
ENSURING SECURITY AND TRUST IN ELECTRONIC COMMUNICATION
Sorry, I got the URLs wrong, and for some reason the interesting parts of the summary got cut off.

http://www.ispo.cec.be/eif/policy/97503exec.html

ENSURING SECURITY AND TRUST IN ELECTRONIC COMMUNICATION
Towards A European Framework for Digital Signatures And Encryption

EXECUTIVE SUMMARY

Introduction

Open electronic networks such as the Internet are increasingly being used as a platform for communication in our society. They have the capacity to create new businesses, new channels of distribution and new methods of reaching the customer. They also open up opportunities to re-engineer business conduct itself. It is now largely expected that electronic commerce will be one of the key drivers for the development of the global information society. Electronic Commerce presents the European Union with an excellent opportunity to advance its economic integration by means of a "virtual" economic area.

However, the realisation of such developments is hampered by the known insecurities typical of open networks: messages can be intercepted and manipulated, the validity of documents can be denied, personal data can be illicitly collected. As a result, the attractiveness and advantage of electronic commerce and communication cannot be fully exploited. In order to make good use of the commercial opportunities offered by electronic communication via open networks, a more secure environment needs to be established.

Cryptographic technologies are widely recognised as essential tools for security and trust on open networks. Two important applications of cryptography are digital signatures and encryption. Several Member States have announced their intention to introduce specific regulation on cryptography and some have already done so. For instance, Germany and Italy have already moved ahead with digital signature laws. In other Member States internal discussions are taking place, and some tend to refrain, at least for the moment, from any specific regulation at all.
Divergent and restrictive practices with regard to cryptography can be detrimental to the free circulation of goods and services within the Internal Market and hinder the development of electronic commerce. The European Union simply cannot afford a divided regulatory landscape in a field so vital for the economy and society.

The main objectives of this Communication are to develop a European policy, in particular with a view to establishing a common framework for digital signatures, ensuring the functioning of the Internal Market for cryptographic services and products, stimulating a European industry for cryptographic services and products, and stimulating and enabling users in all economic sectors to benefit from the opportunities of the global information society.

As far as timing is concerned, the Commission considers that appropriate measures ought to be in place throughout the Union by the year 2000 at the latest. As a consequence, the Commission intends to come forward with detailed proposals in 1998 after the assessment of comments on this Communication. This is in line with the Communication on Electronic Commerce adopted in April 1997, where the Commission announced the intention to prepare a policy aiming at guaranteeing the free movement of encryption technologies and products, as well as to propose a specific initiative on digital signatures.

Digital Signatures

Some Member States are in the process of introducing voluntary schemes, others mandatory licensing schemes, to build trust in Certification Authorities (CAs) and to encourage legal recognition of digital signatures. Whilst the development of a clear framework is welcomed, different national regulatory approaches and the lack of mutual recognition of each other's regulatory requirements may easily lead, due to the inherent cross-border nature of digital signatures, to a fragmentation of the Internal Market for electronic commerce and on-line services throughout the Union.
In order to stimulate electronic commerce and the competitiveness of the European industry, as well as to facilitate the use of digital signatures across national borders, a common legal framework at Community level is urgently needed. Any regulation in the field of digital signatures must meet two main requirements: on one side, create a clear framework to build trust in digital signatures, and on the other side, be flexible enough to react to new technical developments.

Encryption

Stimulated by the rapid expansion of the Internet, encryption will become an integral part of personal and business computing. Electronic commerce, as well as many other applications of the information society, will only receive acceptance and will only unfold their economic and social benefits if confidentiality can be assured in a user-friendly and cost-efficient way. In open networks, encryption of data is very often the only effective and cost-efficient way of protecting the confidentiality of data and communications.

