-Caveat Lector- from: http://cryptome.org/crypto97-ne.htm <A HREF="http://cryptome.org/crypto97-ne.htm">Cryptology: Law Enforcement & National Security </A> ----- Just a taste. Total file is 191KB. Om K ----- 11 July 1999. Thanks to Nick Ellsmore and Brian Gladman. This document available in original Zip-compressed .DOC format: http://cryptome.org/crypto97-ne.zip (zipped 75K; unzipped .DOC 243K; hardcopy 108 pages). ------------------------------------------------------------------------ [4 July 1999] Cryptology: Law Enforcement & National Security vs. Privacy, Security & The Future of Commerce. Nick Ellsmore [EMAIL PROTECTED] "It is dangerous to be right when the government is wrong." -Voltaire. ------------------------------------------------------------------------ Contents PageAcknowledgments 4 Foreword 5 Introduction - Some words to remember... 8 Part I - A Historical PerspectiveCryptology 10 Arms Control: COCOM and the Wassenaar Arrangement 19 Part II - The Current SituationThe Requirement for Cryptography 28 Export Controls in Australian Domestic Law 29 The Walsh Report 42 Global Surveillance 46 The OECD Proposal 50 Part III - The Application of the LawAmerican and Australian Constitutional Guarantees 53 The United States of America 55 Philip Zimmermann and PGP 55 Karn v Department of State, Karn v Department of Commerce 57 Bernstein v Department of State 59 Australia 61 Part IV - The IssuesThe Push for Law Reform 64 Human & Civil Rights 65 Proposed Amendments to Australian Domestic Legislation 68 Self Incrimination and the Right to Silence 74 Departmental Responsibility for Cryptographic Export Controls 75 The need for 'balance' 76 Transparency of Government 78 The 'export' of software over the Internet 79 Key Escrow 87 Defence or Offence? 89 Our Choice 90 Conclusions & Recommendations 91 Opinions 95 Appendix A: BibliographyAustralian WWW Sources 96 International WWW Sources 98 Australian Other Sources 103 International Other Sources 104 Notes ------------------------------------------------------------------------ Acknowledgments Thanks to Greg Taylor at Electronic Frontiers Australia (EFA), Dan Tebbutt, Brian Gladman at the Global Internet Liberty Campaign (GILC), Martyn Evans MP, Senator Richard Alston, Aldo Borgu, Stephen Anderssen at the Defence Signals Directorate (DSD), contributors who have requested anonymity, and the School of Business Law and Taxation at the University of New South Wales (UNSW), Sydney, Australia. Special thanks to Bruce Gordon at the School of Business Law and Taxation at UNSW for overseeing the construction of this paper and providing guidance in relation to legal issues. ------------------------------------------------------------------------ Foreword By Dr Brian Gladman, Crypto Policy Co-ordinator, Cyber-Rights and Cyber-Liberties (UK). A few centuries ago trade began to develop on a world scale because the human race finally mastered the high seas. But there were no laws governing proper conduct and piracy became commonplace. Stealing other people's goods became widespread and, worse still, many major European powers secretly supported pirates to plunder the ships and the trading routes of other Nations. So State sponsored piracy became commonplace. In time, however, the European powers slowly began to realise that this practice was damaging their own interests by allowing the long term benefits of world trade to be subverted for the short term national gains secured through piracy. These nations hence moved to abandon piracy and agreed to respect the right to own, transport and trade goods on the high seas. The rule of law became established for the benefit of all. Cyberspace is now emerging as a new global trading environment and one where, sadly, the behaviour of Nations mirrors that seen previously. As yet there are no laws governing conduct in cyberspace and as a result State sponsored piracy has again become the norm. The Nations that dominate cyberspace show no respect for the information assets of others, which are stolen without a second thought. Moreover, actions are also taken to ensure that the 'weak' in cyberspace remain weak by denying them any means of protection. But Electronic Commerce on a global scale cannot truly thrive in a cyberspace where information piracy and disrespect for the information assets owned by others are acceptable forms of behaviour. Commerce in cyberspace can only emerge when the major powers abandon sponsored 'information piracy' and agree to respect the rights of all cyberspace users to own and protect their information assets. It seems inevitable that things will move in this direction: eventually 'information piracy' will be outlawed but, if past experience is any indicator it will be the 'biggest bully on the block' - the US now, the UK in days gone by - that will be the last to take this step (and, paradoxically, the biggest beneficiary). So, although