Source: The New York Times, October 9, 1997, p. D4
Threats to Privacy and Commerce Are Cited
By Edmund L. Andrews
Frankfurt, Oct. 8 -- The European Commission has rejected
proposals by the United States aimed at insuring that police agencies can
crack coded messages over telephone and computer networks.
In a lengthy report released today, the European Commission said the
American approach could threaten privacy and stifle the growth of
electronic commerce and that it might simply be ineffective.
The report appears to all but doom efforts by the Clinton Administration
and the Federal Bureau of Investigation to establish a global system in
which people who use cryptography would have to deposit a "key" for
unlocking their codes with an independent outside organization. As
envisioned, the police or intelligence agents would be able to use this key
once they got court approval to carry out a wiretap. The plan has been
vigorously opposed by the computer industry, which fears that it would
jeopardize sales to foreign customers.
Because of the Internet's borderless nature, American officials have long
acknowledged that their plan is workable only if most other countries
adopt similar systems. If not, people could simply route their
communications through countries with no restrictions.
The White House had already run into heavy opposition from civil rights
groups, the computer industry and Congressional Republicans. And
earlier this year, the United States failed to muster any support for its plan
from the Organization for Economic Cooperation and Development, a
consortium backed by more than 40 countries.
But the European Commission's blunt opposition, reported today in The
Wall Street Journal, went considerably further, raising a slew of objections
to "key recovery" and "key escrow," systems. Among them were these:
- Hackers could find new ways to breach security." Inevitably, any key
access scheme introduces additional ways to break into a cryptographic
system," the report said.
- The systems could weaken European data-privacy laws. "Any regulation
hindering the use of encryption products," the report said, "hinders the
secure and free flow of personal information."
- Even with a "key escrow" or "key recovery" system, criminals cannot be
entirely prevented from using strong encryption.
More broadly, the European Commission said, any kind of key-based
system could jeopardize the rise of electronic commerce. "If citizens and
companies have to fear that their communication and transactions are
monitored with the help of key access or similar schemes," the report
said, "they may prefer remaining in the anonymous off-line world."
American officials did not disguise their disappointment, and challenged
the Europeans to come up with better alternatives.
"I am a little surprised," said William Reinsch, Deputy Secretary of
Commerce in charge of export administration. "My question to the
European Commission is, where do they think the market is going? Our
sense is that corporations engaged in electronic commerce want key
recovery in some form, because they want to recover their own records
and to monitor their own employees."
Beyond high-minded policy issues, European officials quietly
acknowledge that they have political and economic concerns. For one
thing, several countries do not like the idea of deferring to an American
system that might allow American companies to dominate the next
generation of security products.
The German Government, meanwhile, is worried that American authorities
might have improper access to data on German users -- possibly violating
Germany's tough new laws on data protection.
But the European Union is far from united. Britain has generally
sided with the United States in supporting an international system for
regulating data encryption.
Indeed, the European Commission remained vague about what
alternatives to the American system it might actually favor, nor does the
report attempt to block member countries from setting up key-based
systems if they want to.
American computer and software companies greeted the European policy
declaration as a victory.
"Even the hard-line Governments, the U.S. and the United Kingdom, have
said that any cryptography restrictions have to be internationally
coordinated because otherwise you can just download material from
another country," said Chris Kuner, a lawyer in Frankfurt who represents
Netscape Communications and other networking companies in Europe.
"This shows that Europe does not agree with the idea of mandatory key
recovery. This idea that is the only possible regulatory framework for the
world has been clearly rejected."