The Crypto Controversy
Table of contents
Acknowledgements xv
Chapter 1. Introduction 1
1.1. A problem without a solution 1
National studies on the crypto controversy (2)
1.2. What this book is not about 3
1.3. What this book is about 4
1.3.1. Focus on the Netherlands 5
A wide gap (6)
1.3.2. Outline 6
1.3.3. Aim 7
1.4. How to read this book 8
Part I. Problem and context
Chapter 2. An information society needs information security 13
2.1. The information society 13
2.1.1. Developments 13
2.1.2. Information society policy 15
United States 15
European Union 16
The Netherlands 17
2.1.3. Building blocks and participants 19
2.1.4. Problems 20
The Internet (22)
2.2. Information security 23
2.2.1. Objectives 24
2.2.2. Threats 24
Political viruses (25)
2.2.3. Measures 26
Information-security policy (27)
2.2.4. Governments' role in information security 27
2.2.5. Information security in Dutch government 28
Information security in EU and Dutch law (29)
2.3. Conclusion 31
Chapter 3. Cryptography, a key technology for information security 33
3.1. Cryptography 34
3.1.1. History 34
Atbash (34)
Terminology (35)
3.1.2. Intermezzo dramatis personae 35
3.1.3. Symmetric and public-key cryptography 35
The working of public-key cryptography 37
Authenticity, integrity, and non-repudiation 38
3.1.4. Cryptanalysis and the strength of crypto systems 40
Distributed attacks (42)
3.1.5. Key length 42
Developments that may shake the field (43)
3.1.6. Key management 43
3.1.7. More distinctions 45
3.1.8. Hiding cryptography 46
Detecting cryptography 47
3.1.9. Protocols 48
3.2. Applications 48
3.2.1. Providers 48
3.2.2. Government 51
3.2.3. Other users 52
Financial applications 52
Privacy and sensitive data 53
Human rights 54
Public and private networks 55
Other applications 56
3.2.4. Cryptography in practice 57
3.3. Conclusion: the importance of cryptography 57
Chapter 4. Cryptocriminals, a public concern 59
4.1. The crime society 60
4.1.1. Organized crime 60
Activities 61
Seriousness 62
Information behavior 62
Use of cryptography 64
4.1.2. Business crime 65
Seriousness 65
Information behavior and use of cryptography 66
4.1.3. Computer crime 66
Seriousness 67
Information behavior and use of cryptography 68
4.1.4. Other types of serious crime 68
4.2. Investigation 69
4.2.1. Developments in criminal investigation 69
IRT-gate (71)
Draft legislation (72)
4.2.2. The organization of criminal investigation 73
4.2.3. The stages of criminal investigation 74
4.3. Gathering data in transport 75
4.3.1. Tapping 76
Conditions 76
The effectiveness of tapping (78)
Legal problems 78
Technical problems 79
Maintaining tappability 80
4.3.2. Tapping in other countries 81
Echelon (82)
4.3.3. Traffic analysis 84
4.4. Data storage 85
4.4.1. Handing over data 85
Criminal financial inquest (85)
4.4.2. Search and seizure 86
International investigation (87)
4.4.3. Searching elsewhere 87
4.4.4. Providing access 88
4.5. Problems through encryption 88
4.5.1. Main crypto-problems 89
4.5.2. Cryptocriminals in practice 90
4.5.3. Cracking evidence 91
4.5.4. Further crypto-problems 93
Problems in proof (93)
4.5.5. Scope of the problem 95
4.6. Conclusion 95
The main crypto problems for law enforcement (96)
Chapter 5. A survey of cryptography laws and regulations 97
5.1. Export and import controls 97
5.1.1. COCOM and Wassenaar Arrangement 97
5.1.2. United States 98
5.1.3. Import restrictions 99
5.2. International developments 99
5.2.1. OECD 99
Terminology (101)
5.2.2. European Union 101
5.2.3. Other European initiatives 102
5.3. Domestic crypto laws per country 103
5.3.1. Belgium 103
5.3.2. Denmark 103
5.3.3. France 104
5.3.4. Germany 105
5.3.5. The Netherlands 106
5.3.6. Russian Federation 107
5.3.7. United Kingdom 107
5.3.8. United States of America 109
Escrowed Encryption Standard (Clipper) 109
Key Management Infrastructure 110
NRC report 110
Broad Encryption Policy 110
Draft key-recovery legislation 111
Congress bills 111
Conclusion 112
5.4. Concluding remarks 112
Part II. Framework and analysis
Chapter 6. Framework and set of principles 117
6.1. Choosing a framework 118
6.2. A set of principles 119
6.2.1. Fundamental principles 119
6.2.2. Less fundamental principles 121
Comparison with the OECD principles (123)
6.3. Outline of the framework 123
Chapter 6½. Outlawing cryptography 125
6½.1. A crypto ban does not help the police 126
What is a plain text? (128)
