13 March 1998: Add more comments
11 March 1998: Add comments

10 March 1998

EU Plans Decryption Ban

To: cypherpunks@cyberpass.net
Subject: EU plans decryption ban
Date: Mon, 09 Mar 1998 23:26:15 +0000
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>

After government attempts to ban unrestricted encryption, we are
now facing a decryption ban

Industry lobbyist groups have managed to persuade the European
Commission to introduce rather radical new legislation for protecting
pay-TV broadcasters against unauthorized reception by consumers. Not
only the commercial advertising and sale of pirate devices is to be
prohibited (this has already been the case in a number of member
countries and is perfectly acceptable), but also the private possession or
use of clone decoders as well as any private exchange of information about
the security properties of pay-TV encryption systems will become illegal
and punishable under the planned EU conditional access directive. 

This constitutes a serious cut in the existing right of for example German
consumers to handle satellite radio signals received on their premises in
any way they want. It would also ban the use of non-commercial software
currently available freely on the Internet to receive say UK TV programs
in Central Europe for which a normal subscription is not at all available
outside the UK. It also denies security experts and hobby electronic fans to
experiment with access control systems and discuss their results publicly.
Existing Internet Web pages and discussion groups would suddenly become
criminal offenses and industry would have managed to legally ban public
discussion of weaknesses in their systems. The conditional access industry
will use your tax money and the legal system to compensate the technical
flaws in the designs of their security hardware. I feel this is a highly
concerning development of how industry consortias are gaining power over
consumer rights and I ask my representatives in the European and
German parliaments not to pass this EU directive. 

Commercial TV broadcasters and multimedia service providers should use
the available highly effective technical means to protect their revenue
and not the legal system. The proposed legal protection is unproportional
and unnecessary. It is also counterproductive for the further technical
advance of secure communication systems.

For more information, read



Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org,  home page: <http://www.cl.cam.ac.uk/~mgk25/>

