The 1999 update of this report is now available
CRYPTOGRAPHY AND LIBERTY 1998
AN INTERNATIONAL SURVEY OF ENCRYPTION POLICY
February 1998
Global Internet Liberty Campaign
The Importance of Cryptography
Acknowledgements
This Report was made possible by a grant from the Open Society Institute (http://www.soros.org/osiny.html). EPIC Senior Fellow Wayne Madsen was the principal researcher and writer. Members of the Global Internet Liberty Campaign provided assistance. Lisa Kamm created the HTML version of the Report.
The Importance of Cryptography
Emerging computer and communications technologies are radically altering the ways in which we communicate and exchange information. Along with the speed, efficiency, and cost-saving benefits of the "digital revolution" come new challenges to the security and privacy of communications and information traversing the global communications infrastructure.
In response to these challenges, the security mechanisms of traditional paper-based communications media -- envelopes and locked filing cabinets -- are being replaced by cryptographic security techniques. Through the use of cryptography, communication and information stored and transmitted by computers can be protected against interception to a very high degree. Until recently, there was little non-governmental demand for encryption capabilities. Modern encryption technology -- a mathematical process involving the use of formulas (or algorithms) -- was traditionally deployed most widely to protect the confidentiality of military and diplomatic communications. With the advent of the computer revolution, and recent innovations in the science of encryption, a new market for cryptographic products has developed. Electronic communications are now widely used in the civilian sector and have become an integral component of the global economy. Computers store and exchange an ever-increasing amount of highly personal information, including medical and financial data. In this electronic environment, the need for privacy-enhancing technologies is apparent. Communications applications such as electronic mail and electronic fund transfers require secure means of encryption and authentication -- features that can only be provided if cryptographic know-how is widely available and unencumbered by government regulation.
Governmental regulation of cryptographic security techniques
endangers personal privacy. Encryption ensures the confidentiality of
personal records, such as medical information, personal financial
data, and electronic mail. In a networked environment, such
information is increasingly at risk of theft or misuse. In their
"Resolution in Support of the Freedom to Use Cryptography," members
of the Global Internet Liberty Campaign (GILC) noted that "the use of
cryptography implicates human rights and matters of personal liberty
that affect individuals around the world" and that "the privacy of
communication is explicitly protected by Article 12 of the Universal
Declaration of Human Rights, Article 17 of the International Covenant
on Civil and Political Rights, and national law." See Resolution in
Support of the Freedom to Use Cryptography, September 25, 1996
(Appendix B).
Encryption and Human Rights
In many countries in the world, human rights organizations, journalists and political dissidents are the most common targets of surveillance by government intelligence and law enforcement agencies and other non-governmental groups. The U.S. Department of State, in its 1996 Country Reports on Human Rights Practices, reported widespread illegal or uncontrolled use of wiretaps by both government and private groups in over 90 countries. In some countries, such as Honduras and Paraguay, the state-owned telecommunications companies were active participants in helping the security services monitor human rights advocates. These problems are not limited to developing countries. French counter-intelligence agents wiretapped the telephones of prominent journalists and opposition party leaders. The French Commission Nationale de Contrôle des Interceptions de Securité estimated that there are some 100,000 illegal taps conducted each year in France. There have been numerous cases in the United Kingdom which revealed that the British intelligence services monitor social activists, labor unions and civil liberties organizations. A recent UK bill was enacted that allows for the surveillance of lawyers and priests. In Germany, a bill is currently pending that would allow, for the first time since the Nazi era, the ability to bug journalists' offices. The European Parliament issued a report in January 1998 revealing that the U.S. National Security Agency was conducting massive monitoring of European communications.
Many human rights groups currently use encryption to protect their files and communications from seizure and interception by the governments they monitor for abuses. These include Guatemala, Ethiopia, Haiti, Mexico, South Africa, Hong Kong and Turkey. Other groups such as Amnesty International USA also use cryptographic techniques to digitally sign messages that they send over the Internet to ensure that the messages are not altered in transmission.
Additional information on the use of encryption technology by
international human rights organizations is contained in the briefing
paper "Encryption in the Service of Human Rights," produced by Human
Rights Watch
(http://www.aaas.org/SPP/DSPP/CSTC/briefings/crypto/dinah.htm).
GILC and Encryption
The Global Internet Liberty Campaign was established in June 1996 to protect civil liberties and human rights in the online world. Among the principles adopted by GILC at its original meeting was the belief that users of the Internet should have the right to "encrypt their communication and information without restriction."
In September 1996, GILC issued its "Resolution in Support of the Freedom to Use Cryptography" at an international conference sponsored by GILC in Paris. The resolution was addressed to the Organization for Economic Cooperation and Development (OECD). GILC urged the OECD to base its policies on "the fundamental rights of citizens to engage in private communications." Subsequent guidelines adopted by the OECD recognized that the "fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods."
GILC continues to monitor activities concerning the freedom to use
cryptography around the world. GILC maintains an extensive collection
of resources about encryption policy at the GILC web site. Members of
GILC offer training in the use of cryptographic methods to human
rights organizers, journalists and political activists.
