
German crypto laws




-----BEGIN PGP SIGNED MESSAGE-----

This is a press release of the German Forum of Computer
Professionals for Peace and Social Responsibility (FIfF). It
discusses the crypto-proposals of the German government, which are
similar to the UK and US proposals.
Please note that this is my own "unofficial" translation of it. All
phrases in [] are either my additional comments or are phrases that
I couldn't translate directly.
If you want the original German text, e-mail me.

Ciao

Harka

====================================================================
                         P R E S S  R E L E A S E
                    of the Forum of computer professionals for
                         peace and social responsibility
                              Bonn, in April, 1997

     Cryptography proposals reverse constitutional rights

The Forum of Computer Professionals for Peace and Social
Responsibility declares the following regarding the recently
made-public plans and intentions to regulate cryptography
internationally and nationally:

The efforts toward the regulation of cryptography are very obvious.
After several tries, guidelines for crypto-politics were worked out
at the end of March by the OECD[1]. Almost simultaneously, plans from
the United States[2] and the United Kingdom[3] for new
national crypto regulations became public. Further developments
suggest that the [German] Federal Government has also worked out
specific plans to regulate cryptographic technology in Germany.


At the current level of planning, the [German] Federal Government is
considering three variations of regulation[5]:

1. A key-escrow-solution, in which providers of cryptographic
   services have to provide the keys of customers to
   law-enforcement, if necessary.

2. A key-escrow-solution, in which only federally licensed
   providers of cryptographic services are permitted to operate.

3. A key-escrow-solution with simultaneous prohibition of all not
   federally permitted technologies.

The FIfF sees herein a serious threat to the development of a
society that is increasingly dependent on information transfer.
Not only is the protection of privacy now ranking below federal
surveillance wishes, but also the protection of all interactions
and transactions that happen on electronic networks. This
unacceptable interference [with privacy] is, for technical reasons,
not even accompanied by any plus sides for federal investigators.


The planning of crypto regulations makes clear not only the complete
neglect of civil rights in our [German] constitution. It is
becoming a symbol for the huge deficits in understanding the
problems, possibilities and challenges of [...] an information
society.


The FIfF sees five areas, where arguments for the damage of crypto
regulations can be made:

I. Crypto regulations as last building block of surveillance

Why does cryptography have to be regulated by law? From the official
side a crypto regulation in Germany is necessary, because it's the
last missing piece to surveillance of [long distance] information
traffic. The law for "Long-distance information traffic
surveillance" (FUeV)[6] forces providers of information traffic
installations to provide the clear-text of monitored traffic to law
enforcement. This can be avoided by end-to-end cryptography by
single users. Since telephone and fax [communication] are rarely
encrypted, a regulation of cryptography would mainly affect users
of electronic networks, who can ensure the postal privacy only
through encryption.


Its underlying suggestion is that encrypted data traffic of
suspects [of crime] in electronic networks is the norm and can't be
under surveillance. This is not true.


The current laws and regulations are forcing providers of electronic
networks to guarantee a surveillance of law enforcement and
intelligence services; this is already happening[7]. Up until now no
case is known, where the investigation of a crime was made
impossible through cryptography. Nevertheless vague threat-scenarios
are mentioned, to make an increased surveillance of information
traffic more plausible.


In Germany though it's hard to observe an under-development in
surveillance. While in the United States and its 240 million
citizens 1229 telephone surveillance requests were granted in 1995,
Germany with 80 million citizens had in the same time 3667 requests
granted[8] - per citizen 6 times as many surveillance activities as
in the USA. In 1996 the number of granted requests increased again
175 percent to 6428 [9]. No comparison of the crime rates in
Germany and the USA can possibly explain these differences [...].
In which way these methods [of surveillance] have contributed to
crime investigation is not known, since here a control of the
[surveillance] activities is not done, as opposed to the USA.


Although deficits [in surveillance] aren't noticeable, the Great
Listening Attack and crypto law are to open new fields for
surveillance. Through that basic civil rights are increasingly
limited.


II. Basic rights are reversed


The protagonists of a crypto law say that such a regulation would
be nothing new, but only an adaptation of [existing] info surveillance
to technical developments. This is wrong.


Outlawing all not licensed crypto technology is reversing current
principles of civil rights. The limitation of postal secrecy is
only permitting the control of sendings. There are no forced ways
of writing, nor are certain languages or ways of expression
prohibited. No law is prohibiting to write with secret ink or to
use any other means to make messages secret. Somebody opening
letters has to do all work of analysis himself - no sender has to
help him with a [correct] letter written according to law. A
prohibition of cryptography, despite all current systems of law,
would throw the law-conform electronic communication under the
diktat of governmentally sanctioned syntaxes. No dictatorship in
Germany has ever demanded that.