Date: Mon, 9 Mar 1998 21:29:46 -0500 From: Dave Emery <die@die.com> To: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk> Cc: cypherpunks@toad.com Subject: Re: EU plans decryption ban On Mon, Mar 09, 1998 at 11:26:15PM +0000, Markus Kuhn wrote: > After government attempts to ban unrestricted encryption, we are > now facing a decryption ban > > Industry lobbyist groups have managed to persuade the European > Commission to introduce rather radical new legislation for protecting > pay-TV broadcasters against unauthorized reception by consumers. Not > only the commercial advertising and sale of pirate devices is to be > prohibited (this has already been the case in a number of member > countries and is perfectly acceptable), but also the private possession or > use of clone decoders as well as any private exchange of information about > the security properties of pay-TV encryption systems will become illegal > and punishable under the planned EU conditional access directive. > In the US there is not yet a ban on exchange of information because of the potential first amendment issues, but there are (and have been since the late 1980s) felony level bans with $500,000 fines for each incident on the manufacture, assembly, modification, import, export, sale and distribution of any device or equipment primarily of assistance in the unauthorized decryption of satellite cable programming or direct to home satellite. And unauthorized interception of radio signals including satellite video transmissions that are scrambled or encrypted can be prosecuted under current law as a felony. -- Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass. PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
To: ukcrypto@maillist.ox.ac.uk Subject: Unpleasant EU move on encryption Date: Tue, 10 Mar 1998 15:49:52 +0000 From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk> The EU is about to issue a wide-ranging directive to ban unauthorised decryption of commercial traffic. This is a result of lobbying by Rupert Murdoch; its stated goal was to make it illegal to sell pirate TV decoders. The overt justification was the difficulty Murdoch had in the 1980's and early 90's in closing down pirate pay-TV operators in Ireland and Germany. That problem has now been fixed but the EU machine still grinds on towards a directive. Until very recently, the proposed directive: <http://www.cl.cam.ac.uk/~mgk25/ca-law/COM-97-356.pdf> just covered pirate decoding devices made available for sale. However, the DVB lobby wanted it toughened up still further: <http://www.dvb.org/dvb_news/dvb_pr042.htm> and they managed to get an amendment quietly put through the European parliament last month: <http://www.cl.cam.ac.uk/~mgk25/ca-law/anast-report.pdf> according to which member states will have to criminalise the "... provision of information concerning activities and measures facilitating unauthorized access" (page 8, Amendment 12, c2). The problem this poses the IT community is threefold. (1) As the proposed directive also covers electronic shopping, member states will have to make it an offence to break 40-bit SSL keys (or even to own a copy of Bruce Schneier's SSL-breaking screensaver :-). By extending it to cover the provision of information, the amendment could result in attendees at conferences such as Eurocrypt becoming criminals. This would make it impossible to hold security conferences in Europe. It would certainly make my web page illegal (papers such as `Tamper Resistance - A Cautionary Note' and `Why Cryptosystems Fail' would be contraband). It might even become an offence for people supervising computer science here at Cambridge to help undergraduates with the solution of past exam questions. (2) Furthermore, the amendment extends the scope of the directive from payment systems to encompass all technical means whereby access to a service is made conditional on a prior individual authorisation by the service provider. So I might be liable to prison for having made my .netscape/cookies file read-only; my mail filter might also get me into trouble. (There could be a conflict of laws here as filtering measures undertaken by European ISPs to comply with EU data protection and obscenity laws might be illegal under the amended directive.) (3) If Murdoch gets away with all this - or even with the original, unamended, directive - then the DTI/GCHQ/NSA people can argue that 40 bit crypto is enough: `if you merely want to protect commercial transactions, strong laws are more effective that strong algorithms. People attack systems like pay-TV because the penalties are perceived to be light or non-existent; they don't attack the (much weaker) funds transfer systems used by banks as even an attempt gets you jail time.' This argument didn't cut much ice with Vladimir Levin, but there is a strong technophobic consitituency in government that believes in legal fixes for everything and which will love the spooks' argument. Anyway, the main effect of this directive will be to put a serious damper on research, development and the commercial exploitation of cryptography and systems based on it throughout the whole community (which the spooks will also like). In the process, it will hand billions of ECU worth of business to the Americans on a plate. There is resistance to it on these grounds even in the Commission (the amendment was faxed to us yesterday by an EU insider who wants to raise the alarm). See <http://www.cl.cam.ac.uk/~mgk25/ca-law/> for more details. Ross
Date: Wed, 11 Mar 1998 10:54:54 +0000 From: Geoffrey Leeming <geoffrey@jcp.co.uk> To: ukcrypto@maillist.ox.ac.uk Subject: Re: Unpleasant EU move on encryption Well, I read Ross's email with mounting scepticism, and as I read the directive I thought he was going off the deep end a bit, as the directive seems to be quite well targetted, and clearly defines the scope NOT to include "the confidentiality of private communications and the security of financial transactions". However, having read the amendment, I apologise to Ross for the momentary doubt. It does, indeed, appear to attempt to outlaw the study and tuition of cryptanalysis under Amendment 12(c3). It also amends the definition of "illicit device" to include any equipment or software "... which in any way enables such unauthorised access", which clearly includes cryptanalytic tools such as Schneier's screensaver. He and his 'EU insider' are right to want to raise the alarm. Seeing as the deadlines for objections are reasonably close (March 18th is the first deadline), who is going to voice an objection? Is it worth attempting to interest the media in this? Crypto may be too technical a subject for most broadcasters, but "EU outlaws Mathematicians" would make a nice headline! If this is a Murdoch-sponsored amendment as Ross implies, the various members of the anti-Murdoch media (Guardian & BBC immediately spring to mind) might be interested in having a pop. Ross Anderson wrote: [copy of message omitted]
From: "Brown, R Ken" <brownrk1@texaco.com> To: "'ukcrypto@maillist.ox.ac.uk'" <ukcrypto@maillist.ox.ac.uk> Subject: RE: Unpleasant EU move on encryption Date: Wed, 11 Mar 1998 06:03:23 -0600 It looks even worse than Ross said: I'm no lawyer but amendment 12 (c1) "Member states shall prohibit on their territory [...] the advertising and provision of information concerning the manufacture, import, sale and availability in general of illicit devices" sounds as if it could ban any discussion at all about decoders? Even the DVB's own website <http://www.dvb.org/dvb_news/dvb_pr042.htm> provides information about the "manufacture, import, sale and availability" of the devices - if only their claim that they are over 200 million quid short this year. > Surely they can't mean that? Maybe the amenders don't want the law > passed & so are making it obviously unreasonable? (OK, that's probably > paranoia brought about by reading Trollope over 140 years ago has the > government proposing a bill to allow Protestant clergymen to inspect the > clothing of nuns, in order to provoke Irish Catholic MPs to walk out of > Parliament, so that they can get an unpopular free trade bill > through...) > > > Ross Anderson wrote: [snip]