Law enforcement authorities and national security agencies are concerned that widespread use of encrypted communication will diminish their capability to fight crime or prevent criminal and terrorist activities. For this reason, several Member States are considering regulation on cryptography, in addition to controls on export and intra-Community shipments. This has led to a discussion about the need, technical possibilities, effectiveness, proportionality and privacy implications of such regulations. However, nobody can be effectively prevented from encrypting data (criminals or terrorists can also use encryption for their activities), e.g. by simply downloading strong encryption software from the Internet. As a result, restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not, however, totally prevent criminals from using these technologies.
Proposals for regulation of encryption have generated considerable controversy. Industry expresses major concerns about encryption regulation, including key escrow and key recovery schemes. Although there is a lack of experience, as electronic communication and commerce have only just begun to penetrate the economy and society, this Communication makes some assessments to build a common European understanding of the subject.

Policy actions in the area of digital signatures

The framework urgently needed at European level should include common legal requirements for CAs (in particular common requirements for the establishment and operation of CAs), allowing certificates to be recognised in all Member States. In addition, the Commission will monitor the legal developments in Member States introducing new legislation, with the aim of respecting Internal Market principles, and will encourage Member States to rapidly implement appropriate measures to build trust in digital signatures. In order to achieve the widest possible acceptance of digital signatures, Member States should co-ordinate activities to ensure legal recognition of digital signatures by the year 2000 at the latest. The Commission will evaluate the necessity of providing for the legal recognition of digital signatures at Community level by harmonising different national regulations (e.g. form requirements, evidence rules). The Community and Member States should take part in or initiate a dialogue with international organisations, such as the OECD, the United Nations and the WTO, notably to establish common technical standards and mutual recognition of regulations.

Policy actions in the area of encryption

The EC Treaty and the Treaty on the European Union fully respect the competence of Member States with regard to national security and law enforcement.
To ensure that the development of electronic commerce in the Internal Market is not hindered, and to facilitate the free circulation and use of encryption products and services, the Commission calls upon Member States to avoid disproportionate restrictions. Moreover, the Commission will examine whether restrictions are totally or partially justified, notably with respect to:

* the free circulation provisions of the Treaty, in particular Articles 30, 36, 52, 56 and 59,
* the principle of proportionality,
* the Council Directive 83/189/EEC of 28.3.1993 laying down a procedure for the provision of information in the field of technical standards and regulations, and
* the EU Directive 95/46/EC of 24.10.95 on the protection of personal data.

The Commission also believes that it will be important for Member States to distinguish "digital signature services" from "encryption services", because different rules and different goals separate these two aspects.

Additional measures:

* Adapting the Dual Use Regulation (CE) 3381/94 in view of the requirements of the cryptographic products market;
* Improving the co-operation of police forces at a European and international level;
* Working towards international agreements between the Community and other countries because of the global dimension of electronic communications and commerce.

Accompanying measures

* Encouraging industry and international standards organisations to develop interoperable technical and infrastructure standards for digital signatures and encryption to ensure secure and trustworthy use of networks.
* Proposal of a Council and Parliament Decision for an INFOSEC II programme building on the INFOSEC programme carried out from 1992 until 1994. Such a programme would aim at developing overall strategies for the security of electronic communications, in particular with a view to providing the user with appropriate protection systems.
* Continuation of the current projects in the field of digital signatures and encryption within the 4th framework programme for Community activities in the field of research and technological development (1994 - 1998) and launching of new projects within the 5th framework programme (1998 - 2002).
* Support of the use of digital signatures and encryption in EU services and government administrations.
* Setting up of a European Internet-Forum in 1997 as a means to inform and exchange information on the regulatory and use aspects of digital signatures and encryption.
* Organisation of an international hearing on "digital signature and encryption" at the beginning of 1998.

Timeframe

4.Q./1997: European Internet-Forum
4.Q./1997: Commission proposal to amend the Dual-Use Regulation
1.Q./1998: International hearing
1.Q./1998: Assessment of the comments on the Communication, the results of the Internet-Forum and the international hearing
2.Q./1998: Proposal for further action (e.g. Directive on digital signatures)
2.Q./1998: Proposal for an Infosec II programme
1998-2002: Projects within the 5th framework programme
by 2000: Common framework on cryptography put in place throughout the Union