bulletin lambda 3.02
Private Communications Under International Scrutiny:
1. Wiretaps: A global pact for universal wiretapping gains ground in Europe, with support of the U.S. and other industrialized nations
2. Key escrow encryption: The OECD says no, individual countries endorse it
Short-Circuits:
Social security data causes privacy concerns in U.S., France
The British watchdog group Statewatch revealed confidential documents from the European Union's intergovernmental meetings that show a global wiretapping system is under way among Europe, the United States and other industrialized countries.
Legally speaking, the resolution and memorandum agreed among the EU's 15 countries have not yet been accepted by national parliaments, so they have no value except as a clear and profound indication of political will.
See the full report, archived on the lambda's server thanks to Statewatch.
Tony Bunyan, the director of Statewatch, published a communique at the end of February explaining the basic purposes of the wiretap plan:
-- fwd message --
"The Council of the European Union and the FBI in Washington, USA have been cooperating for the past five years on a plan to introduce a global telecommunications tapping system. The system takes advantage of the liberalisation of telecommunications -- where private companies are taking over from national telephone systems -- and the replacement of land/sea based lines and microwave towers by satellite communications. Telephone lines are now partly land-based or under sea or via microwave land-based towers but the new generation of telecommunications will be totally satellite-based."
The EU-FBI initiative notes the demise of:
A related disclosure in a book by Nicky Hager shows that instead of "suspects" and "targets" the ECHELON system simply trawls the airwaves for "subversive thoughts" in written form and increasingly in verbal form.
ECHELON is run under the 1948 UKUSA agreement by the US, UK, Canada, New Zealand and Australia."
-- end of fwd message --
The Paris-based Organization for Economic Cooperation and Development released on March 27 its "Guidelines For Cryptography Policy," after more than a year of intense talks between officials from the 29 governments.
Yet there was one pleasant surprise: the guidelines do not explicitly urge governments to establish "key escrow" encryption schemes, although individual countries will be able to act according to their own wishes, for "national security" purposes.
According to the Washington, DC-based Electronic Privacy Information Center, among the eight basic principles adopted by the OECD, one is the rejection of key escrow encryption (see point 6, "Lawful Access"). "The U.S. sought endorsement for government access to private keys. Initial drafts of the guidelines included this recommendation. The final draft does not. OECD countries rejected this approach," said EPIC. The good point is an "endorsement of voluntary, market-driven development of crypto products. The OECD emphasized open, competitive markets to promote trade and commerce in new cryptographic methods."
However, the United States, France and Britain have taken steps to pursue key escrow schemes -- but northern Europe isn't signing on.
USA: From EPIC Alert 4.05:
Resources:
http://www.epic.org/crypto/
http://www.cpsr.org/cpsr/nii/cyber-rights/web/crypto_amer.html
France: A decree that will clearly establish the next trusted third-party scheme for business and individuals has not yet been released by the government. Draft proposals (see lambda 3.01) mentioned certain "national" preferences for future TTP agencies. These proposals have divided government officials (such preferences may be an obstacle to common-market principles covering the free flow of capital and workers in the European Union). And the OECD clearly states (see point 8, "International Cooperation") that:
Britain: The U.K.'s Department of Trade and Industry released its proposal last month on licensing encryption services. According to Ross Anderson, the famed Cambridge University-based cryptographer: "Their effect will be to ban PGP and much more besides," because licensing will be mandatory. An excerpt of the draft regulations says:
Anderson commented: "The licence conditions imply that only large organisations will be able to get licences: small organisations will have to use large ones to manage their keys (this was the policy outlined last June by a DTI spokesman).
The main licence condition is of course that keys must be escrowed, and delivered on demand to a central repository within one hour. The mere delivery of decrypted plaintext is not acceptable except perhaps from TTPs overseas under international agreements."
The DTI report: http://www.cl.cam.ac.uk/users/rja14/dti.html
Other resources: http://www.cpsr.org/cpsr/nii/cyber-rights/web/crypto_brit.html
Scandinavia: Despite these measures, the Nordic countries (Denmark, Finland, Norway and Sweden) meanwhile released user-friendly plans to offer a secure and non-escrowed electronic mail system, called the Nordic Post Security Service. Every Scandinavian citizen will soon be offered the possibility of opening an e-mail account using smart card technology that allows for digital signatures and strong encryption with keys of up to 1024 bits, a high level of security. The private key will be embedded on the card, and no TTP system is planned.
The Internet site of the U.S. Social Security Administration was closed due to privacy concerns, in that it supplied information about an individual's personal income and retirement benefits, the Washington Post reported April 10. Abstracts from the Edupage press review:
In France, the government adopted on April 2 a draft law that extends the use of social security numbers, known as NIR, to tax authorities (the French equivalent to the U.S.'s Internal Revenue Service). The NIR is one of the most sensitive pieces of social data in Europe, since it classifies individuals according to their place of birth and is linked to all social benefits files. Earlier attempts in the 1970s to extend the NIR to other parts of the government had failed. Officially, the government passed these measures to fight fraud among households receiving social benefits (minimum salary, housing aid, family pensions, etc.). The national data privacy commission, the CNIL, along with the League for Human Rights, expressed great concern about the plan, which, if implemented by parliament, could especially harm low-income people.