Cyberlaw code of conduct

 

(June 1997)

 

So far as the USA is concerned, if you want to use secure encryption systems and you are a foreigner, forget it. If you are an American citizen, you may not transmit software which carries out encryption, and even the algorithms for encryption are prohibited exports, being classed as munitions. Why? Well, if Uncle Sam gets into a war with you, Uncle Sam wants to know what you are thinking and saying. And Uncle Sam has decided against "giving guns to the Indians", a lesson they learned in the Wild West, and now apply to the world. So even the most unlikely future enemies are denied access to really secure encryption tools, no matter what their need.

 

Aside from military considerations, the US government is also determined to stop drug dealers and other criminals getting access to encryption tools, so only encryption systems using a 40-bit key could previously be exported, although this has recently been raised to allow 56-bit key systems. A 40-bit system means that anybody wanting to crack a coded message had to be able to find a number which lies somewhere between 0 and 240, or about 1.1 trillion. In a 56-bit system, the number can now be as large as two raised to the 56th power, or about 72 quadrillion, which is 72 followed by fifteen zeroes.

 

Unfortunately, one of these 56-bit systems has already been cracked, so now the US government has offered to allow longer keys, but only under conditions which critics say could leave the whole system open to abuse, since your message must contain its own key, encrypted according to a US government standard that they can read. This "key recovery" system would make a single point of failure which hackers would fall upon with glee.

 

The comparatively weak 56-bit Data Encryption Standard (DES) was trumpeted in January this year, when the secure software maker, RSA Data Security set up a $10 000 challenge, with a message posted on the Internet in encrypted form. Decoded, it reads "Strong encryption makes the world a safer place". They were less than embarrassed when the challenge, expected to last for years, was met within four months. RSA president Jim Bidzos, who had offered a $10,000 bounty to the successful code-cracker, said "We've been saying for a long time that DES is no longer secure and here is the proof."

 

The code was broken by Rocke Verser who recruited up to 14 thousand Internet users to crunch through up to 7 billion keys a second, using their spare computing time to crank through the possible keys. In the end, Verser was lucky, finding the key after just 17 quadrillion keys had been tried. Slowly, ever so slowly, the barriers are coming down: during June, Pretty Good Privacy Inc. obtained US government approval to export 128-bit encryption technology to foreign subsidiaries and branches of large US companies. This encryption software is free of key recovery features, but it is still being kept away from any "Indians".

 

CDA struck down

 

The ill-fated attempt by the US Congress to control what they do not own, died quietly during June. The Communications Decency Act was ruled invalid in an unsurprising decision by the US Supreme Court, which found that the law was unconstitutional because it impinged on freedom of speech.

 

The Congressional supporters of the original bill threaten to come back with a second attempt. According to civil liberties lawyers, the first bill was flawed by the proponents' total misunderstanding of what the Internet was and is, but they are quietly confident that no bill can be put up which remains constitutional while muzzling the Internet. At present, the CDA supporters' ploys seem to involve a narrower definition of decency and a mandatory rating system for all Net materials, conveniently forgetting that US Congress has no power beyond the shores of the United States.

 

The court's ruling was summed up by Justice John Paul Stevens: "It is true that we have repeatedly recognised the governmental interest in protecting children from harmful materials. But that interest does not justify an unnecessarily broad suppression of speech addressed to adults. The government may not reduce the adult population ... to ... only what is fit for children.''

 

Ahead of the CDA ruling, the White House positioned itself in readiness for a defeat, basically taking the position that regulation of the Net should be left to industry. Commented David Sobel of the Electronic Privacy Information Center: "To come in right after the Supreme Court decides the issue and say we didn't really mean what we said up to now-I can't imagine anything that would be seen as more of a waffle than that. It raises waffling to an art form."

 

European sources greeted the ruling with relief, suggesting that it would now be possible to get some cooperation under way to regulate Internet content effectively, and that the Supreme Court's ruling may spur other nations to begin developing their own laws, rather than rely on the CDA to do it all for them.

 

At almost the same time, state laws in New York and Georgia which put limits on free speech over the Internet were overturned. The New York legislation was struck out because it sought to regulate transactions outside the state's borders, thus violating the Constitution's interstate commerce clause. In the Georgia case, an injunction was granted against a law which made it illegal to use a name that "falsely identifies" the sender of an electronic message, such as a pseudonym or an anonymous e-mail address.