Citing privacy concerns and a wish to foster the growth of high-tech industries and electronic commerce, the European Commission said in a report released today that it would not support a US plan to allow law enforcement access to encrypted communications.
"If citizens and companies have to fear that their communications and transactions are monitored with the help of key access, or similar schemes unduly enlarging the general surveillance possibility of government agencies, they may prefer remaining in the anonymous offline world, and electronic commerce will just not happen," the report said.
The report concludes, among other findings, that:
- Restricting encryption use could "prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not, however, totally prevent criminals from using these technologies." Citing a crime and crypto study released in July by Georgetown University computer scientist Dorothy Denning and William Baugh Jr. of Science Applications International Corp., the report said that restricting public access to strong encryption would do little to keep such technology out of lawbreakers' hands.
- With strong encryption being produced by more than 840 companies, many with annual growth rates of more than 100 percent, stifling the industry would shut out the "economic and social benefits" of an information society.
- Key escrow systems could open the door to attacks by hackers and crackers. The possibility of insider abuse, targeted attacks, and the high cost of such a system make it an unwise course. "Restrictions imposed by national licensing schemes, particularly those of a mandatory nature, could lead to internal market obstacles and reduce the competitiveness of the European industry," the report said.
- Widespread use of encryption can limit the billions of dollars in economic damage from industrial espionage, credit-card fraud, cellular-phone fraud, and pay-TV piracy.
As to how to let police see scrambled data during investigations, the commission said that access to plaintext - but not to keys - would be the most desirable option. The commission said that "existing regulation on traditional forms of lawful access to data and communication could be explored," such as court orders requiring suspects to hand over keys to encrypted data.
The United States recently has been lobbying European countries to persuade them that law enforcement must have access to scrambled communications traveling over networks and stored on hard drives. However, European commissioners have gotten mixed messages from the Clinton administration. Ira Magaziner, senior policy adviser and principal architect of the White House framework on electronic commerce, recently told leaders that US crypto policy remains undecided.
William Reinsch, Commerce undersecretary for export administration, said today that in ongoing negotiations with the European Commission the United States will try to underscore what it sees as its flexibility on encryption policy.
"In those discussions, we will continue to make clear that our policy is designed to accommodate a variety of technologies and is not focused on third-party key escrow solutions," Reinsch said in a statement. "I'm surprised that the European Commission study objected to recovery technology without providing an alternative that balances privacy and electronic commerce with law enforcement and national security."
The European Commission plans to hold a hearing on encryption and digital signatures in early 1998.
