[PROPOSAL] Encryption Standards Act

by **Federated States of Zootron** » Thu Mar 17, 2016 3:07 pm

Encryption Standards Act
Category: International Security
Strength: Significant

The World Assembly,

Recognizing that only through strong encryption standards can digital data be kept secure,

Realizing that the root cause of many security vulnerabilities lies in substandard encryption and security procedures,

Noting that in the modern world a security breach in one computer system can lead to an attack on another computer system,

Upholding the fundamental right to privacy and security of correspondence,

Does hereby enact that:

1) No member nation may impose limitations on the strength of encryption used in telecommunications.

2) No member nation may impose limitations on the sale and/or creation of encryption software.

3) No member nation may create or force the creation of software for which there is a known security vulnerability or backdoor.

4) No member nation may compel a company to release or create encryption keys, nor issue a security certificate.

5) No member nation may compel a company to keep private a security vulnerability, nor may any member nation keep hidden from the person or company owning a piece of software a security vulnerability contained within.

In addition,

Urges governments to classify software as a form of speech, and grant software protection as free speech.

A few questions about my draft:

1) Has this already been covered?
2) Is this too short?
3) Does this break any rules?

by **Savoy-Habsburg** » Sat Mar 19, 2016 4:28 am

Some nations, (I'm thinking of Tinfect and his perfect empire) do not need encryption, or communicate in other ways. Some have no idea what data is for they are from the middles ages.
Seriously though, I believe personally that nations should be allowed to encrypt their data how they wish it, an face the consequences themselves, but maybe I'm wrong...

by **Imperium Anglorum** » Sat Mar 19, 2016 9:10 am

All of these are detrimental to national security.

2) No member nation may impose limitations on the sale and/or creation of encryption software.

3) No member nation may create or force the creation of software for which there is a known security vulnerability or backdoor.

4) No member nation may compel a company to release or create encryption keys, nor issue a security certificate.

Now, it is irrelevant whether I believe that such a system should be used. (I believe they should not be.) However, because I believe that such regulations would be very detrimental to national security, I cannot support these positions.

by **Dooom35796821595** » Sat Mar 19, 2016 11:01 am

So, what? Top secret documents, fleet deployment schedules, and security analysis should use the same encryption as gossip texts? Any encryption developed by the military should be made available to the public? What about nations who don't rely solely on simplistic 'market forces'? We can't allow flawed product to be 'stolen' by our enemies that would turn their systems against themselves if they try to use it?

by **Wallenburg** » Sat Mar 19, 2016 12:30 pm

"We couldn't really care less about your clauses dealing with 'software', but clause four is unacceptable. We will produce warrants for any encryption keys related to suspicious encrypted radio activity."

by **We Couldnt Agree On A Name** » Sat Mar 19, 2016 1:00 pm

Imperium Anglorum wrote:All of these are detrimental to national security.

2) No member nation may impose limitations on the sale and/or creation of encryption software.

3) No member nation may create or force the creation of software for which there is a known security vulnerability or backdoor.

4) No member nation may compel a company to release or create encryption keys, nor issue a security certificate.

Now, it is irrelevant whether I believe that such a system should be used. (I believe they should not be.) However, because I believe that such regulations would be very detrimental to national security, I cannot support these positions.

And very detrimental to encryption. Every useful form of encryption has some sort of vulnerability, that's necessary for the information to be decrypted. Even a Vernam cipher has it's vulnerabilities.

by **Louisistan** » Sun Mar 20, 2016 5:52 am

Dooom35796821595 wrote:So, what? Top secret documents, fleet deployment schedules, and security analysis should use the same encryption as gossip texts? Any encryption developed by the military should be made available to the public?

Yes. No modern encryption algorithm worth its money should rely on the secrecy of the algorithm in question. It is entirely sufficient to keep the key secret. In fact, publicising an encryption algorithm makes it all the more secure, because that allows the scientific community to peer review and analyse the encryption standard so as to make sure that there really are no vulnerabilities.

This is a well known principle in cryptography.

by **Federated States of Zootron** » Sun Mar 20, 2016 9:29 am

We Couldnt Agree On A Name wrote:
Imperium Anglorum wrote:All of these are detrimental to national security.

2) No member nation may impose limitations on the sale and/or creation of encryption software.

3) No member nation may create or force the creation of software for which there is a known security vulnerability or backdoor.

Now, it is irrelevant whether I believe that such a system should be used. (I believe they should not be.) However, because I believe that such regulations would be very detrimental to national security, I cannot support these positions.

And very detrimental to encryption. Every useful form of encryption has some sort of vulnerability, that's necessary for the information to be decrypted. Even a Vernam cipher has it's vulnerabilities.

Perhaps the text should be revised to read

3) No member nation may create for force the creation of software for which there is a known backdoor.

The intent was to prevent governments from forcing companies to produce an encryption system that they could break with a master key. Given that eventually, everyone would have the master key, people that used the system would have their data in the open.

by **Federated States of Zootron** » Sun Mar 20, 2016 9:32 am

Wallenburg wrote:"We couldn't really care less about your clauses dealing with 'software', but clause four is unacceptable. We will produce warrants for any encryption keys related to suspicious encrypted radio activity."