export controls on cryptography appear 'on the surface' to be a significant cause of delay in the emergence of the global electronic market, they are, in reality, only a symptom of a deeper malaise. The fundamental need is for the rule of law to be established in cyberspace, including a universal respect for the right to own and trade 'information assets', mirroring the respect now shown for these rights in the physical world. Without such changes, cyberspace - on which the emergence of the global electronic market depends - will never become the dominant trading environment of the 21st century. ------------------------------------------------------------------------ Introduction - Some words to remember... Before reading this paper, it is important to have a general understanding of some of the most important concepts in cryptology. The following is an explanation of the terminology which should be understood before reading the body of the paper: There are two ways to conceal a message. The first, steganography, involves concealing the existence of the message. This could be implemented by the use of invisible ink, or by concealing a secret message in apparently normal text - the message can be made up of every ninth letter. The second concealment method is cryptography, which doesn't conceal the existence of the message, but rather transforms it into unintelligible text which is meaningless to outsiders. Strong cryptography refers to cryptography of 64-bit strength or more, and weak cryptography refers to cryptography of a weaker than 64-bit strength. A code is a set of all the words that will be used in any given message and the words (or numbers) with which to replace them. For example, It's Raining on Wednesday may be code for a given fighter plane to start a bomb run. There is no systematic method for generating or breaking a code - the only way to break a code is to guess correctly or get a copy of the list of codes. A cipher uses a given system for scrambling information. This may take one of two forms: transposition or substitution. A transposition cipher keeps the same letters as the original message but changes their order. For example, PIC LTO CIA SPE is a very simple transposition of "special topic" - reverse the order of the groups of letters to get to the plaintext. A substitution cipher actually changes the letters in the message. The most famous substitution cipher is the Caesar cipher, which is explained in the section on history. While a code operates on entire words or even sentences, ciphers often operate at a smaller level - for example, operating on individual letters. If you communicate using a code, you can only say something if a codeword exists to say it. Using a cipher, you can say anything. The information to be scrambled is the plaintext. The scrambled information is either ciphertext or codetext, depending on the method. The final message sent is a cryptogram. If a message is not enciphered at all, it is cleartext. While cryptography is the encoding of information, cryptanalysis (sometimes also called codebreaking) is the study of breaking codes and ciphers. Together, cryptography and cryptanalysis make up cryptology. ------------------------------------------------------------------------ Part I: A Historical Perspective "It must be that as soon as a culture has reached a certain level, probably measured largely by its literacy, cryptography appears spontaneously - as its parents, language and writing, probably also did. The multiple human needs and desires that demand privacy among two or more people in the midst of social life must inevitably lead to cryptology wherever men thrive and wherever they write. Cultural diffusion seems a less likely explanation for its occurrence in so many areas, many of them distant and isolated." - David Kahn, The Codebreakers Cryptology Cryptology has played a very important part in the history of civilisation as we know it today. From the first uses in Ancient Egypt to the beheading of Mary Queen of Scots and the Enigma codes of WW II, the making and breaking of ciphers and codes has been very influential. The following is a brief history of cryptology - how we got to where we are today. The source of most of this information is David Kahn's 1967 book The Codebreakers, which to date is the most comprehensive and readable book on the underrated history of pre-computer codes and ciphers. * * * The first known use of cryptography is circa 1900 BC, in Egypt. An Egyptian scribe uses unusual hieroglyphic symbols in place of the more ordinary and common ones. This deliberate transformation of the writing is the oldest text known to do so.(1)This use is better described as protocryptography(2), as there was no intention to keep the information secret. In the Old Testament of the Bible, written circa 500-600 BC, a simple substitution cipher known as ATBASH appears in Jeremiah 25:26 and 51:41. In this cipher, the last letter of the Hebrew alphabet replaces the first, and vice versa. In two instances, "Babylon" is replaced with "Sheshach."