From: Stefek Zaba
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Unpleasant EU Move
Date: Fri, 13 Mar 1998 19:41:19 +0000
Message-ID: <4829.889818079@hplb>

Further to Ross' and David Hendon's digging - I too have dug a little, and found that the scope of this Directive does indeed cover a *very* *great* *deal* more than just conditional-access TV.

The body of the draft describes, at Definitions (Amendment 7, p.6) the scope as including "Information Society Services within the meaning of Article 1 2 of Council Directive 83/189/EEC, as amended". [Incidentally, the EU appears to be in the frame for a document numbering problem in about 60? years' time, since it uses 2-digit yearnums for its document-id scheme :-)]. Searching the europa.eu.int website reveals the relevant definition of "Information Society Services" to apparently be:

all existing or new types of services that will be provided at a distance, by electronic means and on the individualised request of a service receiver. This definition of "service" would cover, for example, on-line professional services (e.g. solicitors, estate agents, stockbrokers, insurance, health care, travel agents), interactive entertainment (e.g. video on demand, on-line video-games, virtual visits to museums), on-line information (e.g. electronic libraries and newspapers, financial information), virtual shopping malls and distance learning services.

Reference: http://europa.eu.int/comm/dg15/en/media/infso/1054.htm - I haven't found the "directive on a transparency mechanism for Information Society services" itself, however.

The definition goes on to say that broadcast services are *not* covered under the meaning of "Information Society services" - those are, however, covered by this Directive since p.6 shows the categories to be ORed. It goes on further to say that on-line financial services are covered too, though the specific matter the "transparency mechanism" Directive covers does not apply in the same way to these.

Given the breadth of this definition, I don't see Ross's position as misplaced at all. It means that *any* discussion, probing, demonstrations of insecurity, etc., of the security measures for any "information society services" - basically any targeted-to-the-individual on-line transaction - would be outlawed.

That's a really good way to ensure the fielded strength of security mechanisms. The experience of decades in fielding systems has shown that open review is profoundly bad for increasing effective system security, and that documentation of failures leads merely to criminal exploitation but does not advance the state of the art.

I'm writing to my MEP this weekend - as if I didn't have a *life* to live! I'll make sure he knows the UK DTI is *not* supporting this particular amendment. (David - thanks for your postings to this list on this issue. Is "not supporting" an accurate and as-strong-as-is-consistent-with-reality reflection of DTI opinion, or can the DTI position be reasonably said to be one of active opposition?)

Cheers, Stefek