[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Australia and Encryption Policy



Ross Anderson posted a message on the net recently stating that
Australia was proposing an encryption policy that would force residents
to use weak cryptography while banks would get key escrow.  His source
was a talk by Steve Orlowski, who is Assistant Director, Security
Management, in the Australian Attorney-General's Department.

Attached is a copy of an open letter by Mr. Orlowski in response to
that post.  He is not proposing that individuals be forced to use weak
encryption.  Key escrow would be an option available to anyone wanting
a high level of encryption.  Organizations and individuals could escrow
their own keys if desired.

This message and his letter may be forwarded.

Dorothy Denning
---------------

Dear

Thank you for your comments on the subject of the use of encryption by
private individuals.

Firstly I would like to make the point that the debate has arisen from
one person's interpretation of a paper I gave at a conference on
"Cryptography Policies and Algorithms"  The full text of that paper is
now available on the net at

	http://commerce.anu.edu.au/comm/staff/RogerC/RogersHome.html

The paper carries a disclaimer at the top that the views are mine and
do not necessarily represent the views of the Australian Government.
The paper sets out the Government's policy on telecommunications
interception, which includes the issue of the use of cryptography as:
"As a result of the Report, Australia is, among other TI issues,
monitoring the impact of encryption in the telecommunications
interception area and will re-examine matters in 1997 following the
opening of the telecommunications area to full competition."
Telecommunications covers both voice and data communications.

The last paragraph of the paper says that there is a need to expand the
cryptography debate to cover the needs of individual users in the
context of the information superhighway rather than current Internet
users.  The paper also points out that issues suh as cost, convenience
and public confidence in cryptography systems will be the main issues.
Public confidence is explained in terms that as long as it meets the
general requirement for privacy it will be acceptable.  I still
maintain that the general user of the superhighway in the next century
will be satisfied with a lower level of encryption which will meet that
and cost and user friendliness requirements.

On specific point made in the Internet message, the paper does not
suggest, either directly or by implication, that individuals should be
banned from using encryption.

Regarding the use of higher level encryption, the paper supports the
concept of commercial key escrow where organisations hold their own
keys but may be required to provide them in response to a court order.
The same would apply to individuals who could either hold there own keys
or store them with a commercial body.  Access to those keys would be by
court order and in that respect is no different to existing procedures
for the interception or seizure of telephone conversations or paper
records.  There is no suggestion that these basic principles, and
protection of individual's rights in general, should be changed

If individuals were to use lower level encryption there would be no
need for them to maintain copies of any keys for such systems.  To my
mind this is preferable to a requirement for keys to be maintained for
all encryption systems, which could be the result if universal key
escrow were introduced.

Finally on the question of interception, the general public expects a
reasonable level of law enforcement to ensure the protection of their
person and property.  Governments are required to find a balance
between this and the rights of individuals to privacy.  Part of this
balance is to ensure that law enforcement authorities convince a court
that there is a need to carry out an interception.  There is no
suggestion that this fundamental approach should be changed.  The paper
certainly does not suggest tha the Attorney-General's Department should
become a centralised interception authority.  In fact such a role would
not be consistent with its role as a source of advice to Government.

I hope the above clarifies both the Government's policy and my personal
views on these matters.

I consider this to be an open letter and have no objection to it being
used as such.

Yours sincerely

Steve Orlowski