EU-wide rules on encryption likely

Everybody, it seems, is anxious that data transmitted over the Internet is secure and free from interception or corruption

Everybody, it seems, is anxious that data transmitted over the Internet is secure and free from interception or corruption. Ordinary email users and Net enthusiasts want their privacy protected for the same reasons as users of the traditional mail systems. Likewise, e-commerce traders are anxious that electronic transactions will be fully secure so that customers and potential customers will feel confident about giving out credit card numbers to make purchases over the Internet.

The advent of increasingly sophisticated encryption techniques now makes it practically impossible to read data intercepted in transit if it has been sufficiently strongly encrypted (see panel). This has been particularly welcomed by an unlikely coalition of ponytails and pinstripes - the Net enthusiasts and the e-commerce practitioners - but it is seen as a major headache for governments.

The prospect of terrorists or drug barons communicating across the Net with security that could be beyond the decryption capabilities of even the US military has become a cause of great concern in the US and elsewhere. The US government treats cryptography as a munition, and places very onerous controls on its export. FBI director Louis Freeh told a US senate subcommittee: "Network service providers should be required to have some immediate decryption ability," permitting FBI agents to readily descramble encrypted messages passing through their systems.

Although we have no encryption laws in force in Ireland, we are signatories to the Wassenaar Arrangement. Under its terms, the export of cryptographic products using keys longer than 56 bits would require a licence.


The 31 Wassenaar signatories include all 15 EU member-states, along with the US and Russia. This arrangement, first signed in 1995, was updated in December 1998. Its provisions are not direct - each state has to implement them in national legislation. France, Spain, Belgium, Austria, the Netherlands, and Italy have enacted legislation, but there is a considerable variation of attitude towards encryption among the EU member-states.

In June 1998, a framework for Irish policy on cryptography was published by the Department of Enterprise. It proposes that users should have the right to strong and safe encryption, and also that legislation will be enacted to oblige encryption users to release plaintext or crypto keys upon a lawful authorisation.

If the last proposal is to be introduced, then it is possible the government will opt for "key-escrow" as a means of key recovery. A legal term, escrow refers to the holding of a deed by a trusted third party (TTP) to take effect when a certain condition has been fulfilled.

Under key-escrow, your private key would be held in trust by a third party, and if you came under suspicion it would be released to the authorities on lawful authorisation. Understandably, this has been met with cynicism by the unusual alliance of cyber civil-libertarians (who don't like regulation) and e-business people, who don't want potential customers scared off by any weakening of their security.

Where can we find a suitably trustworthy third party, anyway? In some countries where key-escrow has been mooted, the banking institutions have been seen as the logical TTP. People trust them with their money, so why not with a crypto key? It is hard to see this idea being an uncontroversial runner in Ireland in light of the recent scandals involving financial institutions.

This is far from being the only issue. Even if an acceptable TTP were found, what would trigger key recovery? Key-escrow has also been widely criticised as:

cumbersome (managing keys for everyone in the country would be a logistical nightmare)

insecure (any breach of security at the TTP would endanger the keys of all users)

unfair (ordinary users would be forced to use key-escrow, but terrorists and drug-dealers seem unlikely to sign up).
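The following Python program is an added illustration of the escrow mechanism described above and of the "insecure" criticism; it is not code from the article. It models the deposit of a user's key with trustees and its release on authorisation, and then shows the one engineering answer to the single-TTP problem: splitting the deposited key among several trustees (Shamir secret sharing over a prime field) so that a breach of fewer than the threshold number of trustees yields nothing. The trustee objects, the example key, the authorisation dictionary and the 2-of-3 threshold are all constructed for the example.

```python
"""Key escrow with a threshold split among trustees (added example).

A key deposited with a single TTP is exposed by any breach of that TTP.
Splitting it k-of-n among several trustees (Shamir secret sharing) means
fewer than k breached or colluding trustees learn nothing about it, while a
lawful recovery still works once k trustees agree to release their shares.
"""
import secrets

# Field for the arithmetic: 2^127 - 1 (a Mersenne prime), so any key of up
# to 126 bits fits in a single field element.
PRIME = (1 << 127) - 1

# Constructed example key; in practice this would be the user's private key.
EXAMPLE_KEY = 0x0123456789ABCDEF0123456789ABCDEF


def _eval_poly(coeffs, x):
    # Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key_int, threshold, trustees):
    """Return {trustee_id: share}; any `threshold` shares recover key_int."""
    assert 0 <= key_int < PRIME and 1 <= threshold <= trustees
    # The key is the constant term; the other coefficients are random, so a
    # set of fewer than `threshold` points is consistent with every key.
    coeffs = [key_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, trustees + 1)}


def recover_key(shares):
    """Lagrange interpolation at x = 0 over {trustee_id: share}."""
    result = 0
    ids = list(shares)
    for i in ids:
        num = den = 1
        for j in ids:
            if i != j:
                num = (num * (-j)) % PRIME
                den = (den * (i - j)) % PRIME
        result = (result + shares[i] * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return result


class Trustee:
    """A trusted third party holding one share per user (hypothetical model)."""

    def __init__(self, tid):
        self.tid = tid          # must be 1..n to match split_key's x-coordinates
        self._vault = {}        # user -> share

    def deposit(self, user, share):
        self._vault[user] = share

    def release(self, user, authorisation):
        # Hypothetical check: hand over the share only for the user named in
        # a lawful authorisation. Returns None on refusal.
        if authorisation.get("user") != user or not authorisation.get("lawful"):
            return None
        return self._vault.get(user)

    def breached_vault(self):
        # What an attacker obtains by compromising this trustee's store
        return dict(self._vault)


def escrow_deposit(user, key_int, trustees, threshold):
    shares = split_key(key_int, threshold, len(trustees))
    for t in trustees:
        t.deposit(user, shares[t.tid])


def lawful_recovery(user, authorisation, trustees, threshold):
    """Collect `threshold` shares from cooperating trustees; None if refused."""
    got = {}
    for t in trustees:
        if len(got) == threshold:
            break
        share = t.release(user, authorisation)
        if share is None:
            return None
        got[t.tid] = share
    return recover_key(got) if len(got) == threshold else None


def breach_exposure(user, breached_trustees, threshold):
    """Key recoverable from the vaults of the breached trustees, else None."""
    stolen = {t.tid: t.breached_vault()[user] for t in breached_trustees}
    if len(stolen) < threshold:
        return None     # below threshold: the shares say nothing about the key
    return recover_key(stolen)


if __name__ == "__main__":
    # Single TTP (1-of-1): one breach exposes the key.
    single = [Trustee(1)]
    escrow_deposit("alice", EXAMPLE_KEY, single, 1)
    print("single TTP breach:", hex(breach_exposure("alice", single, 1)))
    # 2-of-3 split: one breached trustee yields nothing, two suffice.
    three = [Trustee(i) for i in range(1, 4)]
    escrow_deposit("alice", EXAMPLE_KEY, three, 2)
    print("one trustee breached:", breach_exposure("alice", three[:1], 2))
    warrant = {"user": "alice", "lawful": True}
    print("lawful recovery:", hex(lawful_recovery("alice", warrant, three, 2)))
```

The split does not remove the trust problem, it spreads it: the threshold only helps if the trustees are independent of one another and of whoever can issue the authorisation, and the "cumbersome" and "unfair" objections above are untouched by it.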

Regardless of which parties are in government in this country over the next few years, it is probable that they will opt for a pan-EU agenda on cryptography and digital-signature legislation. However, it is less easy to predict how security concerns will be reconciled with the individual's right to free speech and the promised right to strong encryption.

Fintan Gibney is an IT consultant with CBT Systems (fintang@mailcity.com)