[DRAFT] Cryptographic Privacy Act

New-Brussels
Bureaucrat
 
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Sun Apr 08, 2018 2:33 pm

Cryptographic Privacy Act Public Draft 4

Category : Human Rights

Strength : Significant


The World Assembly,

NOTICING the usage of cryptography in many member nations as well as its unparalleled importance in regards to the privacy of data, and

RECOGNIZING that all member nations do not possess the same level of information technology, which may be subject to relatively fast and advanced changes that could potentially introduce unforeseen ways of engaging in criminality and warfare, but

REAFFIRMING the concern that this assembly has already professed in regards to privacy, as expressed in GAR#213 Privacy Protection Act, and

ADMITTING that, for the good of their population and, more generally, in their own interest, member nations may need to attempt bypassing encryption, but

CONDEMNING how some governments do not hesitate to undermine the trust that people all around the world may have in cryptography by forcing the implementation of backdoors in widely, publicly used protocols during their development,

UNDERSTANDING that other aspects of cryptography and its usage should be regulated by further legislation, which is expected to justify the necessity of all eventual breaches of privacy, and

NOT FORGETTING that the concept of cryptography isn’t restricted to digital communications,

Hereby,

  1. DEFINES, for the purposes of this resolution :

    1. Cryptography as the study and application of the methods by which the original meaning of information may be secured from unwanted access and, by extension, the various protocols devised for this purpose,

    2. Encryption as the process of using any protocol to encode information by the means of a key private to authorized readers so that this key is necessary to decode the information, this reversal being defined as decryption,

    3. Vulnerability, in the context of an encryption protocol, as the inability to prevent unauthorized individuals from decoding encrypted information within a sensible timeframe,

    4. Cryptographic privacy as the security that a cryptographic protocol can provide to private information;

  2. ESTABLISHES that cryptographic privacy can not be expected in good faith from a vulnerable encryption protocol;

  3. ALLOWS member nations to devise and apply cryptographic protocols, within the confines of this resolution and past international legislation on the matter;

  4. PROHIBITS member nations from interfering with the development of encryption protocols with the intent of increasing the vulnerability of these protocols or their dependencies;

  5. DECLARES that any malignant interference with the development or application of any cryptographic protocol in a member nation shall be considered an act of sabotage, surveillance, or terrorism, depending on the context and severity, and as understood by all parties involved at the lawfully appropriate levels;

  6. PROHIBITS anyone from attempting to reverse or defeat vulnerable encryption protocols implemented by a civilian of any member nation, except in the following cases :

    1. The obtention of specific instances of decrypted or encrypted information linked to this civilian is warranted lawfully, especially in the context of actions described by clause 5,

    2. These attempts are performed in the process of scientific cryptography research and education and in good faith or,

    3. The proprietary of the information gives full consent;

  7. URGES member nations to minimize the vulnerability of all cryptographic protocols they utilize, by means including but not limited to investing in scientific cryptography research and education.


Cryptographic Privacy Act Public Draft 3

Category : Human Rights

Strength : Significant


The World Assembly,

NOTICING the usage of cryptography in many member nations as well as its unparalleled importance in regards to the privacy of data, and

RECOGNIZING that all member nations do not possess the same level of information technology, which may be subject to relatively fast and advanced changes that could potentially introduce unforeseen ways of engaging in criminality and warfare, but

REAFFIRMING the concern that this assembly has already professed in regards to privacy, as expressed in GAR#213 Privacy Protection Act, and

ADMITTING that, for the good of their population and, more generally, in their own interest, member nations may need to attempt bypassing encryption, but

CONDEMNING how some governments do not hesitate to undermine the trust that people all around the world may have in cryptography by forcing the implementation of backdoors in widely, publicly used protocols during their development,

UNDERSTANDING that other aspects of cryptography and its usage should be regulated by further legislation, which is expected to justify the necessity of all eventual breaches of privacy, and

NOT FORGETTING that the concept of cryptography isn’t restricted to digital communications,

Hereby,

  1. DEFINES, for the purposes of this resolution :

    1. Cryptography as the study and application of the methods by which the original meaning of information may be secured from unwanted access and, by extension, the various protocols devised for this purpose;

    2. Encryption as the process of using any protocol to encode information by the means of a key private to authorized readers so that this key is necessary to decode the information, this reversal being defined as decryption;

    3. Vulnerability, in the context of an encryption protocol, as the inability to prevent unauthorized individuals from decoding encrypted information within a sensible timeframe;

    4. Cryptographic privacy as the security that a cryptographic protocol can provide to private information;

  2. ESTABLISHES that cryptographic privacy can not be expected in good faith from a vulnerable encryption protocol;

  3. ALLOWS member nations to devise and apply cryptographic protocols, within the confines of this resolution and past international legislation on the matter;

  4. PROHIBITS member nations from interfering with the development of encryption protocols with the intent of increasing their vulnerability;

  5. DECLARES that any malignant interference with the development or application of any cryptographic protocol in a member nation shall be considered an act of sabotage, surveillance, or terrorism, depending on the context and severity, and as understood by all parties involved at the lawfully appropriate levels;

  6. PROHIBITS anyone from attempting to reverse or defeat vulnerable encryption protocols implemented by a civilian of any member nation, except in the following cases :

    1. The obtention of specific instances of decrypted or encrypted information linked to this civilian is warranted lawfully, especially in the context of actions described by clause 5;

    2. These attempts are performed in the process of scientific cryptography research or education and in good faith;

    3. The proprietary of the information gives full consent;

  7. URGES member nations to minimize the vulnerability of all cryptographic protocols they utilize, by means including but not limited to investing in scientific cryptography research and education.


