Unpleasant EU move on encryption
Geoffrey Leeming
geoffrey at jcp.co.uk
Wed, 11 Mar 1998 10:54:54 +0000

Well, I read Ross's email with mounting scepticism, and as I read the
directive I thought he was going off the deep end a bit, as the directive
seems to be quite well targeted, and clearly defines the scope NOT to
include "the confidentiality of private communications and the security of
financial transactions".

However, having read the amendment, I apologise to Ross for the momentary
doubt. It does, indeed, appear to attempt to outlaw the study and tuition
of cryptanalysis under Amendment 12(c3). It also amends the definition of
"illicit device" to include any equipment or software "... which in any
way enables such unauthorised access", which clearly includes
cryptanalytic tools such as Schneier's screensaver.

He and his 'EU insider' are right to want to raise the alarm. Seeing as
the deadlines for objections are reasonably close (March 18th is the first
deadline), who is going to voice an objection?

Is it worth attempting to interest the media in this? Crypto may be too
technical a subject for most broadcasters, but "EU outlaws Mathematicians"
would make a nice headline! If this is a Murdoch-sponsored amendment as
Ross implies, the various members of the anti-Murdoch media (Guardian &
BBC immediately spring to mind) might be interested in having a pop.

Ross Anderson wrote:
> The EU is about to issue a wide-ranging directive to ban unauthorised
> decryption of commercial traffic. This is a result of lobbying by
> Rupert Murdoch; its stated goal was to make it illegal to sell pirate
> TV decoders. The overt justification was the difficulty Murdoch had in
> the 1980's and early 90's in closing down pirate pay-TV operators in
> Ireland and Germany. That problem has now been fixed but the EU
> machine still grinds on towards a directive.
>
> Until very recently, the proposed directive:
>
> <http://www.cl.cam.ac.uk/~mgk25/ca-law/COM-97-356.pdf>
>
> just covered pirate decoding devices made available for sale.
> However, the DVB lobby wanted it toughened up still further:
>
> <http://www.dvb.org/dvb_news/dvb_pr042.htm>
>
> and they managed to get an amendment quietly put through the European
> parliament last month:
>
> <http://www.cl.cam.ac.uk/~mgk25/ca-law/anast-report.pdf>
>
> according to which member states will have to criminalise the
> "... provision of information concerning activities and measures
> facilitating unauthorized access" (page 8, Amendment 12, c2).
>
> The problem this poses the IT community is threefold.
>
> (1) As the proposed directive also covers electronic shopping, member
> states will have to make it an offence to break 40-bit SSL keys (or
> even to own a copy of Bruce Schneier's SSL-breaking screensaver :-).
> By extending it to cover the provision of information, the amendment
> could result in attendees at conferences such as Eurocrypt becoming
> criminals. This would make it impossible to hold security conferences
> in Europe. It would certainly make my web page illegal (papers such as
> `Tamper Resistance - A Cautionary Note' and `Why Cryptosystems Fail'
> would be contraband). It might even become an offence for people
> supervising computer science here at Cambridge to help undergraduates
> with the solution of past exam questions.
>
> (2) Furthermore, the amendment extends the scope of the directive from
> payment systems to encompass all technical means whereby access to a
> service is made conditional on a prior individual authorisation by the
> service provider. So I might be liable to prison for having made my
> .netscape/cookies file read-only; my mail filter might also get me
> into trouble. (There could be a conflict of laws here as filtering
> measures undertaken by European ISPs to comply with EU data protection
> and obscenity laws might be illegal under the amended directive.)
>
> (3) If Murdoch gets away with all this - or even with the original,
> unamended, directive - then the DTI/GCHQ/NSA people can argue that 40
> bit crypto is enough: `if you merely want to protect commercial
> transactions, strong laws are more effective than strong algorithms.
> People attack systems like pay-TV because the penalties are perceived
> to be light or non-existent; they don't attack the (much weaker) funds
> transfer systems used by banks as even an attempt gets you jail time.'
> This argument didn't cut much ice with Vladimir Levin, but there is a
> strong technophobic constituency in government that believes in legal
> fixes for everything and which will love the spooks' argument.
>
> Anyway, the main effect of this directive will be to put a serious
> damper on research, development and the commercial exploitation of
> cryptography and systems based on it throughout the whole community
> (which the spooks will also like). In the process, it will hand
> billions of ECU worth of business to the Americans on a plate. There
> is resistance to it on these grounds even in the Commission (the
> amendment was faxed to us yesterday by an EU insider who wants to
> raise the alarm).
>
> See <http://www.cl.cam.ac.uk/~mgk25/ca-law/> for more details.
>
> Ross