Alert: Germany going to ban strong crypto.

1. What has happened?

This is to inform you of upcoming political activities of the German government with regard to legal regulations of the distribution and use of cryptographic technology, including software as PGP or the like.

According to brief notices published today by the weekly newsmagazine "DER SPIEGEL" as well as by some dayly newspapers, last week a secret meeting of high-ranked officials was closed with an urgent recommendation in favour of a strongly restricted key-escrow crypto regulation.

The list of participators is said to have included Mr. Peter Frisch, who is the head of the German Verfassungsschutz (a secret service responsible for counteracting domestic anti-constitutional activities in Germany), as well as a Secretary of State delegated by the minister of domestic affairs of the Federal Republic of Germany, Mr. Kanther, and other Secretaries of State delegated by the local governments of all of the 14 States of which Germany is comprised of.

2. About the outcoming of the meeting

It is said that up to now there is only a draft proposal which will be subject to further consulations of the Cabinet of the German government. However, there are rumors saying the German Cancellor, Mr. Kohl, intends to make decisions immediately after the christmas break in early January, 1997.

The envisaged crypto regulation would impose a *general ban* on all distribution and/or use of cryptography with regard to the German territory, including the German part of the internet. This would, of course, also affect PGP. After such law would have entered into force, even downloading PGP or handing over a disk with a PGP copy would be illegal.

Legal use of cryptography would then be granted if and only if a general license has been obtained by the manufacturer and/or distributor of crypto equipment from some dedicated authority for that crypto software and/or the crypto device. This license will, in particular, require that

  1. the secret keys are always escrowed by depositing them in a secret official database which is accessible by secret serivices and law enforcement authorities, and
  2. also the source code of the crypto software is deposited.

Private as well as commerical use of cryptography will be licensed only under these restrictions.

3. Possible consequences

It is clear that PGP does not fit these requirements. Of course, also things like RSA encryption included in Netscape browsers, although crippeld by U.S.-ITAR, would not be allowable.

Furthermore, it is said that the envisaged crypto regulation also would cover all crypto software and/or devices required for dealing with digital signatures.

This means that anyone who actually has access to the secret key escrow database, whether legal or not, would be able to monitor all intercepted encrypted traffic and would as well be able to fake any digital signature.

4. Scope of present available information

At present it is not clear to what extent current reporting about the crypto politics of the German government can be validated. There seems to be little doubt that some roundtable meeting of high-ranked officials was held behind closed doors last week, but there are contradictory reports about the results. Some say that the report finished by said conference is merely a noncommittal collection of papers and materials. Others claim that said report comprises, inter alia, at least key phrases of an upcoming crypto regulation if not a draft wording therefor. Anyway, it seems to be clear that Mr. Frisch and other security officials are strongly pushing towards a legal ban on strong crypto.

5. Political background and related issues

A broad discussion among relevant experts outside secret services and law enforcement authorities has shown that such crypto ban is useless for fighting against crime. This in particular holds because criminals might use steganography. Moreover, it is not very likely that criminals will decide to make use of any licensed crypto devices, knowing that the secret keys are escrowed.

But why how and here this nervous attempt of the German government to push back the ghost into the bottle? They seem to feel that it is just only a question of months, or maybe one year or so, until strong cryptography is so widespread that any attempt to ban it would inevitably fail.

During a hearing recently held by an enquete commission of the Bundestag (=German Parliament) labeled "Future of Media in Germany", a representative of the Federal Ministry for Domestic Affairs (Bundesinnenministerium) argued that that he is well knowing that strong crypto methods are widely available and that he does not assume that a ban on strong crypto would discourage criminals. However, if e.g. by means of a wiretap any illegal use of encrypted communication would be detected, this would consitute an important hint which would cause further investigations. Moreover, he argued that there is a further benefit of being able to perform traffic analysis on the basis of identified individuals under suspicion who use certain methods of illegal cryptography, enabling law enforcement authorities to draw conclusions with regard to the structure of organized crime.

As far as it can be seen today, only two ministers might argue against that crypto proposal: First, Mr. Schmidt-Jortzig, Minister of Justice, and second, Mr. Rüttgers, responsible for research promotion and technology. Chancellor Kohl and in particular Mr. Kanther are said to be strong proponents of an illiberal crypto regulation.

With regard to the domestic situation within Germany, one big question is how business, in particular big business, will respond to these plans. Of course, anyone who uses cryptography for commercial purposes might desire to use strong crypto without any key escrowing. However, as recently seen in the U.S., industry might prefer to have some kind of compromise with the government.

Most of the private people in Germany are not aware of the internet and any privacy problems related therewith. Please note that Germany in general is five up to ten years behind the U.S. with regard to penetration of the internet into everyday life. Moreover, there is a big public discussion on organized crime and domestic security promoted by right-wing politicans of CDU, CSU, FDP and even SPD.

It should be understood that the intended ban on strong crypto in Germany might perhaps be avioded by strong protests on a domestic as well as on an international scale.

zur ckzurück © 1996-2024 Lutz Donnerhacke @ IKS GmbH Jena Thursday | 26.Dec.2024