Germany Frees Crypto
marlon shakespeare writes "The German cabinet today released a policy statement on the unrestricted use of encryption. Unfortunately the article's in German but the rough gist of it is available in English." Hopefully some certain other countries will follow the German lead on this one.
If there is any danger of the internet aiding in right-wing or any other type of conspiracy, it has little to do with encryption. The goal of these organizations is to reach and preach to the uninitiated, and that's best done when their prose is cheaply distributed and easily accessible, which means unencrypted.
As for weapons and such, the argument is in no way different than for criminals in general. So the usual counter arguments apply: We cannot give up everybody's right to privacy only because certain people may abuse it; encryption is available anyway, so the serious guys do have it; criminals are best accused of the crimes they commit, and not the ones they talk about; if police want to prevent crime on a significant scale by intercepting communications, this has to be a massive large scale intrusion into everybody's business, as is easily imagined from the sheer volume of data traveling around---basically it's impossible.
Personally, I even think that widely available cryptography will expose as many criminals as it hides, as people who have something to hide will get more daring in storing that info electronically, so that we'll see a lot more "interesting" security breaches because someone screws up, gets a virus, loses the key etc.
So, in short, this is great news for everyone, and nothing to worry about in terms of crime.
Err - not anymore - at least product using keys of up to 128 bits is completely free. 40 key with legal before but required a licence first.
We recently had ssh installed on some of our (brittle) boxes, but the version "agreed on" in France is somehow called "ssf". Quoth I: "huh?" So I did a little searching and found the following page. It's in French, but the upshot is that the keyspace is limited to 2^40 (and of course it is illegal to modify it). Curiously, most French people I talk to have no idea that strong encryption is illegal. I don't know the status of the 128-bit thing; is it allowed for anyone in France?
--- Premature complacency is the evil of all roots
It is most interesting that ECHELON isn't mentioned at all in the press release. I don't think it's merely coincidence that an initiative like that is started weeks after the STOA-Report and the recent Australian admittance of the existence of the UKUSA spy alliance.
My best bet is that they don't want to get into diplomatic troubles with the US just now while US trade sanctions are discussed regarding the EU import embargo against hormone-infested meat and German troops are fighting under NATO command in the Kosovo.
Note also that the German government is not only allowing but actively encouraging the use of strong crypto, which - in the case of general adoption - would make the ECHELON listing points basically useless.
I guess not all governments are braindead. I hope this starts a trend throughout the world. Maybe I'll actually be able to use a credit card online, without it being as stupid as me writing it below:
;)
4 4002312 4991029348
--------
Last Sunday's New York Times Magazine had an interesting article about Joschka Fischer, the formerly radical politician who is now the German foreign minister. It's worth checking out, particularly for Americans who are generally deprived of any news about the day-to-day political life of other industrial democracies.
France used to have the most anti-encryption policies in the developed world. Their new policy (which may not be the law yet, does anyone know?) is like that of the US: free domestic use, no export without a license for keys of more than 56 bits (which rules out source code distribution for algorithms that allow the key length to be modified easily).
This means that even after the new law is in effect, you still can't do open source crypto development in France.
.
Then go download it and use it! USE has never been illegal in the U.S., only EXPORT of the software itself.
It's comments like yours that make me wonder just how many people really understand the issues involved.
France has banned encryption altogether, AFAIK. In Finland the use of encryption is not restricted, again AFAIK, the guy who developed SSH got a prize from the president. (In the US he would probably be in jail.) The Wassenaar treaty may make export of encryption software more difficult in the future. I am not sure, but I believe Sweden and Norway have no restrictions on crypto either.
I wonder whether or not this decision was influenced by the recent revealing information about the Echelon system?
Assorted stuff I do sometimes: Lemuria.org
The Wassenaar treaty says that a person/company needs a permit to export weapons. Some crypto is also covered. It does not explicitly restrict crypto export. In Canada they give the permits away (check out www.openbsd.org). I suspect the same is true for Germany as they want to get their companies in the crypto business.
Canada made a similar announcement Fall 1998 regarding crypto.
Well, what can I say, Europe rules ;-)
Except for that Great Britain thing, co-owners of Echelon.
Traitors.