(3)Once again, however, there is no intention to keep the enciphered words secret, and the use of cryptography is civil in nature. The first military use of encryption occurred around 475 BC, and it was the Spartans who used a device called the "skytale" to implement a transposition cipher for rendering communications between Spartan leaders and their subordinates unreadable to interceptors. The skytale was a staff around which parchment or leather was wrapped, and the message was then written down the length of the staff. When the leather or parchment was unwound from the staff, the letters were unintelligible until wrapped around a staff of the same thickness by the receiver of the message.(4),(5) The skytale is therefore an early example of a transposition cipher. It should be noted, however, that the historical accuracy of the skytale's use as a cryptographic device has been questioned by an article in Cryptologia in late 1998.(6) The first military use of a substitution cipher occurred during Caesar's reign, around 50-60 BC, and was named after him. The Caesar cipher is the simplest of substitution ciphers, and involves replacing each plaintext character with the letter three ahead in the alphabet. The number three was Caesar's choice - any number can be used. The two alphabets were written one above the other: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z D E F G H I J K L M N O P Q R S T U V W X Y Z A B C The plaintext characters (top row) were replaced with the characters on the bottom row. Hence SPECIAL TOPIC would become VSHFLDO WRSLF. Another example of a Caesar cipher is the classic computer HAL in 2001: A Space Odyssey. A single letter shift right turns H-A-L into I-B-M. Looking at such a cipher today, it is hard to believe that it kept anything concealed from anyone - all it takes is about 25 English characters for an able cryptanalyst to reconstruct the plaintext through the use of frequency tables(7) - but in Caesar's day, when few people could read at all, it was good enough.(8) Despite the ease with which a Caesar cipher can be decrypted, it lives on today in the ROT13 encryption program. The ROT13 program uses a Caesar cipher which replaces each letter with the letter 13 ahead (ie "A" with "N" etc.). A rotation of 13 characters is special because with 26 letters in the alphabet, running the encryption program over the ciphertext returns to the plaintext (as "N" becomes "A" etc.). This program is not, however, intended to be used for security!(9) Bruce Schneier, the author of Applied Cryptography, talks of two kinds of encryption - one keeps your kid sister from reading your work, the other stops the NSA. ROT13 is most definitely the former. Written somewhere between 0 and 400AD, the Kama Sutra of Vatsayana lists cryptography as the 44th and 45th of 64 arts men and women should know and practice.(10) The 44th is "the art of understanding writing in cipher, and the writing of words in a peculiar way," and the 45th is "the art of speaking by changing the forms of words." At roughly the same time all around the world, cryptography in its most basic forms was springing up. This was the time when the level of sophistication and competency with language that Kahn referred to as leading to the spontaneous appearance of cryptography had been reached. (11) During the Dark Ages in Europe, writing itself almost disappeared.(12) For this reason, between 500AD and 1400AD, Western cryptography stagnated.(13)When cryptography appeared again, it was at the most basic level. Messages were being sent with words written backwards, or vertically. Dots were substituted for vowels, and foreign alphabets were used.(14) Towards the end of this period, some famous names turned their hands to cryptography. Francis Bacon, (c. 1214-1294) the English philosopher listed five methods of secret writing in his Epistle on the Secret Works of Art and the Nullity of Magic.(15) About 1390, Geoffrey Chaucer also contributed to the history of cryptography by using a substitution cipher of invented symbols in his book The Equatorie of the Planetis. (16) As cryptography began to lean more towards the concealment of information - due to increased military and government use - it began to be considered a black art. The gaining of knowledge from unintelligible text was considered akin to reading entrails or tealeaves.(17) Through all these hundreds of years when cryptography had been progressing, its partner cryptanalysis had not yet been developed. Cryptology, as the combination of cryptography and cryptanalysis, was born among the Arabs. The role of cryptology in history is generally not well understood, and is easily understated. It is not widely known that the beheading of Mary, Queen of Scots, was a direct result of the cryptanalysis and decipherment of secret messages sent between Mary and her conspirators in France. The messages were intercepted and read by Thomas Phelippes, Queen Elizabeth's cryptographer.