Why are governments so concerned about the use of cryptography in digital communications? What kind of laws and regulations have they brought in to try to deal with their concerns? How far do such efforts threaten the privacy that organisations need for conducting legitimate business?
Why are governments so concerned about the use of cryptography in digital communications?
Cryptography is a discipline which embodies principles, means and methods for the transformation of data utilized to ensure the confidentiality of data, authenticate the data and to ensure its integrity1. Internet has resulted in data, business and communication being conducted on open networks which are more difficult to control and monitor than traditional channels. Despite its value in ensuring information and data security, many nations regard cryptography as a dual-use technology that can be applied for civil and military purposes, and therefore should be regulated. Governmental concerns particularly revolve around the reduced ability for intelligence and security agencies to perform effective surveillance of computers and electronic communication to uncover, prevent and prosecute illegal activities2.
What kind of laws and regulations have they brought in to try to deal with their concerns?
The Wassenaar agreement3 acts as the principal document on the encryption software export control regimes around the world. Its guidelines base restrictions on the key length of symmetric cryptographic products, and allow the free export of mass-market cryptographic software which complies with such provisions.
This is a preview of the whole essay
OECD Guidelines for Cryptography Policy4 focus on trust, free choice and market-driven development of cryptographic methods. They promote the fundamental protection of privacy and personal data, lawful access to cryptographic keys and the need for a clear liability for cryptography users and service providers. These represent the first international attempt to give policy orientations on several aspects of cryptography, and highlight international cooperation to development of standards and removal of unnecessary trade obstacles.
In an attempt to control the development and access to strong cryptography tools, governments have regulated the general export (and sometimes, import) of cryptography products. The deployment of key recovery systems, including trusted third-party access and key escrow,5 have been proposed to make decryption keys available. These have however not become fully-fledged law due to queries about issues including privacy, effectiveness and costs6.
How far do such efforts threaten the privacy that organisations need for conducting legitimate business?
Electronic commerce is one key driver for the development of the global information society7. The online marketplace needs to ensure safe commercial transactions, key in building consumer trust8, and retainment of sensitive data, whose compromise may have both financial, reputation and competitive consequences. As cryptography tools are one security measure for achieving this, too much restriction is undesirable.
Does regulation of this kind pose a threat to the security of sensitive corporate data?
Organisations that process and store personal data are required to put in place information security measures9. Those that depend on electronic payment systems might, with weak encryption, expose themselves to attacks that misuse the customer's private information. Industry espionage may also prove easier if attackers have the ability to decrypt sensitive communication and stored data of an organisation that has weak or key-forfeiture encryption10.
Balancing national security interests and protecting the security and privacy in commerce, should be the focus of the internet community, to allow available effective cryptography standards and appropriate regulative law to promote a functioning and innovative online market.
1Parviainen, S 'Cryptographic Software Export Controls in the EU' (2000) Faculty of Law, University of Helsinki <http://ethesis.helsinki.fi/julkaisut/oik/julki/pg/parviainen/cryptogr.pdf> accessed 23 April 2013
2Lecture Notes 'Week 4: Cryptography laws and regulations' University of Liverpool LLM <https://elearning.uol.ohecampus.com/bbcswebdav/xid-142628_4> accessed 25 April 2013
3Wassenaar Agreement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (1995) <http://www.wassenaar.org/publicdocuments/2012/Basic%20Documents%202012.pdf> accessed 23 April 2013
4OECD Guidelines for Cryptography Policy (1997) <http://www.oecd.org/internet/ieconomy/guidelinesforcryptographypolicy.htm> accessed 25 April 2013
5Aljifri H & Sánchez D 'International legal aspects of cryptography' (2003) 22(3) Computers & Security <http://www.sciencedirect.com.ezproxy.liv.ac.uk/science?_ob=MiamiImageURL&_cid=271887&_user=822084&_pii=S0167404803003055&_check=y&_origin=article&_zone=toolbar&_coverDate=30-Apr-2003&view=c&originContentFamily=serial&wchp=dGLzVlV-zSkWz&md5=c2115039bbac220840d385f73abc8232&pid=1-s2.0-S0167404803003055-main.pdf> accessed 24 April 2013 p.196
6Julia-Barcelo R & Vinje T 'Towards a European Framework for Digital Signatures and Encryption' (1998) 14(2) Computer Law & Security Review <http://www.sciencedirect.com.ezproxy.liv.ac.uk/science?_ob=MiamiImageURL&_cid=271884&_user=822084&_pii=S0267364997821309&_check=y&_origin=article&_zone=toolbar&_coverDate=30-Apr-1998&view=c&originContentFamily=serial&wchp=dGLzVlt-zSkzk&md5=9bc2bb5fd1dcad382203434c23973df7&pid=1-s2.0-S0267364997821309-main.pdf> accessed 26 April 2013 p.78
7European Commission 'A European Initiative in Electronic Commerce' (1997) Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions <ftp://ftp.cordis.europa.eu/pub/esprit/docs/ecomcom.pdf> accessed 25 April 2013
8TNS Opinion & Social 'Cyber Security Report' (2012) Special Eurobarometer 390 <http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf> accessed 25 April 2013
9Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Data Protection Directive) <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML> accessed 25 April 2013
10Shearer J & Gutmann P 'Government, Cryptography, and the Right to Privacy' (1996) 2(3) Journal of Universal Computer Science <http://www.jucs.org.ezproxy.liv.ac.uk/jucs_2_3/government_cryptography_and_the/Shearer_J.pdf> accessed 25 April p.113