WESTERN GOVERNMENTS WANT SURVEILLANCE OF ELECTRONIC MAIL
Together with the USA, the EU Governments are seeking to empower their law enforcement authorities and intelligence services to intercept telecommunications. State authorities will be able to tap your phone and read your e-mail, whenever and wherever they wish.
We have earlier reported on the EU-sponsored ‘Memorandum of Understanding’ on the interception of telecommunications. The Memorandum aims at obliging service providers and manufacturers to technically enable interception (see FECL No. 44: "'Memorandum of Understanding' on the interception of telecommunications" and "Interception of telecommunications: the German model"). In the following article, Anders R. Olsson addresses other joint EU-US plans in the same domain: state authorities will be able to read your private e-mail. These plans, if realised, would put an end to confidential telecommunications.
Encryption a pre-requirement for confidential communication
The only technical means of ensuring that an e-mail message can be read only by the person(s) to whom it is destined is to encrypt (encode) it, using an electronic encryption-key. Only correspondents who share this key can decode and read the encrypted mail.
With the rapid advance of information technology, society’s need for encryption is enormous. Users must be able to:
send confidential messages accessible only to the "right" addressee;
put their electronic signature on documents; and
authenticate electronic documents.
By "document" we mean here anything that can be communicated in digital form - i.e. texts, images, film or sound.
It is quite natural and nothing new that individuals, firms, organisations and public authorities feel a need in certain contexts to communicate discreetly or secretly.
As a matter of fact, encryption has existed since ancient times as a means of handling secrets. But thanks to computer technology, the practice of encryption has become both safer and faster. As soon as correspondents have exchanged electronic encryption-keys, they can communicate confidentially via computer networks. Moreover, encryption can be used to "sign" and authenticate documents. With an electronic signature the sender A confirms for all receivers that A and no one else is the author of the message. An electronic "stamp" represents a guarantee that a document has exactly the form and content it was initially given by its author.
Here we are dealing with one-way encryption, that is encryption codes function in one direction only. The "key" making it possible to decode and read the encrypted document can be handled openly and circulated without restrictions. The fact that one can read a text after having decrypted it with, for example, the national taxation authorities’ open "key" proves that the text actually originates from these authorities. But this key cannot be used the other way round - i. e. it cannot be used for converting a text to something that looks like a document of the national taxation authorities.
This sort of encryption works very well in practice and will underlie all computer-based commercial activities, where purchaser X must be completely sure that vendor Y really is Y, and vice versa. We will need encryption keys not only as consumers but also as citizens - for voting, making income returns, filing appeals by e-mail. The "keys" will consist in electronically readable "smart cards".
More and more digital documents will be accepted as documentary evidence. This applies to contracts, receipts and vouchers, accountancy records, as well as court decisions and decisions of other public authorities. Many of the IT professionals' visions of the future - electronic money, the "friction-free" market and "electronic democracy" - are inconceivable without safe encryption.
As far as technology and theory are concerned, the problems are solved. In many countries, some public authorities and private firms are already using digital documents.
Yet, for this development to really get under way, there is a need for international standards and agreements of various sorts - and for cheap and easy to handle encryption software.
The key controversial issue today is whether these encryption programmes will be made really "crack-proof", or whether they will be proof against everybody except the police and the state security services.
No privacy from police and secret services?
Police circles in the EU and the USA are trying hard to push through international regulations making it possible for them to intercept any e-mail message they wish. This is necessary, they say, in the fight against organised criminals and terrorists who abuse the Internet. As a consequence, influential police and security people in the USA and in Europe are demanding no less than that anybody using encryption be obliged by law to deposit the key at the state authorities.
For the time being, most Western countries have no restrictions on the use of encryption. Any encryption programme may be used and there is no obligation to deposit the key. In France, however, encryption on public nets is permitted only with state authorization and provided that the encryption-key has been deposited with the appropriate authority.
The US government has made several attempts at the national level to push through a similar obligation to deposit encryption-keys - with little success as yet. The best known attempt was the so-called clipper Chip project which triggered massive protests from American civil liberties organisations.
On the international level, however, advocates of strict restrictions on encryption appear to be more successful. Above all the USA is trying by various means to prevent the spreading of computer programmes for safe encryption. Thanks to its technological advantage the USA all but imposes its export control rules on the other Western countries. In these regulations, encryption programmes are placed on the same sensitivity level as plutonium and advanced radar techniques.
But knowledge of how to create safe encryption algorithms is already widespread. Anyone can get advanced encryption programmes free of charge from the Internet. If you have such a programme on your laptop when crossing the border, e.g. between Sweden and Denmark, you run the risk of being fined. If, instead, you delete your programme before crossing the border and reload it via the Internet as soon as you have reached Danish territory, you are acting in full compliance with the law.
