but the way that NSA was used to eavesdropping on communications is no longer
possible and the US has to reorganise the way that it gathers information. I believe that
the export restrictions were relaxed not because NSA had no capabilities, but because of
pure economic reasoning; it just did not make any sense to prevent American companies
from selling encryption material when you could download it for free from the webs of
European countries. It almost seemed like every other house in Finland was exporting
encryption material. It did not make any sense. If you wanted to encrypt your material
you could always buy from Scandinavia. So why not allow American companies to sell
the same material? I think that the US basically gave up on the battle. There are some
battles that are just not worth fighting and there was no reason to have US companies not
participating in the competition for these devices.
Stanley: I can probably speak on UK and NATO policies towards cryptography. The
UK gave up the battle about the same time as the Americans. And in regard to keys, it is
not actually trying to intercept transmissions in real-time. If you try to prosecute a
criminal, you can go to a Judge and get a warrant and force the criminal by law to give
over that private key. The refusal to hand over a private key is an offence with a
mandatory prison sentence, which is not connected to the crime you are accused of
committing. So, of course if you are accused of committing a murder, you may as well
not give up your private key and take two years' sentence, rather than give it up and take
fifteen, twenty or twenty-five years. I have a description of someone who sent an
encrypted e-mail to the Minister who was going to be in charge of this particular law; he
then sent an anonymous tip-off to the police that this Minister had encrypted child
pornography on his computer and his inbox. So, under the terms of this law, the police
had to go to the Minister's house and say to him that information had been given that he
had pornography on his machine. The law was not in place at the time but under the law
he would have had to give his private key. Not giving the private key would have meant
a two-year jail sentence. Now he has to prove that he does not have this private key.
Proving the negative is not an easy thing but the law still went through anyway so you
can understand the sort of problems that have arisen.
For import/export restrictions, most of the European countries and the US have agreed
a common set of restrictions as again there is no point in the US having one policy,
France having another and the UK yet another. But you can sell to where you can buy
from. I am not sure about who the members of the group are, but this agreement is in
place and it is on the Internet.
In the NATO PKI in which I am involved, we only have a mandate for digital
signature but for any products that we buy there is an agreement not to turn off the
confidentiality side. And for confidentiality we normally have to use hardware
encryption. This encryption of offline includes e-mail type encryption. And under the
rules we can use anything that has been approved by a NATO NSA equivalent. So it has
to be put forward by a NATO nation as an approved national algorithm. There is also a
directive on the use of AR for PfP communications and there is a classified algorithm; its
name is not classified but how it is implemented is classified for use in internal NATO
communications. So the hardware implementation for this particular algorithm will be
used for internal NATO communications. But this is NATO the organisation, not NATO
the political alliance because there you have many countries. We are not allowed to turn
on the encryption that is built in to a lot of the products that we use. We are only
allowed to use NATO encryption. The other thing to know which is probably of more