Cryptographic Privacy Act Public Draft 2

Category : Human Rights

Strength : Significant


The World Assembly,

NOTICING the usage of cryptography in many member nations as well as its unparalleled importance in regards to the privacy of data, and

RECOGNIZING that all member nations do not possess the same level of information technology, which may be subject to relatively fast and advanced changes that could potentially introduce unforeseen ways of engaging in criminality and warfare, but

REAFFIRMING the concern that this assembly has already professed in regards to privacy, as expressed in GAR#213 Privacy Protection Act, and

ADMITTING that, for the good of their population and, more generally, in their own interest, member nations may need to attempt bypassing encryption, but

CONDEMNING how some governments do not hesitate to fragilize the trust that people all around the world may have in cryptography by forcing the implementation of backdoors in widely, publicly used protocols during their development,

UNDERSTANDING that other aspects of cryptography and its usage should be regulated by further legislation, which is expected to justify the necessity of all eventual breaches of privacy, and

NOT FORGETTING that the concept of cryptography isn’t restricted to digital communications,

Hereby,

  1. DEFINES, for the purposes of this resolution :

    1. Cryptography as the study and application of the methods by which the original meaning of information may be secured from unwanted access and, by extension, the various protocols devised for this purpose;

    2. Encryption as the process of using any protocol to encode information by the means of a key private to authorized readers so that this key is necessary to decode the information, this reversal being defined as decryption;

    3. Vulnerability, in the context of an encryption protocol, as the inability to prevent unauthorized individuals from decoding encrypted information within a sensible timeframe;

    4. Cryptographic privacy as the security that a cryptographic protocol can provide to private information;

  2. ESTABLISHES that cryptographic privacy can not be expected in good faith from a vulnerable encryption protocol;

  3. ALLOWS member nations to devise and apply cryptographic protocols, within the confines of this resolution and past international legislation on the matter;

  4. PROHIBITS member nations from interfering with the development of encryption protocols with the intent of increasing their vulnerability;

  5. DECLARES that any malignant interference with the development or application of any cryptographic protocol in a member nation shall be considered an act of sabotage, surveillance, or terrorism, depending on the context and severity, and as understood by all parties involved at the lawfully appropriate levels;

  6. PROHIBITS member nations from attempting to defeat vulnerable encryption protocols implemented by a civilian of any member nation, except in the following cases :

    1. The obtention of specific instances of decrypted or encrypted information linked to this civilian is warranted lawfully;

    2. These attempts are performed in the process of cryptography research with the full consent of the proprietary of the information;

  7. URGES member nations to minimize the vulnerability of all cryptographic protocols they utilize, by means including but not limited to investing in cryptography research.


Cryptography Act Public Draft 1

Category : Human Rights

Strength : Significant


The World Assembly,

NOTICING the usage of cryptography in many member nations as well as its unparalleled importance in regards to the privacy of data, and

RECOGNIZING that all member nations do not possess the same level of information technology, which may be subject to relatively fast and advanced changes that could potentially introduce unforeseen ways of engaging in criminality and warfare, but

REAFFIRMING the statement that “...every person has a right to privacy that extends to all lawful actions that occur out of public view and to all lawful actions, places, and other matters for which a subjective expectation of privacy and a reasonable, or objective, expectation of privacy exist”, which has been expressed in GAR#213 Privacy Protection Act, and

ADMITTING that, for the good of their population and, more generally, in their own interest, member nations may need to attempt bypassing cryptographic protocols, but

CONDEMNING how some governments do not hesitate to fragilize the trust that people all around the world may have in cryptography by forcing the implementation of backdoors in widely, publicly used protocols during their development,

UNDERSTANDING that other aspects of cryptography and it’s usage should be regulated by further legislation, which is expected to justify the necessity of all eventual breaches of privacy, and

NOT FORGETTING that the concept of cryptography isn’t restricted to digital communications,

Hereby,

DEFINES, at least for the purposes of this resolution :

a. Cryptography as the study and application of the methods by which information may be made private to any unintended reader and, by extension, the various protocols devised for this purpose;

b. Encryption as the application of any protocol that obfuscates the original meaning of information beyond legibility, with decryption as it’s reversal or attempted defeat;

c. Vulnerability, in the context of an encryption protocol, as the ability to reverse or defeat it without any information private to the owner of relevant data and within a sensible timeframe;

d. Cryptographic Privacy as the logical consequence of using cryptography to ensure the privacy of information for the sake of one’s own privacy;


ESTABLISHES that cryptographic privacy can not be expected from a vulnerable encryption protocol;

PROHIBITS member nations from interfering with the development of encryption protocols with the intent of increasing their vulnerability;

ALLOWS member nations to devise and apply cryptographic protocols, in the extent of legislation on the matter and within the confines of this resolution;

DECLARES that any malignant interference with the development or application of any cryptographic protocol in a member nation shall be considered an act of sabotage, surveillance, or terrorism, depending on the context and severity, and as understood by all parties involved at the lawfully appropriate levels;

URGES member nations to regulate the governmental development or application of any preferred forms of cryptography in an official manner, left to their liking and customs and according to their level of information technology, especially if the intent is to implement bona fide acts of surveillance, as explained above;

PROHIBITS member nations from attempting to reverse or defeat vulnerable encryption protocols implemented by a civilian of any member nation, except in the case where the obtention of specific instances of decrypted or encrypted information linked to this civilian is warranted lawfully, and

ALLOWS member nations to establish organizations dedicated to the lawful encryption and decryption of data, as this kind of duty can not be realistically accomplished by an international body without seriously endangering international harmony.


OOC :

With "Encyrption Privacy Act"[sic] having met its foreseen demise, I feel like it's the right time to post this draft.

Not sure on the title yet, I would go with something like "Conventions on Cryptography" or something like that, don't be afraid to suggest a better one. Title has been chosen as "Cryptographic Privacy Act" to prevent confusion.

