--- begin forwarded text


Delivered-To: [EMAIL PROTECTED]
Date:         Sat, 9 Jan 1999 13:08:21 -0600
Reply-To: Digital Signature discussion <[EMAIL PROTECTED]>
Sender: Digital Signature discussion <[EMAIL PROTECTED]>
From: Richard Hornbeck <[EMAIL PROTECTED]>
Subject:      FW: Censored Australian crypto report liberated - vely
interesting
To: [EMAIL PROTECTED]

Another one from over the transom.

Some of the more interesting 'unredacted' comments from this document, which
is described in greater detail below, include:

=======

1.2.52 The models of 'Commercial Key Escrow' and 'Trusted Third Party'
systems variously proposed by the United States and Britain contain some
(inevitable?) design flaws which will leave subjects of law enforcement and
national security investigations outside their arrangements. The market may
well identify, for normal commercial reasons, the need for trusted third
party services in Australia. (paragraphs 4.5.4-11; 4.7.1-6 refer)

=======

Nothing really new or unexpected in the passage above.

==============

3.2.9 Despite an understandable concern at what might be, the indications
are that the current United States experience is not significantly different
to Australia's - a small proportionate incidence of personal computers and
associated digital storage utilising encryption or password protection but
the trend line moving upward in only a slight way from a low base. The
encryption involved ranging from the relatively unsophisticated through to
DES.

=============

Interesting, considering one of the FBI's strongest arguments for export
controls was the increase in encrypted stored data. At least 'unredacted'
portions of the document acknowledge the minimal positive results that
export control is having.

Lots more where that came from!

Richard Hornbeck
[EMAIL PROTECTED]
www.primenet.com/~hornbeck

-----Original Message-----
From: Greg Taylor [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 09, 1999 3:12 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Censored Australian crypto report liberated



EFA has obtained access to an uncensored copy of the "Review of Policy
relating to Encryption Technologies" (the Walsh Report) and this has
now been released online at:
   http://www.efa.org.au/Issues/Crypto/Walsh/index.htm
The originally censored parts are highlighted in red.

The story behind this is a rather comical example of bureaucratic
incompetence.  Revisiting a little history, the report was prepared
in late 1996 by Gerard Walsh, former deputy director of the Australian
Security Intelligence Organisation (ASIO).  The report had been
commissioned by the Attorney-General's Department in an attempt
to open up the cryptography debate in Australia.  It was intended
to be released publicly and was sent to the government printer early
in 1997.  However, distribution was stopped, allegedly at a very
high (i.e. political) level.  EFA got wind of this and applied
for its release under FOI in March 1997.  This was rejected
for law enforcement, public safety and national security reasons.  We
persisted, and eventually obtained a censored copy in June 1997,
with the allegedly sensitive portions whited out.  The report
was released on the EFA website, and in the subsequent media
coverage the department claimed that the report was never
intended to be made public, a claim that is clearly at odds with
Gerard Walsh's understanding of the objectives, as is obvious from
his foreword to the report.

It has now come to light that the Australian Government Publishing
Service, which printed the report, lodged "deposit copies" with
certain major libraries.  This is a standard practice with all
Australian government reports that are intended for public
distribution.  The Walsh Report is quite possibly the first instance
where a report was withdrawn after printing but before any public
release.  It is believed that the Attorney-General's department
was unaware that not all copies had been returned to them.

To this day, the report remains officially unreleased, except for
the censored FOI version.  Interestingly, several Australian
government sites now link to the report on the EFA website.

Quite possibly, this situation would have remained unchanged,
except for an alert university student who recently stumbled
across an unexpurgated copy of the report, gathering dust in the
State Library in Hobart.  The uncensored version has now
replaced the censored report at the original URL.

The irony of this tale is that the allegedly sensitive parts of
the report, which were meant to be hidden from public gaze, are
now dramatically highlighted.  The censored sections provide a
unique insight into the bureaucratic and political paranoia
about cryptography, such that censorship was deemed to be an
appropriate response.  The official case for strict crypto
controls is now greatly weakened, because much of the censored
material consists of unpalatable truths that the administration
would prefer to be covered up, even though the information
may already be known, or at least strongly suspected, in the crypto
community.

This apparent unwillingness to admit the truth is an appalling
indictment on those responsible for censoring the report.
It is indicative of a bureaucracy more anxious to avoid embarrassment
and criticism than adhere to open government principles and encourage
policy debate.  Even worse, the censorship was performed under
the mantra of law enforcement and national security, a chilling
example of Orwellian group-think.

There are also some controversial recommendations in the report that
demand attention, since they could well be still on the current
policy agenda, in Australia or elsewhere.  Examples are
proposals for legalised hacking by agencies, legalised trap-doors
in proprietary software, and protection from disclosure of the
methods used by agencies to obtain encrypted information, an
apparent endorsement of rubber-hose code-breaking.

On top of all this is the matter of allegedly sensitive material
being released to public libraries.  It would seem that a number
of copies have been gathering dust now for at least a year.
So far the sky hasn't fallen, nor has the country succumbed
to rampant threats to national security.

Attached is a brief summary of what seem to be the important
censored items, including a few which make the Attorney-General's
Department look somewhat precious, to put it mildly.

The more interesting exercise is to scroll through the report until
you see red ;-)

Greg

===================

Paragraphs censored for reasons of national security, defence or
international relations
--------------------------------------------------------------------
- A statement that there are "design flaws" in US and British key
    recovery proposals (1.2.52 and 1.2.57)
- An opinion that export controls are of dubious value (1.2.60, 3.7.6)
- Commentary that US agencies sought to dominate public discussion of
    encryption policy (5.1.3)

Paragraphs censored because they are classified as "internal
working documents"
--------------------------------------------------------------------
- A recommendation that "hacking" by law enforcement agencies should
    be above the law (1.2.28, 6.2.3)
- Recommendation that authorities be given the power to demand
    encryption keys, in contravention of the principle of non
    self-incrimination.

Paragraphs censored by reason of affecting enforcement of law and
protection of public safety
---------------------------------------------------------------------
- A statement that encryption is a "looming problem" (1.2.1)
- Statements that strong encryption is widely available and cannot be
    broken. (1.2.15 and 1.2.16, 3.5.1, 3.5.4)
- Acknowledgment that more overt forms of surveillance carry
    "political risk" (1.2.22, 3.6.1, 4.3.1, 4.3.2)
- A recommendation that law enforcement and national security agencies
    should arrange to put back doors in proprietary software for
    surveillance purposes. (1.2.33, 6.2.10, 6.2.11, 6.2.22)
- A statement that communications interception is valuable (1.2.42)
- A statement that criminal elements are using prepaid SIM cards in
    mobile phones (3.2.2)
- Speculation about forming another cryptanalytical agency to parallel
    DSD. (4.4.2)
- Commentary about the vulnerability of key escrow systems (4.5.8)
- Statement that agencies want protection from disclosure of how keys
    were obtained (6.2.16)
- Recommendation that the Federal Police Act permit covert
    entry to premises. (6.2.20)
- Recommendations for exemption of Federal Police from the normal
    legal discovery process (6.2.20)

--- end forwarded text


-----------------
Robert A. Hettinga <mailto: [EMAIL PROTECTED]>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