III. After all, it's your money....


Electronic networks are transporting not only letters, even the
politicians got that. Using cryptographic technologies therefore is
not limited only to postal secrecy, but also other things worthy of
protection.


Those who make crypto laws also want the control over the electronic
variants of transactions, that are currently under special privacy
protection rights. The electronic service law of the IuKDG makes it
obvious by stating explicitly electronic banking as an electronic
service. For users of online-banking, online-work and
online-medicine the bank-, service-, and medical secrecy gets
reduced to the information traffic secrecy [law]. Thus the
information traffic secrecy [law] is becoming a strategic basic
[constitutional] right. A crypto law would not only undermine this
basic right, but many others as well. Such a law is a trojan horse
[for the democratic state] in an information society.


IV. Additional problems in reality


Let's assume, a crypto law would be formulated. How would it be
[constitutional] and would it be practicable? To note is a law to
digital signatures in the IuKDG, that indicates [a limitation of
asymmetric] cryptography technologies. This leads to characteristic
problems.


1. A handing-over of an escrowed key to law-enforcement means with
currently available systems, that an unlimited surveillance of the
key-owner is possible, as long as he uses the same [unchanged] key.
This is even in the practice of surveillance an unprecedented
limitation of citizens' rights, which [out-of-proportion nature] is
also clear to cryptography experts and supporters of a [crypto] law:
No one less than Otto Leiberich, Ex-President of the Federal Agency
of Information Technology Security (BSI), publicized, how through
introducing a time-variable in cryptography technologies timely
limits should be set to surveillance[10]. But could the security
agencies have an interest in [such] a lawful technology, that could
not be decrypted anymore, when users could prevent investigation
already through a changed system date?


2. The [available to law-enforcement] private key of a suspect makes
only his incoming data traffic readable, but not his messages to
third persons. In respect to the nature of asymmetric crypto
technologies [...] proofs for a communicated agreement with third
persons to commit a crime are only to be won, if also the keys of
his communication partners are available, and beyond that in certain
circumstances even their partners. The result is a tendency of an
exponential increase of the [circle of] suspects, the surveillances
and the work-load for the investigators. Here is no proportionality
anymore nor effective investigation.


3. Due to the lack of competent institutions, the federal
government will not be able to avoid using the infra-structure,
that it's currently creating for introducing and issuing digital
signatures, to control crypto keys as well. No law will balance the
loss of trust, when on one side the institution has to hand over
private keys to law-enforcement and on the other hand guarantees
for the security of the digital signature. Would the digital
signature get into the wrong hands, any document could be lawfully
signed. The fear of citizens is understandable, to be [powerless]
to manipulations of federal key mighties. With such a loss of trust
the federal government and companies [that support the digital
signature] shouldn't even bother [to set up the infra-structure].


4. A national crypto law is not able to address accordingly the
problems of international traffic typical for electronic networks.
To get the crypto keys of a "Mafia Organization", the agencies of
several countries would have to be mobilized. Are the supporters of
a crypto law really serious, that an international co-operation in
getting escrowed keys would function better than the current bad
co-operation in investigating crimes, where electronic networks
were used?


5. Compared to that it's almost negligible, how such a crypto law
would make harder the life of the software industry. To guarantee a
relation of crypto key and user on the grounds of the law, the
makers of Internet-browsers, for example, [...], would have to
refrain from distributing their products in Germany via the
Internet and instead sell software packages only [in stores] to
persons with ID. Such an effort is affordable only for a few and
wouldn't necessarily strengthen the position of the legal use of
secure systems. When beyond that different and technically
incompatible national regulations were enacted, the much cheered
upon global Electronic Commerce would remain an illusion.


V. A crypto law doesn't make the investigators smarter either


Nobody can overlook this fact: a crypto law can be easily [routed
around]. A legal cryptographic system can be used several times on a
message; in fact, a message encrypted with an illegal technology
could be "packed" in a legal system. Also a crypto law can be
avoided, so that nobody knows: Steganography and other means to use
covert channels hide messages in plain-text files, for example, and
put a veil around the very existence of an encrypted message.


- From the routing around of the crypto law, the federal security
experts hope to actually gain advantages, because out of the circle
of users of illegal crypto technologies, they could win worthy
hints about the organizational structure of the suspected circle of
people.