You can access my notes and their revision history at https://docs.google.com/document/d/1ZFXBUvXKjv_qx-nGmWJsw7mb8VhaHWUUFyRmdzinmi4/edit?usp=sharing, the current draft candidate only being different in its formatting (probably).
Last edited by New-Brussels on Mon Apr 23, 2018 10:38 am, edited 15 times in total.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

The New Nordic Union
Diplomat
 
Posts: 599
Founded: Jul 08, 2016
Left-wing Utopia

Postby The New Nordic Union » Sun Apr 08, 2018 2:46 pm

New-Brussels wrote:
Cryptography Act (working title) Public Draft 1
REAFFIRMING the statement that “...every person has a right to privacy that extends to all lawful actions that occur out of public view and to all lawful actions, places, and other matters for which a subjective expectation of privacy and a reasonable, or objective, expectation of privacy exist”, which has been expressed in GAR#213 Privacy Protection Act, and


Not sure that this phrasing is allowed by the House of Cards Rule; my guess would be, it isn't.
Permanent Representative of the Nordic Union to the World Assembly: Katrin við Keldu

New-Brussels
Bureaucrat
 
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Sun Apr 08, 2018 2:59 pm

EDIT : snipped, as the quote seems to be fully legal
Last edited by New-Brussels on Tue Apr 10, 2018 5:07 pm, edited 7 times in total.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

Christian Democrats
Postmaster-General
 
Posts: 10093
Founded: Jul 29, 2009
New York Times Democracy

Postby Christian Democrats » Sun Apr 08, 2018 3:19 pm

In my opinion, the word "rely" in the House of Cards Rule should be read narrowly. I think a proposal can reference other resolutions without relying on them. The purpose of the House of Cards Rule is to require each proposal to stand on its own two feet. In other words, if a referenced resolution were repealed, the meaning and effect of the later resolution would stay the same.
Last edited by Christian Democrats on Sun Apr 08, 2018 3:19 pm, edited 1 time in total.
Leo Tolstoy wrote:Wrong does not cease to be wrong because the majority share in it.
GA#160: Forced Marriages Ban Act (79%)
GA#175: Organ and Blood Donations Act (68%)^
SC#082: Repeal "Liberate Catholic" (80%)
GA#200: Foreign Marriage Recognition (54%)
GA#213: Privacy Protection Act (70%)
GA#231: Marital Rape Justice Act (81%)^
GA#233: Ban Profits on Workers' Deaths (80%)*
GA#249: Stopping Suicide Seeds (70%)^
GA#253: Repeal "Freedom in Medical Research" (76%)
GA#285: Assisted Suicide Act (70%)^
GA#310: Disabled Voters Act (81%)
GA#373: Repeal "Convention on Execution" (54%)
GA#468: Prohibit Private Prisons (57%)^

* denotes coauthorship
^ repealed resolution
#360: Electile Dysfunction
#452: Foetal Furore
#560: Bicameral Backlash
#570: Clerical Errors

Kenmoria
GA Secretariat
 
Posts: 7914
Founded: Jul 03, 2017
Scandinavian Liberal Paradise

Postby Kenmoria » Sun Apr 08, 2018 11:23 pm

"“Cryptography Act” works fine as a title for me, it states clearly what is being legislated."
Hello! I’m a GAer and NS Roleplayer from the United Kingdom.
My pronouns are he/him.
Any posts that I make as GenSec will be clearly marked as such and OOC. Conversely, my IC ambassador in the General Assembly is Ambassador Fortier. I’m always happy to discuss ideas about proposals, particularly if grammar or wording are in issue. I am also Executive Deputy Minister for the WA Ministry of TNP.
Kenmoria is an illiberal yet democratic nation pursuing the goals of communism in a semi-effective fashion. It has a very broad diplomatic presence despite being economically developing, mainly to seek help in recovering from the effect of a recent civil war. Read the factbook here for more information; perhaps, I will eventually finish it.

Attempted Socialism
Ambassador
 
Posts: 1682
Founded: Feb 21, 2011
Left-wing Utopia

Postby Attempted Socialism » Mon Apr 09, 2018 1:43 am

Christian Democrats wrote:In my opinion, the word "rely" in the House of Cards Rule should be read narrowly. I think a proposal can reference other resolutions without relying on them. The purpose of the House of Cards Rule is to require each proposal to stand on its own two feet. In other words, if a referenced resolution were repealed, the meaning and effect of the later resolution would stay the same.
OOC:
That is also the interpretation of the last HoC ruling I'm aware of: viewtopic.php?p=33109496#p33109496
Essentially, unless your resolution would be inoperable with the repeal of the cited resolution (And here it wouldn't), HoC is not violated.
Personally I disagree with that ruling, but unless it has been overturned, this draft would be legal.


Represented in the World Assembly by Ambassador Robert Mortimer Pride, called The Regicide
Assume OOC unless otherwise indicated. My WA Authorship.
Cui Bono, quod seipsos custodes custodiunt?
Bobberino: "The academic tone shines through."
Who am I in real life, my opinions and notes
My NS career

New-Brussels
Bureaucrat
 
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Tue Apr 10, 2018 11:17 am

Kenmoria wrote:"“Cryptography Act” works fine as a title for me, it states clearly what is being legislated."


"All good then."

