[2424] in cryptography@c2.net mail archive
[Cdn] Proposed policy changes causing angst
daemon@ATHENA.MIT.EDU (Anonymous)
Tue Mar 31 13:51:22 1998
Date: Tue, 31 Mar 1998 20:18:07 +0200 (MET DST)
To: cryptography@c2.net
From: nobody@REPLAY.COM (Anonymous)
Computing Canada
Volume 24, Issue 11 - March 23, 1998 (www.plesman.com)
Proposed policy changes causing angst:
Analysts and businesses issue challenge to suggested cryptography policy
reform
(page 1)
by Greg Enright, Computing Canada
Canadian businesses and industry analysts warn that proposed changes
to Ottawa's cryptography policy could severely threaten corporate
privacy.
The revisions are being considered in the areas of encrypted stored
data, encrypted real-time communications anda Canada's policy on the
export of encryption products to other countries. Until April 21,
Industry Canada is accepting public feedback through its Web site
(strategis.ic.gc.ca).
For each area, the government has presented three options for the
revamped policy, ranging from minor alterations to much more extreme
changes. It is the more radical suggestions that have many in the IT
community worried.
For encrypted data stored by organizations, for example, the
government has suggested that a law be passed that would make the use
of encryption products without key recovery capability illegal. This
would make it difficult for companies to encrypt their proprietary
information in a way that would make it understandable only to them.
It would also allow access to law enforcement agencies such as the
RCMP if needed for legal proceedings.
Some individuals, however, feel the government should not have any
say in how a company chooses to handle its data. "In a free country
like Canada I should be able to send e-mail to my colleague in
Vancouver in secret, period, without having to give the keys to the
government or the police," said David Jones, president and secretary
of Electronic Frontier Canada Inc., an IT industry watchdog. "I should
be able to what I want to do."
Jones, who is also a professor of computer science at McMaster
University in Hamilton, Ont., added that Canadian businesses that are
planning their e-commerce strategy should be very concerned about such
proposals.
"If the government imposes a policy that says indiviuals can't use
strong encryption, that it has to be weak enough for the government to
eavesdrop on, then it's also true that it's weak enough that criminals
can eavesdrop on it or commit fraud. It creates a tremendous
vulnerability."
Bill Kossmann, a business analyst for David Thompson Health Region, a
Red Deer, Alta., health authority, said it would be small and medium-
sized businesses that would be hit the hardest by such a policy.
"It's an intrusion on the privacy of the smaller company and the
individual because certainly the organized crime folks and larger
organizations, and certainly intelligence communications, have
encryption that cannot be broken," he said.
Bill Munson, director of policy at the Information Technology
Assoication of Canada (ITAC), said that by putting a company's stored
electronic data in the hands of anyone unknown, including the
government, the possibility of information being leaked to ne'er-do-
wells automatically rises.
"The more people that know (about your information), the greater the
possibility of leaks. Leaks happen anyway, but this is a way of perhaps
opening up the possibilities."
Helen McDonald, director general, policy development for the task force
on electronic commerce at Industry Canada, said the proposals are only
proposals, and that reaction such as Kossmann's and Jones' is what the
government wants to hear. "There isn't a hidden agenda here," she said.
"I would expect that there would be concerns with the government
inserting itself in a market, especially such a new market."
McDonald added that the concerns of investigators at the RCMP and CSIS
also have to be taken into account.
"It's really a law enforcement argument that takes over," she said. "How
do we ensure that we can continue to decrypt and collect evidence?"
Jones, however, said he thinks it would be very unlikely that a
government investigation would be hindered by encryption.
"They seem to be willing to throw away the privacy rights of 30 million
Canadians and to jeopardize the the financial viability and security of
any Canadian business that wants to engage in electronic commerce. It
doesn't seem like a fair trade-off."
Privacy infringement would not be the only thing organizations would
have to deal with in such changes were introduced, according to Munson.
"Business would always be concerned about the red tape involved. Are
there forms to be filled out, are there inspectors coming around, how
often are they to be filled out?" he said.
While a policy that would allow such openness in terms of government
access to coporate data sounds "Big-Brotherish" to Munson, it also
sounds like a bad idea for the Canadian economy as a whole.
"(It would be) a turn-off for international business, and a good reason
for anybody not to setup a business here, because that sort of a law
would be in place here and doubtless would not be setup in other
countries."
Kossmann advised anyone concerned to offer their opinion to Ottawa.