Purpose of the Survey
This survey was undertaken by the Electronic Privacy Information Center (EPIC), on behalf of GILC, to provide a comprehensive review of the cryptography policies of virtually every national and territorial jurisdiction in the world. Unlike previous surveys of international cryptography policy, the GILC survey is based on direct contact with over 200 nations and territories. Territories were included because their economic policies are often different from their mother countries.
We sent letters to the embassies, United Nations missions, government ministries, trade boards, and information offices of some 230 countries and territories. The letters inquired about four major areas concerning cryptography policies:
- controls maintained by the governments on the domestic use of cryptography in their countries;
- controls maintained by the governments on the importation to their countries of computer programs or equipment that permit cryptography;
- controls maintained by the governments on the exportation of domestically developed computer programs or equipment that permit cryptography; and
- identification of the agency or department of the governments responsible for setting policy on the use, importation, or exportation of cryptographic technology.
We referred to a preliminary survey commissioned by the U.S. National Institute of Standards and Technology (NIST) in September 1993 that first attempted to collect information on the cryptographic policies of foreign countries. This report concentrated mainly on the policies imposed by the Cold War-era Coordinating Committee on Multilateral Export Controls (COCOM), a grouping of Western nations that was abolished in 1994 and replaced by the Wassenaar Arrangement./1/
We also referred to a report prepared by the U.S. Department of Commerce and the National Security Agency for the Interagency Working Group on Encryption and Telecommunications Policy, obtained by EPIC under the Freedom of Information Act. The report, dated July 1995, is titled A Study of the International Market for Computer Software with Encryption. Commerce and NSA attempted to obtain and analyze copies of the laws and regulations from as many encryption-producing nations as possible. The two agencies based some of their research on the NIST report, State Department cables (messages) from U.S. embassies abroad, and reports from U.S. Foreign Commercial Service representatives to the Commerce Department's Bureau of Export Administration. However, much of the report was based on personal interviews with foreign government representatives in the intelligence community.
Recognizing the problems encountered by the Commerce Department and NSA in their surveys, we determined that the best way to determine cryptography polices around the globe was to contact directly the various embassies and diplomatic missions. The reasoning was that governments themselves are best able to authoritatively explain their policies, especially on such a technical area. We patterned our survey after one conducted in 1989 by the Computer Science and Law Research Group (GRID) of the University of Quebec, on behalf of the government of Canada, which analyzed the data protection policies and laws of over 150 countries. We also consulted the very useful Crypto Law Survey that is maintained by Bert-Jaap Koops. That survey includes descriptions of crypto policies in many of the world's countries as well as links to important source documents (http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm).
Survey Responses
A 100 per cent response was the goal of our survey, but external events dictated some non-responses. For example, the Embassy of Cambodia in Washington referred us to the Ministry of Posts and Telecommunications in Phnom Penh. After faxing that agency, Cambodia was rocked by a coup d'etat, several cabinet ministers fled or were executed, and no further information was forthcoming. A facsimile sent to the Finance Ministry of Montserrat in Plymouth, the island's capital, was shortly followed by the eruption of the Soufriere Hills volcano, which destroyed the capital city and sent most of the island's population into exile. Queries made to the embassies of Afghanistan, Congo (Brazzaville), Congo (Kinshasa), Comoros, and Sierra Leone were not answered, due likely to the civil wars in those nations.
The signatories of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies served as a baseline for the determination of the cryptography export policies of some countries. By July 1996, the arrangement was acceded to by 31 countries: Argentina, Australia, Austria, Belgium, Canada, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, the Netherlands, New Zealand, Norway, Poland, Portugal, the Republic of Korea, Romania, the Russian Federation, the Slovak Republic, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States. Bulgaria and Ukraine have also acceded to the arrangement. The Wassenaar Arrangement controls the export cryptography as a dual-use good, i.e., one that has both military and civilian applications. However, Waasenaar also provides an exemption from export controls for mass-market software. However, software containing cryptography may be subject to controls as a dual-use item. The confusion brought about by such a contradiction was apparent in the responses of some countries regarding their presumed obligations under Waasenaar.
Reported countries have been grouped into three categories
regarding controls on cryptography. A
"Green" designation signifies
that the country has either expressed support for the OECD Guidelines
on Cryptography, which generally favor unhindered legal use of
cryptography, or has no cryptography controls. A
"Yellow" designation signifies
that the country has proposed new cryptography controls, including
domestic use controls, or has shown a willingness to treat
cryptographic-enabled software as a dual-use item under Waasenaar. A
"Red" designation denotes
countries that have instituted sweeping controls on cryptography,
including domestic use controls. Some countries do not fit neatly
into one of the three categories, but trends may show them as being
borderline, i.e.,
"Yellow/Red."
Summary of Results
We found that most countries in the world today do not have controls on the use of cryptography. In the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction. This is true for both leading industrial countries and for countries in emerging markets. We also noted that recent trends in international law and policy suggest greater relaxation in controls on cryptography. The OECD Cryptography Policy Guidelines and the Ministerial Declaration of the European Union, both released in 1997, argue for the liberalization of controls on cryptography and the development of market-based, user driven cryptography products and services. These new multi-national agreements have implications for controls that currently restrict the use of cryptography. In France, for example, it is likely that domestic restrictions will be liberalized as French law is brought in line with the trade requirements of the European Union.