EDIT : apparently not enough, so it's gonna be "Cryptographic Privacy Act"
Last edited by New-Brussels on Sun Apr 15, 2018 8:07 am, edited 1 time in total.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

Wallenburg
Postmaster of the Fleet
 
Posts: 22872
Founded: Jan 30, 2015
Democratic Socialists

Postby Wallenburg » Tue Apr 10, 2018 12:32 pm

I'll be borrowing Ambassador Leveret's proposal scalpel for this draft:
New-Brussels wrote:The World Assembly,

NOTICING the usage of cryptography in many member nations as well as its unparalleled importance in regards to the privacy of data, and

RECOGNIZING that all member nations do not possess the same level of information technology, which may be subject to relatively fast and advanced changes that could potentially introduce unforeseen ways of engaging in criminality and warfare, but

REAFFIRMING the statement that “...every person has a right to privacy that extends to all lawful actions that occur out of public view and to all lawful actions, places, and other matters for which a subjective expectation of privacy and a reasonable, or objective, expectation of privacy exist”, which has been expressed in GAR#213 Privacy Protection Act, and

ADMITTING that, for the good of their population and, more generally, in their own interest, member nations may need to attempt bypassing cryptographic protocols, but

CONDEMNING how some governments do not hesitate to fragilize the trust that people all around the world may have in cryptography by forcing the implementation of backdoors in widely, publicly used protocols during their development,

UNDERSTANDING that other aspects of cryptography and it’s usage should be regulated by further legislation, which is expected to justify the necessity of all eventual breaches of privacy, and

NOT FORGETTING that the concept of cryptography isn’t restricted to digital communications,

IC: "That is an extensive preamble. Its size is not necessarily bad, but if you get concerned about the length of your proposal, I would cut from this first."
Hereby,

DEFINES, at least for the purposes of this resolution :

"The 'at least' can go."
a. Cryptography as the study and application of the methods by which information may be made private to any unintended reader and, by extension, the various protocols devised for this purpose;

OOC: That's not a really good definition of cryptography. I would go for something more like "the use of codes to secure information from unwanted observation or replication".
b. Encryption as the application of any protocol that obfuscates the original meaning of information beyond legibility, with decryption as it’s reversal or attempted defeat;

Its, not it's. Again, this is a poor definition of encryption. If encryption were just messing with information until you couldn't read it anymore, then nobody could read it, even the intended reader(s). Encryption is the process of encoding information so that only authorized individuals may read it. Decryption is the use of encryption keys to convert encoded information into intelligible information.
c. Vulnerability, in the context of an encryption protocol, as the ability to reverse or defeat it without any information private to the owner of relevant data and within a sensible timeframe;

More accurately, vulnerability is the potential to fail to successfully deter attempts by unauthorized individuals to decrypt encoded information.
d. Cryptographic Privacy as the logical consequence of using cryptography to ensure the privacy of information for the sake of one’s own privacy;

"Cryptographic privacy" more commonly refers to the security of private information, as provided by cryptographic algorithms.
ESTABLISHES that cryptographic privacy can not be expected from a vulnerable encryption protocol;

Well, it can, but not very well.
PROHIBITS member nations from interfering with the development of encryption protocols with the intent of increasing their vulnerability;

Would this include interference in foreign governments' cryptography for the purposes of espionage?
ALLOWS member nations to devise and apply cryptographic protocols, in the extent of legislation on the matter and within the confines of this resolution;

IC: "I believe the phrase you are looking for is 'within the confines of this and previously passed World Assembly legislation'."
DECLARES that any malignant interference with the development or application of any cryptographic protocol in a member nation shall be considered an act of sabotage, surveillance, or terrorism, depending on the context and severity, and as understood by all parties involved at the lawfully appropriate levels;

"Would discontinuing the development or application of a cryptographic protocol be considered 'malignant'?"
URGES member nations to regulate the governmental development or application of any preferred forms of cryptography in an official manner, left to their liking and customs and according to their level of information technology, especially if the intent is to implement bona fide acts of surveillance, as explained above;

"I do not understand. What regulations do you wish for member states to impose on their own cryptographic endeavors?"
PROHIBITS member nations from attempting to reverse or defeat vulnerable encryption protocols implemented by a civilian of any member nation, except in the case where the obtention of specific instances of decrypted or encrypted information linked to this civilian is warranted lawfully, and

"I would also provide for an exception allowing researchers to attack samples of encrypted information in order to study the efficacy of encryption methods."
ALLOWS member nations to establish organizations dedicated to the lawful encryption and decryption of data, as this kind of duty can not be realistically accomplished by an international body without seriously endangering international harmony.

"I am sure that the World Assembly encrypts the data stored in its archives, as well as information sent within and away from the headquarters."
Last edited by Wallenburg on Tue Apr 10, 2018 12:34 pm, edited 1 time in total.
While she had no regrets about throwing the lever to douse her husband's mistress in molten gold, Blanche did feel a pang of conscience for the innocent bystanders whose proximity had caused them to suffer gilt by association.

King of Snark, Real Piece of Work, Metabolizer of Oxygen, Old Man from The East Pacific, by the Malevolence of Her Infinite Terribleness Catherine Gratwick the Sole and True Claimant to the Bears Armed Vacancy, Protector of the Realm

New-Brussels
Bureaucrat
 
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Tue Apr 10, 2018 4:21 pm

Wallenburg wrote:too big a quote for the mere human that I am


"We will address the points in order before concluding on an important note.

First things first : the fact is that we have already trimmed the preamble quite a bit. We think it would be detrimental to our argument to trim it any further.



On the topic of vulnerability, I think you might understand that the reason why we do not expect cryptographic privacy at all, as defined in the proposal, from a vulnerable encryption protocol, let's stay broad, is that we want to explicitly consider that information protected by such a method is not private.

This is why, in order to still provide a layer of privacy protection for data encrypted by a vulnerable protocol, we prohibit nations from interfering with civilian use of cryptography unlawfully. We think that this is not a difficult interpretation to have as it is one that gives this resolution an important purpose : explicitly defining how and when the concept of privacy is linked to the concept of cryptography and filling the legislative gaps.

The most obvious side-effect that this would have would be to encourage every citizen to use the most secure encryption methods they have access to if they are deemed legal by their nation, and this is an undoubtedly good outcome.