Date: Wed, 11 Mar 1998 13:25:00 +0000 From: Hendon David <David.Hendon@CIID.dti.gov.uk> (Tel 0171 2151779) To: UKcrypto-outgoing@maillist.ox.ac.uk (Receipt Notification Requested) (Non Receipt Notification Requested) Subject: Re:Unpleasant EU Move on encryption I hesitate to enter this debate, but here goes anyway. First of all, let me say that the directive that Ross mentions is nothing to do with me and is being handled in another bit of DTI as a copyright protection measure. As the guy in DTI responsible for encryption policy though, I would be just as concerned as Ross if the outcome was as he describes. I haven't looked at the documents yet. I gather that the state of negotiation of this directive is that it is under-going its first reading in the Council and the European Parliament (EP). Under the Mastricht co-decision procedure, such directives are decided jointly by both institutions, the Council and the Parliament. The co-decision procedure is as arcane a procedure as I ever met in 30 years in the civil service, but the interesting bit for the moment is what happens to EP amendments. Basically, the Council of Ministers - in this case the Internal Market Council (in practice a working group of experts at my level or lower) and the Parliament (a working group of MEPs) separately consider the text as proposed by the European Commission. Normally both the Council working group and the Parliamentary Group propose amendments to the text. Once the Plenary of the Parliament has approved the amendments, the Council and the Commission decide whether to accept them. The Council adopts as a "common position" a text which subsequently goes again to the EP for a second reading. The EP can propose further amendments and it all gets very difficult then if people don't agree what should go into the text. I will save all that stuff for later. It will certainly be many months away. So if you want to kick into touch amendments proposed in a working group of the EP, you need to persuade the MEPs who are in the working group or, even better, the rapporteur for the directive. I don't know who it is at the moment, but I can find out. If the amendments stay in the report of the group, then the next chance is to get them kicked out when the report of the Group is accepted by the superior committee. I don't know for sure which this is, but it is probably what is called EMAC (I think this is economic and monetary affairs committee - they certainly deal with all the telecomms stuff). If the amendments stay in there, then you need to lobby the members of the EP themselves. You need to get academics in other countries lobbying their MEPs as well, because it wouldn't be enough to convince all UK MEPs. Even if the EP adopt the amendments, it is by no means certain that the Council of Ministers will agree and even if they do the first time round, there is another chance to get the EP to change its position at the second reading. On the face of it, and knowing quite well what other countries' Governments think about encryption, I should have thought the Council of Ministers would never accept these amendments if they really do have the consequences that Ross has outlines because of the implications for European industry in the future. By the way, the common position in the Council can't be before May and the second reading in the EP therefore won't be until the autumn, so there is quite a bit of time to sort this out. I wouldn't hang about though. It is easier to sort out contentious suggestions as they are made, than months later when they have achieved some sort of status. Hope this helps. David Hendon
Date: Fri, 13 Mar 1998 17:16:00 +0000 From: Hendon David <David.Hendon@CIID.dti.gov.uk> (Tel 0171 2151779) To: UKcrypto@maillist.ox.ac.uk Subject: Re:Re:Unpleasant EU Move Hi everyone Further to my posting a couple of days ago, responding to Ross' concerns about possible European Parliament amandments to the draft directive on legal protection of copyright, I have done a bit of digging. Its the Legal Affairs Committee of the EP which is considering the amendments and the rapporteur is Giorgios Anastassopoulos. I presume, but don't know, that he is a Greek :-) Anyway, the amendment won't be voted in the Legal Affairs Committee until 14/15 April, so there is a bit of time to lobby MEPs if you want. Having talked to the people concerned here, I gather the DTI won't be supporting that particular EP amendment once it gets to the Council and we don't think the European Commission will either. We have already lobbied the UK members of the EP Committee. Anyone know any Greek companies or academics who could have a word with Mr A? David Hendon
To: UKcrypto@maillist.ox.ac.uk Subject: Re: Unpleasant EU Move Date: Fri, 13 Mar 1998 19:41:19 +0000 From: Stefek Zaba <sjmz@hplb.hpl.hp.com> Further to Ross' and Devid Hendon's digging - I too have dug a little, and found that the scope of this Directive does indeed cover a *very* *great* *deal* more than just conditional-access TV. The body of the draft describes, at Definitions (Amendment 7, p.6) the scope as including "Information Society Services within the meaning of Article 1 2 of Council Directive 83/189/EEC, as amended". [Incidentally, the EU appears to be in the frame for a document numbering problem in about 60? years' time, since it uses 2-digit yearnums for its document-id scheme :-)]. Searching the europa.eu.int website reveals the relevant definition of "Information Society Services" to apparently be: all existing or new types of services that will be provided at a distance, by electronic means and on the individualised request of a service receiver. This definition of "service" would cover, for example, on-line professional services (e.g. solicitors, estate agents, stockbrokers, insurance, health care, travel agents), interactive entertainment (e.g. video on demand, on-line video-games, virtual visits to museums), on-line information (e.g. electronic libraries and newspapers, financial information), virtual shopping malls and distance learning services. Reference: http://europa.eu.int/comm/dg15/en/media/infso/1054.htm - I haven't found the "directive on a transparency mechanism for Information Society services" itself, however. The definition goes on to say that broadcast services are *not* covered under the meaning of "Information Society services" - those are, however, covered by this Directive since p.6 shows the categories to be ORed. It goes on further to say that on-line financial services are covered too, though the specific matter the "transparency mechanism" Directive covers does not apply in the same way to these. Given the breadth of this definition, I don't see Ross's position as misplaced at all. It means that *any* discussion, probing, demonstrations of insecurity, etc., of the security measures for any "information society services" - basically any targetted-to-the-individual on-line transaction - would be outlawed. <sarcasm strength=high> That's a really good way to ensure the fielded strength of security mechanisms. The experience of decades in fielding systems has shown that open review is profoundly bad for increasing effective system security, and that documentation of failures leads merely to criminal exploitation but does not advance the state of the art. </sarcasm> I'm writing to my MEP this weekend - as if I didn't have a *life* to live! I'll make sure he knows the UK DTI is *not* supporting this particular amendment. (David - thanks for your postings to this list on this issue. Is "not supporting" an accurate and as-strong-as-is-consistent-with-reality reflection of DTI opinion, or can the DTI position be reasonably said to be one of active opposition?) Cheers, Stefek