Officer Is Watching You
CDA countdown: The Supreme Court Has Some Clues on Knocking Down the CDA
Crypto update: France and the OECD


New in Cyberspace:
The Frontiers Are Back!

YOUR CUSTOMS OFFICER IS WATCHING YOU



On March 6, the French security agency SCSSI gave its approval to a secured payment protocol called C-SET, or Chip-Secured Electronic Transaction. After one look at this European version of the US SET standard, which will be completed this year, one might ask: "Why bother?" Your customs officer might well reply: "For me!"

C-SET re-draws the borders of the real world in cyberspace -- where national boundaries were supposed to have been given up forever. Moreover, the system could easily be used to escrow private communications, because encrypted messages will be transmitted to a third party so that police can have lawful access to their secret key.

The Intelligence Newsletter (http://www.indigo-net.com/intel.html) first reported in its Feb. 26 edition that C-SET could be used as a national shield for controlling money transfers, and thus be used as an intermediary between the law enforcement agencies, the vendor and the buyer. French security officials agreed to accept C-SET because it is compatible with future trusted third-party systems, dedicated to assuring national governments that all encrypted communications will be key-escrowed.

"The French Finance Ministry has not yet decided to apply taxes and duties for online transactions, but C-SET is the adequate system to do that", says Claude Meggle, director of security at the French Groupement des Cartes Bancaires (a consortium of 200 French banks), the main architect of C-SET. "It is a way for national states to keep their sovereignty, without hindering international commerce".

In France and other European countries, credit cards are so-called "smart cards." Embedded with a microchip, a smart card is a more secure way to authenticate -- and identify -- the buyer than a hand-written signature. The GCB was not fully satisfied by the SET standard, which "provides only software security as it doesn't include a smart card," the Intelligence Review reported. "As a result, the 'certificate' which enables a customer to be identified when making an electronic purchase is stored on his hard disk. This exposes it to all types of attack, and makes the system less than 'portable' -- the certificate is linked to the computer and not the person. The C-SET is exactly the opposite," the newsletter added.

Hardware is needed to use C-SET: a PIN pad manufactured by state-owned Bull's smart card division CP8 will be sold for less than 500 FF (US$100), Meggle told lambda bulletin. When users are connected to a virtual mall, they will have to type their four-digit secret code (as they do today with bank cards), and the transaction will be transferred to a remote server owned by the bank. This go-between server will thus be located in the country where the user holds his or her bank account, and the same bank plays the role of a TTP. The user's privacy and anonymity will be protected, but only from the merchant's point of view.

Banks-turned-TTPs will have to keep records of all transactional data for law-enforcement purposes. Recently, officials at the main money laundering agencies of industrialised countries met to discuss the problems caused by the Internet. C-SET could be one way to keep money transfers under the close eye of the law. The European Commission agreed to the system being tested as a possible future standard, and all major European countries have plans to test it in the near future (from Germany to Belgium, the UK, Spain, etc.).

It is no surprise that the SCSSI, one of the most conservative cryptography agencies in the world -- which regards the US technology lead in encryption as a national threat -- first refused to allow C-SET to encrypt part of the transaction. TTP compatibility was seen as a necessary condition for approval. Meggle said the encrypted material uses a DES-based 56-bit key, while an RSA public-key system (1024-bit keys) is used for transmission.

As Meggle acknowledged, this PIN-pad based identification system could also be used as a way to identify users who send encrypted messages in private communications. The TTPs will have to keep a record of connections -- as all banks do today to officially fight fraud -- and hand over a user's private key to police authorities if called upon to do so.
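The escrow arrangement sketched in the last two paragraphs (a 56-bit DES session key, RSA key transport, a bank-operated TTP able to produce the key for the authorities) is easier to reason about with a small model. The Python below is an added example written for this bulletin; it is not C-SET's protocol, nor code from Cartes Bancaires or Bull, and every name in it (rsa_keypair, wrap_session_key, recover_session_key, run_exchange, the fixed Mersenne-prime keys) is an assumption made here for illustration. It uses textbook RSA without padding, which is fine for showing the structure and nothing else. The point it makes is the one a privacy reviewer cares about: once the same session key is wrapped a second time for the TTP, the TTP can read the traffic without the recipient's cooperation, and the only difference between the escrowed and non-escrowed exchange is one extra field in the key-transport header.

```python
"""Toy model of a key-escrow arrangement like the one the bulletin describes:
a 56-bit session key (stand-in for the DES key) is transported under RSA to
the recipient and, in the escrowed variant, also to the bank-operated TTP.
Textbook RSA over fixed Mersenne primes, no padding; all parameters are
constructed for illustration and this is not C-SET's actual protocol."""
import secrets


def rsa_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p and q. Toy key sizes, no padding."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def new_session_key():
    """Fresh 56-bit key, the effective DES key length the article quotes."""
    return secrets.randbits(56)


def wrap_session_key(key, recipient_pub, escrow_pub=None):
    """Build the key-transport header. With escrow_pub set, the same session
    key is wrapped a second time for the TTP; that extra copy is what makes
    the traffic recoverable without the recipient's cooperation."""
    header = {"for_recipient": rsa_encrypt(recipient_pub, key)}
    if escrow_pub is not None:
        header["for_escrow"] = rsa_encrypt(escrow_pub, key)
    return header


def recover_session_key(header, field, priv):
    """Unwrap one copy of the session key; None if that copy is absent."""
    if field not in header:
        return None
    return rsa_decrypt(priv, header[field])


# Constructed long-term keys (Mersenne primes 2^61-1, 2^89-1, 2^107-1, 2^127-1).
RECIPIENT_PUB, RECIPIENT_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
ESCROW_PUB, ESCROW_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)


def run_exchange(escrowed):
    """One exchange; returns (session key, key seen by recipient, key seen by
    TTP). With escrow all three agree; without it the TTP learns nothing."""
    key = new_session_key()
    header = wrap_session_key(key, RECIPIENT_PUB, ESCROW_PUB if escrowed else None)
    seen_by_recipient = recover_session_key(header, "for_recipient", RECIPIENT_PRIV)
    seen_by_escrow = recover_session_key(header, "for_escrow", ESCROW_PRIV)
    return key, seen_by_recipient, seen_by_escrow


if __name__ == "__main__":
    for flag in (True, False):
        k, r, t = run_exchange(flag)
        print(f"escrowed={flag}: recipient ok={r == k}, TTP recovered={t == k}")
```

Run it as a script and it reports both variants. Note that even without escrow the 56-bit session key is the weak link the article's own figures imply: the RSA wrapping protects the key in transit, but a record of the ciphertext plus a 56-bit key space is a matter of computation, not of law.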


THE SUPREME COURT HAS SOME CLUES ON KNOCKING DOWN THE CDA

Well before the U.S. Supreme Court hears arguments on the constitutionality of the CDA, David Sobel, EPIC's legal counsel, reminded the electronic community that the Court handed down a decisive ruling two years ago. Excerpts from the EPIC Alert 4.04 newsletter follow:


--- begin fwd message ---

To avoid potential criminal liability under the CDA's "indecency" provision, information providers would, in effect, be required to verify the identities and ages of all recipients of material that might be deemed inappropriate for children. If upheld, the statutory regime would thus result in the creation of "registration records" for tens of thousands of Internet sites, containing detailed descriptions of information accessed by particular recipients. These records would be accessible to law enforcement agencies and prosecutors investigating alleged violations of the statute. Such a regime would constitute a gross violation of Americans' rights to access information privately and anonymously.

Two years ago, the Supreme Court upheld the right to anonymous speech in McIntyre v. Ohio Elections Commission. EPIC believes that the Court's rationale in that case applies with even greater force to the Internet "indecency" provisions now under review. The Court noted in McIntyre that:

Whether the millions of individuals visiting sites on the Internet are seeking information on teenage pregnancy, AIDS and other sexually transmitted diseases, classic works of literature or avant-garde poetry, they enjoy a Constitutional right to do so privately and anonymously. The Communications Decency Act seeks to destroy that right. If upheld, the CDA would render the Internet not only the most censored communications medium, but also the most heavily monitored.

"EPIC is confident that upon review of the legislation and its impact upon free speech and privacy rights in emerging electronic media, the Supreme Court will affirm the lower court decision invalidating the CDA as fundamentally at odds with the Constitution."

--- end fwd message ---

EPIC said that following the oral argument, the Reno v. ACLU plaintiffs and lawyers will hold a news conference to offer in-depth analysis and commentary (approximately 11:30 a.m. ET). The event will be cybercast live via RealAudio on the World Wide Web.

Links to the cybercast will be available at:
http://www.epic.org/cda/
http://www.aclu.org/issues/cyber/trial/appeal.html



CRYPTO UPDATE

French officials at the SCSSI and the prime minister's office are worried that aspects of the government's crypto policy may be regarded by the European Commission in Brussels as an obstacle to common market principles. The government's law outlining a TTP key-recovery system, voted by the legislature last summer, has yet to be enacted by ministerial decree. An initial version of the decree (see lambda 2.13) stated that only French employees (of companies majority-owned by French capital) would be allowed to act as a TTP in the country. Whether the law would violate rules concerning the free flow of capital and workers in the European Union is uncertain. However, the French government has something in its favor (for better or for worse) regarding possible anti-competitive practices in this area: the EC is prohibited from making decisions that may overlap with issues of national security.


Meanwhile, the Paris-based OECD is to publish its guidelines on international cryptography procedures (lawful access, conditions for TTP systems, etc.) at the end of March. The report has been approved by both the OECD expert group and the division committee with slight changes in wording, and now needs only the endorsement of the OECD Council of Ministers.



A report by Jerome Thorel
English rewriting by Ken N. Cukier