Mandatory LEAK and constitutional rights (129)
6½.2. A crypto ban does hamper good guys 130
6½.3. Conclusion 131
Chapter 7. LEAKing through the Public Key Infrastructure 133
7.1. Public Key Infrastructures 134
Terminology (135)
The crypto family revisited (137)
7.2. Public Key Infrastructures and LEAK 138
7.3. Non-confidentiality cryptography 139
7.3.1. Working of DSA 140
7.3.2. Subversive use of DSA 140
7.3.3. Assessment of DSA 141
7.4. LEAKing through key deposits 143
7.4.1. LEAK techniques 143
7.4.2. Escrowed Encryption Initiative 144
Defeating the LEAF 146
Software key escrow 147
Temptations for Polly (148)
7.4.3. Royal Holloway's international TTP scheme 148
7.4.4. Add-ons 151
Splitting keys 151
Traceable ciphertexts 152
Cryptographic warrant bounds and edge surveillance (153)
7.5. LEAKing through key recovery 153
7.5.1. Commercial Key Escrow 154
Translucent cryptography (154)
7.5.2. PGP's Corporate Message Recovery 155
7.5.3. International Cryptography Framework 156
7.5.4. Key Recovery Alliance 156
7.6. LEAKy issues 157
Abuse by government (158)
7.7. Assessing the LEAK options 159
7.7.1. Effectiveness of LEAK systems 159
7.7.2. The options 162
7.7.3. Applying the criteria 162
7.7.4. Conclusion 165
Chapter 8. Demanding decryption 167
8.1. Preliminary distinctions 168
8.1.1. Demanding decryption or key delivery? 168
8.1.2. Decrypting stored and communicated ciphertexts 169
8.2. Demanding non-suspects to decrypt 170
8.3. Demanding suspect corporations to decrypt 172
8.4. Demanding individual suspects to decrypt 174
8.5. The rationale behind the privilege against self-incrimination 177
8.6. Is it possible to create a law demanding decryption? 180
Voices for demanding decryption (181)
8.7. How to enforce a decryption command 182
8.7.1. Penalize a refusal to cooperate 182
8.7.2. Penalize cryptocriminal use 186
8.7.3. Reverse the burden of proof 189
Local precedents for reversing the burden of proof (190)
8.8. Assessing the decryption command 194
8.8.1. The decryption command in current law 194
8.8.2. Options for enforcing a decryption command 195
8.8.3. Applying the criteria 196
8.8.4. Conclusion 200
Chapter 9. Alternative investigation measures 203
9.1. 'Direct eavesdropping' 204
9.1.1. Description 205
9.1.2. Situations, crimes, and encryption 206
9.1.3. Legal status in the Netherlands 207
9.1.4. Situation in other countries 209
9.1.5. Conclusion 210
9.2. Tempest monitoring 211
9.2.1. Description 211
9.2.2. Situations, crimes, and encryption 213
9.2.3. Legal status in the Netherlands 213
9.2.4. Situation in other countries 214
9.2.5. Conclusion 215
9.3. Infiltration 215
9.3.1. Description 215
9.3.2. Situations, crimes, and encryption 217
9.3.3. Legal status in the Netherlands 218
9.3.4. Situation in other countries 219
9.3.5. Conclusion 219
9.4. Crown witnesses 220
9.4.1. Description 220
9.4.2. Situations, crimes, and encryption 222
9.4.3. Legal status in the Netherlands 222
9.4.4. Situation in other countries 223
9.4.5. Conclusion 224
9.5. Data mining 224
9.5.1. Description 224
9.5.2. Situations, crimes, and encryption 225
9.5.3. Legal status in the Netherlands 226
9.5.4. Conclusion 227
9.6. Assessing the alternative investigation measures 227
9.6.1. The options of alternative investigation measures 227
9.6.2. Applying the criteria 229
9.6.3. Conclusion 232
Chapter 10. The zero option 233
10.1. The zero option 233
10.2. Applying the criteria 235
10.3. Conclusion 236
Chapter 11. Reconciling interests 237
11.1. Rawls and social justice 238
11.2. The crypto conflict and criminal justice 240
11.3. Description of the problem 241
11.3.1. The original position 241
11.3.2. Representative groups and their veil of ignorance 242
11.4. The crypto policy conference 243
11.4.1. The least advantaged group 243
11.4.2. Principles and ordering rules 244
11.4.3. Selecting the options 245
11.4.4. Narrowing down the problem 252
11.4.5. The key decision 252
11.4.6. Looking at the future 255
11.4.7. Evaluation 257
11.5. Agenda for a US conference 257
11.6. Conclusion 259
Summary 261
Abbreviations 267
Glossary 269
Glossary of terms 269
Glossary of legal terms (English-Dutch) 271
Glossary of laws and regulations (English-Dutch) 271
Glossary of organizations (English-Dutch) 271
Bibliography 273
Legislative proposals, decisions, and other parliamentary documents 283
Dutch 283
European 283
Case Law 284
Dutch 284
European 285
US 285
About the author 287