Policy-makers puzzle over ‘encryption’ conundrum

Series Details 24/10/96, Volume 2, Number 39
Publication Date 24/10/1996

By Tim Jones

NOBODY likes being left out of the loop, least of all governments.

When it comes to law-breaking, they like it even less and the speed with which electronic information systems are developing is making life very difficult for public authorities.

Under authoritarian regimes, the issue is straightforward. In Burma last month, a man who sent a message critical of government policies by electronic mail to a friend in Europe soon found the police knocking at his door.

In democratic countries, such actions would not be tolerated. Apart from the outcry from civil rights groups, this kind of heavy-handed policing would undermine a crucial factor in the developed world's pursuit of a competitive edge - 'the information society'.

“We feel that new horizons of economic activity and jobs and new products are potentially available if we can solve the public policy problem of how to implement strong security globally,” says Martyn Lowry, director for European public affairs at encryption technologies manufacturer Electronic Data Systems.

Yet, at the same time, governments in the EU, the US and Japan cannot be blamed for worrying about the increased use of 'encryption' on the Internet and other networks.

Encryption is a mathematical system of scrambling data so that information is readable and accessible only to the intended recipients. If, by chance or by design, somebody else does gain access to the information, it is incomprehensible to them without a 'key'.

The abiding fear of law-enforcement agencies is that these unbreakable codes and ciphers will be used by organised crime gangs or terrorists. The 1995 film The Net, in which a highly-organised gang conducts all its activities electronically, still keeps investigators from the Federal Bureau of Investigation (FBI) awake at night.

However, businessmen must be sure that their internal information systems are secure from interference and theft if they are to be tempted into using the most up-to-date systems of electronic commerce.

Policy-makers across the developed world are trying to square this circle, and the European Commission is no exception. Nevertheless, a communication from DGXIII, the Directorate-General for telecommunications, suggesting how to come up with common standards for encryption, is still to be published. Originally earmarked to be unveiled at the special 'information society' meeting of industry ministers in Dublin on 8 October, the paper is still keenly awaited by experts in the IT business.

The problem for the Commission is that the issues arising from encryption are not national or even European in character; they are global and need to be solved on a worldwide basis.

“Companies are global and we need strong encryption in order to conduct business globally,” says Bob Rarog of Digital Equipment Corp, who chairs the US Electronics Industry Association's export control committee. “Strong encryption must be exportable, importable and designed to meet customer demands and needs. Because if it is not, folks are not going to buy it or use it. We have to come to some accommodation whereby governments - the US, the EU, Japan and others - can ensure that we have strong security that is usable world-wide and works.”

A recent study from the European Electronic Messaging Association (EEMA) found that firms were increasingly using the Internet and e-mail systems, but were still steering clear of other networks for electronic data exchange. This was partly because of a natural reluctance to try out new mechanisms, but also because of a lack of inter-operability and concerns about privacy and secrecy.

Since the Second World War, many countries - the US in particular - have imposed controls on the export of encryption technologies, classifying them as military technologies. While this made sense for much of the Cold War, it is now hampering the development of electronic commerce.

The US administration, led by Vice-President Al Gore, has been trying to find a way of meeting the FBI's law-enforcement needs while cutting some slack for industry.

Its first proposal found no takers. Under the 'clipper chip' system, users of encryption technologies would have been obliged to deposit a key to the system with a government agency. The problem with this was the word 'government'.

Now, the administration is coming round to the idea, proposed by several of the manufacturers, of a 'key recovery' system. This would oblige users to lodge the details of the key with a third party - such as a bank or an insurance company - and these components could then be used to reconstruct the code under a court order.

Washington has also dropped its constraints on the export of strong encryption technologies (known as '56-bit DES') for two years while companies develop 'key recovery' systems. After that, firms will be allowed to export strong technologies, but only if the government has indirect access to a key.

The Commission is taking a similar approach with the Trusted Third Party (TTP) proposal, although this envisages the placing of an 'escrow' key with a third party rather than allowing it to be reconstructed.

At the same time, Industry Commissioner Martin Bangemann wants to see common standards for TTPs, common rules on procedures to ensure law enforcement and prevent abuse of these technologies, and guidelines to ensure the inter-operability of encryption. Exactly how the TTPs should work would be market-driven.

Industry welcomes the initiative, but wants the Commission to maintain an open mind towards the US system. “'Trusted third party' is one technical means that should be looked at, but we also feel that there are others which will address the need for European governments to access with the appropriate legal authority,” says Digital's Rarog. “Things like 'key recovery' should be on the table. The Commission ought to look at it.”

Another problem for the Commission is the age-old EU question of competence. National security organisations are keen for these issues to remain at the level of the member states, while the Commission feels that the importance of developing the 'information society' overrides this.

“We know that five or ten years down the line this is going to be a major feature of international commerce,” says a diplomat sympathetic to the Commission's approach. “We need to solve this problem now.”
