Interesting People mailing list archives
IP: Stewart Baker's Summary of the Paris Encryption Summit
From: Dave Farber <farber () central cis upenn edu>
Date: Sat, 03 Feb 1996 21:56:37 -0500
Date: Sat, 03 Feb 96 21:32:29 EST From: "Stewart Baker" <sbaker () mail steptoe com> To: farber () central cis upenn edu SUMMARY REPORT ON THE OECD AD HOC MEETING OF EXPERTS ON CRYPTOGRAPHY by Stewart A. Baker Steptoe & Johnson Washington, DC sbaker () steptoe com The OECD's ad hoc meeting of experts on cryptography was the brainchild of U.S. policymakers. Export controls on encryption have increasingly been attacked as unworkable by U.S. software and hardware producers, who see a major market for security on the global information infrastructure. This need, they argue, will be met by foreign producers if U.S. export controls are kept in place. Many companies in the software business have also attacked the latest Administration proposal allowing the export of strong encryption only if it incorporates some form of key escrow. These companies question the international demand for key escrow. The likely U.S. purpose in calling for the OECD meeting was to show that other nations are or soon will be inclined to favor key escrow in order to avoid the problems that criminal use of encryption will pose. From the U.S. point of view, the meeting was an opportunity to raise the consciousness of other governments about the problem of uncontrolled encryption while at the same time demonstrating to U.S. industry that defeating U.S. export controls would not open the door to a vast market for unescrowed encryption but would instead spark new and perhaps inconsistent local regulation of encryption. If that was the purpose of the meeting, it was a qualified success. It was not a complete success, because several governments expressed grave doubts about the U.S. effort to control encryption technology. Most prominent among the doubters were the Scandinavian countries. Japan also showed little interest in controlling encryption; it seemed more concerned about catching up in this former defense technology now that its commercial possibilities were growing. Other governments, in contrast, were supportive of some kind of escrow, though they disliked that term and preferred to speak of "trusted third party" approaches to key storage and recovery. The European Union, the United Kingdom, and France clearly favor the development of trusted third party encryption systems. Other countries also said favorable things about trusted third parties. But that term is deliberately ambiguous. It mixes together a wide variety of "trust" services for users of computer networks. Some services, such as maintaining a register of digital signatures or providing digital timestamps, do indeed require trust but are quite uncontroversial. At its most minimalist, support for "trusted third party" encryption might simply mean that governments will set standards that allow companies performing uncontroversial "trust" services to also perform private key escrow when asked to do so by users of encryption systems. Such an approach is unlikely to make escrowed encryption the dominant form of secure computer network communication. But at least some European governments plainly mean to do more than that under the heading of trusted third party encryption. Both Italy and the Netherlands have recently considered legislation to regulate encryption directly in the fashion of the French. The UK is also disinclined to see the spread of uncontrolled encryption within its borders. While these governments now seem unlikely to adopt French-style encryption regimes, they are clearly intrigued at the thought that, with government's thumb on the scale, European telecom and computer companies might be willing to adopt trusted third party encryption even without a direct government mandate. The good news for U.S. policymakers is that many European governments are clearly interested in doing something to encourage key escrow encryption, and Australia and Canada are likely to follow if a consensus in favor of key escrow emerges. This proposal for international concensus is bound to cause some of the most vocally anti-escrow U.S. companies at least a moment of self-doubt. The bad news for U.S. policymakers is that there is little appetite in Europe (let alone Japan) for direct regulation of the encryption market (even the French are showing more flexibility in enforcing their law). And some European governments' commitment to trusted third party encryption may not go beyond saying nice things about it while waiting to see what the market does. For a variety of reasons, the OECD is likely to be drawn into the process of making international encryption policy. The U.S. was generally pleased with the warmth -- if not the ambiguity -- of the international praise for trusted third party encryption, and it hopes to build a stronger international consensus for such encryption. Industry, particularly U.S. industry, would rather see policy made in the OECD than in a (presumptively more protectionist) European forum. And the other OECD nations see that forum as a good place to moderate unilateral U.S. policies, such as the current requirement that keys be escrowed in the United States. Thus all of the participants have something to gain from continuing the dialogue in the OECD. ---------------------- A more detailed description of the conference will be posted shortly to my law firm's web page. To see if it's up, go to "http://www.us.net/~steptoe/welcome.htm" and look under "Law and the Net"
Current thread:
- IP: Stewart Baker's Summary of the Paris Encryption Summit Dave Farber (Feb 03)