(18),(19) The title "father of western cryptology" is given to Leon Battista Alberti, an artist-scholar, who in the late fifteenth century became the first cryptologist to use a polyalphabetic substitution cipher(20) - a cipher that uses more than one alphabet for substitutions, and hence defeats the common methods of decrypting substitution ciphers, such as the Caesar cipher. In Alberti's polyalphabetic cipher, the alphabet used for encipherment is changed every few words. Alberti also took the step of using a code and a cipher, and enciphering the code words.(21) This depth of encryption made Alberti's cipher unbreakable during the Renaissance. In fact, this class of cipher was not broken until the 1800s.(22)However, they were not often used as they took much time and effort, and a single error in decryption rendered the rest of the message unrecoverable. This was the danger with polyalphabetic encipherment. Alberti's encryption was not entirely academic, however - it was used by the Union army during the American Civil War.(23) In 1518, Johannes Trithemius took Alberti's cipher one step further and changed the alphabet used for encryption after every letter.(24) The first systems of cryptography using "keys" appeared around 1553. This key system, although infinitely more complex, remains the basis of encryption today. The greatest single leap in the creation of military ciphers was the invention of the telegraph, and later that of the radio.(25) "During the eighteenth and nineteenth centuries, cryptology became an almost universal practice, and non-secret codes came into existence for the use of merchants, bankers and businessmen as the use of Morse telegraphy became vital to expanding business as well as diplomatic operations." (26) During the nineteenth century, those governments that had previously used codes made the transition to ciphers. Once there was the capability of virtually instantaneous communication, foreign armies were employing machines to try to cope with the flood of encrypted messages.(27) "During the period 1914-1918 German messages totalling over one hundred million words had been intercepted by the Allies."(28) With each new technology invented, a means of encrypting data sent using that technology was invented. This first telephone scrambler was invented by James H. Rogers in 1881. This was only five years after Bell invented the telephone itself.(29) Mechanical encryption devices started appearing around the early 1920s, which were designed to automate encryption. Many of these machines were based on "rotors," a system where a mechanical wheel, or multiple wheels, were used to perform the required substitution.(30) Each rotor was an arbitrary permutation of the alphabet, and replaced one letter with another. The trick to these machines was having multiple rotors, and having the rotors shift between letters.(31) The best known rotor device is the Enigma, the machine used by the Germans during WW II. The Enigma had five rotors, a plugboard for entering the message, and a reflecting rotor that caused each rotor to operate on each letter twice. (32) As complicated as this system was, it was broken during WW II, first by a team of Polish cryptographers, then by the British as the Germans modified the machine as the war progressed.(33) In The Codebreakers, Kahn makes the observation that "[m]odern western cryptology emerged directly from the flowering of modern diplomacy."(34) This is agreed to by Bielewicz, in Secret Language: "It was the world of diplomacy and warfare of the early European states that developed the modern science."(35)It is this history of military and diplomatic cryptography that has current intelligence and law enforcement agencies feeling threatened by strong cryptography in the hands of the masses, and more specifically the potential for strong cryptography to fall into the hands of criminals. This fear is present in a 1994 Report into telecommunications interception in Australia - The Barrett Report - which concluded that "[w]hile Australian agencies all report that encryption has not been a problem to date, it is likely to become one in the future."(36) A good response to this perceived threat is found in the 1998 book Privacy on the Line, in which Diffie and Landau make the timely observation that: "[t]he availability of wiretaps - legal or otherwise - for more than a lifetime has given us generations of police who cannot imagine a world without them."