Cryptography and the Law
The law is used to regulate
people for their own good and for the greater good of society. Murder, theft,
drinking, and smoking are circumscribed by laws. Generally, the balance between
personal freedom and the good of society is fairly easy to judge; for example,
one's right to fire a gun ends when the bullet hits someone. Cryptography is
also a regulated activity, but the issues are a little less clear-cut, in part
because there is little open discussion of the subject.
People want to protect their
privacy, including the secrecy of communications with others. Businesses want
similar confidentiality. Criminals want secrecy so that they can communicate
criminal plans in private. Governments want to track illegal activity, both to
prevent crime and to apprehend and convict criminals after a crime has been
committed. Finally, nations want to know the military and diplomatic plans of
other nations. As shown throughout this book, cryptography can be a powerful
tool to protect confidentiality, but being able to break cryptography can be a
potent tool for government. Phrased differently, it suits governments'
interests if people cannot use cryptography that is too good (meaning, unbreakable
by the government).
Controls on Use of Cryptography
Closely related to
restrictions on content are restrictions on the use of cryptography imposed on
users in certain countries. In China, for example, State Council Order 273
requires foreign organizations or individuals to apply for permission to use
encryption in China. Pakistan requires that all encryption hardware and
software be inspected and approved by the Pakistan Telecommunication Authority.
And in Iraq, use of even the Internet is strictly limited, and unauthorized use
of encryption carries heavy penalties.
France's encryption policy is
probably the most widely discussed. Import of encryption products is subject to
a registration requirement: A vendor's registration for a mass-market commercial
product is valid for all imports of that product. Use of encryption for
authentication is unlimited. Use of encryption with a key length up to 128 for
confidentiality requires only the vendor's registration. Use of products with a
key length greater than 128 bits requires that the key be escrowed with a
trusted third party.
Such laws are very difficult
to enforce individually. Cryptography, steganography, and secret writing have
been used for centuries. The governments know they cannot prevent two
cooperating people from concealing their communications. However, governments
can limit widespread computer-based use by limiting cryptography in mass-market
products. Although policing 50 million computer users is impossible,
controlling a handful of major computer manufacturers is feasible, especially
ones whose profits would be affected by not being able to sell any products in
a particular country. Thus, governments have addressed cryptography use at the
source: the manufacturer and vendor.
Controls on Export of Cryptography
Until 1998, the United States
led other industrialized nations in controlling cryptography. It did this by
controlling export of cryptographic products, using the same category as
munitions, such as bombs and atomic missiles. Although the law applied to
everyone, in practice it
could be enforced reasonably
only against mass-market software manufacturers. Software makers could export
freely[1] any product using symmetric encryption with a
key length of 40 bits or less. Exceptions allowed stronger encryption for
financial institutions and for multinational corporations using the encryption
for intracompany communication. Cryptography solely for authentication (for
example, digital signatures) was also permitted. Although the law did not
control the use of cryptography, limiting export effectively limited its use
because major vendors could not sell products worldwide with strong encryption.
Cryptography and Free Speech
Cryptography involves not
just products; it involves ideas, too. Although governments effectively control
the flow of products across borders, controlling the flow of ideas, either in
people's heads or on the Internet, is almost impossible.
In a decision akin to
splitting hairs, the U.S. courts ruled that computer object code was subject to
the export restrictions, but a printed version of the corresponding source code
was an idea that could not be restricted. The case in question involved Phil
Zimmermann, the inventor of PGP e-mail encryption. In 1997, Zimmermann
"exported" books containing the printed source code to PGP, and
volunteers in Europe spent 1000 hours scanning the pages of the book; they then
posted this source code publicly on the Internet. To highlight the vacuousness
of this distinction, people reduced the object code of the PGP program to a bar
code and printed that code on T-shirts with the caption "Warning, this
T-shirt may be a controlled munition."
Cryptographic Key Escrow
Although laws enable
governments to read encrypted communications, the governments don't really want
to read all of them. A joking e-mail message or a file with your tax data is
seldom a national security concern. But suppose there was evidence of cheating
on your taxes or your writings were seditious. In these cases the government
could convince a court to allow it to search your home, office, or computer
files. It might then have reason and justification for wanting to read your
encrypted data. So the government devised a scheme in which your encryption
keys would become available only with court authorization.
In 1996 the U.S. government
offered to relax the export restriction for so -called escrowed encryption, in which the government would be able to
obtain the encryption key for any encrypted communication. The key escrow
approach was a part of an initiative known under names such as Clipper,
Capstone, and Fortezza. Ultimately this approach failed; the public feared what
the government could actually access. See [HOF95]
and [DEN99] for more discussion on the
key escrow debate.
Current Policy
The U.S. National Research
Council (NRC) reported the results of an 18-month study [NRC96] to recommend a cryptographic policy for
the U.S. federal government. The report carefully weighed all the factors
affected by cryptographic policy, such as protecting sensitive information for
U.S. companies and individuals as well as foreign ones, international commerce,
enforcing laws (prevention, investigation, and prosecution), and intelligence
gathering. The report's recommendations for policy include the following:
No law should bar the
manufacture, sale, or use of any form of encryption within the United States.
Export controls on
cryptography should be relaxed but not eliminated.
Products providing
confidentiality at a level that meets most general commercial requirements
should be easily exportable. In 1996, that level included products that
incorporate 56-bit key DES, and so these products should be easily exportable.
Escrowed encryption should be
studied further, but, as it is not yet a mature technology, its use should not
be mandated.
Congress should seriously
consider legislation that would impose criminal penalties on the use of
encrypted communications in interstate commerce with the intent to commit a
crime.
In September 1998, the U.S.
government announced that it was opening up export of encryption. Export of
single (56-bit) key DES would be allowed to all countries except seven that
supported terrorism. Unlimited size encryption would be exportable to 45 major
industrial countries for use by financial institutions, medical providers, and
e-commerce companies. Furthermore, the process for applying for permission,
which had been another formidable deterrent, was simplified to a review taking
no more than a week in most cases.
Summary of Legal Issues in Computer Security
This section has described
four aspects of the relationship between computing and the law. First, we
presented the legal mechanisms of copyright, patent, and trade secret as means
to protect the secrecy of computer hardware, software, and data. These
mechanisms were designed before the invention of the computer, so their
applicability to computing needs is somewhat limited. However, program
protection is especially desired, and software companies are pressing the
courts to extend the interpretation of these means of protection to include
computers.
We also explored the
relationship between employers and employees, in the context of writers of
software. Well-established laws and precedents control the acceptable access an
employee has to software written for a company.
Third, we examined the legal
side of software vulnerabilities: Who is liable for errors in software, and how
is that liability enforced? Additionally, we considered alternative ways to
report software errors.
Fourth, we noted some of the
difficulties in prosecuting computer crime. Several examples showed how
breaches of computer security are treated by the courts. In general, the courts
have not yet granted computers, software, and data appropriate status,
considering value of assets and seriousness of crime. The legal system is
moving cautiously in its acceptance of computers. We described several
important pieces of computer crime legislation that represent slow progress
forward.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.