From: Ross Anderson
To: ukcrypto@maillist.ox.ac.uk
Subject: Unpleasant EU move on encryption
Date: Tue, 10 Mar 1998 15:49:52 +0000
Message-Id:

The EU is about to issue a wide-ranging directive to ban unauthorised decryption of commercial traffic. This is a result of lobbying by Rupert Murdoch; its stated goal was to make it illegal to sell pirate TV decoders. The overt justification was the difficulty Murdoch had in the 1980's and early 90's in closing down pirate pay-TV operators in Ireland and Germany. That problem has now been fixed but the EU machine still grinds on towards a directive.

Until very recently, the proposed directive just covered pirate decoding devices made available for sale. However, the DVB lobby wanted it toughened up still further, and they managed to get an amendment quietly put through the European parliament last month, according to which member states will have to criminalise the "... provision of information concerning activities and measures facilitating unauthorized access" (page 8, Amendment 12, c2).

The problem this poses the IT community is threefold.

(1) As the proposed directive also covers electronic shopping, member states will have to make it an offence to break 40-bit SSL keys (or even to own a copy of Bruce Schneier's SSL-breaking screensaver :-). By extending it to cover the provision of information, the amendment could result in attendees at conferences such as Eurocrypt becoming criminals. This would make it impossible to hold security conferences in Europe. It would certainly make my web page illegal (papers such as `Tamper Resistance - A Cautionary Note' and `Why Cryptosystems Fail' would be contraband). It might even become an offence for people supervising computer science here at Cambridge to help undergraduates with the solution of past exam questions.

(2) Furthermore, the amendment extends the scope of the directive from payment systems to encompass all technical means whereby access to a service is made conditional on a prior individual authorisation by the service provider. So I might be liable to prison for having made my .netscape/cookies file read-only; my mail filter might also get me into trouble. (There could be a conflict of laws here as filtering measures undertaken by European ISPs to comply with EU data protection and obscenity laws might be illegal under the amended directive.)

(3) If Murdoch gets away with all this - or even with the original, unamended, directive - then the DTI/GCHQ/NSA people can argue that 40 bit crypto is enough: `if you merely want to protect commercial transactions, strong laws are more effective than strong algorithms. People attack systems like pay-TV because the penalties are perceived to be light or non-existent; they don't attack the (much weaker) funds transfer systems used by banks as even an attempt gets you jail time.' This argument didn't cut much ice with Vladimir Levin, but there is a strong technophobic constituency in government that believes in legal fixes for everything and which will love the spooks' argument.

Anyway, the main effect of this directive will be to put a serious damper on research, development and the commercial exploitation of cryptography and systems based on it throughout the whole community (which the spooks will also like). In the process, it will hand billions of ECU worth of business to the Americans on a plate. There is resistance to it on these grounds even in the Commission (the amendment was faxed to us yesterday by an EU insider who wants to raise the alarm).

See for more details.

Ross