Um, excuse me, but in what way am I a troll? If you don't agree with the argument, refute it. Show that it's unsound. Show that US policy isn't largely run by paranoia and greed.
It's called public debate. I welcome you to join it responsibly.
How much money do we put into the intelligence agencies, anyway? And how much of that money goes towards economic surveillance.
I'm sorry, but the US is not the moral paradigm so many of its citizens seem to believe.
The list of murderous dictators the US has put in power and supported--yes, for self-proclaimed economic and security reasons--is too long to list here.
Well - not online. Just open the Sun or the Daily mirror, then read all the junk about the spice girls private life or the naked pictures of royal family members caught sunbathing in their garden. Read the violent comments against Europe as well as the rumors they propagate about how the EU (there was one saying that the EU wanted to change the size of the English pint of beer - which was 100% bullshit of course).
Not all countries recognise the waiver for "public domain" software - Australia applies the Wassenaar restrictions to all software.
Which is IMHO a good thing as the echelon system is abused to acquire economic secrets in a kind of neo-colonial way, and everybody knows it. :-(
Sebastian
There was a policy document circulated a couple of months ago from the Irish government which states you can import and use anything, but you're restricted by the Wassenaar Agreement for export. There's a clause in there to cover lawful access (court orders and the likes). It's at... http://www.irlgov.ie/tec/Communications/signat.htm
Caution - Flammable
The Portuguese law does not forbid the use of encryption, but it should be made less ambiguous.
In the case of the EU/UE it's a bit more difficult to manage to convince the 15 members states to agree on a common policy towards free encryption use. Maybe the brits would oppose, as apparently always (Euro, Common Army, etc..).
Yep, Fortify is cool. I'd forgotten you could wrangle any 40 bit quickie install of Netscape into a 128 bit monster. I think I was using fortify way back in 3.02 dayz on win32. Gonna try the unix version now. Thanks for the reminder!
-kabloie
For the last couple of months half of Germany has been looking at the odds of the current Social Democrats & Green party coalition surviving a full term. Most people are betting against it. And there is a reason that they would not win the elections again if those would be held today. Such as crippling the economy, destroying jobs, the 630 Mark Jobs and maybe cause there hasn't been a change. Ohh yeah the hypocritical stand to NATO and Kosovo might have something to do with that too...
"Nimis exaltatus rex sedet in vertice - caveat ruinam!"
Unrestricted use, but not unrestricted distribution. Germany is bound by the wassenaar thingy, so export restrictions will remain. Well, at least it's a (small) step in the right direction.
This announcement from the German government has little to do with freedom. As some pointed out, use of strong crypto was not restricted before in Germany (and not in most countries either, the notable exception being France). Hence it is not about a new freedom. What it is about is that Germany, like a growing number of countries, has laws regulating digital signatures to make them legally binding. One may argue that it is unnecessary to make laws about this, but it seems to be the German way. As part of the package the German government is sponsoring an official national infrastructure for certificate authorities. It only seems natural that they want to encourage people to use it.
Part of making digital signatures successful is to instill trust among the people in this technology. Digital signatures can never be trusted if there is the slightest doubt that the private key can be disclosed (unknowingly to the owner). Hence different schemes for mandatory national key recovery are totally contrary to a successful deployment of digital signatures in e-commerce.
One can also argue the national key recovery schemes are never going to a) be manageable b) be of any use to law-enforcement or intelligence. (If you were a terrorist, would you submit your keys?)
A philosophical issue is whether the freedom of expression would cover encrypted expressions. If my freedom to express myself is guaranteed by the constitution, does it matter if you can understand me?
I think it's rather funny that the statement harps very much on the economic need for strong crypto. It sounds like some people read the recent report by the EU and didn't like what it said. The statement mentions that information is becoming a raw material which needs to be protected and only gives passing note to privacy concerns. I wonder how many of the hard-lobbying German companies have been burnt by inadequate crypto; I remember a few stories about German companies losing technological advantages because their latest and greatest R&D was picked off from insecure emails etc.
It also states that the German government will try to raise crypto awareness, so not only will they allow its development, sell and use but they will actually promote crypto and an understanding of why it is important.
This rocks !
