Features

net.wars: Ybat yvir pelcgb

Ah, golden memories. When men were men, women were scarce, and Netheads were given to saying things like, "You can have my encryption algorithm, I thought to myself, when you pry my cold dead fingers from its private key." Those were the days, eh?

Yesterday, the  Foundation for Information Policy Research publicly danced on the  grave of the "crypto wars". The reason: powers to regulate companies provided cryptography services to the public embedded in the US Electronic Communications Act of 2000 have now expired in a sunset provision: "If no order for bringing Part I of this Act into force has been made under subsection (2) by the end of the period of five years beginning with the day on which this Act is passed, that Part shall, by virtue of this subsection, be repealed at the end of that period."

Why would they let this expire? Let go of a chance at power? Aside from the usual "Oops" theory?

Well, for one thing, no one is really offering cryptographic services to the general public. Yes, some oddballs run PGP, and we all use cryptography behind the scenes whenever we buy anything online or speak on a cellphone (or VPN into a business network), but where is the mass-market software that automatically encrypts email? How many people routinely encrypt their hard drives or buy third-party certificates to use for digital signatures? The only service I've ever seen require a digital certificate is the online VAT return. And look at the three service providers listed there: BT; Chambersign; Equifax. Chambersign is an association of various European Chambers of Commerce; BT is a very well-known entity to government folks, and Equifax is one of the two or three companies monitoring all our individual credit data. These aren't organisations the British government is afraid of being unable to control – er, work with. In 1994's eager cypherpunk explosion, it seemed as though by now you'd have certificate providers dotted all over the landscape.

For another thing, I suspect that as time has worn on cryptography just isn't as scary as it used to be. Law enforcement agencies have so many other tools now -- surveillance cameras, analyzing traffic data, ID cards, biometric passports, DNA samples, national databases – that they couldn't have foreseen in 2000. Remember, back then the World Trade Center was still standing, and no one could have imagined that they'd be able to get these tools into widespread use without a public outcry.

All that said, it's still a great moment. The expiration of the "last vestiges of Government control over cryptography", as Ross Anderson put it, validates so much of what he and Caspar Bowden and the many others who fought to impose sanity on legislation such as the Regulation of Investigatory Powers Act and the Anti-Terrorism, Crime and Security Act said at the time. Years of fighting to block government attempts to require everyone to deposit copies of their keys with a "trusted third party" so that law enforcement could have access to the cleartext of communications whenever they wanted without telling you.

You'd have to have read net.wars since  Week One to remember this, but the first-ever of these columns was provoked by the fatuous November 2001 declaration of Jack Straw, then foreign minister, to the effect that people who had opposed key escrow "I think will now recognise they were very naive in retrospect". Given that statement, it's startling to realise that with all the incursions on privacy and civil liberties that have been made since those 2001 attacks, reinventing crypto regulation hasn't been one of them. As I said at the time, I don't think I was naïve during the six years I spent arguing in every forum I could find that key escrow was a bad idea. It was, and is.

Regulating the providers of cryptographic services was part of that same mindset: if you can control who is a service provider, you can control who uses cryptography, how they use it, and whether you can have access to the cleartext. That was always going to be unacceptable for businesses, especially those in financial services, who have a statutory duty to protect the integrity and confidentiality of the data they guard. It is, at the end of the day, the widespread business need to use cryptography – ironically, possibly even the advent of digital rights management, which of course is a form of cryptography – that probably finally helped drive the stake into the regulatory heart.

If there's one thing I've learned in the last 15 years of watching the political battles over the Net it's that victories don't stay victorious and battles don't stay fought. They resurface in new forms. Cryptography is taking longer to go into the mass-market than anyone thought it would. Cryptography, even more than computers themselves, needs to be invisible. People want to be told their phones/data/email are secure. But after that they're more interested in the design of the handset or the way the address book picks up new names than in whether they use PGP or Blowfish.

So: rejoice and be vigilant. Happy encrypting.