lambda 4.02
July 4, 1998
SEARCH
lambda archives
CONTENTS
HOW FRANCE PUT MANDATORY KEY ESCROW AT WORK
-The French law about encryption has been implemented last
March, but the "liberalization" announced has been smooth regarding
privacy
-A mirror FTP server hosted in France has been obliged to stop delivering
PGP freeware, even if the first motive was to use PGP as an efficient authentification
tool, available freely everywhere in Europe.
-Crypto-tourism: the GILC released its 80-nations study
about encryption and the law
-The search for crypto heavens: How Network Associates's PGP sidestepped
US export rules, legally
-How the US is trying to impose key recovery among NAFTA countries
-Serious threats to freedom of encryption use in Canada
SHORT-CIRCUITS
-MEXICO WANTS INTERNET-FREE ZAPATISTAS
-FILTER FANATICS UPDATE (Lambda 4.01) - ACLU on filters and the US Constitution;
Cyberpatrol quarantines DejaNews;
The story goes that France has liberalized its over-regulated encryption policy. But the Technology University of Compiegne (UTC), an engineering private school located in the North of Paris, has learned by mistake that the story seems to be wrong. Again.
The French government has indeed published last February and March long-awaited final decrees and technical rules that enforce a 1996 law that was aimed to give more freedom and less bureaucracy to allow French citizens to encrypt their private communications. According to the last law (implemented in 1993), using strong crypto software was impossible without an improbable government-backed "prior authorization", that used to be given to soft-only crypto software.
Thus UTC staff in the networking department thought it was safe to open a mirror FTP site of pgp.net, an open downloading center for the freeware version of Pretty Good Privacy. Ironically, the first motive was to provide French system operators PGP as an efficient authentification tool, that is available freely everywhere in Europe. Indeed, the French new crypto policy states that signatures-enabling crypto products are now totally free to use, while the furniture of such products is submitted to a "simplified declaration". Of course, Lambda fans know that PGP is the bete noire of French security officials not because its signatures' capabilities...
Thus on April 27, the UTC staff informed Pgp.net administrators that they had to stop mirroring ftp.pgp.net in France, after a mere 6 weeks of life. The email reads:
The networking director of the Compiegne engineering school did not want to explain us in details the whole story, but acknowledged that the first intention was to provide authentification software. The law may have changed, but the motives stay the same : in 1995 the Conservatoire des arts et métiers (CNAM), an 200 years old public education institution, formulated the same demand to the SCSSI : using PGP to authentify communications, essentially inside the CNAM's private LAN. The SCSSI answer was 'no', because of the fact that dual-option capabilities of PGP makes the software a strong-crypto menace.
MANDATORY KEY ESCROW AT WORK
With these particular examples, it's quite difficult to explain the real improvements of the new French policy. Oh yes, as this bulletin reports for a while, it officially endorses the world's first 'key escrow' scheme (known in the law as the "séquestre de clés") to allow wiretaps to go along. And it's definitely not an improvement.
The key escrow rule, for instance, has become de facto mandatory. Because if you don't want to give your private key to a Trusted Third Party (TTP) -- that have to be approved by the French government --, you always need a "prior authorization" to use anything that encrypt data up to a 40 bits key length. In brief: if you don't put your key in custody, you need an improbable green-light in order to protect your privacy.
A user-friendly document and nice table published by the French government speaks for itself (see also the Lambda web version).
Synthèse du nouveau cadre législatif et réglementaire | ||||
Motives |
Functions | |||
Authentification, signature, integrity,... |
Confidentiality | |||
<= 40 bits |
> 40 bits | |||
With Key Recovery |
Without Key Recovery | |||
use |
FREE |
FREE |
FREE |
Need a prior authorization |
furniture |
Need a simplified declaration |
Need a declaration |
Need a prior authorization |
Need a prior authorization |
importation |
FREE |
FREE |
Need a prior authorization |
Need a prior authorization |
exportation |
FREE |
Need a prior authorization |
Need a prior authorization |
Need a prior authorization |
This document -- that clearly reads what is like a mandatory key escrow policy -- will help to amend the last world crypto survey released in February by the Global Internet Liberty Campaign (GILC).