We find your definition of vulnerability to be good, but we would like you to understand that our definition's wording interacts especially well with our main operative clause. As such, we are considering borrowing some elements from your definition to make it more proper. Same thing with cryptographic privacy.



We find your comment on espionage very interesting as we chose in the first cleanup of this draft to remove references to espionage as it could very well be considered surveillance, specifically in the DECLARES clause. The way you bring this topic up seems to indicate that we should probably still consider espionage separately and we are eager to know your opinion about this.

In any case, in response to your comment, we believe that yes, this clause could apply to cases of espionage, but the relevant interference itself would certainly be considered an act of sabotage, as explained, therefore even for the purposes of espionage if that is your concern. We admit that our intent is to criminalize the government sanctioned implementation of backdoors, the argument for which being explained in the preamble albeit subtly as there is a distinction between condemnation and criminalization.

So, as we believe that the forced implementation of backdoors is a problem, especially if it is government sanctioned, making an exception for any politically interesting purpose would clearly work against our intent.

Nevertheless, it is obvious that the wording should bring a compromise between vaguely mentioning interference and specifically prohibiting backdoors and we think this is reflected in the proposal. Other matters require their own treatment as explained in the DECLARES clause, although in this case it might be useful to not limit ourselves to the specific actions enumerated, so we will have that in mind.

Please do not hesitate to tell us if you think that other concepts similar to backdoors in their relevance to cryptography should be treated by this proposal.



Would the discontinuation of crypto-related activity be considered malignant ? The definition of malignant can be summarized as either ill-intended or dangerous, obviously ignoring all medical applications of the term. Do you see how useful this adjective is to the clause ? We believe that a discontinuation can be well intended, such as when replacing obsolete technology, or ill-intended, such as when shutting down a 'troublesome' encryption method, as you may have pertinently implied. The answer is : it depends on the context of this discontinuation for someone to judge whether or not it is malignant and it is clear that this applies to every kind of interference.



The URGES clause only serves as a formal recommendation to.. regulate the governmental usage of cryptography officially. There are multiple benefits from this, the most important being that nations would strive to eliminate their cryptographic vulnerabilities, as it is in their interest to choose the best forms of cryptography available.

That said, we realize that this clause should simply be changed to 'URGES member nations to minimize the vulnerability of all cryptographic protocols they utilize, including but not limited to investing in cryptography research;'.



We believe that the particular way of conducting cryptography research you mentioned is very pertinent and we will take it into account. We also think that your remark about the last clause is pertinent.

Now, for that note I talked about,
"
OOC :

So, about my definitions of Cryptography and Encryption.

These definitions are obviously not as precise and rigorous as anyone who has any knowledge of encryption as we know it today would want it to be, me included.

I was under the impression that defining all these terms 'for the purposes of the resolution' meant that the primary concern could be shifted to their legal relevance to the resolution if they are still correct, since they would not be binding. (This is what I tried to infer by 'at least', and I concur that in retrospect it doesn't sound very confident haha) So, I agree that I should at least mention encryption keys where it's relevant and integrate them with a newer, more factually correct definition.

Anyways, better work on the next draft :)
Last edited by New-Brussels on Tue Apr 10, 2018 5:19 pm, edited 3 times in total.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

New-Brussels
Bureaucrat
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Sat Apr 14, 2018 8:26 am

Public draft 2 has been posted.

List of changes incoming, they have mostly been covered by my previous post anyway.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

Araraukar
Post Marshal
Posts: 15899
Founded: May 14, 2007
Corrupt Dictatorship

Postby Araraukar » Sat Apr 14, 2018 10:44 am

OOC: The way it's written now (aka emphasis on data security), there's no way it's anywhere near human rights. If anything, it'd be International Security, Mild. And then you've got Digital Network Defense to tapdance around with.

Also, in my understanding "cryptography" is a field of science, like, say, "biochemistry" or "particle physics" (or any other such "sub-branch" science), while "encryption" is the actual action of securing information. If you're looking to ban/restrict an area of science, it again in no way is human rights and you need to dance around DND.

Additionally, if you're trying to ban "master passwords" for, say, workplace computers and/or administrator access to user-encrypted files, there's no way in hell you'll ever be able to pass this.
- ambassador miss Janis Leveret
Araraukar's RP reality is Modern Tech solarpunk. In IC in the WA.
Giovenith wrote:And sorry hun, if you were looking for a forum site where nobody argued, you've come to wrong one.
Apologies for absences, non-COVID health issues leave me with very little energy at times.

New-Brussels
Bureaucrat
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Sat Apr 14, 2018 11:57 am

(aka emphasis on data security)


Well no the emphasis is on, and I'll quote my previous post because my preamble is very long : "explicitly defining how and when the concept of privacy is linked to the concept of cryptography and filling the legislative gaps".
Obviously, cryptography has to do with data security but nowhere are the specifics of such a subject touched upon in the proposal. Or maybe in "URGES" but this is hardly the most relevant operative clause.

If you're looking to ban/restrict an area of science


I am looking to restrict the actions that are described by an area of science, here encryption, decryption, the forced implementation of backdoors by the government, and brute-forcing/using these backdoors against civilian encrypted data (All of this is clearly described in the proposal, or am I crazy ?) You seem to imply yourself that it is more sensible to restrict actions than whole areas of science in this case, and I agree.

So knowing all of this information, available in the proposal without any substantial mental exercise, Human Rights is appropriate.

Additionally, if you're trying to ban "master passwords" for, say, workplace computers and/or administrator access to user-encrypted files, there's no way in hell you'll ever be able to pass this.


You know what, I'll just say that I don't want to do any of that and that my proposal doesn't do any of that.