With the use of steganography such a group of persons is never to
become known [to law-enforcement]. But what would be won, even if a
group of people would be found, that uses the same illegal crypto
system? Their communication would not be decryptable, thus has to
be won through other means. As investigators today are already
sinking in a mountain of papers with protocols of phone
surveillances, in the future they will have to spend even more
effort to investigate groups, who have done nothing wrong but to
use a non-permitted crypto system and communicate incidentally with
people, who are suspected of something. Such an effort can't even
be justified by employment-market reasonings. To stamp the users of
non-permitted cryptography automatically to suspects would be
therefore even from an investigative perspective nothing but
nonsense.


- From a technical and practical perspective, a crypto law is nonsense
and unenforceable. [Some] lawyers though have the opinion, that
independent from the enforcement the law has to be obeyed in any
case. But such a dogmatic viewpoint is hard to balance with a
democratic society.


VI. Conclusion


The FIfF has the opinion, that a crypto law would even more
increase the already not shyly used surveillance of information
traffic in Germany. It reverses constitutional rights and
principles. It threatens drastically the constitutionally protected
citizens-rights in electronic transactions and interactions. It
would lead in practicality to severe additional problems with laws
and will certainly not make the work for investigators any easier.
The problems that come with such a regulation will also not be
solved through law-dogmatism. The severe damage for civil rights,
democracy, but also economical interests, are opposed by a very
thin advantage. With that background, every rational analysis would
therefore have to come to the conclusion, to avoid a regulation of
cryptography.


That the federal government is not doing that, despite
consultations with acknowledged experts over several years, is
either a proof for lack of knowledge or the willing neglect of the
consequences.


The very similar regulations of the OECD, Great Britain, the USA
and the West-German plans are out-of-sync with the visions of a
global, democratic information society.


VII. Demands

Instead of a limitation of cryptography it is according to the FIfF
necessary to:

1. increase the availability and use of cryptography,

2. not hinder the use of cryptography through limitations or
   prohibitions,

3. make the free choice of crypto systems possible,

4. support the development of secure crypto systems,

5. increase the protection for electronic transactions and
   interactions,

6. evaluate the use of federal surveillance of communication
   regularly, independently and in-depth.

              --------------------------
1 Cryptography Policy Guidelines; Recommendation of the Council,
http://www.oecd.org/dsti/iccp/crypto_e.html
2 http://www.cdt.org/crypto/admin_397_draft.html
3 Minister for Science and Technology: Licensing of Trusted Third
Parties for the Provision of Encryption Services;
http://www.cl.cam.ac.uk/users/rja14/dti.html
4 Press release of the research-policy spokesman of
Buendnis 90/Die Gruenen, Dr. Manuel Kiper:
http://www.gruenebt.de/aktuell/pm/indizes/in970236.htm
5 most specifically: C. Schulzki-Haddouti: Kanthers Kurs auf das
Kryptoverbot; in: http://www.heise.de/tp/te/1146/fhome.htm
6 cf. the statement of the FIfF on the FUeV at
http://hyperg.uni-paderborn.de/0x83ea6001_0x0036ce9
7 First cases of surveillance of Internet accounts became
known in: 30.000 Telephonate mitgehoert; in: Sueddeutsche
Zeitung, 2.12.96, p. 15
8 USA: Newsweek 20.5.96, Federal Republic of Germany: Bt-Drs 13/3618
9 Bt-Drs. 13/7341
10 Otto Leiberich: Verschluesselung und Kriminalitaet II, in:
BSI-Forum der KES 1/95

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Forum InformatikerInnen fuer Frieden und         FFFF I  fff  FFFF
gesellschaftliche Verantwortung (FIfF) e.V.      F    I  f    F
Reuterstr. 44, D-53113 Bonn                      FFFF I  fff  FFFF
E-mail: [email protected]                         F    I  f    F
Tel.:xx49-228-219548  Fax: -214924               F    I  f    F

CL/GRUPPEN/FIFF   and
http://hyperg.uni-paderborn.de/~FIFF
forum computer professionals for peace and social responsibility
* * * * * * * * * * * * * PGP-Key on request  * * * * * * * * *

====================================================================


/*************************************************************/
/* This user supports FREE SPEECH ONLINE     ...more info at */
/* and PRIVATE ONLINE COMMUNICATIONS! -> http://www.epic.org */
/* E-mail: harka(at)nycmetro.com (PGP-encrypted mail pref'd) */
/* PGP public key available upon request.  [KeyID: 04174301] */
/* F-print: FD E4 F8 6D C1 6A 44 F5  28 9C 40 6E B8 94 78 E8 */
/*<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>*/
/* May there be peace in this world, may all anger dissolve  */
/* and may all living beings find the way to happiness...    */
/*************************************************************/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----


If encryption is outlawed, only outlaws will have encryption...