In this survey, where around 200 countries were asked to describe their policy regarding encryption systems (a total of 80 nations are listed), countries were rated with Green, Yellow or Red categories, indicating how restrictive their policies toward encryption are. While a handful of countries fall in the "Red" section (Belarus, China, Israel, Pakistan, Russia and Singapore), France got a "Yellow/Red" one, along with the United States, India and South Korea.
The GILC report notes the "surprising" policies of the United States, because "virtually all of the other democratic, industrial nations have few if any controls on the use of cryptography."
Well, it's time to add a new pictogram into the survey, which would reads for "Mandatory Key Escrow Policy", which would be well suited for France.
OTHER COMMENTS ON THE NEW FRENCH POLICY
"Today it's more easy to get a 357 Magnum than a serious encryption software", resumes Patrick Forsans, president of the pro-crypto group CITADEL, affiliated to the Electronic Frontiers Foundation. Forsans argues that this policy risks to complicate the spread of public key cryptography in France, because "if you encrypt the message with your addressee's public key, you'll need his private key to decrypt the message. It is clear that a foreigner will not put his private key in custody in france!".
Sources said it's not impossible that the government will try to approve systems that can oblige a French user to encrypt the message with his proper public key also; so the police could read any message sent oversees because the French user's private key is in the TTP's hands. There is also the idea of a "session key", attached to any particular message, that could eventually decrypt the message without asking the addressee's private key.
According to Valérie Sédallian, a French lawyer for the cyber-rights group IRIS,
Ironically, one of the decree published in March states that for every private key a TTP has to give to the wiretapping authority, it will cost a fixed price of FFr 400 - a mere $62 -, paid of course by the French taxpayer (for comparison, there has been a total of 14700 legal phone wiretaps made in France last year).
PGP INC. AND THE SEARCH FOR CRYPTO HEAVENSOne of the curiosities of the GILC survey is Campeone d'Italia, "a small Italian enclave on the shores of Lake Lugano", "totally surrounded by Switzerland". "Although technically part of Italy, it's close affiliation with Switzerland, a non-member of the European Union, has made it a virtual "neutral zone" from European laws, including those dealing with taxation. A company developing encryption in this feudal anomaly would face little or no export restrictions because Campione's border with Switzerland is open (there is also unrestricted access to Liechtenstein) and Swiss laws do not apply in the enclave. There is full Internet access via the modern Swiss PTT network. Because Campione has attracted numerous companies and banks, Italy prefers not to apply its laws to the territory." Switzerland stays in itself a nice crypto heaven, and it helped Network Associates Inc. (NAI) to export its PGP Inc. products in Europe, despite the US export restrictions. NAI, formed after a merger between McAffee and Network General, brought Phil Zimmermann's PGP Inc. business last year. NAI first created a Dutch affiliate, PGP International, based in Amsterdam. But because strict US export rules, NAI is forbidden to provide directly outside the US any strong crypto solutions. In order to sidestep these rules, the trick was to call CnLab Software, a Swiss security company. Said Paul Schoebi, CnLab's managing director, in an interview with the Lambda bulletin: "The [PGP source] code has been exported from the U.S. in printed and publicly available books. Subsequently it has been scanned outside the U.S., configured for the needs of NAI and recompiled. Switzerland has a comparatively liberal policy with respect to the export of security products. This is part of the reason why different security companies have been founded in Switzerland. Doing it in a NAI company would no be acceptable to the U.S. officials. So the code construction has to be done in a non-NAI organization." In a legal document, NAI states that, "The U.S. Export Administration Regulations (EAR), which govern the export of encryption software from the United States, explicitly state: "A printed book or other printed material setting forth encryption source code is not itself subject to the EAR...."" |
CRYPTO BRIEFSThe Electronic Privacy Informaton Center will soon
publish a Treasury Department document that reveals new US attempts to force
its economic allies to adopt strict controls on cryptography. The documents
have been obtained after a Freedom of Information Act request. The Paris-based
Intelligence Newsletter says these pressures were made on NAFTA members,
