[107529] in Cypherpunks
RE: AU Crypto Report (fwd)
daemon@ATHENA.MIT.EDU (Jukka E Isosaari)
Fri Jan 15 19:44:05 1999
Date: Sat, 16 Jan 1999 03:23:43 +0200 (EET)
From: Jukka E Isosaari <jei@zor.hut.fi>
To: cypherpunks@toad.com
Reply-To: Jukka E Isosaari <jei@zor.hut.fi>
So, does Windows have backdoors in it? :-)
++ J
---------- Forwarded message ----------
Date: Fri, 15 Jan 1999 12:06:29 -0800
From: Gideon Yuval <gideony@MICROSOFT.com>
Reply-To: ukcrypto@maillist.ox.ac.uk
To: "'ukcrypto@maillist.ox.ac.uk'" <ukcrypto@maillist.ox.ac.uk>
Subject: RE: AU Crypto Report
The following was also interesting (euphemisms 101)(my formatting):
"6.4.4 All the intrusive investigative powers have to do with the
preservation of 'public safety' in the broad definition given earlier. The
approach suggested is to incorporate all these powers into one statute which
would provide in its title an
easily understood (my comment: perhaps "easily misunderstood" - endcomment)
purpose, quite separate from any agency. It might, for instance, be titled
the 'Aid to Public Safety Act'. Such a title would be precise in terms of
objective, reassuring in terms of community expectation and positive in its
statement. The various investigatory powers should be couched in purpose or
objective terms. The specification of the means by which any particular
purpose may be realised should be
eschewed.
For example, the problems created by the current definition of a listening
device in the AFP Act when the purpose should simply be stated as being for
'the transmission of data'."
-----Original Message-----
From: Brian Gladman [mailto:gladman@seven77.demon.co.uk]
Sent: Friday, January 15, 1999 8:05 AM
To: UK Crypto List
Subject: AU Crypto Report
I am not sure whether this has already been distributed on 'ukcrypto' but it
is sufficiently interesting to ensure that list members are aware of it.
In Australia the government has kindly released two different versions of a
report on crypto - one version that is sanitised and the other that is not.
As a result it is now possible to see exactly what the Australian government
thinks is too sensitive to tell its citizens.
The commentary below is courtesy of Greg Taylor of EFA. The URL points to a
copy of the report made available by EFA in which the bits you are not
supposed to see are highlighted in red. Although this only provides direct
insight into the muddle headed thinking of the Australian government on
crypto matters I can happily confirm that this very much parallels what goes
on here in the UK.
The report is well worth a read and would be highly amusing were it not for
the fact that this is real and not fiction.
Note in particular:
* a recommendation that "hacking" by law enforcement agencies should be
above the law
* a recommendation that law enforcement and national security agencies
should arrange to put back doors in proprietary software
In view of:
1. the dominant position of US software suppliers in world markets;
2. The visibility of an Australian government position that they support the
covert insertion of backdoors into proprietary software;
we have to wonder what the position of the US government is on such matters.
Since they are likely to be a year or two ahead of the Australia on such
matters, is it now reasonable to assume that US originated software (or
hardware) may contain deliberately engineered security weaknesses capable of
being exploited by the US government?
And, closer to home, if the US government is indeed pursuing such a path,
does the UK government support or object to the distribution of such
insecure products for use by UK citizens?
Brian
----------------------------------------------------------------------------
----------------
EFA has obtained access to an uncensored copy of the "Review of Policy
relating to Encryption Technologies" (the Walsh Report) and this has
now been released online at:
http://www.efa.org.au/Issues/Crypto/Walsh/index.htm
The originally censored parts are highlighted in red.
The report was prepared in late 1996 by Gerard Walsh, former
deputy director of the Australian Security Intelligence
Organisation (ASIO). The report had been commissioned by
the Attorney-General's Department in an attempt to open
up the cryptography debate in Australia. It was intended
to be released publicly and was sent to the government printer early
in 1997. However, distribution was stopped, allegedly at a very
high (i.e. political) level. EFA got wind of this and applied
for its release under FOI in March 1997. This was rejected
for law enforcement, public safety and national security reasons. We
persisted, and eventually obtained a censored copy in June 1997,
with the allegedly sensitive portions whited out. The report
was released on the EFA website, and in the subsequent media
coverage the department claimed that the report was never
intended to be made public, a claim that is clearly at odds with
Gerard Walsh's understanding of the objectives, as is obvious from
his foreword to the report.
