Cryptography is the discipline which embodies the principles, means and methods for transforming data in order to ensure its confidentiality, authenticate its origin and protect its integrity [1]. The Internet has moved data, business and communication onto open networks, which are more difficult to control and monitor than traditional channels. Despite its value for information and data security, many nations regard cryptography as a dual-use technology, one that can be applied for both civil and military purposes, and therefore as something that should be regulated. Governmental concerns revolve in particular around the reduced ability of intelligence and security agencies to conduct effective surveillance of computers and electronic communications in order to uncover, prevent and prosecute illegal activities [2].
What kinds of laws and regulations have governments brought in to try to deal with these concerns?
The Wassenaar Arrangement [3] is the principal international instrument behind the encryption software export control regimes around the world; it is not itself law, and each participating state implements its control lists through its own national export legislation. Its guidelines base restrictions on the key length of symmetric cryptographic products, and allow the free export of mass-market cryptographic software that complies with such provisions.
The OECD Guidelines for Cryptography Policy [4] focus on trust in cryptographic methods, users' freedom to choose them, and their market-driven development. They call for the protection of privacy and personal data, allow for lawful access to plaintext or cryptographic keys, and require clear liability rules for cryptography users and service providers. They represent the first international attempt to give policy orientations on the several aspects of cryptography, and emphasise international cooperation in the development of standards and the removal of unnecessary obstacles to trade.
In an attempt to control the development of, and access to, strong cryptographic tools, governments have regulated the export (and sometimes the import) of cryptographic products. The deployment of key recovery systems, including trusted third-party access and key escrow [5], has been proposed as a way of making decryption keys available to authorities. These proposals have, however, not become fully fledged law, owing to concerns about privacy, effectiveness and cost [6].
How far do such efforts threaten the privacy that organisations need for conducting legitimate business?
Electronic commerce is one key driver of the development of the global information society [7]. The online marketplace needs to ensure that commercial transactions are safe, which is key to building consumer trust [8], and to retain sensitive data whose compromise may have financial, reputational and competitive consequences. Since cryptographic tools are one of the security measures for achieving this, excessive restriction of them is undesirable.
Does regulation of this kind pose a threat to the security of sensitive corporate data?
Organisations that process and store personal data are required to put information security measures in place [9]. Those that depend on electronic payment systems might, if confined to weak encryption, expose themselves to attacks that misuse customers' private information. Industrial espionage may also prove easier if attackers can decrypt the sensitive communications and stored data of an organisation that uses weak encryption or encryption whose keys have been escrowed [10].
Balancing national security interests against the security and privacy of commerce should be the focus of the Internet community, so that effective cryptographic standards remain available and regulation is appropriate, promoting a functioning and innovative online market.