Most informed observers greeted the UK government’s proposals for a voluntary licensing regime for Certification Authorities, Trusted Third Parties (TTPs) and Key Recovery Agents, presented earlier this week by small businesses minister Barbara Roche, with guarded enthusiasm. Firstly, because the government had retreated from its former position, whereby licensing should be obligatory. Also because they saw the initiative as an attempt to advance the technology [of data encryption] and widen its acceptance by creating an imprimatur of approval, in the words of Paris-based US lawyer Jonathan Schur, who specializes in this area. As such, it falls in line with similar legislation already in existence in Germany, Sweden and Italy. There are also those, like British lawyer Heather Rowe, who are generally receptive to the scheme, but question the inclusion into the government’s proposals of the key escrow clause, whereby the British government is able to access the keys held by all TTPs for the purpose of investigation what information is being transmitted in an encrypted form. On a practical level, Rowe says the key escrow won’t help catch wrongdoers, because criminals won’t be using TTPs in the first place. On a philosophical level, meanwhile, she questions whether the government should in any case have the right to delve into data flows between private individuals or institutions. In any case, the direction the UK authorities are headed in leaves still more isolated, at least in terms of the developed world, the legal framework for cryptography existing in France. First through the Telecommunications Law of 1996, then by two implementation decrees brought out earlier this year, the French government created serious restrictions on both the use and supply of data encryption in the domestic market. Beyond 40-bit encryption, use of the technology requires express permission from the SCSSI, an inter-ministerial body answering directly to the prime minister. Up to 40 bits, there are no restrictions on the use of encryption, but those supplying the software must present the authorities with a declaration, including the algorithms used. The government thus seeks to guarantee its right of access to all encrypted information flows, even those using the recognizedly weak level of 40 bits. There were reports in 1995 that a student in France had managed to break a 40-bit code created by Netscape in just eight days. Schur, who advises foreign companies on the framework in France, said one of the concerns with the law is that it would require a policeman to be stationed beside each computer in the country in order to enforce it fully. Since that is patently impossible, he went on, there is a risk of massive non-compliance or selective enforcement, with local companies accusing more muscular foreign competitors of infringement to disturb their operations and gain a momentary advantage over them.
