
9 October 1997
Source: The New York Times, October 9, 1997, p. D4

Europeans Reject U.S. Plan On Electronic Cryptography

Threats to Privacy and Commerce Are Cited

By Edmund L. Andrews

Frankfurt, Oct. 8 -- The European Commission has rejected proposals by the United States aimed at insuring that police agencies can crack coded messages over telephone and computer networks.

In a lengthy report released today, the European Commission said the American approach could threaten privacy and stifle the growth of electronic commerce and that it might simply be ineffective.

The report appears to all but doom efforts by the Clinton Administration and the Federal Bureau of Investigation to establish a global system in which people who use cryptography would have to deposit a "key" for unlocking their codes with an independent outside organization. As envisioned, the police or intelligence agents would be able to use this key once they got court approval to carry out a wiretap.

The plan has been vigorously opposed by the computer industry, which fears that it would jeopardize sales to foreign customers.

Because of the Internet's borderless nature, American officials have long acknowledged that their plan is workable only if most other countries adopt similar systems. If not, people could simply route their communications through countries with no restrictions.

The White House had already run into heavy opposition from civil rights groups, the computer industry and Congressional Republicans. And earlier this year, the United States failed to muster any support for its plan from the Organization for Economic Cooperation and Development, a consortium backed by more than 40 countries.

But the European Commission's blunt opposition, reported today in The Wall Street Journal, went considerably further, raising a slew of objections to "key recovery" and "key escrow" systems. Among them were these:

+ Hackers could find new ways to breach security. "Inevitably, any key access scheme introduces additional ways to break into a cryptographic system," the report said.

+ The systems could weaken European data-privacy laws. "Any regulation hindering the use of encryption products," the report said, "hinders the secure and free flow of personal information."

+ Even with a "key escrow" or "key recovery" system, criminals cannot be entirely prevented from using strong encryption.

More broadly, the European Commission said, any kind of key-based system could jeopardize the rise of electronic commerce.

"If citizens and companies have to fear that their communication and transactions are monitored with the help of key access or similar schemes," the report said, "they may prefer remaining in the anonymous off-line world."

American officials did not disguise their disappointment, and challenged the Europeans to come up with better alternatives.

"I am a little surprised," said William Reinsch, Deputy Secretary of Commerce in charge of export administration. "My question to the European Commission is, where do they think the market is going? Our sense is that corporations engaged in electronic commerce want key recovery in some form, because they want to recover their own records and to monitor their own employees."

Beyond high-minded policy issues, European officials quietly acknowledge that they have political and economic concerns. For one thing, several countries do not like the idea of deferring to an American system that might allow American companies to dominate the next generation of security products.

The German Government, meanwhile, is worried that American authorities might have improper access to data on German users -- possibly violating Germany's tough new laws on data protection.

But the European Union is far from united. Britain has generally sided with the United States in supporting an international system for regulating data encryption.

Indeed, the European Commission remained vague about what alternatives to the American system it might actually favor, nor does the report attempt to block member countries from setting up key-based systems if they want to.

American computer and software companies greeted the European policy declaration as a victory.

"Even the hard-line Governments, the U.S. and the United Kingdom, have said that any cryptography restrictions have to be internationally coordinated because otherwise you can just download material from another country," said Chris Kuner, a lawyer in Frankfurt who represents Netscape Communications and other networking companies in Europe.

"This shows that Europe does not agree with the idea of mandatory key recovery. This idea that is the only possible regulatory framework for the world has been clearly rejected."

[End]

In a lengthy report released today, the European Commission said the American approach could threaten privacy and stifle the growth of electronic commerce and that it might simply be ineffective.
Theodor Schlickmann of the Commission's DG13 posted the URL:
http://www.ispo.cec.be/eif/policy/970503toc.html

Executive summary from http://www.ispo.cec.be/eif/policy/970503exec.html follows:

ENSURING SECURITY AND TRUST IN ELECTRONIC COMMUNICATION
Towards A European Framework for Digital Signatures And Encryption

EXECUTIVE SUMMARY

Introduction

Open electronic networks such as the Internet are increasingly being used as a platform for communication in our society. They have the capacity to create new businesses, new channels of distribution and new methods of reaching the customer. They also open up opportunities to re-engineer business conduct itself. It is now largely expected that electronic commerce will be one of the key drivers for the development of the global information society. Electronic Commerce presents the European Union with an excellent opportunity to advance its economic integration by means of a "virtual" economic area.

However, the realisation of such developments are hampered by the noticed insecurities typical to open networks: messages can be intercepted and manipulated, the validity of documents can be denied, personal data can be illicitly collected. As a result, the attractiveness and advantage of electronic commerce and communication cannot be fully exploited.

