EU Crypto Free Trade Area

Brian Gladman gladman at seven77.demon.co.uk
Sat, 21 Mar 1998 09:25:19 -0000


As a matter of interest does anyone know of a prosecution, either here in
the UK or in another country, for not complying with the crypto export
control laws?

I have not researched this but I have asked this question many times and
no-one has come up with a case that has gone to court.   I should also
mention that Trusted Information Systems ran a study which involved
purchasing many software packages from 'export controlled' countries.  They
were able to purchase many strong crypto packages with no concern on the
part of the suppliers for gaining export licenses. They documented such
exports from the UK.

Not being a lawyer, I don't know the significance in the courts of a
situation where the authorities are seen, over a long period, not to enforce
a law.  I would certainly be interested to hear from any lawyers on the list
on what might happen in court if someone is now singled out for prosecution
when so many other openly documented breaches of the regulations have been
ignored.  I would have at least hoped that the courts would ask themselves
what made the case before them so special.

It seems to me that laws that are not supported by citizens, and not
enforced by the appropriate authorities, should be repealed.  The crypto
export control laws in the UK are now clearly damaging and yet the DTI have
allowed themselves to swallow the GCHQ argument that they should remain.

I have written to Mrs Roche (via email) on this issue but, despite a
reminder, Mrs Roche has not even had the decency to acknowledge my input.
My letter was written in February, just after the 'we are about to announce
our new policy' disaster and this explains the contents of the first half of
it.  In view of the complete disinterest on the part of Mrs Roche, I now
openly publish it here.

    Brian

-------------------------------------------------------------------------------------------
To: The Honourable Barbara Roche MP
      Department of Trade and Industry

22nd February 1998

Dear Ms Roche,

UK CRYPTOGRAPHIC AND TTP POLICY DEVELOPMENT

I am writing to you to express my concern and dismay at recent events in the
development and announcement of UK policy on cryptography and Trusted Third
Party (TTP) services.  This is a vitally important issue for the UK and it
is essential that any policy that emerges has the widespread support of
***ALL*** citizens of the UK in whose name it will be advocated.

I would maintain that it is important prior to setting out policy that your
Department should consider the various policy options in an open and
democratic way so that everyone impacted by any announced policy feels that
they have had a chance to influence the direction it will take.
Traditionally, of course, policy development has taken place in secret but I
had thought (and hoped) that your government in particular was committed to
a more open approach and I am therefore concerned at what now appears to be
happening.

While I consider a closed approach to policy formulation undemocratic, it is
at least equally unfair to all UK citizens in that everyone impacted by the
policy is being treated in the same way.  However a policy of selective
consultation, leaks, accusations and denials of the form now underway
converts this process from one that is simply undemocratic into one that is
both undemocratic and unethical in that the vast majority of UK citizens are
being denied the right to have their voices heard whilst a privileged few
are given this opportunity.  I associate such patronage and privilege with a
past age and it comes as some surprise to find that such practices are still
in use by a government that I had thought stood up for equality of treatment
for all UK citizens.

I would wish that you should undertake open consultation prior to policy
announcement. If, however, you must form policy in secret then do so but
expect to be criticised by people such as myself for being undemocratic.
If, however, you enter into a process of selective consultation and leaks
then you will have moved from simply being undemocratic to being unethical
as well and I, for one, will not hesitate to bring this into the open.  I
have stopped short of doing this as I hope this appeal to you might bear
fruit and bring a more open, organised and careful approach to the policy
formulation and announcement process.

I might add that at least one means for more open consultation exists in
that I have worked with others to establish a mechanism for achieving this
(see my Web page at: http//www.seven77.demon.co.uk//).  Although your
officials have sometimes been helpful here they have mostly stayed silent,
especially so in recent months.

Turning to the policy itself, I can only hope that the rumours flying around
at the moment are wide of the mark.  Any attempt to introduce key recovery
or key escrow for confidentiality keys on any other basis than a COMPLETELY
voluntary one is doomed to failure (if you doubt this consider the US
experience).

But there is a much more important issue in that the current focus on this
aspect of policy has taken the spotlight off another area where you could
make some simple policy changes that are not in any way damaging and yet
will be enormously beneficial and widely welcomed in business and commerce
and by UK private citizens.

Our existing export controls on cryptography were put in place in the depths
of the cold war and have hardly changed since then.  They impose severe
market constraints on export (through licensing) even for the countries
within the EU, all of whom are supposed to be our friends.  At the end of
the cold war it was widely recognised that these laws were too restrictive
and the Wassenaar agreement was put in place to maintain controls on export
to Libya, Syria,.... on a non-proliferation basis but we have not changed
our laws to bring this less restrictive regime into effect (I suspect this
is because the dark forces of NSA and GCHQ, to which I am strongly opposed,
have been against this).

By announcing changes to our export licensing regime for cryptographic
products to remove such controls except for export to proscribed countries
you would be taking a step that is not in any way damaging and yet would be
of enormous benefit to business and commerce within the UK and Europe.  This
would be a concrete demonstration of UK government support for electronic
commerce and the open electronic market.

Such a policy announcement would have truly enormous benefits and would
bring universal and widespread support in that:

* it would remove constraints on UK companies in exporting to our EU partners
in an area where the UK is very strong

* it would be seen in the EC as a move to support an open electronic
commerce market in Europe

* it would be in line with the recent EU communication on such matters

* it would be an enormous plus for the UK at a time when we hold the
Presidency of the EU

Not least of course it would also be a clear demonstration that the
principles set out by the Labour Party prior to the election were being put
into practice.

In reality this is a far more important practical step than anything to do
with LEAK (Law Enforcement Access to Keys) and is a step that you could take
that would command truly enormous support from industry, commerce and
private citizens in the UK. Moreover it would be seen as a bold and popular
step in a wider European context at a time when there is much excitement
about the impact of electronic commerce and the Information Society.

To be able to announce changes in policy that promote an open market in
Europe for the products that will underpin secure electronic commerce at a
time when we hold the EU Presidency is surely an opportunity which is too
good to miss?  Especially so when it shows the government to be carrying
through its stated pre-election policy.

In summary, therefore, I ask you to consider seriously shifting the emphasis
of the policy changes away from the LEAK issue towards changes in our
cryptographic export control regime to promote the development of the secure
electronic commerce market in Europe.  I believe that if you are able to do
this you will convert a potentially damaging process into one which will
command almost universal support and popularity both here in the UK and more
widely in the EU.  I urge you to give such changes your most serious
consideration.

I would be happy to expand on these ideas if appropriate.

   Yours sincerely,

         Dr Brian Gladman