Mexico and Canada. The North American Trade Automation Prototype (NATAP),
aimed at harmonizing customs rules among its three members, elaborated Trade
Software Packages in which key recovery facilities are implemented. The
Treasury memo apparently considers the NATAP as an ideal Information Recovery
Center, into which Canadian and Mexican businesses would be pressured to
put their private encryption keys in custody. - Ironically, the Canadian government released in February a document that listed possible scenarios for government regulation of cryptographic hardware and software. In response, Electronic Frontiers Canada reported in April that "fourteen of Canada's leading cryptographers have signed letters opposing government regulation of cryptography." EFC says, "The Industry Canada report suggests that, in deference to law enforcement and national security concerns, one policy option might be to ban cryptographic products that do not allow the government to listen in." -Reference EFC - The Economic Strategy Institute, a think-tank, said in a report that "The U.S. economy could suffer a loss of at least $35 billion over the next five years if the government realizes its plans for restrictions on data-scrambling technology", reported the San Jose Mercury News. "Urging the government to abandon its current policies on encryption, [ESI] calculated billions in losses to the software industry and the national economy at large. That bolsters the high-tech industry's case in the running, five-year battle with the government over technology used to scramble the transmission and storage of digital data on everything from the telephone system to the Internet." -Source: SJMN, 04-1-1998. |
An action alert released on April 28 by two Canada-based organisations, the World Association of Community Radio Broadcasters and the (AMARC), and the International Freedom Of Expression Exchange (IFEX), said "the Mexican government is looking for a way to prevent the Zapatista National Liberation Army (Zapatistas or EZLN) from circulating its point of view via the Internet".
The main source is PULSAR, a community radio network in Latin American, which reported that "many Mexican authorities believe that the constant stream of foreigners who have been arriving in the state of Chiapas, where the uprising took place, is due to the information posted by the EZLN over the Internet and updated daily". Even if President Ernesto Zedillo's government also began, at the end of 1996, to use the Internet and to disseminate information about the conflict with the EZLN in Chiapas. The government has used the web pages of the Ministry of the Interior and Notimex, the state news agency, to post their point of view regarding the conflict in Chiapas.
According to Pulsar, the government is now looking for any regulation or law which could stop the Zapatistas from using Internet technology. The Zapatistas have stated that they will not allow their freedom of expression through the Internet to be taken away.
Silly idea, that is, because the main propaganda posted on the Net by "Sub" Marcos folks are hosted in the United States or abroad,
- A new ACLU report considers mandatory blocking software in public libraries as "inappropriate and unconstitutional". The report, called "Censorship in a Box: Why Blocking Software is Wrong for Public Libraries", "continues a line of argument the ACLU first made in a well-received 1997 report and furthers its critique of industry plans to adopt blocking mechanisms and expand them to libraries and schools. The report comes as more and more librarians are being pressured to install the software on library terminals to prevent minors from accessing objectionable materials."
The report also criticized a plan in the Senate to condition Internet funding for schools on the use of blocking software (The "Internet School Filtering Act").
Filtering inaccuracies were already reported in a document last year, called "Is Cyberspace burning?".
- The Censorware Project, an organization which battles the use of blocking software by public institutions including schools and libraries, announced in April that it has learned that federal courts are using the WebSENSE censorware product, at least in the Eighth, Ninth and Tenth judicial circuits (covering twenty-two states and Guam). WebSENSE was installed by the Administrative Office of the Courts, apparently without the knowledge or consent of the judges themselves.
The same organisation already reported in February that the Cyberpatrol software blocks DejaNews, an important research resource. Susan Getgood, the company's director of marketing for CyberPatrol, recently announced that the product would continue to blacklist Deja News due to the occurrence of sexual speech on Usenet, even if Deja News does not permit the downloading of Usenet graphics.