

The Walsh Report


                                 CHAPTER 5

                             STRIKING A BALANCE

5.1      A Matter of Proportion

5.1.1      There is a broad split among the advanced industrialised
countries of the world between those where governments have taken policy
initiatives concerning cryptography and those who have simply watched
developments. Even at this stage, it is an instructive question to ask
whether the latter have suffered any disadvantage from a law enforcement,
national security or privacy point of view. The answer seems to be an
emphatic negative.

5.1.2      The moral authority of government is easily exhausted in treating
such a public policy issue and more quickly if this is done in less than
candid and even-handed fashion. As this report noted at its commencement,
the issues touch on the central relationship between the individual and the
state and there is need to ensure government is not substituted for state in
that context. To attempt to play a modern-day Canute, as those who seek to
ban unrestricted access to the Internet and restrict imports of encryption
materials have done, is simply futile in an age of seamless communication
and electronic marketplaces. Those like the United States and Great Britain
who have urged so strongly their preferred positions on the international
stage, eventually announcing them in the middle of 1996 as official policy,
appear to have viewed the issue as primarily a security and law enforcement
issue and secondarily a privacy issue. The British Government, curiously,
stated early in its paper that the policy had been decided on after detailed
discussion between Government departments, adding in the final paragraph
that formal consultation will be undertaken prior to the introduction of
legislative proposals. 56

     [para 5.1.3 not available]

5.1.4      The consequence of these 'transparent' efforts by the law
enforcement and security communities in those countries, supported by some
academics and advocates who have argued the cause of data retrieval or
sketched images of unbridled terrorism and organised crime, is the sizeable
suspicion that the key management proposals are intended primarily to
benefit their sponsors. Privacy advocates and guardians, electronic
commerce, offices of budget and management within government, the IT
industry itself have not been as effective in their advocacy though,
arguably, they have more at stake.

5.1.5      Strong support for the broad policy position taken by the present
Australian Government, and its predecessor, was evident through the Review
consultations. In view of the continuous rate of change, technology
development and changing cost structures, there is much to be said for
watching developments. None argued prescription, much less the mandating of
requirements, was a useful approach. And while one or two might see
cryptography as a rare opportunity to cock a snook at the state, there was
general recognition that as a community we must address the looming problem
in the law enforcement and national security areas. What can we do?

5.1.6      It would be sensible now to generate a more informed and broader
discussion of the situation in the Australian community. Those consulted
almost universally presumed the outcome of this Review would be used as a
trigger in that process. While the tax evaders and black economy
participants may rub their hands in glee at the comfort encryption may
afford them, the majority are likely to treat the matter seriously,
recognising the loss of the law enforcement function across a range of
fields such as narcotics and counter-terrorism and further restriction of
the funds available for public works, community services and health care
will affect the type of society we enjoy and hope to leave to our children.
In today's context, any ideal outcome based on a key management system
advocated elsewhere or an amalgam of various systems could too easily be
circumvented by organised crime or terrorists with reasonable capability and
the intention to shield their plans from the investigative agencies of the
state. As such systems are primarily intended to meet the needs of public
safety, it would be futile to impose requirements which are costly and/or
which have a harmful privacy impact but which fail to address their
fundamental purpose.

5.1.7      The approach of this Review is to strike a balance: to ensure the
extant powers of law enforcement and national security agencies to access
and intercept are relevant, to recommend a modest increase to those
investigative powers, to afford some greater protection to their high risk
activities and to acknowledge the benefit which encryption will bring to
people and corporations in securing their data. The Commonwealth Privacy Act
1988 remains the only information privacy law in Australia with legally
binding rules. 57 This statute implemented Australia's commitment to take
the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder
Flows of Personal Data into account in domestic legislation. 58 The
Government has stated its intention of extending the application of the
Privacy Act, which regulates Commonwealth government agencies and all users
of consumer credit information and tax file numbers, to the private sector.
59 There would be much sense in avoiding, particularly during the period
until legislation is introduced into the parliament, a perception that the
privacy of the whole community was to be constrained to address a small
sector need. This would leave the government better placed to act or
intervene legislatively, if that should later be required.

5.1.8      As at October 1996, no 'magic' solution to this problem was in
prospect. There is yet a short time available. The impact of encryption on
the totality of law enforcement and national security interests in Australia
remains fairly negligible, though the problem is only as far away as
tomorrow. What should be done in the interval? Government should continue to
monitor the situation and study the experience of others, as the practices
eventually adopted by major players such as the European Union, the United
States and the OECD will have trans-national impact. There are some
practical steps both to strengthen and maintain the investigative capability
of law enforcement and national security which should be undertaken and some
greater protection given to the covert operational methods of law
enforcement and national security agencies. These are discussed in more
detail in Chapter 6.

5.1.9      The Privacy Commissioner, the New South Wales
Anti-Discrimination Board and various lawyers and academics with a strong
interest in privacy issues were concerned there should be no diminution of
the stringent program of oversight and accountability where intrusive powers
were exercised. 60 I concur entirely with that attitude. A view seemed to
emerge that the Commonwealth's oversight and accountability arrangements
were more effective than those of the States. The Review found general
support for the approach of increasing, to some small degree, the warranted
intrusive powers directed against persons the subject of serious
investigations, rather than imposing a penalty on the whole community by
attempting, in vain fashion, to limit or control the use of encryption.

5.1.10 Some consideration was given to the idea that the department vested
with the driving and coordination function on cryptography policy might
ensure Ministers were kept abreast of developments overseas and the changing
situation and requirements for Australia. On reflection, it was felt this
function would more effectively be discharged by a further review, on terms
similar to this one. There is need for that degree of detachment in the
conduct of a review so that all views may be garnered and synthesised into
policy options. This is more readily extended to a reviewer than an official
with daily responsibility for elements of the policy. A time of late 1997
would allow for the passage of 12 months since this review, a significant
period of technological development, some experience of a deregulated
telecommunications market and any impact on law enforcement and national
security, the preparation by the AFP of the proposed submission on the
impact of the loss of real-time access to voice and data communications 61,
the conclusion of the OECD drafting exercise and legislative proposals being
brought forward in Britain and the United States.

5.2      Export Controls

5.2.1      The Review was invited to examine the effectiveness of
Australia's export controls on encryption technology. How this issue might
be addressed depends very much on the interest being espoused. As the Review
moved among its primary catchment area, parties representing privacy, law
enforcement or national security interests, it was apparent no uniform
judgement could be made. Few who spoke to the Review thought the issue of
Australia's export controls could be divorced from the export controls of
the United States. That the United States was but one of a number of
signatory countries, first to COCOM and more recently to the Wassenaar
agreement, seems generally to be ignored. Its super-power status and
position as the principal global software manufacturer prompt an
identification of those agreements with the national interest of the United
States.

5.2.2      The Australian government effects controls on the export of
defence and related goods through the Customs Act 1901, the Customs
(Prohibited Exports) Regulations and the guidelines Australian Controls on
the Export of Defence and related Goods - Guidelines for Exporters, issued
in March 1994 and the Australian Controls on the Export of Technology With
Civil and Military Applications - A Guide for Exporters and Importers issued
in November 1994. The controls specify a range of cryptography products,
such as cryptographic equipment, software controlling the function of
cryptographic equipment, computers performing such functions, mechanical
bits and pieces used in these processes and applications software for such
purposes.

5.2.3      The context of the controls makes it clear the government
encourages the export of defence and related goods where these do not
conflict with the national interest or Australia's external obligations. The
Strategic Trade Policy and Operations Section of the Department of Defence
considers export applications and makes recommendations on them. It also
works closely with manufacturers, where possible, to advise on products and
applications eligible for export.

5.2.4      From the vantage point of the Defence Department, and the
Review's terms of reference require particular regard be paid to national
security and defence interests, the principal defensive goal of export
controls is the prevention of the proliferation of 'strong' encryption.
Various commentators thought Australia's export controls may have had some
effect in this regard though they suspected American export controls have
much the greater impact. A claimed by-product or secondary benefit is that
export controls may have aided the Australian cryptographic industry,
enabling it to export and market more competitively in the region. This
claim, couched in the subjunctive tense, was disputed by many but does not
bear on the primary defensive goal of export controls.

5.2.5      From a strategic perspective of the IT industry in Australia,
changes to United States export controls, certainly changes of the order
advocated in the Republican bills before the Congress, were considered
deleterious by sections of industry. This view was based on the premise that
all strategic decisions of the industry have been predicated on the
expectation that export controls, Australian and American, would not
significantly vary. The more controlled relaxation of export controls
announced by the United States Vice-President on 1 October 1996 marks a
departure from that planning base but is less extreme than some have
advocated. 62

5.2.6      There were, however, more particular indications of a negative
side to export controls. Software and hardware manufacture is dominated by
the United States, so business, IT or otherwise, has to ensure product
compatibility when buying products. It was said, almost uniformly,
Australian products tended to be more expensive (from small amounts to some
thousands of dollars), less convenient (US software applications may be
purchased in thousands of shops but hunting is often required to find the
Australian equivalent) and problems of compatibility frequently arise with
systems geared to American products and applications. Major banks have the
capacity to step around this problem and purchase off-shore.

5.2.7      When particular judgements were offered about the impact of
United States export controls, the point was always made that the United
States was one of a considerable number of countries linked first under
COCOM and more recently under the Wassenaar agreement and should not,
therefore, be viewed as acting alone. This was uniformly countered with the
view that the United States position as a military and economic super-power,
combined with its dominant position in the software production market, gave
it the critical voice in any grouping to which it belonged or sponsored.

5.2.8      Some irritation was expressed with the export licence system.
Certainly, there was appreciation that 'continuing licences' had been
introduced by DSD, enabling manufacturers to export to foreign countries or
specified companies for a 12 month period, without reference back to the
Directorate.

5.2.9      It is a truism to note that research and development take time. A
strong view was put to the Review by the IT industry that incentives to
undertake R&D in Australia are diminishing and likely to continue to do so.
Even without the pressure which a relaxation of US export controls would
cause, a migration of both technology and the research and development
effort from Australia is likely. Any amelioration of the export control
regime would likely hasten that trend.

5.2.10      A common banking industry view was that while Australian
encryption products were always available, they did not always meet business
needs. American products normally offered functionality, but their
availability was frequently uncertain. End user licensing is seen as a
problem for banks as the purpose is often wider than the commercial
transaction and any part-escrowing of keys would render the system
insecure. Consequently, banks are sometimes forced to rewrite software or
undertake substantial work to link or cause to interface two separate
products. Because some of these couplings are 'unnatural', the expected
productivity benefits are reduced.

5.2.11      One consequence of the abolition of US export controls or
substantial contraction of them is likely to be an outbreak of a condition
which might be termed 'key length envy' - the assumption that by simply
lengthening the key a greater degree of security is obtained. Of itself this
contention is simplistic. What matters is the key space, or the pool from
which keys are drawn, the soundness of the operating system and the
operator's procedures. Providing the algorithm is sound, the operating
standards are high and functionality is not adversely affected, a longer key
will offer more security than a shorter one. Key length estimates are
normally geared to what is required in 20 years' time and that is considered
adequate protection against concerted efforts to discover them. There is a
general wariness in some business circles of the enormous amount of idle
time which exists for the computing power of large-scale corporations and
the purposes to which that power might be put, but that, as they say, is
another story.
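
Added example, not part of the Walsh Report: a short Python audit of the point made in 5.2.11 that the key space, not the nominal key length, sets the security level. The derivation routine, the four-digit PIN pool and all sample values are constructed assumptions for illustration.

```python
import hashlib
import math

def derive_key(secret: str, key_bits: int) -> bytes:
    """Stretch a secret to key_bits (a multiple of 8) with SHA-256 in counter
    mode. Constructed and deliberately naive: no salt, no work factor."""
    out = b""
    counter = 0
    while len(out) * 8 < key_bits:
        out += hashlib.sha256(counter.to_bytes(4, "big") + secret.encode()).digest()
        counter += 1
    return out[: key_bits // 8]

def effective_bits(pool_size: int) -> float:
    """Strength in bits when keys are drawn uniformly from pool_size candidates."""
    return math.log2(pool_size)

def exhaust_pool(target: bytes, pool, key_bits: int):
    """Walk the pool a key was drawn from; return (secret, attempts).
    secret is None when the key did not come from this pool."""
    attempts = 0
    for attempts, candidate in enumerate(pool, start=1):
        if derive_key(candidate, key_bits) == target:
            return candidate, attempts
    return None, attempts

# Constructed pool: every four-digit PIN, "0000" through "9999".
PIN_POOL = [f"{n:04d}" for n in range(10_000)]

if __name__ == "__main__":
    # A nominally 256-bit key whose only secret input is a PIN.
    long_key = derive_key("4821", 256)
    secret, tries = exhaust_pool(long_key, PIN_POOL, 256)
    print(f"nominal length : {len(long_key) * 8} bits")
    print(f"effective space: {effective_bits(len(PIN_POOL)):.1f} bits")
    print(f"recovered {secret!r} after {tries} derivations")

    # A shorter key drawn from the full 64-bit space is out of reach of
    # the same walk, because its pool is 2**64 rather than 10**4.
    print(f"64-bit uniform key: {effective_bits(2 ** 64):.1f} bits")
```

The 256-bit key falls to at most 10,000 derivations because its pool holds only 10,000 candidates, while the shorter key drawn uniformly from its full space retains all 64 bits.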

Footnotes:

56 Paper on Regulatory Intent Concerning Use of Encryption on Public
Networks, issued by the Department of Trade and Industry. London. 11 June
1996, paragraph 2 and paragraph 16. See Annex D.

57 Nigel Waters, 'Street Surveillance and Privacy' in Privacy Law & Policy
Reporter, Vol 3, No 3, June 1996, p 49.

58 The OECD Guidelines are attached as Annex E to this report.

59 A discussion paper to this effect was issued by the Attorney-General in
September 1996.

60 While these views have been made clear in publications and writings, they
were repeated to the Review during discussions in Sydney on 10-11 July 1996.

61 See finding 1.2.19.

62 The United States Vice President's statement on encryption is set out in
Annex F.