There are a small number of countries where strong domestic controls on the use of cryptography are in place. These include Belarus, China, Israel, Pakistan, Russia, and Singapore. There are an even smaller number of countries that are currently considering the adoption of new controls. These include India, South Korea and the United States.
The policies of the United States are the most surprising, given the fact that virtually all of the other democratic, industrial nations have few if any controls on the use of cryptography. The position may be explained, in part, by the dominant role that state security agencies in the U.S. hold in the development of encryption policy.
Index by Country
Conclusion of the Survey
Few countries today have controls in place that restrict the use of cryptography. Many countries, large and small, industrialized and developing, seem to be ambivalent about the need to control encryption technology. For many countries, cryptography policy is not a significant national issue. For those that have considered the topics, interests in electronic commerce and privacy appear to outweigh the concerns expressed by law enforcement.
Some major U.S. allies oppose the U.S. attempt to export its concept of key recovery. The U.S. has tried to enlist the support of countries like Brazil, Singapore, South Africa, Brunei, Indonesia, Vietnam, and Malaysia to support its international key recovery proposals. There has also been a smaller-scale effort by the U.S. to win the support of other developing countries in Latin America, Africa, Asia, and the Pacific. All of these countries were contacted in our survey, however, only a few responded. It is doubtful, based on the results of our survey, that the U.S. is achieving much in the way of success vis à vis the developing nations./2/
We also concluded that many national intelligence and law enforcement agencies seem to have "hijacked" the cryptography issue for their own benefits, in many cases leaving foreign affairs and trade ministries, unaware of what policies governments are following. Our own quizzical responses from some embassies in Washington, including those of large countries like Australia, support this argument. The July 1997 Bonn Ministerial meeting, which endorsed the OECD Cryptography Guidelines and stressed the need for privacy, was heavily attended by trade and science ministers. However, the German Justice Minister and the Cypriot Interior Minister even endorsed the final communiqué of the meeting.
The unrestricted use of techniques to protect personal privacy, such as encryption, remains an important concern for the international civil liberties and human rights communities. It should be anticipated that efforts by national governments to restrict the use of this technology will be opposed by these organizations.
There appears to be an awareness gap between those electronic privacy and major human rights groups that are concerned about cryptography and their counterparts in developing nations that have not been sufficiently informed on the subject. It is necessary to launch an education campaign to inform various political, labor, social, ethnic and minority rights, religious, humanitarian assistance, and other groups on the benefits and techniques of using cryptography. This is especially important as such groups continue to rely more on the Internet for communications and public education.
Attempts by the United States to influence the development of restrictive national and international regimes on the use of cryptography should be raised as a political and civil rights issue by sympathetic political parties and organizations. While our survey indicates a general ambivalence by a majority of the world's nations on the unrestricted use of cryptography, there is reason to believe that this situation could significantly change. The combined and formidable resources of American and other law enforcement and intelligence agencies as well as international structures like Interpol and the G-8, could be successful in forcing the world to adopt an international encryption key management infrastructure. Our major goal must be to prevent such an occurrence.
Footnotes
/1/ These countries are Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, United Kingdom, and United States. Others have subsequently acceded to the agreement.
/2/ In a January 28, 1997 speech to the RSA Data Security Conference in San Francisco, U.S. special ambassador for cryptography, David Aaron, stated that U.S. allies "support the concept of lawful access by governments" to encrypted files and communications and that "many governments in the interest of public safety, want stronger controls than we have."
- The envoy made some specific points about what all governments
in the world want with regard to cryptography, i.e.,
- All governments recognize the need for international
cooperation to create a KMI (Key Management Infrastructure) and
certificate services to facilitate privacy and electronic
commerce;
- All support the concept of lawful access by governments and
the use of trusted parties and/or key escrow as a possible
mechanism.
- Many governments, in the interest of public safety, want
stronger controls than we have. They have, or are considering,
domestic controls on the use of encryption within their
borders.
- Virtually every government has expressed unhappiness with the
US decision to release 56 bit non-key recovery products even with
key recovery commitments. Several have criticized the absence of
internal US controls.
- They are concerned that the increased availability of such products without key recovery could undermine their ability to protect the public safety within their borders.
Our survey contradicts all the aforementioned points. We discovered that not only is there confusion about if, or how, to address cryptography use among nations, but there appears to be a great deal of confusion within governments on what, if any, policies to pursue. Moreover, a large number of countries failed to respond to our survey, indicating either a lack of understanding of the issue or a lack of concern on their part. Countries staking their future on the ability to access the Internet for electronic commerce noticeably did not respond to our survey. These include Bangladesh, Barbados, Bermuda, Chile, Egypt, Ghana, Jamaica, Malaysia, Mauritius, New Zealand, Saint Lucia, Sri Lanka, Thailand, Trinidad and Tobago, and Venezuela.