(37) As cryptography crossed the line from art to science, mathematicians started investing their time in creating stronger ciphers. The invention of the computer aided their work no end, and it is now true that the personal computer can encipher information to the point where without the key, the information is unrecoverable within the lifetime of the storage medium. This rapid development of cryptographic power has left legislators and governments in its wake, especially given that until recently there was very little demand for non-government cryptographic capabilities.(38) Ciphers as used by computers have two main components: an algorithm and a "key". There are two types of key systems: asymmetric and symmetric. In asymmetric (also known as 'public key') encryption, one key is public but the other key is kept secret. A message is encrypted using the public key and can only be decrypted by using the private key.(39) The keys, while being a pair, are created such that it is impossible in practice to determine the private key from the public key. In symmetric (also known as 'secret key') encryption, the same key is used to encrypt as to decrypt. The practical weakness of symmetric cryptography is the security needed when transferring the key. To ensure the security of the key, public key encryption is often used for the communication of the secret key to be used for symmetric encryption, which is preferable for both security and speed. In both asymmetric and symmetric encryption, the bigger the range of possible keys, the longer it will take to break the cipher. Even with the international defence community's most powerful computer technology, it is possible for any person to encrypt data so that it is not currently possible to decrypt the data without the secret key. * * * Arms Control: COCOM & The Wassenaar Arrangement The power of an encryption system is expressed by the length (in bits) of the key. The most common encryption used today - the Data Encryption Standard (DES) - uses a 56-bit algorithm. This means that there are 256 different permutations - in other words, there are 72,057,594,037,927,936 possible keys. While this is a lot of keys, a code-cracking contest was won recently by a group of computer experts who cracked a 56-bit key in 22hrs and 15mins.(40) While this may seem a long time, it is without a large investment of money or specialised equipment - both things many national Departments of Defence have at their disposal. Even in the civilian domain, with a machine costing between US$1 million and US$1.5 million, the 56-bit DES system can be cracked in an average of 3.5 hours.(41) However, the difficulty of cracking a symmetric cipher rises exponentially. For an n-bit key, there are 2n possible keys to cycle through in a brute force attack. Hence each bit added to the key length doubles the amount of time required to try every possible key. William Crowell, Deputy Director of the US National Security Agency (NSA) stated in a 1997 US House of Representatives' Committee on International Relations hearing that with current technology, a 64-bit algorithm would take 7,000 years to crack, and a 128-bit algorithm would take 8.6 trillion times the age of the universe.(42) While being a typical national security exaggeration, it is true that 128-bit encryption is for all intents and purposes currently "uncrackable," and is becoming more widespread by the day.(43) It has been estimated by senior cryptographers that to protect a message for 20 years will take a minimum of 90-bit encryption.(44) >From this comes the conflict between law enforcement and national security on the one side, and personal privacy, confidentiality, and human rights on the other. As the Australian Information Industry Association stated in its Draft Policy on Encryption: "[e]ssentially the argument is whether to put the demands of crime-fighting before those of protecting the privacy of businesses and individuals."(45) The conclusion of Gerard Walsh's Review of Policy Relating to Encryption Technologies ("The Walsh Report") - performed on invitation from the Attorney-General's Department with the task of offering a view on whether legislative or other actions are required to cater for national security and law enforcement interests while being conscious of privacy issues(46) - identifies the conflict thus: "[S]trong cryptography, imminently available to the mass market, will offer significant enhancement of data security and personal and corporate privacy, but also provide a powerful shield behind which criminals and others may operate."(47) The control of encryption is presently achieved through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (The Wassenaar Arrangement), a multilateral agreement intended to restrict the proliferation of products with potential military applications. Encryption is explicitly included in the section regarding "dual-use goods and technologies" - products which have a genuine use in the civilian realm, whilst remaining potentially dangerous if used in war.