Wednesday, June 1, 2011

To know or not to know?

The government of India passed an IT Act (Amendment 2008) which requires written government permission, and deposit of the decryption keys, for any use of encryption greater than 40-bit. Google and eCommerce websites regularly use 128-bit; Skype 256-bit; and the government has been in a five-year battle with RIM over access to the traffic being sent via BlackBerry devices. Can this tension be resolved?

I'm sometimes nervous about making online purchases as it is; the thought that my credit card information may be open to copying and storing in somebody else's database makes me nervous, especially after so many private- and public-sector databases have been leaked in recent months.

It's not just consumer credit card purchase information that travels over HTTPS links and VPN (Virtual Private Network) technology: encryption is necessary to protect all sorts of commercial information flowing back and forth in our interconnected, flat world. In fact, though few understand the technical intricacies, it's fair to say that without encryption we couldn't operate the free flow of information across boundaries (whether between organizations or countries).

So ideas like the Indian one, or France's recent declaration that they wish to mandate the storing of users' access passwords to online services, are short-sighted and must have a negative effect on the ability of business to compete globally.

The choice is stark:

  • Use weak encryption, or none, and face the possibility that commercial secrets are misused by others.
  • Or use strong encryption and risk being barred from operation in some countries where state surveillance is being promoted.