IMO, the friction between Megacorp and Government today is having many of the same effects as the friction between Church and King during the High Middle Ages -- resulting in much better prospects for freedom than would be possible if either side prevailed completely over the other.
/.
/. If the government wants us to respect the law, it should set a better example.
You are the one making the silly claims, why don't you prove your thesis. Here counterexample 1: Why are we in Kosovo? Under your claim it must be because we are paranoid or greedy. So we are either paranoid about the mighty Yugoslav army invading NYC or due to greed, we would love to get a part of that massive engine of industry that is Yugoslavia. Hmm...
How much money do we put into the intelligence agencies, anyway?
Around $26.6 billion, out of a total budget of around $1.8 trillion. A massive 1.4% of the total budget. Or a couple of drops in the bucket for the less mathematically inclined.
DrLunch.com The site that tells you what's for lunch!
Clearly you have no idea at all about Germany. Boy Scouts here are mostly leftists, hemp-smoking liberals ;-)
Actually, I think part of the reason for this policy - maybe even THE reason for this new policy- *IS* the Echelon project. Germany is a very close ally of the USA, and would never "severe ties" with the US. At the same time, of course nobody is very hot on the idea of having even friends read their mail... So I think they want to protect themselves against Echelon without creating an official problem.
The text DOES explicitly mention industrial espionage as a serious threat to Germany, and I seriously doubt they meant some small hacker in the duties of the former USSR........
Can't say. bmwi is down. Slashdot effect anyone?
They did state in the later points they would seek international cooperation.....
It's not all that surprising, really. The guiding principles of the founding of the US were Paranoia and Greed. Even the most superficial research into the Puritans and the economic interests invested in colonial america reveal this much. The order of importance has flip-flopped at various times in our development, but the principles never change. They continue to guide US intra and inter-governmental policies. Examples are easy to come by:
1. The USAUK program for intercepting private communication, with the information being used to promote--ala industrial spying--US commercial interests.
2. A drug war that costs billions, has failed miserably, and yet has gone on longer, amazingly enough, than prohibition did. Believe me, there are a lot of people making lots of money off the war on drugs. They can seize anything and use it for their own purposes, including cars, boats, and planes.
Of course, Paranoia and Greed aren't necessarily vices--they just usually are.
Hopefully this will not be too eagerly embraced by various 'youth organizations' and 'flight clubs'.
After all, in the US, encryption technology is STILL considered a munition. How would people in the surrounding countries (of Germany) feel if various para-military organizations - such as the Boy Scouts - started stockpiling munitions?
IMHO Germany has come a long way since the 1930's, but I'm sure this is going to ruffle some feathers.
[/paranoid]
-- What you do today will cost you a day of your life.
Wasn't it the German government who crippled the GSM encryption without telling anyone? Now, they want people to trust crypto? Good luck.
Citizens Against Plate Tectonics
Well, looks like maybe Europe isn't such a bad place to live, after all. I kinda like our new Government. The old one would've taken the US policy of Encryption Is Bad, you can be sure of that.
But at any rate, let's see if their deeds speak as loudly as their words.
We can only hope.
Wassenaar has an exception for what they call "public domain" software, and their appendix defines "public domain" in such a way that it includes free software/open source. So governments that have signed Wassenaar can still let their citizens export any free software they want to. They just have to restrict commercial products with strong encryption. The US forgot about this loophole because the Clinton administration is clueless about free software/ open source, and they can't close it unless they get all of the Wassenaar countries to agree.
I think we can all agree that there does exist just such an obligation (although I'm unconvinced that bombing is the best way to handle the problem.)
I agree that our current bombing is not the best way. I believe carpet bombing would be much better. Incendiary bombs. Milosevic isn't ethnically cleansing the country himself, just like Hitler he has help. We are worrying too much about the "civilian" population. I say bomb them till they yield. But this is a moot point, peace is already in the works
http://news.excite.com/news/r/990603/13/news-yugoslavia-leadall
However I have to wonder why you believe that it is just the government that is greedy and paranoid. Isn't it human nature?
-Just because you're paranoid, doesn't mean that they aren't after you.
