Cyberlaw code of conduct
(June 1997)
So far as the USA is concerned, if you want to
use secure encryption systems and you are a foreigner, forget it. If you are an
American citizen, you may not transmit software which carries out encryption,
and even the algorithms for encryption are prohibited exports, being classed as
munitions. Why? Well, if Uncle Sam gets into a war with you, Uncle Sam wants to
know what you are thinking and saying. And Uncle Sam has decided against
"giving guns to the Indians", a lesson they learned in the Wild West,
and now apply to the world. So even the most unlikely future enemies are denied
access to really secure encryption tools, no matter what their need.
Aside from military considerations, the US
government is also determined to stop drug dealers and other criminals getting
access to encryption tools, so only encryption systems using a 40-bit key could
previously be exported, although this has recently been raised to allow 56-bit
key systems. A 40-bit system means that anybody wanting to crack a coded
message had to be able to find a number which lies somewhere between 0 and 2^40,
or about 1.1 trillion. In a 56-bit system, the number can now be as large as
two raised to the 56th power, or about 72 quadrillion, which is 72 followed by
fifteen zeroes.
Unfortunately, one of these 56-bit systems has
already been cracked, so now the US government has offered to allow longer
keys, but only under conditions which critics say could leave the whole system
open to abuse, since your message must contain its own key, encrypted according
to a US government standard that they can read. This "key recovery"
system would make a single point of failure which hackers would fall upon with
glee.
The comparatively weak 56-bit Data Encryption
Standard (DES) was trumpeted in January this year, when the secure software
maker RSA Data Security set up a $10,000 challenge, with a message posted on
the Internet in encrypted form. Decoded, it reads "Strong encryption makes
the world a safer place". They were less than embarrassed when the
challenge, expected to last for years, was met within four months. RSA
president Jim Bidzos, who had offered a $10,000 bounty to the successful
code-cracker, said "We've been saying for a long time that DES is no longer
secure and here is the proof."
The code was broken by Rocke Verser who
recruited up to 14 thousand Internet users to crunch through up to 7 billion
keys a second, using their spare computing time to crank through the possible
keys. In the end, Verser was lucky, finding the key after just 17 quadrillion
keys had been tried. Slowly, ever so slowly, the barriers are coming down:
during June, Pretty Good Privacy Inc. obtained US government approval to export
128-bit encryption technology to foreign subsidiaries and branches of large US
companies. This encryption software is free of key recovery features, but it is
still being kept away from any "Indians".
CDA struck down
The ill-fated attempt by the US Congress to
control what they do not own died quietly during June. The Communications
Decency Act was ruled invalid in an unsurprising decision by the US Supreme
Court, which found that the law was unconstitutional because it impinged on
freedom of speech.
The Congressional supporters of the original
bill threaten to come back with a second attempt. According to civil liberties
lawyers, the first bill was flawed by the proponents' total misunderstanding of
what the Internet was and is, but they are quietly confident that no bill can
be put up which remains constitutional while muzzling the Internet. At present,
the CDA supporters' ploys seem to involve a narrower definition of decency and
a mandatory rating system for all Net materials, conveniently forgetting that
US Congress has no power beyond the shores of the United States.
The court's ruling was summed up by Justice
John Paul Stevens: "It is true that we have repeatedly recognised the
governmental interest in protecting children from harmful materials. But that
interest does not justify an unnecessarily broad suppression of speech
addressed to adults. The government may not reduce the adult population ... to
... only what is fit for children."
Ahead of the CDA ruling, the White House
positioned itself in readiness for a defeat, basically taking the position that
regulation of the Net should be left to industry. Commented David Sobel of the
Electronic Privacy Information Center: "To come in right after the Supreme
Court decides the issue and say we didn't really mean what we said up to now - I
can't imagine anything that would be seen as more of a waffle than that. It
raises waffling to an art form."
European sources greeted the ruling with
relief, suggesting that it would now be possible to get some cooperation under
way to regulate Internet content effectively, and that the Supreme Court's
ruling may spur other nations to begin developing their own laws, rather than
rely on the CDA to do it all for them.
At almost the same time, state laws in New York and Georgia which put limits on free speech over the Internet were overturned. The New York legislation was struck out because it sought to regulate transactions outside the state's borders, thus violating the Constitution's interstate commerce clause. In the Georgia case, an injunction was granted against a law which made it illegal to use a name that "falsely identifies" the sender of an electronic message, such as a pseudonym or an anonymous e-mail address.