<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Long article on why IETF and similar bodies should *not* pander to
national bodies in adopting encryption algorithms.<br>
<br>
<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.bu.edu/jostl/files/2016/01/21.1_Tobias_Final_web.pdf">http://www.bu.edu/jostl/files/2016/01/21.1_Tobias_Final_web.pdf</a><br>
<br>
<meta charset="utf-8">
III. CHINESE WIRELESS TRANSMISSION STANDARDS AND THEIR
COUNTERPARTS
The standards with which this Note is concerned show the truth
behind
Smoot’s claim that the information technology industry “uses every
kind of
standardization process imaginable.”93 The three relevant Chinese
standards
are WLAN Authentication and Privacy Infrastructure (“WAPI”), Ultra
HighThroughput
WLAN & its counterpart Enhanced Ultra High-Throughput
WLAN (“UHT/EUHT”), and ZUC – taken together, the Encryption
Standards.
The table below lays out basic information about the standards,
their
applications, and their foreign competition.<br>
<br>
<meta charset="utf-8">
<meta charset="utf-8">
The first row of standards94 all pertain to WLAN systems, as is
evident from the formal names of both WAPI and UHT.95 At its most
basic, WLAN refers to
a system of connecting two or more devices96 without the need for
wires
between them.97 As network connectivity has become an integral part
of using
a computer, wireless networks have grown in number and popularity.98
A
wireless network allows quick and convenient access to a network. A
common
use of WLAN systems is to connect a laptop to an access point for
the World
Wide Web.99 WLAN can also be used to connect a small set of devices
(such
as a smart phone, laptop, tablet, video game console, and television
set) into a
home multi-media entertainment system.100 Instead of wires, WLAN
uses radio
frequencies to transmit data between connected devices.101<br>
<br>
802.11 is a set of internationally recognized standards that
facilitate WLAN
<meta charset="utf-8">
connectivity.102 The Institute of Electrical and Electronics
Engineers (“IEEE”),
a formal standards development organization based in New York
City,103
created 802.11.104 IEEE continually modifies 802.11, incorporating
new
security and transmission techniques.105 In 1999, when 802.11a was
approved
by the International Organization for Standardization as a formal
international
standard, it had a maximum transfer rate of fifty-four megabits per
second.106
The upcoming revision, 802.11ad, has a maximum transfer rate of
seven
gigabits per second – almost 130 times as fast.107 Users and
businesses benefit
from faster internet connections. Higher speeds make the Internet
more
economically viable as a business transmission medium, a field once
dominated by man-carried or animal-carried letters.108
The added convenience of radio-enabled wireless networks raises
significant
security issues. Interception of or tampering with radio waves is
“trivial to
anyone with a radio.”109 By intercepting radio waves, an
unauthorized person
can effectively eavesdrop on the other parties, and for example,
uncover a
private password or Social Security Number transmitted over the
network. An
unauthorized person could also tamper with the signal and trick
other devices
into thinking his own system has authorization it does not actually
have – and
here, that person could enter private networks, such as a restricted
intranet
upon which a company stores its trade secrets or other private and
sensitive
information.110 Identity thieves often target unsecured wireless
networks to
<meta charset="utf-8">
steal identifying information.111
Early versions of 802.11 used an encryption scheme known as Wired
Equivalent Privacy (“WEP”).112 WEP was intended to bring to wireless
transmissions a level of security which would compete with more
secure wired
transmissions, and thus prevent eavesdropping on, and tampering
with, private
signals.113 Every transmission subject to WEP underwent a two-stage
process
of encryption at its point of origin, and the receiver would reverse
the process
to decrypt and access the information.114 The communicating parties
shared a
secret key upon which the entire process relied; without the proper
key, the
information could not be decrypted. 115 However, in 2001,
researchers
discovered significant security flaws in WEP’s encryption scheme.116
Thieves
and other unauthorized persons could easily exploit these flaws to
gain access
to encrypted transmissions.117 After these discoveries, the IEEE
802.11 Task
Group on Security “began significant changes to WEP” to plug the
holes in
security.118 These changes culminated in the Wi-Fi Protected Access
scheme
(“WPA”).119 In 2004, the IEEE integrated WPA into the 802.11 set of
standards as 802.11i.120<br>
<br>
<meta charset="utf-8">
The rift between WAPI and 802.11 revolves around the standards’
respective handling of security. WAPI is an offshoot of the
WEP-encrypted
versions of 802.11, born of Chinese dissatisfaction with the
security flaws in
WEP.121 The Standardization Administration of China (“SAC”)
“initially
approved WAPI in May 2003 to become effective later in December of
that
year.”122 The core of WAPI is a redone security scheme. The Chinese
claim
that WAPI’s encryption rectifies the security deficiencies inherent
in WEP.123
A “necessary secret encryption algorithm” controls WAPI’s security
scheme.124 The Chinese state provides only a half-dozen Chinese
companies
with access to the algorithm.125 Any company seeking to integrate
WAPI into
its radio designs would thus have to negotiate with one of those six
companies.