SPAM openly welcomed. I do charge a 500$ proof-reading fee though. Any complaints may be directed to the brick wall to y
Aren't bandwidth issues a more serious consideration? Since you are talking about "e-commerce", your customer encryption can only be as good as the software out there (128-bit Netscape isn't good enough?), and censorship probably isn't an issue for you.
--
Business. Numbers. Money. People. Computer World.
I quite agree - whatever the US wants the UK agree. They always try to stop whatever the EU tries to do. Especially when the EU want to fight back US trade tax raise, there 14 votes pro and 1 con : the UK of course !
;-)
And of course they drive on the WRONG side of the road
France made a similar move March this year, authorising people to use encryption. Let me remind you that before this it was illegal to use ANY kind of encryption (you were not allowed to use ssh for example), which was rarely absurd. The URL (English) is here
--
A real key, and a false one.
OK, so I thought that the Phantom Menace was the best of the 4 yet-released episodes of Star Wars.
Why should Germans care whether their government gives them permission to use cryptography? How can they be stopped?
If I memorize 3 sentences, for a total of some ungodly number of bits, and use it as a twofish key, and have it written down nowhere... then how short of torture are they going to get it out of me?
So much for personal use. As far as secure communications, if two people use, say, 2048 bits for session key transfer, use a paranoid protocol, and use 256 bits for the session, what are they going to do about it?
The only way they could levy fines/impose prison terms on the USE of encryption (weak or strong) would be to admit they were routinely spying on people. Unless a police-state takeover were imminent, such a revelation would not be politically popular, I would imagine.
So, I wouldn't worry about it. As far as I know, Germany's constitution has SOME basic protections, so if they did "alter the deal", Schroeder couldn't exactly apply the Vader "grip of death" on anyone using PGP. Same as with US export nonsense. The NSA may wish it could put a huge bounty on Bruce Schneier... but oh well!
Actually when you ask sociologists, they say while being quite among the top nations when it comes to technology, the US are behind most of Europe in social aspects.
(Useless trivia: Finland was world leader in that category AFAIR, but don't quote me on that)
One could read into that ("see no reason at this time") that they reserve the right to restrict the use of encryption sometime in the future. It wouldn't surprise if that is actually what they (the Swedish government) mean. One could infer from what has been said on that that Pagrotsky (Swedish minister of trade) actually believes that restricting use (national key deposit etc) of cryptography would a) be possible b) be of any use for law enforcement.
I don't think the government has a problem with wire tapping stemming from irregular internal intelligence activities against communists. Wire tapping laws are a lot more permissive nowadays than they were then (and they are used, only these last few days they have been using GSM to chase a murderer on the run).
Back to Mr Pagrotsky, he made some quite clueless statements regarding Sweden's position in the Wassenaar negotiations in parliament lately. It is quite clear that the Swedish government belong to the hardliners in crypto-export matters.
In one response to a question in parliament regarding crypto-export he made Swedish software industry accomplices in spe of Milosevic et al. There's your sense of reality!
All I have to say is.. my servers go wherever they will be the most secure. That means that they go where braindead censorship is non-existent, and cryptography is allowed. Well.. I know Australia WAS my first choice. Now it's Germany, or New Zealand. The US is out, for obvious reasons.
Where is your business colocating its servers?
--
This is a translation by Thomas Roessler, roessler@guug.de, as posted to the ukcrypto mailing list. Many thanks to him.
1. The Federal Government does not plan to limit the free
availability of encryption products in Germany. It considers the
application of secure encryption to be a crucial requirement for
the citizens' privacy, for the development of electronic
commerce, and for the protection of business secrets. The
Federal Government will therefore actively support the
distribution of secure encryption. This includes in particular
increasing the security consciousness of citizens, business, and
administration.
2. The Federal Government strives for strengthening users' trust in
the security of encryption. It will therefore take measures to
create a framework for trustworthy secure encryption, in
particular by improving the possibilities for reviewing
encryption products for their security, and by recommending the
use of reviewed products.
3. For reasons of national security, and the security of business
and society, the Federal Government considers the ability of
German manufacturers to develop and manufacture secure and
efficient encryption products indispensable. It will take
measures to strengthen the international competitiveness of this
sector.
