1995-10-24

Subject: Euro-Encryption / Re: Summary and looking ahead [cr-95/10/19]

Andy wrote:

>    How do we answer the Council of Europe's proposal to outlaw PGP
>    and similar forms of encryption that protect private
>    communications from the eyes of governments?  Can we start a
>    campaign in European countries to preserve the right of people to
>    choose the encryption they want to use?

I must say that the 34-members Council of Europe, which has small
executive powers, does not have plan to forbid the use of PGP. The
recommendations the CoE adopted on sept 11 (see the Web site
http://www.privacy.org/pi/intl_orgs/coe/info_tech_1995.html), is a
general attempt to prevent governments against computer crimes as a
whole.

But Andy is right when he states that the risk of taking such a ban is
really in the air, since governments want to control the content of
information through computer and telephone networks (as in the real
life), not, as announced, as a "law enforcement" purpose, but surely
as a way to maintain sovereignty over economic intelligence.  With
strong crypto, a State is blind concerning competitiveness, economics,
and defense.

The real executive body which could urge state to pass laws is the
"Council of Ministers" -- do not confuse with the Council of Europe --
of the 15-members European Union, the former European Community. This
"Council" is the meeting of all governments representatives, and are
above the European Commission (the well-known Brussels-based
organisation), which has limited powers in environment, education,
research, BUT no power at all in term of security and defense.  Member
states like France and the UK would never let outsiders decide their
policy in terms of national security (ie, nuclear "force de frappe"),
and encryption IS, in essence, a domain of national security.

The risk would come soon in Europe, since the Senior Officers Group for
Information Security (SOG-IS) has a plan under the arm to urge European
states to create trusted third parties agencies to keep escrowed keys at
the disposal of national justice establishments. The SOG-Is has 18 members
: 15 from the EU (Austria, Finland and Sweden are freshman), but also from
the AELE (Switzerland, Norway... and I miss the last one, perhaps
Liechtenstein).

Jerome Thorel
--------------------------------------
Journaliste / Free-lance reporter               Avec l'aide du
Carte de presse / ID Presscard: 72052     Conservatoire National
76 r Ph. de Girard F-75018 Paris                des Arts et Metiers
tel  331-40358010, fax-40370853            <http://web.cnam.fr>

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Sender: Bill W Smith Jr <•••@••.•••>
Subject: Re: encryption, search, and due process [cr-95/10/21]

> Sender: •••@••.•••
>
> Kurt wrote:
> >Strong cryptography is a thing not anticipated by the Constitution; a lock
> >that cannot be picked, a door that cannot be forced.
>
> That's one way to frame the analogy.  Another would be to say that if the
> government suspects you're sending felonious encrypted messages, then it
> can get a warrant to search your premises, seize you're computer, etc.  In
> light of remailers, et al, could you see a workable interpretation in that
> direction?
>
> Even more to the point, I'm allowed to send a strongly coded message in a
> first class envelope.  So your argument about an unprecedented "unbreakable
> door" doesn't hold, fortunately.

How about this one? It would be perfectly legal, even under the legislation
being considered, for me to use PGP to encode a file, put it on a diskette,
and mail it via the US Mail to it's destination. I would be prevented only
from transferring it via the 'Net. (Hell, I could even dial up the
destination computer and transfer it via uucp!) It would seem to me that
the purpose of this legislation is PURELY to prevent the convenient use
by the general public of instantaneous tranfer of encrypted data.

BTW, what about the commercial interests in the 'Net? Many (including
MickeySoft and VISA) are working on secure communications protocols for
credit card data and such. If that does not require hard encryption, what
does?

------------------------------------------------------------------------------
Bill W Smith Jr <•••@••.•••>                    (Compuserve) 76460,1443
Senior Programmer                       Around Utah, past Phoenix,
Sunland Resources, Inc.              over San Antonio, through Orlando...
(713) 955-2800 (Voice)                       Nothin' but 'Net!
(713) 955-7564 (Fax)       Houston Rockets - 1994 & 1995 NBA World Champions!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Sender: •••@••.••• (Allen  L  Marshall)
Subject: I have no privacy here.

        In the real world, I can pull down the shades.  I can wrap that
private letter in an extra piece of paper before sealing it in the
envelope.  I can hide out in a corner if I don't want to be noticed.

        Here, I don't have these luxuries.  For all I know, I might be
monitored typing this.  This letter might be read a dozen times before it
gets to its destination.  And though I'm sure there is a way to prevent it,
I can be fingered at my home machine if someone really wanted to find me.

        Cryptography doesn't create a more secure environment than the real
world.  It tries to put the digital world on a par with the real world's
privacy.  Cryptography is that shade I can pull down to keep people from
peering in on what I'm doing.  It's that extra piece of paper I put around
that love letter.  (Now, if I could just use it to hide out....)

+++++++++++++++++++++++++++++++++++++
        You're going to be looking at my .sig in a few seconds.  It's got
my snail address.  Seems to make me a hypocrite, but let me explain.  I'm
on the Internet so I can be easily contacted.  That's my choice.  If I
decide I don't want to be easily contacted or that I don't want my email
read at every turn it makes, I should have that choice too.
                                     +++++++++++++++++++++++++++++++++++++++++++

Thanks,
Allen

+-------------------------------------------------------+
+ Mi parolas esperante!  |||||     Je parle francais!   +
+-------------------------------------------------------+
                   •••@••.•••
   http://www.netaxs.com/people/cratagus/homepage.html
   {Allen Marshall, PO Box 14, Beverly, NJ 08010 USA}

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Sender: •••@••.•••

Kurt brought up the analogy of freedom in cyberspace as compared to other
personal freedoms that we do not have in the United States.  The one thing
that no one else brought up in replies that I have seen posted is the
protection of due process when those rights are usurped by the "necessity" of
"keeping the peace".  How will our cyber-rights be protected?  What due-process
protections are there being advanced to protect a person from having their
computer system taken and kept by authorities for unspecified lengths of time,
while that person's life and living are put on hold for the duration?  Perhaps
key-escrow is a "necessity" to maintain "peace", but I am interested in how my
rights as a citizen will be protected.  If they cannot be protected, is this
an example of the cure being deadly?

Thanks for listening.

Connie Page


 ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~
 Posted by Andrew Oram  - •••@••.••• - Moderator: CYBER-RIGHTS (CPSR)
You are encouraged to forward and cross-post messages for non-commercial use,
pursuant to any redistribution restrictions included in individual messages.
 ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~