22 September 1997
Source: Mail list firstname.lastname@example.org
From: Brian Gladman <email@example.com> To: UK Crypto List <firstname.lastname@example.org> Subject: European Crypto Policy Article Date: Mon, 22 Sep 1997 20:02:58 +0100 For those who have not seen it! Brian The following article appears in the 22 September 1997 edition of Communications Week International: Europe to resist U.S. cryptography policy By Kenneth Neil Cukier BRUSSELS -- Europe plans to use privacy and free trade laws to resist cryptography policies promoted internationally by the United States. And initial results of European trials designed to test the practicability of storing users' private encryption keys in so-called "trusted third party" (TTP) databases suggest such systems may in any case be unworkable, according to European Commission officials. The trials have cast doubt on the systems' scalability, cost and legality. Ulrich Sandl, responsible for cryptography policy at the German Ministry of Economics, said last week that the operation of trusted third party systems may be illegal in Germany or Europe as a whole. "There is a real prospect that [products based on] the U.S. policy is a violation of our privacy laws, with severe consequences," he told a conference of European officials, cryptographers and industry executives in Brussels. This combination of legal and technological factors, said an EC official, will lead the EC to "not endorse" key recovery in a report to be distributed at a Council of Commissioners meeting on 1 October by commissioners Martin Bangemann and Mario Monti, the heads of directorate general XIII for telecoms matters and DG XV for internal market and data protection respectively. The official, like seven others interviewed for this article, asked not to be named, citing the controversial nature of the issue. "I am under terrible internal pressure here," said one source. The report's existence is public knowledge. Detlef Eckert, an adviser at DG XIII, said at the conference that it will recommend policies be transparent, free of bureaucratic burdens for users, and promote the free-flow of products within Europe, but he declined to discuss whether the matter of key recovery is treated. The report, an EC "communication," is expected to call on Europe to develop cryptography policies that are driven by consumer choice rather than law enforcement concerns, according to people from national governments, industry, and the EC who are familiar with the document. It will also urge EC nations to develop uniform legal recognition for digital signatures. Significantly, the EC's paper does not oppose key recovery -- likely to be referred to as "key escrow" in the final draft -- outright, since France is pursuing such a policy and the United Kingdom is divided over the matter. Instead, it calls for "effective and proportionate" policies -- diplomatic wording meant to underscore that a key recovery policy is neither, said an EC official. The communication would represent the most concrete sign that Europe intends to resist U.S. policy designed to create a system of international accords on key recovery for law enforcement. It comes alongside the United States' unexpected lurch towards heavy domestic and international encryption controls by Congress and the Federal Bureau of Investigation. Although a communication is a low-level policy paper, it is often used as the first step towards developing formal policies. Officials say it is meant to rally Europe to resist key recovery policies. And they say that France's cryptography laws, if enacted, pose free-trade concerns since they stipulate only French-controlled entities can run national TTPs, which may force a showdown at the EC. The paper is also significant because it diverges dramatically from an unpublished EC report, due in September 1996, that was said to lean heavily in favor of crypto restrictions. And it completely contradicts a Council of Europe declaration in September 1995 that sought to outlaw cryptography without law enforcement access (CWI, 18 September 1995). The Council of Europe, an intergovernmental organization separate from the EU, has no powers to enforce recommendations. The EC's reluctance to support key recovery is partly motivated by the results of tests involving TTPs (CWI, 17 February). Four separate projects have proven TTPs are technical, commercial and legal failures, said an EC official. The X.509-style directory system has a hierarchical rather than network structure, meaning that it is difficult to deploy on a mass basis. The TTPs' expenses have also encountered cost overruns from initial projections. Matt Blaze, one of the world's leading cryptographers and a researcher at AT&T in Murray Hill, New Jersey, concurs with the EC's findings. "On a large scale, they [key recovery systems] break down completely. Some key recovery policies don't even work on a small scale," he said. The only publicly-available TTP operating in the United States today uses technology from Trusted Information Systems Inc. and is run by Oakland, California-based SourceFile, a subsidiary of FileSafe Corp. SourceFile president Tom Morehouse acknowledges that his system has yet to be stretched to the point where any scalability problems would become apparent: "We are getting ready to test [the system] with a large number of customers, but we haven't yet." Some observers say the EC's impact is marginal. "The EC doesn't have law enforcement or national security responsibilities, so it's not surprising if that isn't their highest priority when looking at the crypto question," said Stewart Baker, a lawyer specializing in cypto issues with Steptoe & Johnson in Washington DC. "They have electronic commerce and commercial interests in mind." But an EC official countered: "The Commission has the right to protect the internal market." He noted that "to protect privacy" and "to protect from industrial espionage" are matters that fall under the EC's mandate. Another official, when asked if the EC would ban U.S. products with key recovery on these basis, interrupted saying: "Use European products! The more U.S. export controls, the better it is for us. We have the technology and we have the knowledge." U.S. crypto vendors felt their position was vindicated. "[U.S.] industry and privacy advocates can use this development to educate members of Congress who still believe that Europe is following the United States," said Peter Harter, chief public policy counsel at Netscape Communications Corp.