Transcript Semantic Consistency in Information Exchange

CS 99
Cryptography and Public Policy
John C. Mitchell
Stanford University
Controversy
Can multiplication be a crime?
What about exponentiation?
Can this really be?
Legal
• Mary had a little lamb.
Illegal
• Ary-may ad-pay an ittle-pay amb-lay.
Government interest
Cryptography important in war and espionage
• Army analysts succeeded in breaking and the code
systems used by the Imperial Japanese Army,
producing intelligence which many believe
shortened the war in the Pacific.
• Work begun by the Polish and continued by the
British … decoded German military communications
encrypted with the Enigma cipher machines. The
intelligence produced by this effort … shortened
the war in Europe. [Federation of American Scientists]
Wiretapping traditional in law enforcement
Individual and business privacy
US
• No explicit constitutional right to privacy.
– First Amendment: Freedom of speech.
– Fourth: Freedom from unreasonable search and seizure.
Europe
• Stronger privacy policies and laws
Japan
• Less open use of cryptography
Echelon
Wired News Report 5:20 p.m. 3.Jun.99.PDT
 Australia recently became the first nation to admit it
participates in Echelon, a previously secret global surveillance
network capable of intercepting electronic communications
anywhere in the world.
 Echelon is said to be principally operated by the United States
National Security Agency and its UK equivalent, the Government
Communication Headquarters. In addition to Australia, the
system relies on cooperation with other signals-intelligence
agencies in Canada and New Zealand.
 Campbell had been asked to investigate the system in the wake
of charges made last year in the European Parliament that
Echelon was being used to funnel European government and
industry secrets into US hands.
Read for yourself and form your own opinion.
German reaction
Germany Endorses Strong Crypto Wired News Report
5:20 p.m. 3.Jun.99.PDT
In an apparent response to corporate spying allegedly
conducted in Europe by the United States, Germany is
encouraging citizens and businesses to use strong
cryptography ...
On the other hand …
[Wired]
Japan: More Crime, Less Privacy
3:00 a.m. 2.Jun.99.PDT
TOKYO -- Privacy issues have taken center stage as
Japan prepares to enact legislation allowing the
police to eavesdrop on phone calls, intercept fax
and computer transmissions, and read email.
The draconian measures are ostensibly intended to
help law enforcement halt premeditated murders,
trafficking in drugs and guns, and smuggling of
illegal aliens into Japan.
At least that's what a bill cobbled together by the
country's coalition government says. …
More stories, see http://www.privacy.org/
Basic conflicts
Governments
• Intelligence and law enforcement interests
Individuals
• Preserve privacy
• Control access to information
Companies
• Preserve intellectual property, business practices
US Policy on Cryptography
History
• Cryptography was province of NSA
• Government slow to adapt to public use of crypto
Examples
•
•
•
•
RSA conference presentation
Shamir letter (hand out!)
PGP
Bernstein Lawsuit
Rivest, Shamir, Adelman
(1977)
Rivest scheduled to present paper at FOCS
IEEE received letter from “J.A. Meyer”
• Warned that since foreign nationals present,
violation of US Int’l Traffic in Arms Regulation.
Science journalist: Meyer worked for NSA
NSA denied any connection with the letter
RSA went ahead with publication, talk
… subsequent inventors subject to secrecy orders
Feige, Fiat and Shamir
Israeli authors submitted paper to conference
Weizmann Institute filed for US patent
US secrecy order, sent to Shamir in Israel:
• If subject matter has been revealed to any person,
principals must inform that person of secrecy order
• If subject matter disclosed to person in foreign
country or foreign national, principals must not
inform that person of secrecy order.
Shamir also notes that key ideas were presented
to 4000+ researchers at previous conferences and
asks anyone with documentation to destroy it!
Phil Zimmermann, PGP
PGP author hounded by Federal officials
1993: informed that Grand Jury in San Jose
investigating charges of exporting PGP
1994: on return to US, detained in Customs,
• luggage searched, interrogated about itinerary,
public speaking, prior trips -- without counsel
• Customs Service promised to subject him to the
same hassle upon every re-entry into the US
Investigation dropped in 1996
Bernstein Case
Daniel J. Bernstein
• Then Berkeley Ph.D. student in Mathematics
• Wrote an encryption program
• Wanted to post on Internet for discussion and
scrutiny
• Asked State Department. Reply:
– need license as arms dealer to post algorithm
– if he applied for a license, request would be denied
Bernstein
cont’d
EFF-sponsored case
• Bernstein sued
– Commerce Department, other agencies
• Claimed export control laws
– restrain constitutionally protected speech
– overly broad to serve protect national security
• Case was filed in federal district court
– Following three favorable rulings, the case went before
the 9th Circuit Court of Appeals on December 8, 1997
Court rulings
Bernstein I, April 15, 1996:
• source code is speech protected by First Amend
Bernstein II, December 6, 1996:
• export control laws on encryption are
unconstitutional prior restraint on speech
Bernstein III, August 25, 1997:
• restrictions on publication are unconstitutional
prior restraint on speech even as written under the
new Commerce Department regulations
Appeals Court
(starting Dec, 1997)
Determine whether export control laws and
regulations violate the First Amendment
May 6, 1999: District Court upheld 2-1
Export restrictions against encryption are an
unconstitutional prior restraint of free
expression, impermissible under the First
Amendment
The Wassenaar Arrangement
Wassenaar Arrangement signed 1995
• Involves 33 countries
Objective of the Arrangement
• Prevent accumulation of military capabilities that
threaten regional and int’l security and stability
Controls export of cryptographic products
• Classified as dual-use goods having civilian and
military applications
Wassenaar in more detail
 In July 1996, after two years of negotiations, 33 countries
approved guidelines and procedures for the Wassenaar
Arrangement on Export Controls for Conventional Arms and
Dual-Use Goods and Technologies.
 Wassenaar Arrangement members seek to coordinate export
controls on conventional arms as well as "dual-use" advanced
materials and technology -- those that have both military and
civilian applications.
 The aim of the group is to prevent advanced arms and
technology from going to pariah states like Iraq, Libya, and
North Korea and to regions of instability like South Asia.
 Clinton administration officials have characterized [it] as a work
in progress that should, over time, become as effective and
reliable as any of the other non-proliferation regimes.
Wassenaar continues ...
 Cryptography experts meeting in Vienna in Sept 1998
 Plenary session in Dec 1998
 Results
• Additional controls over export of cryptography introduced into
Wassenaar Arrangement.
• This has been widely condemned and has lead to the
establishment of cryptography mirror sites around the world.
• In 1999 there is likely to be pressure within Wassenaar to
control intangible exports.
See ACM Computers, Freedom and Privacy
Canadian Wassenaar Policy
In compliance with the current version of the Wassenaar
Arrangement, Canadian government prohibits export of strong
encryption products. As a result, Canadian high-tech companies
like Entrust, Certicom, Timestep, and KyberPASS are prevented
from selling to foreign customers hardware and software
products that offer the best level of privacy and security.
A provision known as the 'General Software Note', however,
specifies that "public domain" software can be freely exported.
"Paradoxically, our government enforces a policy that says we
can't sell the fruit of our labours, but on the other hand, we can
give it away for free”.
French Policy
France has restricted domestic use and
supply of cryptography
• authorization and declaration required for almost
all cryptography
Slightly liberalized in 1996
• law mandating key deposits with Trusted Third
Parties
Domestic use of crypto liberalized in Jan 1999
US Export Policy
Weak cryptography exportable
Strong cryptography not exportable
Software havoc
Other issues:
• Clipper and key escrow debates, ...