Interesting People mailing list archives
IP: Stewart Baker's Summary of the Paris Encryption Summit
From: Dave Farber <farber () central cis upenn edu>
Date: Sat, 03 Feb 1996 21:56:37 -0500
Date: Sat, 03 Feb 96 21:32:29 EST
From: "Stewart Baker" <sbaker () mail steptoe com>
To: farber () central cis upenn edu
SUMMARY REPORT ON THE
OECD AD HOC MEETING OF EXPERTS ON CRYPTOGRAPHY
by
Stewart A. Baker
Steptoe & Johnson
Washington, DC
sbaker () steptoe com
The OECD's ad hoc meeting of experts on cryptography was the
brainchild of U.S. policymakers. Export controls on
encryption have increasingly been attacked as unworkable by
U.S. software and hardware producers, who see a major market
for security on the global information infrastructure. This
need, they argue, will be met by foreign producers if U.S.
export controls are kept in place. Many companies in the
software business have also attacked the latest
Administration proposal allowing the export of strong
encryption only if it incorporates some form of key escrow.
These companies question the international demand for key
escrow.
The likely U.S. purpose in calling for the OECD meeting was
to show that other nations are or soon will be inclined to
favor key escrow in order to avoid the problems that
criminal use of encryption will pose. From the U.S. point
of view, the meeting was an opportunity to raise the
consciousness of other governments about the problem of
uncontrolled encryption while at the same time demonstrating
to U.S. industry that defeating U.S. export controls would
not open the door to a vast market for unescrowed encryption
but would instead spark new and perhaps inconsistent local
regulation of encryption.
If that was the purpose of the meeting, it was a qualified
success. It was not a complete success, because several
governments expressed grave doubts about the U.S. effort to
control encryption technology. Most prominent among the
doubters were the Scandinavian countries. Japan also showed
little interest in controlling encryption; it seemed more
concerned about catching up in this former defense
technology now that its commercial possibilities were
growing.
Other governments, in contrast, were supportive of some kind
of escrow, though they disliked that term and preferred to
speak of "trusted third party" approaches to key storage and
recovery. The European Union, the United Kingdom, and
France clearly favor the development of trusted third party
encryption systems. Other countries also said favorable
things about trusted third parties. But that term is
deliberately ambiguous. It mixes together a wide variety of
"trust" services for users of computer networks. Some
services, such as maintaining a register of digital
signatures or providing digital timestamps, do indeed
require trust but are quite uncontroversial. At its most
minimalist, support for "trusted third party" encryption
might simply mean that governments will set standards that
allow companies performing uncontroversial "trust" services
to also perform private key escrow when asked to do so by
users of encryption systems. Such an approach is unlikely
to make escrowed encryption the dominant form of secure
computer network communication.
But at least some European governments plainly mean to do
more than that under the heading of trusted third party
encryption. Both Italy and the Netherlands have recently
considered legislation to regulate encryption directly in
the fashion of the French. The UK is also disinclined to
see the spread of uncontrolled encryption within its
borders. While these governments now seem unlikely to adopt
French-style encryption regimes, they are clearly intrigued
at the thought that, with government's thumb on the scale,
European telecom and computer companies might be willing to
adopt trusted third party encryption even without a direct
government mandate.
The good news for U.S. policymakers is that many European
governments are clearly interested in doing something to
encourage key escrow encryption, and Australia and Canada
are likely to follow if a consensus in favor of key escrow
emerges. This proposal for international concensus is bound
to cause some of the most vocally anti-escrow U.S. companies
at least a moment of self-doubt.
The bad news for U.S. policymakers is that there is little
appetite in Europe (let alone Japan) for direct regulation
of the encryption market (even the French are showing more
flexibility in enforcing their law). And some European
governments' commitment to trusted third party encryption
may not go beyond saying nice things about it while waiting
to see what the market does.
For a variety of reasons, the OECD is likely to be drawn
into the process of making international encryption policy.
The U.S. was generally pleased with the warmth -- if not the
ambiguity -- of the international praise for trusted third
party encryption, and it hopes to build a stronger
international consensus for such encryption. Industry,
particularly U.S. industry, would rather see policy made in
the OECD than in a (presumptively more protectionist)
European forum. And the other OECD nations see that forum
as a good place to moderate unilateral U.S. policies, such
as the current requirement that keys be escrowed in the
United States. Thus all of the participants have something
to gain from continuing the dialogue in the OECD.
----------------------
A more detailed description of the conference will be posted
shortly to my law firm's web page. To see if it's up, go to
"http://www.us.net/~steptoe/welcome.htm"; and look under "Law
and the Net"
Current thread:
- IP: Stewart Baker's Summary of the Paris Encryption Summit Dave Farber (Feb 03)