4. The spreading of strong encryption must not undermine the legal
possibilities of prosecution and security authorities [police and
intelligence communities may be a better translation]. The
responsible Federal Ministries will cautiously watch the
development and present a report after two years. Additionally,
the Federal Government will work on improving the technical
skills of prosecution and security authorities.
5. The Federal Government attaches importance to international
cooperation on encryption policy. It encourages market-driven,
open standards and interoperable systems and will work to
strengthen multilateral and bilateral cooperation.
try going to www.replay.com, based in holland, they have the full 128bit versions of IE and Netscape
But what is this going to help in the US-Debacle ? I hope the govt gets a clue some time soon. It would be really nice to legally use the 128bit Netscape (flame me if you hate it, but I really don't like transferring personal stuff over 40 bits ;-)
Any news whether the Echelon people complained already ?
Good. Now let's hope other countries will follow suit. Maybe now somebody in the European Parliament will start pushing this thing in Europe.
Funny thing that the Germans again seem to value privacy more than the rest of us. Example: phone companies in most European countries are required to keep detailed billing records for at least 3 - 5 years. In Germany they are allowed to keep them for a *maximum* of 1 year.
You can upgrade the international versions of Netscape to high grade encryption using Fortify, which is developed outside the US. No need to be stuck with 40 bits.
Yeah, you're pretty safe in the US. As long as all those bad guys don't have legal strong encryption, you don't have anything to fear.
Let kids and lunatics buy and wear (machine) guns and explosives, that's fine, just as long as they don't use that heavy 128 Bit ammo...
Those provincial fags always act like they're the lapdog of the US government. Echelon is just a symptom of their deceitfulness. Who needs the Brits anyway? I say, lets kick them out of the EU!
All other arguments from the U.S. gov. are straw men. The funny thing is that this policy will hurt much more in the long run than it helps in the short run. Quoting Alan Greenspan (unrelatedly) from yesterday's headlines:
``The United States has been in the forefront of the postwar opening up of international markets, much to our, and the rest of the world's, benefit,'' Greenspan said. ``It would be a great tragedy were that process reversed."
> This is really good news, especially since
> France have released their restrictions too
> recently.
Well, there never were any restrictions in
Germany. This is about that there won't be
restrictions in future and that the German
government actively supports and encourages
the use of cryptography.
It's amazing to me how behind-the-times the U.S. appears at times. Though we claim to be the most technologically advanced, the trendsetters, etc., it's surprising how legally backwards we are when it comes to controlling access and the use of technology. (Try speaking that last sentence aloud and swap out "drugs" for "technology" Amazing how similar the arguments are, no?)
On the contrary, it was the Germans that fought against it being crippled. There was still Soviet tension around the time GSM was being developed, and they had evidence of Soviets eavesdropping on all their business men on mobiles travelling down the autobahns.
In the end, Europe settled for having multiple versions of crippled GSM phones. This is why you find Italian Mafia types importing German phones.
All of your points are correct, but you misread my message. I wasn't defending the US gov't's stupidity; I can't, it's indefensible. I was pointing out that the German gov't isn't as clued in as people here are pretending.
Nor did I ever say or imply that "only constitutionally guaranteed rights are worth anything". What I did imply was that one acknowledgement of a basic right (assuming that it's a correct acknowledgement, of course) is worth a million grants of permission. I hold to that premise.
A lot of this is societal. Britain has its freedom because that's the way its society works. Ditto America (our Constitution is just an outgrowth of it).
Oh well.
-Billy
This announcement constitutes _permission_ for Germans to use strong encryption. It's not like the problem in the States -- the US gov't is forbidden to restrict its citizens from using strong crypto (classing strong crypto as munitions means that the "right to bear arms" applies to crypto), but they've chosen to forbid them to export it.
The German gov't is giving _permission_ to use crypto, not acknowledging a right. Tomorrow they may alter the deal -- pray that they do not alter it further (Episode 1 is so devoid of cool quotes!).
I don't like the US system, of course, and I'm fighting for a change -- but don't pretend this is somehow better. It's worse.
Do not stop fighting this stupidity!
-Billy
have released their restrictions too recently.
The Swedish government also sent out a press release recently
stating that "they see no reason at this time to
restrict the usage of encryption technology".
I guess they have to be careful about such
things after some scandals regarding registering
political extremists (communists) in the 70's, though..
