Newsnight thingy

Richard Watts Richard.Watts@cl.cam.ac.uk
Thu, 16 Jul 1998 00:46:28 +0100


On Wed 15 July 1998, Andy Campbell
<andycap@enterprise.net> wrote:

>Hi All,
>
>It was a shame that further points did not come out during this piece.
>Such as; the fact that encryption is here to stay like or not. If our
>government continues down the path of unnecessary restrictions it will
>severely dent what impact UK Companies involved in the development and
>sale of software products that utilise encryption can have on what I
>believe will be a significant international market. Or viewed from a
>different angle are we content to allow other countries to develop and
>capitalise from these tools?

 .. and notably, Newsnight bought into the idea that crypto controls
are supposed to combat serious criminals and terrorists: that's 
impossible. The only people you can control with crypto legislation are:

 -> People too stupid/poor to pick up a copy of PGP and a stego
 filesystem.
 -> People for whom the risk of being caught using illegal crypto is
 greater than the risk of being caught for their crime.

 Most serious criminals fit into neither of the above categories. What
crypto legislation will catch is petty thieves and burglars using
AOL to communicate and the odd insider trader.

 If you want to catch serious criminals, you have to go much further
than mere crypto control - you have (and I suspect this will happen
fairly soon, irrespective of legislation) to control the passage of
data you don't understand, and then restrict the stego bandwidth to
the point of uselessness. What I suspect will happen is that the
police will use `sending non-standard binary data' as an automatic
cross-index to various other intelligence databases (automatic
telephone tapping, NHS records, newspaper back-issues, DNA and
fingerprint analysis), and use it as an excuse to obtain bugging
warrants, CCTV footage, and automatic surveillance. Ultimately,
this will extend to harassing activities (being asked where you're
going every time you step out of your house, having parts of your
private life leaked to the press) to stop too many people doing it.

 All this can happen quite nicely today, without any additional
primary legislation, and the only thing stopping it is government
incompetence (and Ross Anderson :-)).

 When it comes to catching serious criminals, pedophiles and
terrorists, crypto legislation is utterly irrelevant. You might as
well claim that banning .22 calibre pistols will reduce the murder
rate.

>
>However I was grateful for the fact that at least this issue got some
>airing on network television.

 True :-). They did seem fairly sympathetic, anyway, though I got
the impression that they were well out of their depth and having 
difficulty explaining why encryption was so important.

 What it did bring out (though rather weakly) is that this is not
 a technological issue: it's a clash of ideologies - computer
scientists and security experts are concerned with providing a
stable, reliable, engineering framework for commerce based on 
technical solutions, and are in general concerned to see that
only the guilty get shafted when things go wrong. 

 The public at large (and the political machine in particular) is far
more used to social solutions, doesn't like techies telling it what it
can and can't do, and considers people expendable. 

 If given a bank vault to secure, for example, I (and, I suspect most
other people on this list) would say `buy a time-locked safe, and
employ security guards and alarm systems'. Large corporations and
governments would probably say `Put the gold on the back counter and
make stealing it a criminal offence. Arrest anyone who looks or talks
as if they might be thinking of stealing it. Strictly ration crowbars,
skeleton keys and bolt cutters. The election is at midnight, so it's
good to save $20 today and lose $1,000,000 tomorrow'.

 One point worth noting is that secure TTPs _are_ possible, to the
government's definition, which is `well, we want the TTPs to be more
or less secure, and we're prepared to put up with L200m/year in fraud:
the electorate doesn't care'. Technical arguments don't work because
legislators don't care about technical arguments - they will quite
happily legislate that pigs should be tethered at 300 feet if they
think it will win votes (Dangerous Dogs Act, anyone ?). What wins in
these situations is lobbying.

 The lobbying seems to be being done by GCHQ (whose position is
obvious), the Police and Microsoft (of whom neither really cares
about crypto, but both would like to control what you run on your PC.
Microsoft seems to be in favour of crypto, if only because it's a good
way to sell upgrades), and (I suspect) a small number of large
businesses who have a vested interest in the tabloids not finding out
just how many statutory requirements they regularly ignore.

 Interestingly, FAST et al seem more or less neutral, possibly thinking
that the whole argument will become moot once WIPO requires that all
PCs log all activity to central registries for licensing reasons. The
city may be the right people to work on here: I very much doubt the
majority of financial houses would stand up to close scrutiny, and
the government would find it difficult to seriously irritate the CBI, 
especially in the middle of a recession.



Richard.