The European Union group


Members
  • Juraj Dlhopolcek
  • Sunit Jariwala
  • Dan Ksepka
  • Frank J. Miles

    What to prepare for
    You have a difficult task. You are to prepare a position paper (at most 3 pages long) for a meeting of an international organization (say, the International Telecommunications Union or an international trade organization) on the policies regarding use, import, and export of cryptographic machinery and software. You could try to represent the whole (rather heterogeneous) EU area, or choose to discuss only one or two countries. I'd like you to present a selection of the policies that U.S. people might find restrictive or strange. You are to be an advocate/defender of these policies. You may defend your policies regarding cryptography with a mixture of convenient logic, exaggeration, and history. Mention specific policies and give some comments to support these policies.

    Note that the history of Western Europe with regard to laws and practices (what governments say and what they actually do) is complex. Look at the entries for France and Germany in http://cwis.kub.nl/~frw/people/koops/cls2.htm and consider this recent news report:

    3:00 a.m. 16.Feb.2000 PST DUBLIN, Ireland -- Britain is likely to become the first country in the world to make imprisonment a possible consequence of refusing to surrender, or even losing, one's private encryption keys.

    At the same time, neighboring Ireland is preparing legislation that would make it the first country to prohibit law enforcement from forcing encryption users to hand over their private keys.

    The new British law also would compel Internet service providers to build in "reasonable interception capabilities" to networks and could force ISPs to hand over data traffic information -- email destinations, Web site visits, IP names -- to law enforcement without a search warrant. It includes provisions for listening in on mobile and satellite phone calls, intercepting pager messages, and bugging office switchboards.

    The topsy-turvy state of affairs is emblematic of the approach of the two countries to electronic commerce legislation.

    In your oral rebuttal
    Be prepared to defend "your" country's positions. Assert that you are correct, distort history and economics judiciously if necessary to support your wishes, claim sovereign immunity, etc. Have a few facts ready if you absolutely need them!


    With the growing use of Internet resources around the globe, international policies regarding data/information/technological transfer are quickly changing. A prime example of this shift in trends concerns the European Union's policies of a few years ago, contrasted with the regulations of today. While data transfer issues are still a major concern, policies are quickly liberalizing, as exhibited by the EU support of the Wassenaar Agreement. Before delving into the European Union's policies, it is necessary to define the EU and its goals. The European Union (EU) is a union of fifteen independent states based on the European Communities and founded to enhance political, economic and social co-operation. Member states include Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, and the United Kingdom of Great Britain and Northern Ireland. The rest of this paper discusses the distinct EU policies (e.g. Bulletin EU 10-1997, EU Directive 95/46/EC, Wassenaar Agreement) regarding encryption schemes, as well as the change from an anti-encryption to a pro-encryption viewpoint.

    Secure data transfer on the Internet has become one of the most crucial concerns of today's network designers. For this reason, the European Union is trying to stay on top of its laws regarding information safety. For example, in Bulletin EU 10-1997, the Commission acknowledges the importance of Internet data transfer safety and recommends the use of digital signatures: "The Commission proposes to set up a Community framework for digital signatures by, for example, drawing up common certification criteria, and to promote the growth of a European cryptographic services and products industry. It calls on the Member States to see that their national restrictions on encryption are compatible with Community regulations, to arrive at a Community position on questions of cryptology in order to defend it vis-à-vis international bodies, and to strengthen cooperation between police forces at European and international level in order to combat the use of electronic communications as a tool for crime." (http://europa.eu.int/abc/doc/off/bull/en/9710/p102157.htm)

    This is a very progressive stance toward collective international data transfer safety. The use of digital signatures is a very efficient way of verifying the authenticity of information. To further increase the security of information, all the member nations of the European Union have accepted the EU Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal data and on the free movement of such data. Article 25 is especially important, since it states that: "Under current legislation and one aspect of the EU Directive of particular significance is Article 25 which states that personal data may only be transferred from EU member states to "third countries" if those countries provide 'an adequate level of data protection'". A 'third country' is any country in Europe that is not a member of the European Union, and that has not agreed to the EU Directive 95/46/EC. This example shows that the European community strictly observes the issues of data transfer safety and will probably continue to do so in the future.

    A positive stance toward the legalization of public encryption is a very important step towards the worldwide use of e-commerce. However, not all of the European Union member countries were receptive towards the issue of public encryption. For example, until 1996, France had a strict law that made encryption illegal unless done with the permission of the government. Stringent fines and prison sentences were imposed upon individuals who broke this law. After 1996, pressure from the European Commission forced France to change its laws, and today, public encryption is legal as long as the French authorities can break it. This is certainly a positive step, but more laws will be needed before the French government will openly encourage e-commerce.

    In 1995, twenty-eight countries signed the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Most of these countries are members of the European Union and nations that are in the process of review for acceptance into the European Union. Under the Wassenaar Arrangement, cryptography is regarded as a "dual-use" benefit. This means that encryption schemes can be used both for military and civil purposes. Under this provision, all exported cryptographic software and instruments are subject to the laws and regulations of the European Commission. Export of the software via the Internet is also covered by the Arrangement. The only exceptions to the Wassenaar Agreement concern the export of products that are for the purchaser's personal use. This exception is permissible, since most of today's notebook computers use some sort of encryption; furthermore, it would be inefficient (if not impossible) to keep track of every computer purchased. See http://cwis.kub.nl/~frw/people/koops/cls2.htm#Wassenaar.

    Although the EU policies regarding encryption and data transfer remain somewhat stringent, the progressive Wassenaar Agreement and Bulletin EU 10-1997 both exhibit tendencies towards gradual reform. Just think, until 1996, France arrested those practicing encryption without the government's consent. Today, the Wassenaar Agreement permits the use of encryption within the military and civil sectors. The Bulletin EU 10-1997 acknowledges that encryption is indeed necessary, and designates the police force to combat Internet-related crime. It is interesting to note that international powers such as the European Union have also jumped on the Internet bandwagon. With improved safety measures and technological advances pertaining to data transfer, "Internet criminals" and "hackers" may have finally met their match.