(48),(49) Prior to the Wassenaar Arrangement, a similar function was performed by the Coordinating Committee for Multilateral Export Controls (COCOM), which was established in 1949 to control strategic goods and technology. Unusually, COCOM did not ever have a treaty or executive agreement, instead it was based on informal agreement and a rule of unanimity. The secretariat was located in Paris and member countries had permanent delegates.(50) Australia was not a member of COCOM until April 11, 1989 following changes in Australia's export controls bringing them in line with those operated by the Committee.(51) In the early 1990s, as part of the fallout of the Cold War, it was decided that COCOM's East-West focus was no long appropriate. In June 1992, COCOM members invited the former Soviet republics to participate in a COCOM Cooperation Forum on Export Controls. At the Forum's first meeting, in Paris in November 1992, representatives from all Eastern European democracies, the Baltic states, and all but three of the former Soviet republics attended.(52) It was this forum that laid the path for the removal of COCOM itself. A new agreement was needed to "deal with risks to regional and international security and stability."(53) On the 16th November 1993, a High Level Meeting (HLM) of the COCOM member states agreed to terminate COCOM and establish a new arrangement. This was confirmed at a further HLM in Wassenaar, Netherlands on 29-30 March 1994. COCOM ceased to exist the next day, 31 March 1994. On 30 March 1994, The White House issued a press release stating that: "The members of COCOM have agreed to end the Cold War regime effective tomorrow. The end of the Cold War and the disintegration of the Soviet Union and the Warsaw Pact led us and our allies to the view that COCOM's strategic rationale was no longer tenable."(54) Agreement to establish the "Wassenaar Arrangement" was reached at the HLM on 19 December 1995.(55) The inaugural Plenary meeting of the Wassenaar Arrangement was held 2-3 April 1996 in Vienna, Austria, which is now where the office of the Wassenaar Arrangement Secretariat is located. Unlike COCOM, the member countries do not have permanent delegates, rather they send delegates to the meetings as they arise. Australian delegates to Wassenaar meetings have included representatives from the Department of Foreign Affairs and Trade and the Defence Signals Directorate. This meeting resumed on 11-12 July 1996, and final consensus on the "Initial Elements", the basic document of the Wassenaar Arrangement was reached. The new control lists came into effect 1 November 1996.(56) Whereas the COCOM regime consisted of 17 member states, The Wassenaar Arrangement expanded this to have 33 cofounding countries. The 33 cofounders were made up of the original 17 COCOM states (predominantly the member states of NATO): Australia, Belgium, Canada, Denmark, France, Germany, Greece, Italy, Japan, Netherlands, Norway, Portugal, Spain, Turkey, United Kingdom and United States; the six COCOM "cooperating countries": Austria, Finland, Ireland, New Zealand, Sweden and Switzerland; and new members Russian Federation, Czech Republic, Hungary, Poland, Slovak Republic, Argentina, Republic of Korea, Romania, Bulgaria and Ukraine. In an explanatory document regarding the Wassenaar Agreement, the Secretariat stated that: "[t]he Wassenaar Arrangement was designed to promote transparency, exchange of views and information and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations."(57) The Wassenaar Arrangement is implemented through the use of "control lists," which are lists negotiated at the Wassenaar Arrangement meetings, and contain sensitive goods and technologies which the parties to the Arrangement wish to control. These lists are intended to be incorporated into the domestic law of the signatories to the Arrangement. In Australia, these lists are incorporated into the Defence and Strategic Goods List which is referred to in the Customs Act. Whether the Wassenaar Arrangement fosters transparency is very questionable, and as Dr Brian Gladman, Crypto Policy Co-ordinator for Cyber-Rights and Cyber-Liberties (UK) stated, via email, of the situation in the United Kingdom, "[The Wassenaar Arrangement] is an 'arrangement' and not a 'treaty' and this means that the UK government can agree to it without having to take its case through Parliament. Thus UK citizens cannot challenge it." Analysts in the United States have estimated that existing export controls could cost the US software industry more than $30 billion in lost sales.(58) Despite this, the Wassenaar Arrangement Secretariat's explanatory document also claims that "[t]he Arrangement does not impede bona fide civil transactions."