Also, it seems that I can completely remove the "DECLARES" clause since DND already takes care of considering any cyber attack as an offense, so, nice !
Last edited by New-Brussels on Sat Apr 14, 2018 12:13 pm, edited 3 times in total.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

Wallenburg
Postmaster of the Fleet
Posts: 22872
Founded: Jan 30, 2015
Democratic Socialists

Postby Wallenburg » Sat Apr 14, 2018 12:14 pm

Araraukar wrote:OOC: The way it's written now (aka emphasis on data security), there's no way it's anywhere near human rights. If anything, it'd be International Security, Mild. And then you've got Digital Network Defense to tapdance around with.

Cryptography is a central issue to digital privacy in the real world, and the resolution approaches the issue in a manner that focuses on human rights.

Araraukar wrote:Also, in my understanding "cryptography" is a field of science, like, say, "biochemistry" or "particle physics" (or any other such "sub-branch" science), while "encryption" is the actual action of securing information. If you're looking to ban/restrict an area of science, it again in no way is human rights and you need to dance around DND.

The proposal, from my perspective, regulates the practice of cryptography. In particular, it limits how certain entities can go about creating easier ways to decrypt data or force other entities to do the same. In the real world this would apply to many controversial situations. For instance, two years ago a mass shooter in San Bernardino, California, was suspected of Islamist sympathies. The FBI seized his phone and demanded that Apple create a "backdoor" through the phone's encryption. This would allow the FBI unauthenticated access to the phone's information. Apple resisted on the basis of not only the privacy rights of the suspect, but also the privacy rights of all its customers. Such backdoors might easily be abused by the FBI or anyone else who might get their hands on such backdoors. Certainly privacy rights belong in the Human Rights category?

Araraukar wrote:Additionally, if you're trying to ban "master passwords" for, say, workplace computers and/or administrator access to user-encrypted files, there's no way in hell you'll ever be able to pass this.

This resolution does not do that. User authentication and data encryption, while sometimes related, are not the same.
While she had no regrets about throwing the lever to douse her husband's mistress in molten gold, Blanche did feel a pang of conscience for the innocent bystanders whose proximity had caused them to suffer gilt by association.

King of Snark, Real Piece of Work, Metabolizer of Oxygen, Old Man from The East Pacific, by the Malevolence of Her Infinite Terribleness Catherine Gratwick the Sole and True Claimant to the Bears Armed Vacancy, Protector of the Realm

Araraukar
Post Marshal
Posts: 15899
Founded: May 14, 2007
Corrupt Dictatorship

Postby Araraukar » Sat Apr 14, 2018 2:49 pm

Wallenburg wrote:User authentication and data encryption, while sometimes related, are not the same.

OOC: And this attempts to do which?

Also "any malignant interference with the development or application of any cryptographic protocol" - would adding an admin backdoor password thing count as malignant?
- ambassador miss Janis Leveret

Wallenburg
Postmaster of the Fleet
Posts: 22872
Founded: Jan 30, 2015
Democratic Socialists

Postby Wallenburg » Sat Apr 14, 2018 3:50 pm

Araraukar wrote:
Wallenburg wrote:User authentication and data encryption, while sometimes related, are not the same.

OOC: And this attempts to do which?

The latter. That's why its active clauses handle encryption protocols, rather than authentication systems.

Araraukar wrote:Also "any malignant interference with the development or application of any cryptographic protocol" - would adding an admin backdoor password thing count as malignant?

I can't say for sure. However, an administrator generally owns or otherwise has higher authority over a device with multiple users, so any attempt by an administrator to implement a "backdoor password" would probably not be malignant. I doubt such a thing would be necessary anyway, since administrators can control permissions for all other users' data without anything but their own username and password.

New-Brussels
Bureaucrat
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Sat Apr 14, 2018 4:58 pm

Wallenburg wrote:I can't say for sure. However, an administrator generally owns or otherwise has higher authority over a device with multiple users, so any attempt by an administrator to implement a "backdoor password" would probably not be malignant. I doubt such a thing would be necessary anyway, since administrators can control permissions for all other users' data without anything but their own username and password.


One could indeed say that one such "backdoor password" is the administrator's own password. To stay on the topic of cryptography, an admin's status might allow him to run decryption or bruteforce programs that are otherwise disallowed on the machine, but it doesn't imply any control over anyone else's encrypted data. The described situation really has nothing to do with the proposal anyway.

UNLESS you are referencing cryptographic backdoors, Ara, in which case yes, obviously the proposal declares crypto backdoors as malignant interference with the operation of an encryption protocol (more accurately sabotage), that's kind of the point. The two clauses mentioning interference are deliberately specific enough to target backdoors and general enough to completely prevent any other kind of interference from having the same effect or being considered benign.

Also, format will be altered soon to make the proposal **prettier** is done
Last edited by New-Brussels on Sun Apr 15, 2018 7:23 am, edited 6 times in total.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

New-Brussels
Bureaucrat
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Sun Apr 15, 2018 7:58 pm

Jan Herst grabs the attention of the assembly and walks to the stand.

He clears his throat and says, "Our third draft is here. And it bites harder."

He resumes, with a satisfied tone, "We have modified the prohibitions on the unauthorized decryption of weakly protected civilian data to apply to anyone.

Indeed, we believe that in order to truly provide a proper layer of legal protection for vulnerable encryption protocols, and still with the intent of penalizing their use in favor of sensibly inviolable encryption methods, such provisions targeting all possible actors are needed.

In order to better accommodate situations in which attempts at such decryptions might prove reasonable in both their need and good faith in regards of their target's privacy, exceptions have been added and altered. Our main concern is now on other possible exceptions which might prove useful to include.

We await your insight on this matter."

Jan leaves the stand after collecting his notes.

OOC :

Things are getting clearer by the minute as the main prohibitions of this proposal are being refined. I really wonder why I haven't thought of referencing the clause exactly above it (clause 5), it provides good closure !