In order to make good use of the commercial opportunities offered by electronic communication via open networks, a more secure environment needs to be established. Cryptographic technologies are widely recognised as essential tools for security and trust on open networks. Two important applications of cryptography are digital signatures and encryption.

Several Member States announced their intentions to introduce specific regulation on cryptography and some already have done so. For instance, Germany and Italy already moved ahead with digital signature laws. In other Member States internal discussions are taking place, and some tend to refrain, at least for the moment, from any specific regulation at all.

Divergent and restrictive practices with regard to cryptography can be detrimental to the free circulation of goods and services within the Internal Market and hinder the development of electronic commerce. The European Union simply cannot afford a divided regulatory landscape in a field so vital for the economy and society.

The main objectives of this Communication are to develop a European policy in particular with a view to establishing a common framework for digital signatures, ensuring the functioning of the Internal Market for cryptographic services and products, stimulating a European industry for cryptographic services and products and stimulating and enabling users in all economical sectors to benefit from the opportunities of the global information society.

As far as timing is concerned, the Commission considers that appropriate measures ought to be in place throughout the Union by the year 2000 at the latest. As a consequence, the Commission intends to come forward with detailed proposals in 1998 after the assessment of comments on this Communication. This is in line with the April 1997 adopted Communication on Electronic Commerce, where the Commission announced the intention to prepare a policy aiming at guaranteeing the free movement of encryption technologies and products, as well as to propose a specific initiative on digital signatures

ENSURING SECURITY AND TRUST IN ELECTRONIC COMMUNICATION
Sorry, I got the URLs wrong, and for some reasons the interesting parts of the summary got cut off.

http://www.ispo.cec.be/eif/policy/97503exec.html

ENSURING SECURITY AND TRUST IN ELECTRONIC COMMUNICATION
Towards A European Framework for Digital Signatures And Encryption

EXECUTIVE SUMMARY

Introduction

Open electronic networks such as the Internet are increasingly being used as a platform for communication in our society. They have the capacity to create new businesses, new channels of distribution and new methods of reaching the customer. They also open up opportunities to re-engineer business conduct itself. It is now largely expected that electronic commerce will be one of the key drivers for the development of the global information society. Electronic Commerce presents the European Union with an excellent opportunity to advance its economic integration by means of a "virtual" economic area.

However, the realisation of such developments are hampered by the noticed insecurities typical to open networks: messages can be intercepted and manipulated, the validity of documents can be denied, personal data can be illicitly collected. As a result, the attractiveness and advantage of electronic commerce and communication cannot be fully exploited.

In order to make good use of the commercial opportunities offered by electronic communication via open networks, a more secure environment needs to be established. Cryptographic technologies are widely recognised as essential tools for security and trust on open networks. Two important applications of cryptography are digital signatures and encryption.

Several Member States announced their intentions to introduce specific regulation on cryptography and some already have done so. For instance, Germany and Italy already moved ahead with digital signature laws. In other Member States internal discussions are taking place, and some tend to refrain, at least for the moment, from any specific regulation at all.

Divergent and restrictive practices with regard to cryptography can be detrimental to the free circulation of goods and services within the Internal Market and hinder the development of electronic commerce. The European Union simply cannot afford a divided regulatory landscape in a field so vital for the economy and society.

The main objectives of this Communication are to develop a European policy in particular with a view to establishing a common framework for digital signatures, ensuring the functioning of the Internal Market for cryptographic services and products, stimulating a European industry for cryptographic services and products and stimulating and enabling users in all economical sectors to benefit from the opportunities of the global information society.

As far as timing is concerned, the Commission considers that appropriate measures ought to be in place throughout the Union by the year 2000 at the latest. As a consequence, the Commission intends to come forward with detailed proposals in 1998 after the assessment of comments on this Communication. This is in line with the April 1997 adopted Communication on Electronic Commerce, where the Commission announced the intention to prepare a policy aiming at guaranteeing the free movement of encryption technologies and products, as well as to propose a specific initiative on digital signatures.

Digital Signatures

Some Member States are in the process of introducing voluntary schemes, others of mandatory licensing schemes to build trust in Certification Authorities (CAs) and to encourage legal recognition of digital signatures. Whilst the development of a clear framework is welcomed, different national regulatory approaches and the lack of mutual recognition of each others regulatory requirements may easily lead, due to the inherent cross-border nature of digital signatures, to a fragmentation of the Internal Market for electronic commerce and on-line services throughout the Union.

In order to stimulate electronic commerce and the competitiveness of the European industry as well as to facilitate the use of digital signatures across national borders, a common legal framework at Community level is urgently needed.

Any regulation in the field of digital signatures must meet two main requirements: create a clear framework to build trust in digital signatures on one side and be flexible enough to react to new technical developments on the other side.