(59) Until the Wassenaar Arrangement meeting of December 1998, the Arrangement attempted to ensure this was so by including an exemption for mass market and public domain software from the controls of the Arrangement. This exemption, the General Software Note (GSN), stated that: The Lists do not control "software" which is either: 1. Generally available to the public by being: a. Sold from stock at retail selling points without restriction, by means of: 1. Over-the-counter transactions; 2. Mail order transactions; or 3. Telephone call transactions; and b. Designed for installation by the user without further substantial support by the supplier; or 2. "In the public domain".(60) Australia, despite being a signatory of the Wassenaar Arrangement, did not allow this exemption. In the "Statements of Understanding" preceding the Defence and Strategic Goods List, the aforementioned General Software Note is prefaced with: With the exception of Category 5, Part 2 (Information Security) . . . this list does not control "software" which is either: . . . [continued as above](61) Along with Australia, four other countries also disallowed the GSN waiver: The USA, New Zealand, France and Russia.(62) At the December 1998 meeting of the Wassenaar Arrangement countries, it was decided to allow the export of sub-64 bit mass-market encryption products. This was essentially a concession to the reality that already existed, which was then traded off against the strengthening of restrictions placed on stronger encryption. Essentially, the US Government's doctrine of "if the Government can't easily crack it, you can't export it," has been adopted by the member countries.(63) In a public statement issued from Vienna on 3 December 1998, it was declared that the amendments: "included . . . the modernisation of encryption controls to keep pace with developing technology and electronic commerce, while also being mindful of security interests."(64) The General Software Note has now been exempted for Category 5, Part 2 (Information Security) of the Dual-Use List. In its place is a new note which states: "5.A.2 and 5.D.2 do not control items that meet all of the following: a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following: 1. Over-the-counter transactions; 2. Mail order transactions; 3. Electronic transactions; or 4. Telephone call transactions; b. The cryptographic functionality cannot easily be changed by the user; c. Designed for installation by the user without further substantial support by the supplier; d. Does not contain a "symmetric algorithm" employing a key length exceeding 64 bits; and e. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs a. to d. above."(65) The similarities to the GSN are obvious, but the additions are striking and blatant attempts to keep the encryption genie in the box. While (d) restricts the strength of the encryption to 64 bits - a strength widely accepted as being inadequate, (e) ensures that national security agencies can get the code to the algorithms used for encryption to help them figure out how to break them. The increased restrictions on cryptography came as a surprise given the recent outspokenness of many member states, including Canada, Ireland and Finland who have announced pro-cryptography policies.(66) In addition to these countries, many multinational corporations such as IBM, Sun, Microsoft and Netscape have lobbied against restrictions limiting the security they can include in the software sold on the international market.(67) Not surprisingly, the push for increasing restrictions was led by the United States, the international superpower of communications intelligence. David Aaron, the American special envoy on cryptography left the meeting claiming success, and claimed the new restrictions: "enable[d] governments to review the dissemination of the strongest encryption products that might fall into the hands of rogue end-users." --[more at site]-- Aloha, He'Ping, Om, Shalom, Salaam. Em Hotep, Peace Be, Omnia Bona Bonis, All My Relations. Adieu, Adios, Aloha. Amen. Roads End Kris DECLARATION & DISCLAIMER ========== CTRL is a discussion and informational exchange list. Proselyzting propagandic screeds are not allowed. Substance—not soapboxing! These are sordid matters and 'conspiracy theory', with its many half-truths, misdirections and outright frauds is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRL gives no endorsement to the validity of posts, and always suggests to readers; be wary of what you read. CTRL gives no credeence to Holocaust denial and nazi's need not apply. Let us please be civil and as always, Caveat Lector. ======================================================================== Archives Available at: http://home.ease.lsoft.com/archives/CTRL.html http:[EMAIL PROTECTED]/ ======================================================================== To subscribe to Conspiracy Theory Research List[CTRL] send email: SUBSCRIBE CTRL [to:] [EMAIL PROTECTED] To UNsubscribe to Conspiracy Theory Research List[CTRL] send email: SIGNOFF CTRL [to:] [EMAIL PROTECTED] Om