Global Internet Liberty Campaign Statement on Canadian Crypto Policy April 20, 1998 Helen McDonald Director General, Policy Development Task Force on Electronic Commerce Industry Canada 20th Floor, 300 Slater Street Ottawa, Ontario   K1A 0C8 CANADA Dear Ms. McDonald: We are writing in reference to your call for public comments to the document "A Cryptography Policy Framework for Electronic Commerce -- Building Canada's Information Economy and Society", available on the world-wide web at: http://strategis.ic.gc.ca/crypto We, the undersigned, are members of the Global Internet Liberty Campaign (GILC) [1], a coalition of international organizations that is committed to defending civil liberties and human rights on the Internet. One of the principles we have identified as being important for fundamental human rights, such as freedom of expression, freedom of association, and the right to privacy, is that people around the world who are using computer networks must be able to encrypt their communications and information without government interference [2]. We wish to express our firm opposition to any policy or legislation that would limit or prohibit the manufacture, import/export, or use of strong encryption (without key recovery) for stored data or real-time communications. In particular, we are firmly opposed to the following proposals, (as detailed in Part 4: Policy Options of the document mentioned above). 1. "the government could prohibit the manufacture, import, and use of non-key-recovery [encryption] products in Canada." 2. "Carriers [of real-time telecommunications] would be prohibited from transmitting messages unless in plaintext or encrypted by key-recovery hardware or software." 3. "The export of strong cryptography would only be permitted if the products had approved key-recovery provisions." It is our informed opinion that such policy or legislation would be contrary to international human rights treaties, harmful to Canadian society, detrimental to the Canadian economy, and, in the end, simply unenforceable. Freedom of expression, freedom of association, and the right to privacy are explicitly protected by Canadian and international law, including: the Charter of Rights and Freedoms (sections 2,7,8), the Universal Declaration of Human Rights (articles 12,20), and the International Covenant on Civil and Political Rights (article 17,22). First, the policy mentioned above would unreasonably infringe upon and interfere with the right of Canadians to exercise their freedom of expression and freedom of association. As we move towards a global economy, and especially in a country as large as Canada, individuals, associations, unions, and corporations need to be able to communicate and share information with each other over long distances while still protecting their privacy. Second, it would unreasonably deny Canadians the opportunity to use strong encryption products to exercise their right to privacy and to protect the confidentiality of their personal communications and the security of their financial transactions. Third, it would unreasonably hinder and interfere with the use of encryption products whose legitimate use is essential to the transition to a wired economy. Strong encryption is essential to the growth and success of electronic commerce. Any requirement for key-escrow or key-recovery creates an inherent and unnecessary risk of unlawful interception of personal communications, or unlawful access to sensitive financial transaction data by criminals. Consumer confidence is crucial to the success of electronic commerce and reliance on weak or vulnerable methods would pose an enormous obstacle to growth. These risks have been well documented by leading experts in cryptography [3] and computer network communication [4]. Fourth, it would be unenforceable in practice, since the basic mathematical and algorithmic methods for strong encryption (without key recovery) are published and well known and can easily be implemented in software by any bright high-school student with access to a personal computer. Such strong encryption software is already widely available on the Internet, for anyone to download, for free. Finally, we note that very few countries favour the development of key-escrow or key-recovery techniques and infrastructures. Instead, the recent international trend is to liberalize cryptography policies. In a survey we conducted earlier this year [5], we found that virtually all countries allow the use, manufacture, sale, and distribution of encryption products without restriction. The Organization for Economic Cooperation and Development (OECD) [6] and the Ministers of the European Union [7] have also made clear their support for the development and widespread use of strong cryptographic techniques. Your sincerely,   Associazione per la Libertà nella Comunicazione Elettronica Interattiva (ALCEI) -- http://www.nexus.it/alcei Campaign Against Censorship of the Internet in Britain (CACIB) -- http://www.liberty.org.uk/cacib/ Center for Democracy and Technology (CDT) -- http://www.cdt.org/ CITADEL Electronic Frontier France -- http://www.citadeleff.org Computer Professionals for Social Responsibility -- http://www.cpsr.org/ Cyber-Rights & Cyber-Liberties, UK -- http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm Derechos Human Rights (DHR) -- http://www.derechos.org/ Digital Citizens Foundation Netherlands (DB-NL) http://www.db.nl/ Electronic Frontier Canada (EFC) -- http://www.efc.ca/ Electronic Frontier Foundation (EFF) -- http://www.eff.org/ Electronic Frontiers Australia (EFA) -- http://www.efa.org.au/ Electronic Frontiers Texas -- http://www.eftexas.org Electronic Privacy Information Center (EPIC) -- http://www.epic.org/ Equipo Nizkor, Spain -- http://www.derechos.org/nizkor Förderverein Informationstechnik und Gesellschaft (FITUG), Germany -- http://www.fitug.de/ Fronteras Electrónicas España (FrEE), Spain -- http://www.arnal.es/free/ Human Rights Watch (HRW) -- http://www.hrw.org Index on Censorship -- http://www.indexoncensorship.org/ Internet Society (ISOC) -- http://www.isoc.org/ NetAction -- http://www.netaction.org/ Privacy International -- http://www.privacy.org/pi/ Quintessenz, Austria -- http://www.quintessenz.at References: [1] Global Internet Liberty Campaign, ( http://www.gilc.org/ ) The Global Internet Liberty Campaign was formed at the annual meeting of the Internet Society (ISOC) in Montreal in June 1996.   [2] GILC Resolution in Support of the Freedom to use Cryptography, September 1996, ( http://www.gilc.org/crypto/oecd-resolution.html )   [3] The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption, May 1997, ( http://www.crypto.com/key_study/report.shtml ) This is a very influential paper by some of the top cryptographers in the world: Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier.   [4] IETF Statement on Cryptographic Technology and the Internet (RFC-1984), August 1996, ( http://info.internet.isi.edu/in-notes/rfc/files/rfc1984.txt ) This statement was prepared by the Internet Engineering Task Force (IETF) and in particular the Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG) which oversee and develop the architecture and standards for the Internet.   [5] GILC Crypto Survey, Cryptography and Liberty: An International Survey of Encryption Policy, February 1998, ( http://www.gilc.org/crypto/crypto-survey.html ) A survey of crypto policies in almost 80 countries has found that most countries do not restrict the use of encryption.   [6] The OECD Cryptography Policy Guidelines, March 1997, ( http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm )   [7] European Union's Ministerial Declaration on Global Information Networks, July 1997, ( http://www2.echo.lu/bonn/final.html )