How much encryption do we need?
by Ruth Walker, walkerr@csps.com

TORONTO -- "Encryption" is the term for technologies that can be used to wrap your e-mail, your e-commerce, and your Web-surfing in a veil of secrecy.

How much encryption do we need? And how do we get it? Those would seem to be the basic questions for Web surfers.

  	[HP Server] 	 
PRIVACY IN THE BOX: Encryption software is ready for servers like this Hewlett-Packard L3000 -- if it's legal.

Many people hesitate to do business over the Internet because they're worried about hackers snatching up their credit-card numbers and electronic eavesdroppers listening in on their e-mail. And so you might think that there would be more public discussion about encryption - that it might be, well, a little less cryptic.

But from the beginning of mass use of the Internet, tension has existed in both Canada and the United States between cybernauts and law enforcement officials. The technology gurus argue that people need access to strong encryption if the Internet is to realize its full potential for electronic commerce. Law enforcement officials, especially in the US, see potential for online crime and want to be able to steam open, so to speak, people's e-mail.

And so strong encryption programs -- the equivalent of a serious deadbolt lock -- have over the years been classified as sensitive goods, like missiles or other armaments, subject to government export controls. Selling them abroad has often meant going through a cumbersome permit process -- often hard for small firms, and even fatal to their contracts.

All this technology and regulation is changing so fast, that even people in the industry are hard-pressed to know what the law lets them do.

HushMail, for instance, which provides a free, ad-supported Web-based e-mail service protected with very heavy duty 1,024-bit encryption, started up in Austin, Texas, in May 1999, but located its programmers in the British West Indies, where encryption law is much more relaxed than in the US. Now its corporate headquarters is in Dublin, and its e-mail servers are located in Vancouver. The decision to locate their servers in Canada, says HushMail spokeswoman Genevieve Van Cleve, was made "because of its friendly crypto laws and cheap bandwidth".

Ms. Van Cleve accentuates the positives when asked about a recent decision to locate in Ireland: a booming local economy, a strong information technology skills base within the labor force, access to the security-conscious European market.

"If the US were to change all its laws tomorrow, we wouldn't leave Ireland any more than we'd close the doors on our sales offices in Utah", she adds. But she says, "It's kind of hard to figure out what the [US] law is ... The law has never been tested. But it would not be a smart business move for us to try to test it. We'll leave that to the Microsofts of this world."

Similarly, a media official at a Canadian encryption firm often cited as a bright young comer in its field was unable to find anyone willing to discuss encryption regulation on the record. David Jones, a computer scientist at McMaster University in Hamilton, Ontario, and the president of Electronic Frontier Canada, says that by threatening over the years to introduce domestic controls on encryption, US law-enforcement agencies have managed to distract privacy advocates from what he says should be the real issue: abolition of export controls. Export controls have had the general result of weakening the encryption standards available off the shelf in the US and Canada, in Dr. Jones's view.

This analysis is disputed, however, by Brian O'Higgins, founder and chief technology officer of Entrust in Ottawa. "We make it safe to do business on the Internet", he says, selling encryption, digital signatures, and strong authentication technology. "The US government zeroed out all controls on encryption in January 2000. It was a 180-degree reversal", he says. "They decided e-commerce was more important than law enforcement."

The US decision has left Canada scrambling. Its crypto laws have at times given firms here an edge -- as HushMail's servers in Vancouver attest. A year and a half ago, Industry Canada, the commerce ministry, announced that its policy would be to allow encryption as strong as anything available anywhere.

"I called it a home run at the time", says Mr. O'Higgins. He acknowledges, though, that practice hasn't quite caught up with policy. If laws are less than crystal clear -- and there's evidence that in the US, at least, regulations have been drafted with enough ambiguity to let regulators decide on permits case by case -- there's also an apparent reluctance to explain why encryption matters.

Says Van Cleve: "I don't think anyone -- in business or in government -- has made the case for strong privacy and encryption: Consumers deserve to be protected, too."