22 September 1997
Source: Mail list ukcrypto@maillist.ox.ac.uk
From: Brian Gladman <gladman@seven77.demon.co.uk>
To: UK Crypto List <ukcrypto@maillist.ox.ac.uk>
Subject: European Crypto Policy Article
Date: Mon, 22 Sep 1997 20:02:58 +0100

For those who have not seen it!

Brian

The following article appears in the 22 September 1997 edition of Communications Week International:

Europe to resist U.S. cryptography policy

By Kenneth Neil Cukier

BRUSSELS -- Europe plans to use privacy and free trade laws to resist cryptography policies promoted internationally by the United States.

And initial results of European trials designed to test the practicability of storing users' private encryption keys in so-called "trusted third party" (TTP) databases suggest such systems may in any case be unworkable, according to European Commission officials. The trials have cast doubt on the systems' scalability, cost and legality.

Ulrich Sandl, responsible for cryptography policy at the German Ministry of Economics, said last week that the operation of trusted third party systems may be illegal in Germany or Europe as a whole. "There is a real prospect that [products based on] the U.S. policy is a violation of our privacy laws, with severe consequences," he told a conference of European officials, cryptographers and industry executives in Brussels.

This combination of legal and technological factors, said an EC official, will lead the EC to "not endorse" key recovery in a report to be distributed at a Council of Commissioners meeting on 1 October by commissioners Martin Bangemann and Mario Monti, the heads of directorate general XIII for telecoms matters and DG XV for internal market and data protection respectively.

The official, like seven others interviewed for this article, asked not to be named, citing the controversial nature of the issue. "I am under terrible internal pressure here," said one source.

The report's existence is public knowledge.
Detlef Eckert, an adviser at DG XIII, said at the conference that it will recommend policies be transparent, free of bureaucratic burdens for users, and promote the free-flow of products within Europe, but he declined to discuss whether the matter of key recovery is treated.

The report, an EC "communication," is expected to call on Europe to develop cryptography policies that are driven by consumer choice rather than law enforcement concerns, according to people from national governments, industry, and the EC who are familiar with the document. It will also urge EC nations to develop uniform legal recognition for digital signatures.

Significantly, the EC's paper does not oppose key recovery -- likely to be referred to as "key escrow" in the final draft -- outright, since France is pursuing such a policy and the United Kingdom is divided over the matter. Instead, it calls for "effective and proportionate" policies -- diplomatic wording meant to underscore that a key recovery policy is neither, said an EC official.

The communication would represent the most concrete sign that Europe intends to resist U.S. policy designed to create a system of international accords on key recovery for law enforcement. It comes alongside the United States' unexpected lurch towards heavy domestic and international encryption controls by Congress and the Federal Bureau of Investigation.

Although a communication is a low-level policy paper, it is often used as the first step towards developing formal policies. Officials say it is meant to rally Europe to resist key recovery policies. And they say that France's cryptography laws, if enacted, pose free-trade concerns since they stipulate only French-controlled entities can run national TTPs, which may force a showdown at the EC.

The paper is also significant because it diverges dramatically from an unpublished EC report, due in September 1996, that was said to lean heavily in favor of crypto restrictions.
And it completely contradicts a Council of Europe declaration in September 1995 that sought to outlaw cryptography without law enforcement access (CWI, 18 September 1995). The Council of Europe, an intergovernmental organization separate from the EU, has no powers to enforce recommendations.

The EC's reluctance to support key recovery is partly motivated by the results of tests involving TTPs (CWI, 17 February). Four separate projects have proven TTPs are technical, commercial and legal failures, said an EC official. The X.509-style directory system has a hierarchical rather than network structure, meaning that it is difficult to deploy on a mass basis. The TTPs' expenses have also encountered cost overruns from initial projections.

Matt Blaze, one of the world's leading cryptographers and a researcher at AT&T in Murray Hill, New Jersey, concurs with the EC's findings. "On a large scale, they [key recovery systems] break down completely. Some key recovery policies don't even work on a small scale," he said.

The only publicly-available TTP operating in the United States today uses technology from Trusted Information Systems Inc. and is run by Oakland, California-based SourceFile, a subsidiary of FileSafe Corp. SourceFile president Tom Morehouse acknowledges that his system has yet to be stretched to the point where any scalability problems would become apparent: "We are getting ready to test [the system] with a large number of customers, but we haven't yet."

Some observers say the EC's impact is marginal. "The EC doesn't have law enforcement or national security responsibilities, so it's not surprising if that isn't their highest priority when looking at the crypto question," said Stewart Baker, a lawyer specializing in crypto issues with Steptoe & Johnson in Washington DC. "They have electronic commerce and commercial interests in mind."

But an EC official countered: "The Commission has the right to protect the internal market."
He noted that "to protect privacy" and "to protect from industrial espionage" are matters that fall under the EC's mandate.

Another official, when asked if the EC would ban U.S. products with key recovery on this basis, interrupted saying: "Use European products! The more U.S. export controls, the better it is for us. We have the technology and we have the knowledge."

U.S. crypto vendors felt their position was vindicated. "[U.S.] industry and privacy advocates can use this development to educate members of Congress who still believe that Europe is following the United States," said Peter Harter, chief public policy counsel at Netscape Communications Corp.