Additionally, 802.11 and WAPI are mutually incompatible.126<br>
<br>
During 2003 and 2004, the Chinese government planned to
<meta charset="utf-8">
instate WAPI as
a mandatory standard.127 By June 2004, all WLAN devices would be
required
to support WAPI.128 The United States government formally protested
the
mandatory standard.129 Perhaps more importantly, information
technology
giants Intel, Texas Instruments, and Broadcom promised to cease
sales of any
product affected by WAPI.130 Craig Barret, Intel CEO, personally
visited
Beijing in an attempt to resolve the crisis.131 Amid the tension,
China agreed to
“indefinitely postpone” government enforcement of mandatory
compliance
with WAPI during bilateral trade negotiations with the United
States.132
<meta charset="utf-8">
However, the United States Trade Representative’s 2013 Report on
Technical
Barriers to Trade said that, as of 2011, “China’s Ministry of
Industry and
Information Technology (“MIIT”) remained unwilling to approve any
Internetenabled
mobile handsets or similar hand-held wireless devices unless the
devices were WAPI-enabled.”133<br>
<br>
<meta charset="utf-8">
The UHT/EUHT standards follow in much of the same vein as WAPI. UHT/
EUHT are Chinese domestic alternatives to the
internationally-accepted
802.11n standard.134 The Chinese claim that UHT/EUHT can coexist
with
802.11.135 However, because UHT/EUHT both operate on the same
frequency
as their 802.11 counterparts, a device operating on one standard may
cause
considerable interference with the transmissions of a device
operating on the
other standard.136 A European information technology standards
organization
concluded that “adequate coexistence between UHT/EUHT standards
based
devices and devices based on standard 802.11 is not possible.”137
The United
States Trade Representative has also expressed concerns about
incompatibility
between UHT/EUHT and 802.11.138<br>
<br>
4G LTE differs from the above standards in that it is designed for
use in
mobile smartphones, as opposed to use in laptops or other larger
devices. 139
The 4G LTE set of standards is developed by the 3rd Generation
Partnership
Project (“3GPP”).140 Although 3GPP is an industry-specific standards
organization, instead of a general formal standards organization
like IEEE,
3GPP controls the 4G LTE standards and promulgates enhancements to
the set,
similar to the various iterations of 802.11x developed by IEEE.141
3GPP
developed 4G LTE in part through recommendations from the Next
Generation
Mobile Networks initiative – of which China Mobile Communications
Corporation is a member.142 With Sprint Corporation’s cessation of
support for
<meta charset="utf-8">
WiMAX in 2012, all American smartphone carriers now support 4G LTE
standards exclusively.143 The market has thus established 4G LTE as
a de facto
hegemon.144<br>
<br>
<meta charset="utf-8">
ZUC is an additional encryption system operating over the top of 4G
LTE.145 The Data Assurance and Communication Security Center (“DCS”)
of
the Chinese Academy of Sciences is developing the standard, and held
the first
international workshop on ZUC in December 2010.146 In 2011, 3GPP
approved
ZUC as one of several voluntary encryption standards.147 In early
2012,
China’s MIIT informally announced that networks and mobile devices
operating on China’s TD-LTE standard must only use
domestic-developed
encryption algorithms, a set that includes ZUC.148 At subsequent
bilateral
negotiations between the US and China, China agreed not to mandate a
specific encryption standard.149 The US Trade Representative is
still closely
<meta charset="utf-8">
monitoring ZUC developments.150<br>
<br>
<br>
<br>
[Long snip on why the WTO is likely to conclude against USA and for
China, citing US - Nicaragua as precedent, and /national security/
as the right of sovereigns to break markets.]<br>
<br>
<br>
<br>
<meta charset="utf-8">
VII. CONCLUSION
A WTO Panel, in a dispute over the Encryption Standards invoking
Article
XXI’s national security exception, is very likely to produce a dual
ruling akin
to the GATT Panel Report in US – Nicaragua: that China has breached
its
obligations, yet that breach is justified under Article XXI’s
national security
exception. Any ruling to the contrary would require the Panel to
ignore the
terms of reference set in US — Nicaragua and rule on the validity or
motivation of China’s invocation of Article XXI. As national
security goes to
the core of a sovereign’s responsibility, the consequences of a new
formal
interpretation of Article XXI would be severe – and beyond the scope
of this
Note.<br>
</body>
</html>