
OECD: No GAK



   The New York Times, March 27, 1997, pp. A1, D3.

   U.S. Rebuffed in Global Proposal For Eavesdropping on the
   Internet 

   By John Markoff

   In a setback for the Clinton Administration that
   demonstrates the difficulty of setting global policies for
   the Internet, the leading industrial nations have declined
   to embrace a United States proposal to allow computer
   eavesdropping by the world's law enforcement agencies.

   The United States proposal, backed by Britain and France,
   was an attempt to restrict the private use of increasingly
   advanced data-scrambling technology that can protect the
   privacy of electronic mail and other forms of computer
   communication. The equipment can make it difficult for law
   enforcement officials to crack a code when they suspect it
   is masking criminal or terrorist activities.

   The proposal called for international endorsement of a
   system in which mathematical keys to computer-security
   codes would be held by escrow agents from whom law
   enforcement officials could obtain the keys once they have
   a court's wiretapping warrant.

   But policy guidelines scheduled to be released in Paris
   today by the 29-nation Organization for Economic
   Cooperation and Development fail to endorse the United
   States proposal. And they leave such leeway for members to
   regulate data-scrambling technology--or not--that computer
   security experts say any uniform international policy
   remains elusive.

   "The difficulty with the guidelines is that anybody can
   interpret parts of them in their own way," said Konstantine
   Papanikdaw, a policy analyst for information security at
   the European Commission in Brussels.

   Indeed, the industrial world seems to be deeply divided on
   whether governments can ever legitimately eavesdrop on the
   electronic communication of their citizens. Because
   messages on the Internet are easy to intercept, a growing
   number of individuals and corporations are protecting the
   privacy of their communications and the security of their
   commercial transactions by scrambling such information.

   Some O.E.C.D. nations, including Britain and France, have
   either outlawed or are in the process of tightly regulating
   the private use of data-scrambling systems. But other
   nations--including Australia, Canada, Denmark and
   Finland--have policies that protect individual privacy.
   Among other member nations, Japan had initially resisted
   the United States proposal but was said to be moving closer
   to it, while Germany remained deeply divided.

   Most other countries, inside or outside the O.E.C.D., have
   yet to confront the data-scrambling issue. And even the
   United States has a somewhat contradictory national policy
   that permits citizens to use whatever data-scrambling
   software they wish within the nation's borders, but
   restricts the export of the most up-to-date computer-coding
   technology.

   That seeming contradiction, however, did not prevent the
   Clinton Administration in recent months from waging a
   vigorous behind-the-scenes effort for its proposal. And
   hoping to resolve some of the policy conflicts, the
   Administration is now circulating draft legislation on
   Capitol Hill which would attempt to control even the
   domestic use of data-scrambling software and establish a
   key-escrow system for the United States.

   While the O.E.C.D. has no authority to set international
   policy, its recommendations are frequently used by member
   nations in setting their own foreign and trade policies.
   And the privacy and law-enforcement aspects of the Internet
   are issues on which member governments have been desperate
   for guidance.

   But even though most of the O.E.C.D. discussions involved
   law enforcement officials, who have been the main advocates
   for measures that would insure their ability to crack
   codes, European officials say that there was never much
   agreement on what to do.

   And so the primary recommendation in the report, a copy of
   which was obtained by The New York Times, simply gives
   O.E.C.D. member nations the latitude to do as they see fit
   when it comes to data scrambling, which is formally known
   as cryptography.

   "National cryptography policies may allow lawful access to
   plain text, or cryptographic keys, or encrypted data," the
   report says.

   Privacy-rights advocates see the O.E.C.D. guidelines as a
   critical setback for the Clinton Administration. "The U.S.
   proposal to endorse lawful access to private keys was
   explicitly rejected by the O.E.C.D. member countries," said
   Marc Rotenberg of the Washington-based Electronic Privacy
   Information Center and a member of the O.E.C.D.'s advisory
   group. "The O.E.C.D. chose instead a policy based on
   voluntary, market-driven development of cryptography
   products."

   And even supporters of the United States position
   acknowledged that guidelines were a disappointment.

   "The United States probably had more success raising
   consciousness than getting language that could be treated
   as an endorsement for key recovery," said Stewart Baker, a
   former National Security Agency official who participated
   on the American delegation to the O.E.C.D.

   Meanwhile, executives for the United States computer
   industry were critical of the O.E.C.D. for even leaving the
   door open for governments to set national policies on data
   scrambling.

   "We think that markets, not governments, should be the
   primary determinants of technology solutions," said Jon
   Englund, a vice president at the Information Technology
   Association of America, a trade group.

   Many experts question whether governments can ever hope to
   insure law enforcement access to electronic messages or to
   restrict the spread of super-strong coding software,
   because new, more powerful versions can always be developed
   and easily transmitted over the Internet in the blink of an
   eye.

   And any international effort is almost certainly doomed if
   some countries refuse to go along with a common approach,
   because people looking for strong encryption can simply
   acquire it wherever the laws are lax. In fact, the big
   German company Siemens A.G. recently introduced an
   encryption system that it advertises as being much more
   powerful than American companies can export under United
   States law.

   Besides the United States, France and Britain both support
   a system for enabling law enforcement officials to obtain
   keys to data-scrambling codes. France has already passed a
   stringent law that requires participation in such a system,
   although the rules to carry out the law have not yet been
   worked out.

   And in recent days, Britain has quietly circulated the most
   restrictive proposal of any nation, a domestic policy under
   which the Government would allow private use only of
   cryptography that was officially licensed, to make sure
   that the software uses code that law enforcement officials
   can crack.

   Under such laws, of course, criminals and terrorists might
   logically choose to use unauthorized encryption software.
   But the mere fact that such use would be a crime may be a
   deterrent--or give the police grounds to arrest anyone
   whose communications were indecipherable.

   In Germany, encryption remains a deeply divisive issue. The
   Interior Ministry has supported the need for encryption
   restrictions of some sort, but the Justice Ministry and the
   Economics Ministry have both signaled their opposition. And
   German businesses have been outspoken opponents against any
   new restrictions on data scrambling.

   Meanwhile, United States export restrictions have been a
   boon for Brokat Informationssysteme G.m.b.H., a
   two-year-old start-up company in Boblingen, Germany. Brokat
   supplies secure electronic transaction software for banks
   like Deutsche Bank and on-line services like America Online
   in Europe.

   One of Brokat's hottest products is the Expresso Security
   Package which essentially adds strong encryption to the
   World Wide Web browsers and Internet server software sold
   by two of the largest American software companies--
   Microsoft and Netscape Communications.

   [End]