It has now come to light that the Australian Government Publishing
Service, which printed the report, lodged "deposit copies" with
certain major libraries. This is a standard practice with all
Australian government reports that are intended for public
distribution. The Walsh Report is quite possibly the first instance
where a report was withdrawn after printing but before any public
release. It is believed that the Attorney-General's department
was unaware that not all copies had been returned to them.
To this day, the report remains officially unreleased, except for
the censored FOI version. Interestingly, several Australian
government sites now link to the report on the EFA website.
Quite possibly, this situation would have remained unchanged,
except for an alert university student, Nick Ellsmore, who recently
stumbled across an unexpurgated copy of the report, gathering dust
in the State Library in Hobart. The uncensored version has now
replaced the censored report at the original URL.
The irony of this tale is that the allegedly sensitive parts of
the report, which were meant to be hidden from public gaze, are
now dramatically highlighted. The censored sections provide a
unique insight into the bureaucratic and political paranoia
about cryptography, such that censorship was deemed to be an
appropriate response. The official case for strict crypto
controls is conseuently weakened, because much of the censored
material consists of unpalatable truths that the administration
would prefer to be covered up, even though the information
may already be known, or at least strongly suspected, in the crypto
community.
This apparent unwillingness to admit the truth is an appalling
indictment on those responsible for censoring the report.
It is indicative of a bureaucracy more anxious to avoid embarrassment
and criticism than adhere to open government principles and encourage
policy debate. Even worse, the censorship was performed under
the mantra of law enforcement and national security, a chilling
example of Orwellian group-think.
There are also some controversial recommendations in the report that
demand attention, since they could well be still on the current
policy agenda, in Australia or elsewhere. Examples are
proposals for legalised hacking by agencies, legalised trap-doors
in proprietary software, and protection from disclosure of the
methods used by agencies to obtain encrypted information, an
apparent endorsement of rubber-hose code-breaking.
On top of all this is the matter of allegedly sensitive material
being released to public libraries. It would seem that a number
of copies have been gathering dust now for at least a year.
So far the sky hasn't fallen, nor has the country succumbed
to rampant threats to national security.
Attached is a brief summary of what seem to be the important
censored items, including a few which make the Attorney-General's
Department look somewhat precious, to put it mildly.
The more interesting exercise is to scroll through the report until
you see red ;-)
Greg
===================
Paragraphs censored for reasons of national security, defence or
international relations
--------------------------------------------------------------------
- A statement that there are "design flaws" in US and British key
recovery proposals (1.2.52 and 1.2.57)
- An opinion that export controls are of dubious value (1.2.60, 3.7.6)
- Commentary that US agencies sought to dominate public discussion of
encryption policy (5.1.3)
Paragraphs censored because they are classified as "internal
working documents"
--------------------------------------------------------------------
- A recommendation that "hacking" by law enforcement agencies should
be above the law (1.2.28, 6.2.3)
- Recommendation that authorities be given the power to demand
encryption keys, in contravention of the principle of non
self-incrimination.
Paragraphs censored by reason of affecting enforcement of law and
protection of public safety
---------------------------------------------------------------------
- A statement that encryption is a "looming problem" (1.2.1)
- Statements that strong encryption is widely available and cannot be
broken. (1.2.15 and 1.2.16, 3.5.1, 3.5.4)
- Acknowledgment that more overt forms of surveillance carry
"political risk" (1.2.22, 3.6.1, 4.3.1, 4.3.2)
- A recommendation that law enforcement and national security agencies
should arrange to put back doors in proprietary software for
surveillance purposes. (1.2.33, 6.2.10, 6.2.11, 6.2.22)
- A statement that communications interception is valuable (1.2.42)
- A statement that criminal elements are using prepaid SIM cards in
mobile phones (3.2.2)
- Speculation about forming another cryptanalytical agency to parallel
DSD. (4.4.2)
- Commentary about the vulnerability of key escrow systems (4.5.8)
- Statement that agencies want protection from disclosure of how keys
were obtained (6.2.16)
- Recommendation that the Federal Police Act permit covert
entry to premises. (6.2.20)
- Recommendations for exemption of Federal Police from the normal
legal discovery process (6.2.20)