And of course, mentioning the consent of the information's proprietary sounds obvious and relevant, for example in the context of hackathons.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

Araraukar
Post Marshal
Posts: 15899
Founded: May 14, 2007
Corrupt Dictatorship

Postby Araraukar » Mon Apr 16, 2018 7:58 am

OOC post: For the record, my brother is just working on his Master's thesis on pretty much this subject in Real Life. I'm trying to get him to find some time to have a look at this. :D

New-Brussels wrote:UNLESS you are referencing cryptographic backdoors, in which case yes, obviously the proposal declares crypto backdoors as malignant interference with the operation of an encryption protocol (more accurately sabotage), that's kind of the point. The two clauses mentioning interference are deliberately specific enough to target backdoors and general enough to completely prevent any other kind of interference from having the same effect or being considered benign.

I don't know the terminology, but I'm talking about stuff like this scenario:
  • Person A is a known member of an international terrorist group.
  • The authorities have the permission (proper warrant through proper legal procedure) to listen to their phonecalls and otherwise monitor their communications.
  • The authorities have strong evidence (my brother briefly mentioned communication end-points and metadata, which I sort of know as things that exist, but not really in this context) of Person A communicating with Person B in the same organization in another nation with the purpose to commit a terrorist act.
  • They send messages to one another as encrypted files protected by a program developed in Person A's nation.
Now, the questions as per the above scenario:

1. Would this proposal stop the authorities from cracking or bruteforcing (or whatever the term is) their way through the encryption to get the contents of the messages that they believe have relevant information of an imminent unlawful action? (Do note that the imminent unlawful action is also against WA law, not just national.)

2. Would this proposal stop the authorities from requiring encryption software developers to install a "backdoor" or some kind of "master password" with which individual users' data can be decrypted? (Do note that in this scenario the authorities would still need to have the legal permission to access said data.)

3. If the answer to the above questions is "yes", then doesn't this violate existing WA resolutions about terrorism and cyberterrorism? (Do note that the example intentionally does not specify if we're talking about cyberterrorism or "meatspace" terrorism.)

4. Would the answers to the above questions be different if
  1. the software had been developed in another WA nation?
  2. the software had been developed in a non-member nation?
  3. the software was used by the same or another nation by their authorities, who used it to protect their own sensitive data?
  4. the software had been developed for the exact purpose of defeating lawful warrants?

I may have more questions once I hear from my brother, but for now the above scenario and related questions are my most important concerns.
Last edited by Araraukar on Mon Apr 16, 2018 7:59 am, edited 1 time in total.
- ambassador miss Janis Leveret

New-Brussels
Bureaucrat
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Mon Apr 16, 2018 9:52 am

Araraukar wrote:OOC post: For the record, my brother is just working on his Master's thesis on pretty much this subject in Real Life. I'm trying to get him to find some time to have a look at this. :D


Cool ! And from the scenario and questions you posted afterwards, I can see that this proved interesting !

Araraukar wrote:I don't know the terminology, but I'm talking about stuff like this scenario:
  • Person A is a known member of an international terrorist group.
  • The authorities have the permission (proper warrant through proper legal procedure) to listen to their phonecalls and otherwise monitor their communications.
  • The authorities have strong evidence (my brother briefly mentioned communication end-points and metadata, which I sort of know as things that exist, but not really in this context) of Person A communicating with Person B in the same organization in another nation with the purpose to commit a terrorist act.
  • They send messages to one another as encrypted files protected by a program developed in Person A's nation.
Now, the questions as per the above scenario:


I consider this scenario to be one of the primary cases to which the mentioned exception should apply. Good call.

So, assuming a rational interpretation of the proposal as previously explained :

1. Would this proposal stop the authorities from cracking or bruteforcing (or whatever the term is) their way through the encryption to get the contents of the messages that they believe have relevant information of an imminent unlawful action? (Do note that the imminent unlawful action is also against WA law, not just national.)


No. The exception does not distinguish which laws are applicable and assumes full legality.

2. Would this proposal stop the authorities from requiring encryption software developers to install a "backdoor" or some kind of "master password" with which individual users' data can be decrypted? (Do note that in this scenario the authorities would still need to have the legal permission to access said data.)


Still in the scenario, one would be hard pressed to say that the suspects are going to change their encryption methods for a newly developed one, but in a general sense, yes.

I understand what you are implying, so one could also argue that a well placed update to their communication protocol, if they are using a service, could change the encryption methods used to ones with backdoors, thus allowing the furtherance of the investigation.

Obviously, such a move would have no effect against data that has been already encrypted and the strong evidence of the imminence of a terrorist act should be enough to shift the focus on the immediate arrest of the implicated individuals. Maybe it would ease the life of counter-terrorists all around if the obtention of further data can somehow provide incriminating evidence for other individuals. Maybe the potential authoritarian abuse isn't worth it.

Curiously, clause 4 does not forbid independent bodies from carrying on such a task and I think that leaving the specifics of such particular situations to national legislation is not a bad idea.

3. If the answer to the above questions is "yes", then doesn't this violate existing WA resolutions about terrorism and cyberterrorism? (Do note that the example intentionally does not specify if we're talking about cyberterrorism or "meatspace" terrorism.)


In any case, no, we specifically shift the legal consequences on already existing law in clause 5 or otherwise don't touch upon the subjects, so I cannot see how there might be a contradiction. If there is an explicit example of past legislation that proves this wrong, please inform me.

4. Would the answers to the above questions be different if :
the software had been developed in another WA nation?


No.

the software had been developed in a non-member nation?


Having considered the wording of the proposal carefully, I would answer no.

the software was used by the same or another nation by their authorities, who used it to protect their own sensitive data?


Concerning :

1. No. It would still have to be legal anyways.

2. Ditto.

3. No.

the software had been developed for the exact purpose of defeating lawful warrants?


The broadest interpretation of that sentence I can find that is still relevant to the proposal is that the concerned encryption protocol is invincible.