Encryption

Stimulated by the rapid expansion of the Internet encryption will become an integral part of personal and business computing. Electronic commerce as well as many other applications of the information society will only receive acceptance and will only unfold their economic and social benefits if confidentiality can be assured in a user-friendly and cost-efficient way. In open networks, encryption of data is very often the only effective and cost-efficient way of protecting confidentiality of data and communications.

Law enforcement authorities and national security agencies are concerned that wide-spread use of encrypted communication will diminish their capability to fight against crime or prevent criminal and terrorist activities. For this reason, there are reflections in several Member States to establish regulation on cryptography, in addition to controls on export and intra-Community shipments. This has led to a discussion about the need, technical possibilities, effectiveness, proportionality and privacy implications of such regulations.

However, nobody can be effectively prevented from encrypting data (criminals or terrorists also can use encryption for their activities), e.g. by simply downloading strong encryption software from the Internet. As a result restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not however prevent totally criminals from using these technologies.

Proposals for regulation of encryption have generated considerable controversy. Industry expresses major concerns about encryption regulation, including key escrow and key recovery schemes. Although there is a lack of experience, as electronic communication and commerce have just begun to penetrate economy and society, this Communication makes some assessments to build a common European understanding of the subject.

Policy actions in the area of digital signatures

The at European level urgently needed framework should include common legal requirements for CAs (in particular common requirements for the establishment and operation of CAs) allowing certificates to be recognised in all Member States.

In addition, the Commission will monitor the legal developments in Member States introducing new legislation with the aim to respect Internal Market principles and will encourage Member States to rapidly implement appropriate measures to build trust in digital signatures.

In order to achieve as wide as possible acceptance of digital signatures Member States should co-ordinate activities to ensure legal recognition of digital signatures at the latest by the year 2000. The Commission will evaluate the necessity to provide for the legal recognition of digital signatures at Community level by harmonising different national regulation (e.g. form requirements, evidence rules).

The Community and Member States should take part in or initiate a dialogue with international organisations, such as the OECD, the United Nations and the WTO, notably to establish common technical standards and mutual recognition of regulations.

Policy actions in the area of encryption

The EC Treaty and the Treaty on the European Union fully respect the competence of Member States with regard to national security and law enforcement.

To ensure that the development of electronic commerce in the Internal Market is not hindered and to facilitate the free circulation and use of encryption products and services the Commission calls upon Member States to avoid disproportionate restrictions. Moreover the Commission will examine whether restrictions are totally or partially justified, notably with respect to:

* the free circulation provisions of the Treaty, in particular Articles 30, 36, 52, 56 and 59,
* the principle of proportionality,
* the Council Directive 83/189/EEC of 28.3.1993 laying down a procedure for the provision of information in the field of technical standards and regulations and
* the EU Directive 95/46/EC of 24.10.95 on the protection of personal data.

The Commission also believes that it will be important for Member States to distinguish "digital signature services" from "encryption services", because different rules and different goals separate these two aspects.

Additional measures:

* Adapting the Dual Use Regulation (CE) 3381/94 in view of the requirements for the cryptographic products market;
* Improving the co-operation of police forces on a European and international level;
* Working towards international agreements between the Community and other countries because of the global dimension of electronic communications and commerce.

Accompanying measures

* Encouraging industry and international standards organisations to develop interoperable technical and infrastructure standards for digital signatures and encryption to ensure secure and trustworthy use of networks.
* Proposal of a Council and Parliament Decision for an INFOSEC II programme building on the INFOSEC programme carried out from 1992 until 1994. Such a programme would aim at developing overall strategies for the security of electronic communications, in particular with a view to provide the user with appropriate protection systems.
* Continuing of the current projects in the field of digital signatures and encryption within the 4th framework programme for Community activities in the field of research and technological development (1994 - 1998) and launching of new projects within the 5th framework programme (1998 - 2002).
* Support of the use of digital signatures and encryption in EU services and government administrations.
* Setting up of an European Internet-Forum in 1997 as a means to inform and exchange information on the regulatory and use aspects of digital signatures and encryption.
* Organisation of an international hearing on "digital signature and encryption" beginning of 1998.

Timeframe

4.Q./1997: European Internet-Forum
4.Q./1997: Commission proposal to amend the Dual-Use Regulation
1.Q./1998: International hearing
1.Q./1998: Assessment of the comments on the Communication, the results of the Internet-Forum and the international hearing
2.Q./1998: Proposal for further action (e.g. Directive on digital signatures)
2.Q./1998: Proposal for an Infosec II programme
1998-2002: Projects within the 5th framework programme
by 2000: Common framework on cryptography put in place throughout the Union
participants (2)
- John Young
- ulf@fitug.de