Note that the proposal says nothing about a government compelling an individual to release an encryption key. Even if the communication is between companies, there will be an individual who knows the key.

by **Federated States of Zootron** » Sun Mar 20, 2016 9:37 am

Savoy-Habsburg wrote:Some nations, (I'm thinking of Tinfect and his perfect empire) do not need encryption, or communicate in other ways. Some have no idea what data is for they are from the middles ages.
Seriously though, I believe personally that nations should be allowed to encrypt their data how they wish it, an face the consequences themselves, but maybe I'm wrong...

Encryption has been described by some news services as the civil rights battle of this decade. The Federated States of Zootron has noticed violations of the basic right to privacy stemming from sub-standard encryption.

[OOC] I assume, from the issues, that every nation is human and in modern times. {/OOC]

by **Lychgate** » Sun Mar 20, 2016 9:40 am

Remove the "Does" so it becomes "Hereby enacts". You need italics, underlines, or bolds to differentiate between clauses. Part 3 of the "Hereby enacts" clause also seems similar to something in real life...

by **Wallenburg** » Sun Mar 20, 2016 10:21 am

Federated States of Zootron wrote:
Wallenburg wrote:"We couldn't really care less about your clauses dealing with 'software', but clause four is unacceptable. We will produce warrants for any encryption keys related to suspicious encrypted radio activity."

Note that the proposal says nothing about a government compelling an individual to release an encryption key. Even if the communication is between companies, there will be an individual who knows the key.

And that individual's release of the key would amount to theft, as the key would be the property of the company, and not the individual.

by **Separatist Peoples** » Sun Mar 20, 2016 11:58 am

Federated States of Zootron wrote:
Savoy-Habsburg wrote:Some nations, (I'm thinking of Tinfect and his perfect empire) do not need encryption, or communicate in other ways. Some have no idea what data is for they are from the middles ages.
Seriously though, I believe personally that nations should be allowed to encrypt their data how they wish it, an face the consequences themselves, but maybe I'm wrong...

Encryption has been described by some news services as the civil rights battle of this decade. The Federated States of Zootron has noticed violations of the basic right to privacy stemming from sub-standard encryption.

[OOC] I assume, from the issues, that every nation is human and in modern times. {/OOC]

OOC: Not an accurate assumption. There is a wide range of rp realities in the WA. In a recent thread, we've had magical ponies, galactic empires, and nations from Minecraft arguing with modern and WW1 tech nations. While we generally write MT proposals and resolutions, we are careful to deal with them in ways that do not explicitly exclude our extraordinary roleplayers.

by **Dooom35796821595** » Mon Mar 21, 2016 3:46 am

Louisistan wrote:
Dooom35796821595 wrote:So, what? Top secret documents, fleet deployment schedules, and security analysis should use the same encryption as gossip texts? Any encryption developed by the military should be made available to the public?

Yes. No modern encryption algorithm worth its money should rely on the secrecy of the algorithm in question. It is entirely sufficient to keep the key secret. In fact, publicising an encryption algorithm makes it all the more secure, because that allows the scientific community to peer review and analyse the encryption standard so as to make sure that there really are no vulnerabilities.

This is a well known principle in cryptography.

As an effective metriocracy our government is more then capable of producing secure encryption without allowing terrorist chatter to be neigh uncrackable. The problem isn't with the security of the encryption, it's with the prospect of allowing anyone to use the highest levels of security.

by **Tinfect** » Mon Mar 21, 2016 4:01 am

Savoy-Habsburg wrote:Some nations, (I'm thinking of Tinfect and his perfect empire) do not need encryption, or communicate in other ways. Some have no idea what data is for they are from the middles ages.

OOC:
Geez, go for the jugular why don't ya. Of course the Imperium needs encryption. You can't maintain a constant connection to the Imperial Archive or its defensive systems when Hyperpulse Generators don't facilitate a constant connection in the first place. And not everything is even connected to the Archive.
And the Imperium is far from perfect, Markhov just presents it that way because, A: He's a Nationalist Bastard and will never admit it, and B: It's literally his job. But lets not get into that here.

IC:

Federated States of Zootron wrote:Recognizing that only through strong encryption standards can digital data be kept secure,

"Nearly a century of Imperial Archive defensive measures would disagree with that statement, Ambassador. Encryption is merely one part of a defensive strategy."

Scandavian States wrote:2) No member nation may impose limitations on the sale and/or creation of encryption software.

"The Imperium does not allow private industry to develop encryption software. This clause is entirely unacceptable."

Scandavian States wrote:3) No member nation may create or force the creation of software for which there is a known security vulnerability or backdoor.

"All software is vulnerable to something. This would effectively ban socialist Member States from creating software, and is unacceptable."

Scandavian States wrote:5) No member nation may compel a company to keep private a security vulnerability, nor may any member nation keep hidden from the person or company owning a piece of software a security vulnerability contained within.

"If a security vulnerability is unknown, it can be easily repaired before it can be exploited. This clause has clearly not been thought through. The Imperium is opposed, regardless of the fact that this all but certainly duplicates or contradicts recently passed legislation."

by **The Puddle Jumping Wads of Wrapper** » Mon Mar 21, 2016 5:19 am

A few small comments. One, backdoors are necessary during the development of software. We suggest you clarify that line by allowing it during development but necessitate the removal of all backdoors in the final product. Two, clause 4 is... well... that could cause problems when nations use government contractors to provide security. Some certification that software is secure would be required, yes? Or does, erm, does this "security certificate" mean something else entirely? Also, we're not so sure about the category. How does this resolution significantly increase police and military budgets?

[PROPOSAL] Encryption Standards Act

[PROPOSAL] Encryption Standards Act

Who is online