In view of this, it may seem somewhat bizarre that the governments of the USA, France and a number of other countries are so stubbornly pressing for export control and compulsory depositing of encryption-keys. Do they really believe that criminal organisations, spies and terrorists will deposit their keys? Are they really not aware that their action will only deter innocent citizens, companies, health care authorities, and many others with a legitimate interest in safe encryption from communicating by e-mail?
Be that as it may, stubborn they are. The controversy is now being fought out in the OECD and the EU. But the respective working groups are negotiating behind closed doors. According to individuals with insight into the current negotiation process, the USA is taking advantage of its technological supremacy to press countries with a more liberal view into accepting its restrictive policy goals. Countries unwilling to "co-operate" have been made to understand that they risk being subjected to US export restrictions.
Thus, a lot seems to be at stake: the sanctity of the mail, citizens’ right to privacy and people’s confidence in the new computer technology. In many contexts, electronic data communication will be used only provided the correspondents can be sure their messages will not end up in the wrong hands.
Fight against crime or political policing?
"I do not believe that the demand for the compulsory depositing of encryption keys has much to do with fighting against terrorists or drug dealers. This is just an excuse. Everybody - even the police and security services - realise that the real villains will never deposit any keys. Instead, I believe that the point is really to snoop on politically "interesting" people - radicals, intellectuals, journalists, labour union leaders, etc., and also established political leaders, both of the opposition and in the government". This is the blunt assessment of Gunnar Klein, a Swedish medical doctor and encryption expert. Klein knows what he is talking about. He was recently appointed chairman of the European body responsible for developing IT standards in the field of health care. He has also worked for the EU with data-security techniques in health care.
Many types of information being sent require watertight confidentiality protection, Gunnar Klein points out - data in the fields of health care, social welfare, and police and justice. In the private sector firms need to protect many types of information - e.g. offers, contracts, construction plans, research and accountancy records. Lawyers must be able to communicate confidentially, etc.
The various proposals concerning the depositing of keys that have been presented in Europe and the USA in recent years would enable law enforcement authorities to decrypt the data communications of a suspect. In most countries similar rules already apply when the police want to open mail or tap telephones. While such surveillance measures usually require prior authorization by a judge when carried out by the police against criminal suspects, eavesdropping by intelligence services is often not subject to any judicial control. Thus, according to Gunnar Klein, British courts authorise an average 8000 eavesdropping operations per year. At the same time, the US National Security Agency, at the request of the British authorities, intercepts the telecommunications of an additional 40,000 people on the UK territory - without any involvement of a court but in full compliance with British law. Thus, people’s fear of state abuse of interception is not always ungrounded, Klein stresses.
In the last analysis, people’s acceptance of eavesdropping depends on their trust in the state agencies involved. Klein names the example of the French intelligence service. It has become widely known that French intelligence assists French companies in spying on competitors: "Not long ago, regular French police arrested several persons who had broken into IBM’s European headquarters in Paris and were in the process of installing eavesdropping devices. It eventually appeared that the burglars were working for French intelligence".
Illegal eavesdropping activities by the Swedish security police and the recent revelation of long-standing snooping activities by the Norwegian police aimed at large numbers of citizens considered politically "unreliable" or otherwise interesting (see FECL No. 43: "Judicial inquiry into Norwegian surveillance police" and No.49: "Minister steps back after new snooping scandal") indicate that a certain lack of respect for the law is a widespread phenomenon among secret services beyond France.
Most important, however, are the international implications of an obligation to deposit encryption keys. International companies would have to deposit their keys in every country where they do business. Journalists and tourists would have to deposit their keys whenever they travelled. And the objective of the advocates of compulsory depositing of keys seems to be that a court in country A should be empowered to decide on the use of an encryption key which has been deposited in country B.
One should also bear in mind the implications of an international acceptance of key depositing for countries with less stable democratic systems. "Are we going to provide the authorities of such countries with the possibilities of playing Big Brother?", asks Gunnar Klein, and he points to other enormous practical problems that are likely to arise. Key depositing is both expensive and risky. "The numbers of keys will be enormous. In some applications the key is changed every five minutes during an on-going conversation. For each deposited key additional data on how and when the key in question is used must be stored. This means that, for instance, firms must disclose more secrets than just encryption keys - for example, whom they are communicating with and on which occasions. And security measures around these key deposits will pose gigantic problems".
Other countries should not give in to US pressure, stresses Gunnar Klein. Instead they should introduce legislation establishing clearly that the right to privacy and secrecy through encryption is a human right.
Anders R. Olsson (Stockholm)
Contact: Tel: +46/8 7393211, E-mail: anders.r.olsson@swipnet.se