OECD: No GAK
The New York Times, March 27, 1997, pp. A1, D3.
U.S. Rebuffed in Global Proposal For Eavesdropping on the
Internet
By John Markoff
In a setback for the Clinton Administration that
demonstrates the difficulty of setting global policies for
the Internet, the leading industrial nations have declined
to embrace a United States proposal to allow computer
eavesdropping by the world's law enforcement agencies.
The United States proposal, backed by Britain and France,
was an attempt to restrict the private use of increasingly
advanced data-scrambling technology that can protect the
privacy of electronic mail and other forms of computer
communication. The equipment can make it difficult for law
enforcement officials to crack a code when they suspect it
is masking criminal or terrorist activities.
The proposal called for international endorsement of a
system in which mathematical keys to computer-security
codes would be held by escrow agents from whom law
enforcement officials could obtain the keys once they have
a court's wiretapping warrant.
But policy guidelines scheduled to be released in Paris
today by the 29-nation Organization for Economic
Cooperation and Development fail to endorse the United
States proposal. And they leave such leeway for members to
regulate data-scrambling technology--or not--that computer
security experts say any uniform international policy
remains elusive.
"The difficulty with the guidelines is that anybody can
interpret parts of them in their own way," said Konstantine
Papanikdaw, a policy analyst for information security at
the European Commission in Brussels.
Indeed, the industrial world seems to be deeply divided on
whether governments can ever legitimately eavesdrop on the
electronic communication of their citizens. Because
messages on the Internet are easy to intercept, a growing
number of individuals and corporations are protecting the
privacy of their communications and the security of their
commercial transactions by scrambling such information.
Some O.E.C.D. nations, including Britain and France, have
either outlawed or are in the process of tightly regulating
the private use of data-scrambling systems. But other
nations--including Australia, Canada, Denmark and
Finland--have policies that protect individual privacy.
Among other member nations, Japan had initially resisted
the United States proposal but was said to be moving closer
to it, while Germany remained deeply divided.
Most other countries, inside or outside the O.E.C.D., have
yet to confront the data-scrambling issue. And even the
United States has a somewhat contradictory national policy
that permits citizens to use whatever data-scrambling
software they wish within the nation's borders, but
restricts the export of the most up-to-date computer-coding
technology.
That seeming contradiction, however, did not prevent the
Clinton Administration in recent months from waging a
vigorous behind-the-scenes effort for its proposal. And
hoping to resolve some of the policy conflicts, the
Administration is now circulating draft legislation on
Capitol Hill which would attempt to control even the
domestic use of data-scrambling software and establish a
key-escrow system for the United States.
While the O.E.C.D. has no authority to set international
policy, its recommendations are frequently used by member
nations in setting their own foreign and trade policies.
And the privacy and law-enforcement aspects of the Internet
are issues on which member governments have been desperate
for guidance.
But even though most of the O.E.C.D. discussions involved
law enforcement officials, who have been the main advocates
for measures that would insure their ability to crack
codes, European officials say that there was never much
agreement on what to do.
And so the primary recommendation in the report, a copy of
which was obtained by The New York Times, simply gives
O.E.C.D. member nations the latitude to do as they see fit
when it comes to data scrambling, which is formally known
as cryptography.
"National cryptography policies may allow lawful access to
plain text, or cryptographic keys, or encrypted data," the
report says.
Privacy-rights advocates see the O.E.C.D. guidelines as a
critical setback for the Clinton Administration. "The U.S.
proposal to endorse lawful access to private keys was
explicitly rejected by the O.E.C.D. member countries," said
Marc Rotenberg of the Washington-based Electronic Privacy
Information Center and a member of the O.E.C.D.'s advisory
group. "The O.E.C.D. chose instead a policy based on
voluntary, market-driven development of cryptography
products."
And even supporters of the United States position
acknowledged that guidelines were a disappointment.
"The United States probably had more success raising
consciousness than getting language that could be treated
as an endorsement for key recovery," said Stewart Baker, a
former National Security Agency official who participated
on the American delegation to the O.E.C.D.
Meanwhile, executives for the United States computer
industry were critical of the O.E.C.D. for even leaving the
door open for governments to set national policies on data
scrambling.
"We think that markets, not governments, should be the
primary determinants of technology solutions," said Jon
Englund, a vice president at the Information Technology
Association of America, a trade group.
Many experts question whether governments can ever hope to
insure law enforcement access to electronic messages or to
restrict the spread of super-strong coding software,
because new, more powerful versions can always be developed
and easily transmitted over the Internet in the blink of an
eye.
And any international effort is almost certainly doomed if
some countries refuse to go along with a common approach,
because people looking for strong encryption can simply
acquire it wherever the laws are lax. In fact, the big
German company Siemens A.G. recently introduced an
encryption system that it advertises as being much more
powerful than American companies can export under United
States law.
Besides the United States, France and Britain both support
a system for enabling law enforcement officials to obtain
keys to data-scrambling codes. France has already passed a
stringent law that requires participation in such a system,
although the rules to carry out the law have not yet been
worked out.
And in recent days, Britain has quietly circulated the most
restrictive proposal of any nation, a domestic policy under
which the Government would allow private use only of
cryptography that was officially licensed, to make sure
that the software uses code that law enforcement officials
can crack.
Under such laws, of course, criminals and terrorists might
logically choose to use unauthorized encryption software.
But the mere fact that such use would be a crime may be a
deterrent--or give the police grounds to arrest anyone
whose communications were indecipherable.
In Germany, encryption remains a deeply divisive issue. The
Interior Ministry has supported the need for encryption
restrictions of some sort, but the Justice Ministry and the
Economics Ministry have both signaled their opposition. And
German businesses have been outspoken opponents against any
new restrictions on data scrambling.
Meanwhile, United States export restrictions have been a
boon for Brokat Informationssysteme G.m.b.H., a
two-year-old start-up company in Boblingen, Germany. Brokat
supplies secure electronic transaction software for banks
like Deutsche Bank and on-line services like America Online
in Europe.
One of Brokat's hottest products is the Expresso Security
Package which essentially adds strong encryption to the
World Wide Web browsers and Internet server software sold
by two of the largest American software companies--
Microsoft and Netscape Communications.
[End]