bulletin lambda 3.02

April 14, 1997


Private Communications Under International Scrutiny:
1. Wiretaps: A global pact for universal wiretapping gains ground in Europe, with support of the U.S. and other industrialized nations
2. Key escrow encryption: The OECD says no, individual countries endorse it

Short-Circuits:
Social security data causes privacy concerns in U.S., France


Wiretaps

Europe is launching a universal wiretap network


The British watchdog group Statewatch revealed confidential documents from the European Union's intergovernmental meetings that show a global wiretapping system is under way among Europe, the United States and other industrialized countries.

Legally speaking, the resolution and memorandum agreed among the EU's 15 member states have not yet been ratified by national parliaments, so for now they have no legal force, only the value of a clear and profound indication of political will.

See the full report, archived on the lambda's server thanks to Statewatch.

Tony Bunyan, the director of Statewatch, published a communique at the end of February explaining the basic purposes of the wiretap plan:

-- fwd message --

"The Council of the European Union and the FBI in Washington, USA have been cooperating for the past five years on a plan to introduce a global telecommunications tapping system. The system takes advantage of the liberalisation of telecommunications -- where private companies are taking over from national telephone systems -- and the replacement of land/sea based lines and microwave towers by satellite communications. Telephone lines are now partly land-based or under sea or via microwave land-based towers but the new generation of telecommunications will be totally satellite-based."

The EU-FBI initiative notes the demise of:

A related disclosure in a book by Nicky Hager shows that instead of "suspects" and "targets" the ECHELON system simply trawls the airwaves for "subversive thoughts" in written form and increasingly in verbal form.

ECHELON is run under the 1948 UKUSA agreement by the US, UK, Canada, New Zealand and Australia.

-- end of fwd message --


Encryption

OECD tries to prevent privacy abuses on encryption policy


The Paris-based Organization for Economic Cooperation and Development released on March 27 its "Guidelines for Cryptography Policy," after more than a year of intense talks among officials from its 29 member governments.

There was one pleasant surprise: the guidelines do not explicitly urge governments to establish "key escrow" encryption schemes, although individual countries remain free to act according to their own wishes for "national security" purposes.

According to the Washington, DC-based Electronic Privacy Information Center, one of the eight basic principles adopted by the OECD, point 6 ("Lawful Access"), stops short of endorsing key escrow encryption. "The U.S. sought endorsement for government access to private keys. Initial drafts of the guidelines included this recommendation. The final draft does not. OECD countries rejected this approach," said EPIC. Another positive point is the "endorsement of voluntary, market-driven development of crypto products. The OECD emphasized open, competitive markets to promote trade and commerce in new cryptographic methods."

Nonetheless, the United States, France and Britain are pressing ahead with key escrow schemes, while northern Europe is not signing on.

USA: From EPIC Alert 4.05:

"The White House has released a new draft proposal on key escrow encryption to the Congress. The draft (dated March 12) is entitled the 'Electronic Data Security Act of 1997.' The legislation is the latest attempt to push forward the result the Administration sought to achieve with the failed Clipper Chip initiative -- ensuring government access to all encrypted communications through government-escrowed keys."

Resources:
http://www.epic.org/crypto/
http://www.cpsr.org/cpsr/nii/cyber-rights/web/crypto_amer.html

France: The decree that is to establish the trusted third-party (TTP) scheme for businesses and individuals has not yet been issued by the government. The draft proposals (see lambda 3.01) expressed certain "national" preferences for the future TTP agencies, and these have divided government officials, since such preferences may conflict with the common-market principles governing the free flow of capital and workers in the European Union. The OECD is explicit on this point (see point 8, "International Cooperation"):

"In order to promote international trade, governments should avoid developing cryptography policies and practices which create unjustified obstacles to global electronic commerce. Governments should avoid creating unjustified obstacles to international availability of cryptographic methods."

Britain: The U.K.'s Department of Trade and Industry released last month its proposal on licensing encryption services. According to Ross Anderson, the well-known Cambridge University cryptographer: "Their effect will be to ban PGP and much more besides," because licensing will be mandatory. An excerpt from the draft regulations reads:

"We intend that it will be a criminal offence for a body to offer or provide licensable encryption services to the UK public without a valid licence. [...]
Public will be defined to cover any natural or legal person in the UK. [...]
Encryption services is meant to encompass any service, whether provided free or not, which involves any or all of the following cryptographic functionality - key management, key recovery, key certification, key storage, message integrity (through the use of digital signatures), key generation, time stamping, or key revocation services (whether for integrity or confidentiality), which are offered in a manner which allows a client to determine a choice of cryptographic key or allows the client a choice of recipient/s."

Anderson commented: "The licence conditions imply that only large organisations will be able to get licences: small organisations will have to use large ones to manage their keys (this was the policy outlined last June by a DTI spokesman).

The main licence condition is of course that keys must be escrowed, and delivered on demand to a central repository within one hour. The mere delivery of decrypted plaintext is not acceptable except perhaps from TTPs overseas under international agreements."

The DTI report: http://www.cl.cam.ac.uk/users/rja14/dti.html
Other resources: http://www.cpsr.org/cpsr/nii/cyber-rights/web/crypto_brit.html

Scandinavia: In contrast to these measures, the Nordic postal services (Denmark, Finland, Norway and Sweden) have released user-friendly plans for a secure, non-escrowed electronic mail system, the Nordic Post Security Service. Every Nordic citizen will soon be able to open an e-mail account based on a smart card that supports digital signatures and strong encryption with keys of up to 1024 bits, a high level of security. The private key is stored on the card itself, and no TTP system is planned.
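As an added illustration, not code from the bulletin or from any of the schemes it describes, the toy model below contrasts the two designs discussed above: a licensed-TTP scheme in which a copy of the user's private key is deposited with a central repository, as in the DTI licence conditions Anderson describes, and a card-resident private key with no escrow, as in the Nordic plan. The group (a Mersenne prime with generator 3), the HMAC-based stream cipher, the party names and the message text are all constructed assumptions standing in for real primitives.

```python
import hashlib
import hmac
import os

# Constructed toy model; not any government's or vendor's scheme. The group is
# a toy (Mersenne prime 2^521-1 with generator 3) and the stream cipher is
# HMAC-SHA256 in counter mode; they stand in for real public-key and
# symmetric primitives. The escrow trade-off shown is independent of them.
P = 2**521 - 1
G = 3


def keygen():
    """Long-term key pair: private exponent x, public value g^x mod p."""
    x = int.from_bytes(os.urandom(64), "big") % (P - 2) + 1
    return x, pow(G, x, P)


def _keystream(key, nonce, length):
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def _session_key(shared):
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()


def encrypt(public_key, message):
    """Hybrid encryption: an ephemeral DH agreement yields a per-message key."""
    y, _ = keygen()
    ephemeral = pow(G, y, P)
    key = _session_key(pow(public_key, y, P))
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(message, _keystream(key, nonce, len(message))))
    return {"ephemeral": ephemeral, "nonce": nonce, "body": body}


def decrypt(private_key, packet):
    key = _session_key(pow(packet["ephemeral"], private_key, P))
    stream = _keystream(key, packet["nonce"], len(packet["body"]))
    return bytes(a ^ b for a, b in zip(packet["body"], stream))


class SmartCard:
    """Nordic-style model: the private key is generated on the card and never
    leaves it; the card only answers decrypt requests."""

    def __init__(self):
        self._private, self.public_key = keygen()

    def decrypt(self, packet):
        return decrypt(self._private, packet)


class EscrowRepository:
    """Licensed-TTP model: holds copies of users' private keys."""

    def __init__(self):
        self._keys = {}

    def deposit(self, name, private_key):
        self._keys[name] = private_key

    def lawful_access(self, name, packet):
        """Plaintext if the user's key was escrowed, else None."""
        if name not in self._keys:
            return None
        return decrypt(self._keys[name], packet)


class EscrowedUser(SmartCard):
    """Same card, but enrolment deposits a copy of the key with the repository."""

    def __init__(self, repository, name):
        super().__init__()
        repository.deposit(name, self._private)


def demo():
    repo = EscrowRepository()
    alice = EscrowedUser(repo, "alice")  # hypothetical escrowed user
    bjorn = SmartCard()                  # hypothetical non-escrowed user
    text = b"tender offer: 4.2 MDKK"     # constructed sample message
    to_alice = encrypt(alice.public_key, text)
    to_bjorn = encrypt(bjorn.public_key, text)
    return {
        "alice_reads": alice.decrypt(to_alice),
        "repo_reads_alice": repo.lawful_access("alice", to_alice),
        "bjorn_reads": bjorn.decrypt(to_bjorn),
        "repo_reads_bjorn": repo.lawful_access("bjorn", to_bjorn),
    }
```

Because the repository holds Alice's key rather than the plaintext of one message, lawful_access works on every message ever sent to her, past or future, without her card being involved; that is the difference between delivering keys and delivering decrypted plaintext that Anderson points out. For Bjorn nothing was deposited, so the repository returns None and only his card can decrypt.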



Short-Circuits:

Social security data causes privacy concerns in U.S., France

The U.S. Social Security Administration took its Internet site offline over privacy concerns: the site returned an individual's personal earnings and retirement benefit information to anyone who could answer a few identifying questions, the Washington Post reported April 10. Excerpts from the Edupage press review:

"The shut-down followed receipt by the Administration of a harshly critical letter written by a bipartisan group of legislators who said the site's security systems were inadequate. To obtain information, a computer user needed merely to supply a name, address, telephone number, place of birth, Social Security number, and mother's maiden name -- items that are available in many private databases."

In France, the government adopted on April 2 a draft law that extends the use of the social security number, known as the NIR, to the tax authorities (the French equivalent of the U.S. Internal Revenue Service). The NIR is one of the most sensitive pieces of personal data in Europe, since it encodes an individual's place of birth and is linked to all social benefits files. Earlier attempts in the 1970s to extend the NIR to other parts of the government had failed. The government's stated purpose is to fight fraud in social benefits (minimum income, housing aid, family allowances, etc.). The national data privacy commission, the CNIL, together with the League for Human Rights, expressed serious concerns about the plan, which, if passed by parliament, could harm low-income people in particular.


A report by Jerome Thorel
English proof-reader: Ken N. Cukier