IP: EC PLANS ENCRYPTION RULES IN BID TO POLICE INFORMATION

[David Farber <farber () central cis upenn edu>]

From: denis () cnam fr (F. Denis)
Subject: EC Plans Encryption Rules For Internet in Europe
Date: 13 Oct 1995  12:00:00 CDT




This comes from {Nature}, a magazine in France.
Vol 377  #6547   September 28, 1995


`EC PLANS ENCRYPTION RULES IN BID TO POLICE INFORMATION SUPERHIGHWAY'


Paris. The European Commission is to propose legislation to police the
information superhighway that will include powers to decrypt confidential
telephone and computer communication.


   The commission's move follows concern over the perceived increase
in the `illegal' use of the Internet, including the proliferation of
pornography and the unauthorized release of classified documents.


   It also coincides with a similar proposal from the 34-nation-member
Council of Europe. The proposals would, if passed into law, effectively
end the Internet's status in the 15 member states of the European
Union (EU) as an unregulated medium for the free flow of information.


   But they have also raised questions about the possible violation of
telephone and computer privacy, as well as the preferred choice of
encryption/decryption system.


   The proposal to introduce Europe-wide surveillance guidelines has
been confirmed by a senior official responsible for encryption and
data security in the French government.  He says that Brussels is
working closely with the Senior Officers Group for Information
Security Systems (SOGIS), a collection of experts from EU countries,
chaired by the commission itself.


   The commission is expected to publish its guidelines later this
autumn, detailing the powers of enforcement to be given to regulatory
authorities. as well as a preferred choice of decryption system. The
guidelines will then be considered by the EU's Council of Ministers
and the European Parliament.


   But a spokesman for the commission's telecommunications directorate
says that the decryption mechanism is likely to be based on a version
of the `key escrow system'. This refers to the policy under which
users of encryption systems give copies of their decryption keys
either to their government or to a third party that the government
trusts. The keys can be handed over if the government, on production
of a court order, wants to monitor encrypted information.


   The system being considered by the commission will enable EU
countries to monitor encrypted telephone and computer communications
in member states. Thus if someone in Germany makes a call to Italy,
agencies in both countries would possess the key enabling them to
decrypt the call.


   Siguificantly, the commission will also propose that member states
choose private `trusted third parties' rather than government
departments to regulate computer and telephone networks. it is thought
to believe that this move will secure greater public support for the
proposals.


    But civil liberties groups remain sceptical, and maintain that the
use of `third parties' to police the Internet raises its own
questions, one of which is deciding which party to trust and ensuring
they all remain trustworthy. `It is difficult to trust these third
parties," says Simon Davies from the organization Privacy
International. "There is no guarantee that the keys [to decryption]
will not be corruptly accessed within the `trusted' organization."


    Critics of the commission's proposals also include information
technology specialists, although their concerns are different. Ross
Anderson. a senior research associate in computer and communications
security at the University of Cambridge's Computer Laboratory says
that the Council of Ministers will need to iron out various issues
before the key escrow system is fit for use.


   One factor, says Anderson. is that such a system ironically falls
victim to precisely what it is trying to protect - namely. national
security.  If you are a banker doing a politically sensitive deal -
such as renegotiating the Eurotunnel debt - then the UK government
will certainly not want the French to get that key."


   Similarly. the decryption key for a secure telephone bought in
Britain will be kept at the government's General Communications
Headquarters. But if it is taken into France and used to call someone
in Germany, the French government "will inevitably want a copy of the
key", says Anderson.


   This direct conflict of national security priorities, adds
Anderson. makes it hard to "specify a system which satisfies the
curiosity of intelligence agencies. while still providing meaningful
privacy to users".


   A parallel proposal for decryption was announced earlier this month
by the Council of Europe. Peter Csonka, head of the council's Crime
Problems Division, said its 18 suggestions were long overdue following
concern that "electronic information systems and electronic
information may also be used for committing criminal offences".


   The council's suggestions include giving investigating agencies the
right to search computer networks and seize offending, unauthorized or
illegal material. The proposals will also require providers of
telecommunication networks to "avail themselves of all necessary
technical measures that enable the interception of telecommunications
by investigating authorities".




F Denis    denis () cnam fr
indosuez bank, media consultant