Capitals at odds over EU encryption rules

Date: 30/07/1998

By Simon Coss

A PATCHWORK of national laws governing the use of Internet encryption software is fast taking shape, as EU member states make slow progress in talks on a common approach to the issue.

Madrid is the latest Union government to put encryption rules on its statute books, with a recently enacted 'Telecommuni-cations Law 1998' granting Spanish citizens the right to use "strong cryptography".

But opponents of the law point out that it will also oblige anyone who wants to use such software to deposit an electronic 'key' with a government-approved agency known in technical jargon as a Trusted Third Party or TTP.

The police insist such measures are needed to enable them to 'tap' scrambled e-mail messages sent over the Internet by criminals and terrorists.

Critics argue that TTPs compromise the security of encryption software and discourage people from sending sensitive information across open networks like the Internet. They claim this could have disastrous consequences for the emerging electronic commerce industry, which relies on shoppers being prepared to pay for goods by giving virtual retailers their credit card or bank details.

Civil rights campaigners also complain that obliging individuals to deposit electronic keys with TTPs represents an unacceptable attack on the right to privacy.

"Both privacy in a networked environment and electronic commerce demand a system to transmit data that is secure and trustful," said David Casacuberta of civil liberties group Electronic Frontiers Spain. "Now the Spanish government has accepted the idea of using encryption, they should notice how strong cryptography does not make any sense if there is a centralised computer system holding private keys."

Laws on the use of encryption vary widely across the EU. France has by far the most draconian legislation, with any French citizen wishing to use encryption software produced abroad having to obtain permission from the prime minister. The UK recently unveiled plans for a voluntary TTP licensing scheme and several other member states have legislation pending. At the other end of the spectrum are countries like Finland, Sweden, Denmark and Germany which have no controls.

Attempts to agree on a coordinated EU-wide approach to encryption policy have so far met with limited success.

Union justice ministers emphasised the need to look into the issues raised by software after an informal meeting in the UK earlier this year, but little progress has been made since then in discussions between national police experts from all 15 member states.

"The matter is being discussed but at the moment there are no concrete results," said one Scandinavian diplomat, who added that the question of TTPs was posing particular problems. "This is not at all resolved. There are no conclusions yet, it is a very delicate issue."