Now, ask your brother how hackers would feel if you told them all their cryptographic precautions have no effect in the face of the law. I'm not sure that angering an entire virtually international community would be in the interest of the World Assembly.

Anyway, in the interest of privacy, and as it is the full intent of the proposal, I cannot see how providing an exception for such software would not favor totalitarianism, thus going against the category.

The answer to the question is no and should not be otherwise.
Last edited by New-Brussels on Mon Apr 16, 2018 10:53 am, edited 5 times in total.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

Kenmoria
GA Secretariat
Posts: 7914
Founded: Jul 03, 2017
Scandinavian Liberal Paradise

Postby Kenmoria » Mon Apr 16, 2018 10:07 am

"In the CONDEMNING clause, “fragilize” is not a word. I think you could mean “worsen” or “deteriorate”."
Hello! I’m a GAer and NS Roleplayer from the United Kingdom.
My pronouns are he/him.
Any posts that I make as GenSec will be clearly marked as such and OOC. Conversely, my IC ambassador in the General Assembly is Ambassador Fortier. I’m always happy to discuss ideas about proposals, particularly if grammar or wording are in issue. I am also Executive Deputy Minister for the WA Ministry of TNP.
Kenmoria is an illiberal yet democratic nation pursuing the goals of communism in a semi-effective fashion. It has a very broad diplomatic presence despite being economically developing, mainly to seek help in recovering from the effect of a recent civil war. Read the factbook here for more information; perhaps, I will eventually finish it.

New-Brussels
Bureaucrat
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Mon Apr 16, 2018 10:08 am

Kenmoria wrote:"In the CONDEMNING clause, “fragilize” is not a word. I think you could mean “worsen” or “deteriorate”."


OOC : https://en.wiktionary.org/wiki/fragilize
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

Kenmoria
GA Secretariat
Posts: 7914
Founded: Jul 03, 2017
Scandinavian Liberal Paradise

Postby Kenmoria » Mon Apr 16, 2018 10:11 am

New-Brussels wrote:
Kenmoria wrote:"In the CONDEMNING clause, “fragilize” is not a word. I think you could mean “worsen” or “deteriorate”."


OOC : https://en.wiktionary.org/wiki/fragilize

(OOC: That is a new one, and I've just checked and it doesn't appear in the Google, Oxford, Apple or Collins dictionaries. I would still replace it though, as its obscurity makes it look incorrect.)

New-Brussels
Bureaucrat
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Mon Apr 16, 2018 10:18 am

Kenmoria wrote:

(OOC: That is a new one, and I've just checked and it doesn't appear in the Google, Oxford, Apple or Collins dictionaries. I would still replace it though, as its obscurity makes it look incorrect.)


Sounds like an artifact from my mother tongue. Changed to "undermine".
Last edited by New-Brussels on Mon Apr 16, 2018 10:28 am, edited 1 time in total.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor

Avgrunden
Bureaucrat
Posts: 48
Founded: Apr 13, 2018
Ex-Nation

Postby Avgrunden » Thu Apr 19, 2018 9:08 am

The Free Lands of Avgrunden hereby pledges our full support for the Cryptographic Privacy Act.

A few small suggestions for possible edits:

Clause 4:
PROHIBITS member nations from interfering with the development of encryption protocols with the intent of increasing their vulnerability;


We would suggest rewording this to avoid ambiguity - the clause could be read to mean that the development of encryption protocols which themselves are intended to increase vulnerability cannot be interfered with by member nations.

A possible reword: "Prohibits member nations from, with the intent of increasing their vulnerability, interfering..."

Clause 6:
6. PROHIBITS anyone from attempting to reverse or defeat vulnerable encryption protocols implemented by a civilian of any member nation, except in the following cases :

a. The obtention of specific instances of decrypted or encrypted information linked to this civilian is warranted lawfully, especially in the context of actions described by clause 5;

b. These attempts are performed in the process of scientific cryptography research or education and in good faith;

c. The proprietary of the information gives full consent;


We would suggest adding the word "OR" after "good faith;", so as to clarify that only one of the exceptions needs to be met for full compliance with the act.
Ingmar Viklund
Executor | Republiken Avgrunden
Ingen sanning utan frihet.

New-Brussels
Bureaucrat
Posts: 61
Founded: Mar 27, 2018
Ex-Nation

Postby New-Brussels » Thu Apr 19, 2018 6:03 pm

PROHIBITS member nations from interfering with the development of encryption protocols with the intent of increasing their vulnerability;

We would suggest rewording this to avoid ambiguity - the clause could be read to mean that the development of encryption protocols which themselves are intended to increase vulnerability cannot be interfered with by member nations.

A possible reword: "Prohibits member nations from, with the intent of increasing their vulnerability, interfering..."


We do not see how your rewording prevents the mentioned issue from happening, but we believe that your point is very pertinent and that the current wording lacks in consistence with our intent.

OOC : Good point (maybe for the wrong reasons but thank you in any case)

6. PROHIBITS anyone from attempting to reverse or defeat vulnerable encryption protocols implemented by a civilian of any member nation, except in the following cases :

a. The obtention of specific instances of decrypted or encrypted information linked to this civilian is warranted lawfully, especially in the context of actions described by clause 5;

b. These attempts are performed in the process of scientific cryptography research or education and in good faith;

c. The proprietary of the information gives full consent;


We would suggest adding the word "OR" after "good faith;", so as to clarify that only one of the exceptions needs to be met for full compliance with the act.


OOC : I am under the impression that exceptions are associative by default as they cannot work against each other. Is that reasonable ?
Last edited by New-Brussels on Thu Apr 19, 2018 6:31 pm, edited 4 times in total.
From the Rafterian Partenariat Department of Legislation,
His Holiness Todd Rafter, President of Honor