Stefan Persson
Augusto Pinochet
supported and put in place by the nice guys of the CIA. Did organise mass killing and torture for years. Now the US try to stop Pinochet trial in Europe in fear that the nice US foreign policy would be put to light.
So we are either paranoid about the mighty Yugoslav army invading NYC or due to greed, we would love to get a part of that massive engine of industry that is Yugoslavia. Hmm...
After WWII, Yugoslavia was one of the few Eastern Block countries that was freely allowed to build up a strong industry. Since the crumbling of the "evil empire" using Yugoslavia as a buffer is no longer necessary. Efforts to destabilize their economy, health and education systems began during the Bush administration if not earlier.
The US has now pissed off yet another cultural region of Eastern Europe by trying to squish them under its thumb. My biggest fear now is losing a few of our (US) cities to some backpack nukes because of these political pissings.
For more info read Against Empire or anything else by Michael Parenti and for old but established data on CIA tactics read War Against the Poor
"I have a cunning plan..."
You should be using fortify for netscape (www.fortify.net). Perfectly legal. Perfectly cool. Effectively, my browser is now as good as a USA one.
http://www.jonmasters.org/
The echelon project has huge listening stations in Germany as well, does this mean that Germany wants to lose the final connection to the 'allies' of WW2? Or is it just an attempt to avoid situations like the one where a windmill factory lost a huge order to an american company?
Unable to read configuration file '/bigassraid/htdig//conf/14229.conf'
Geocrawler error message.
Can anyone enlighten me on this??
> how do you know that the author is living in the US?
He does not need to. Exporting is illegal according to USA law. In most countries using crypto is legal. Just get it from http://www.replay.com/ You do not need to export it yourself.
Actually, speaking as a German, I am a little surprised, but so far Schroeder has proven to be a very competent Chancellor. They've done quite a few things, including going ahead to join the NATO mission in FRY and stopping the abuse of a certain kind of low income jobs. It's good to see that the change in Government after 16 years of Helmut Kohl brought about at least a few good things.
Nice to see that democracy is working for the benefit of the people, for a change.
It was the NSA, doing behind-the-scenes arm-twisting, that got GSM encryption crippled. They needed a European government as their front, and for all I know it might have been Helmut Kohl and his folks. But in case you didn't notice, that government was voted out of office.
As for trusting crypto, only code that is available in source form and independently audited should be trusted. However, you can expect FUD from proprietary software vendors attempting to assert the reverse with security-by-obscurity arguments.
http://babelfish.altavista.digital.com/cgi-bin/tra nslate?urltext=http://www.bmwi.de/presse /1999/0602prm1.html&lp=de_en&doit=done
Sorry I couldn't make it a link, but Slashdot is putting in an arbitrary margin.
--------
Point 3 of the summary seems to stop curiously short of saying "we won't restrict crypto export" in clear terms, the way that Point 1 says "we won't stop our citizens using crypto" in clear terms. Is that just an artifact of translation, are the Germans just paying lip service to Wassenaar, or will we see export controls going up around Germany similar to the US ones?
--
Xenu loves you!
"Even the most superficial research into the Puritans and the economic interests invested in colonial america reveal ... (The guiding principles of the founding of the US were Paranoia and Greed.)."
Superficial - yeah. Most colonies, both in the US and elsewhere around the world, were founded to funnel wealth back to the sponsoring entity. Seems like a more balanced view would be that the guiding principles that led to the independence of the USA would be more properly identified as self determination and a "right" to non-interference.
"USAUK program for intercepting private communication" and "drug war" examples are certainly instances of debatable actions, but the assertion that the primary motivations behind these programs is "greed and paranoia" is laughable. It is oversimplification run amok.
Your response to "rombuu" (I'm afraid your example, Kosovo, does not serve as a counter to my argument.) is a pretty good example of what I call a bullshit argument. You mistakenly attribute the causal motives for eavesdropping and anti-drug activities to greed and paranoia, yet go to pains to point out alternative underlying motives as a counter argument to "rombuu"'s comments. Why do you get to make up the rules of evidence here? Try thinking for yourself sometime - it's much more rewarding than parroting someone else's stale arguments.