(Copyright © 1998 T Bruce Tober)
Rumours are rife that fairly soon the government will announce its decision to make key escrowed encryption mandatory in the UK.
They were reportedly going to announce it on 17 February, but events seem to have overtaken them. The Audit Commission was scheduled to, and did, release its report on computer fraud two days later. The encryption announcement was delayed (if it was ever really to have been made on the 17th. Conspiracy theorists might suggest that one reason for the delay was that the Audit Commission's report would provide the government's spin doctors to put an additional positive spin on the mandatory key escrow requirement.
That spin would be that in order to stop, or at least reduce, further increases, such as those reported by the Audit Commission, key escrow needs to be made mandatory.
Nothing could be further from the truth. If anything, key escrow will play into the hands of the biggest and best of the fraudsters.
Forget the fact that the blairites pledged in their pre-election manifesto not to prohibit free and unfettered encryption.
Forget for the moment that they also promised to incorporate into UK law, the European Convention on Human Rights -- which includes the right to privacy, which right would be violated by a "key escrow" scheme.
Forget for the nonce that four or five years of attempts by Bill Clinton's administration to enact such a law in the States has been continuously and unceremoniously rejected by the public and businesses over there.
Forget that Adm. McConnell, former Director of the NSA (the USA's National Security Agency) under President's Bush and Clinton says, "It was our view in the 80s that strong crypto will happen.... It was a matter of national security. Today, it is not a matter of national security. Can Key Recovery be used against dissidents and political opponents? In a word, YES."
Forget that not one terrorist, child pornographer or other major criminal with an ounce of brains will use state-legislated cryptography.
Forget all of that for the moment and ask yourself one question, would you give the local constabulary a key to the backdoor to your home for them to use at their discretion? I think most people would answer with a resounding "NO!"
But, when it comes to encryption, the question many of those same people ask is, "why would any law-abiding person need or even want to encrypt their messages on the Net or anywhere else?"
Pure and simple. It's a matter of privacy, the same privacy that causes them to dismiss the idea of giving a backdoor key to their friendly bobby on the beat.
As the author Ayn Rand said a half century ago, "Civilization is the progress toward a society of privacy. The savage's whole existence is public, ruled by the laws of his tribe. Civilization is the process of setting man free from men."
Everything you send or receive over the Net is like a postcard, completely open and available for inspection by anyone. Internet Service Provider administrators and their employees and anyone capable of hacking into their systems can read anything you send, be it as a public message or a private e-mail.
We're so used to the protections the law provides us for the protection of the privacy of postal mail, telephone conversations etc. that we take it for granted our E-mails are no different. Unfortunately, they are different.
K K Campbell spelt it out rather bluntly in an article in an electronic magazine, "eye WEEKLY" (June 29 1995). Campbell said:
It should be the first lesson every newbie learns: E-mail ain't secure. An E-mail is like a postcard: it travels through the many sets of hands in delivery and any set of hands can read it if so inclined. Most postal employees don't, for two reasons: there is so much mail they haven't the time, and most postcards are so boring, who the hell wants to?
The same goes with the system administrators who oversee the shunting around of all your cyberscribbling. Most don't snoop, but some do. Need I remind you that [system administrators] are not a monolithically mature. well-adjusted breed imbued with highly developed moral principles.
"So what?" you ask. "If you're not doing anything illegal, what have you got to hide?" A few examples should suffice here: Scientists, and other researchers, exchanging research findings; Businesses exchanging trade secrets, financial plans, sales information, etc amongst their management, their accountants and lawyers and/or their employees; Legal professionals and their clients exchanging case-related data; Doctors exchanging diagnostic and other medical information; and the list goes on.
In the business world, it's also a matter of security, intellectual properties protection, professional confidences, and protection of trade secrets.
All are legitimate information exchanges, all are in need of confidentiality. All normally have that confidentiality if they exchange the information via the post, faxes, voice telephone messages. But when it comes to arguably the quickest, most efficient means of exchanging such information, that confidentiality is compromised.
Ah, but there is a solution. Encryption. Strong, secure, un-encumbered encryption. As Jon Care, a UK cryptology specialist warns, "The only security is good encryption technology... Strong encryption must be used to protect business-critical information."
But, it's not just for encryption. There's also the capability to electronically sign your E-mail so it's readable by anyone, but also so that it can be ascertained that the message is really from you and not a forgery and that it is intact, nor manipulated. All of which concerns would sound very paranoid, IF we didn't KNOW that there are and always have been police and government stitch-ups of various people and political enemies.
On the net, the standard for encryption has for years been PGP (Pretty Good Privacy). It was written by Phil Zimmerman, of Colorado, USA. At the height of the First Gulf War (coincidentally or not) he wrote this program based on his own research into various completely public and legal papers and books on cryptography.
And it's so good, even without escrowed keys (or rather because of its lack of escrowed keys, that even the DTI's Information Society initiative recommends the program. It says, "A range of encryption software has been developed to address this very problem. The programmes make it easy for you to put your message into code before sending it and for the recipient to decode it at the end of its electronic journey. The most popular software for this purpose, and the de facto world standard, is PGP (Pretty Good Privacy). Look at the Web site www.pgp.com for more information. Be aware that the use of some encryption systems may be illegal in certain countries."
Moreover, so does UKERNA the government agency which operates JANET (the UK's Higher Education and Research Internet). UKERNA recommends it for encryption and digitally signing across JANET. UKERNA apparently even distributed PGP and other tools on CD to computer service providers within JANET.
Whether it became the standard because it's so good (it is so strong the US government considers it munitions and prohibits its export except in certain, well-defined situations). Or because it's so easy to use (it wasn't at all easy until a couple of years ago when the first of the front ends - a "front end" is a program that sits on top of another, adding features or utilities to it, making it easier to use - for it were developed and more recently in its own Windows versions). Or because of its author's status as a cause celebre is impossible to know for certain, but I suspect the first of the three.
All of which is fine and good. Pick up a copy of PGP from your favourite web page or ftp site.
PGP is available for most computer operating system - DOS, Windows, UNIX, Mac. I'll discuss only the DOS and Windows versions, in that they're the most commonly used.
If you choose to go the PGP route, one of the best things you can do initially is visit the International PGP website >. In addition to finding every available version of PGP-international, you'll also find loads of documents about PGP, its use and history, crypto in general and a plethora of links to other related sites. This will provide you with vitally useful tutorial information as well as giving you the opportunity to try one or more versions of PGP on a personal level in order to better determine if it's suited to your needs.
Fine, Now You've Got It...
Use it.
Sign all messages with non-escrowed keys now, don't give in to government tyranny. The more of us who are using it currently and consistently, the less able the government will be able to get its foot in our back door.