http://europa.eu.int/rapid/cgi/rapcgi.ksh?p_action.gettxt=gt&doc=IP/97/862|0|RAPID&lg=EN

European Commission adopts policy framework for more security on the Internet

DN: IP/97/862 Date: 1997-10-08

ip/97/862 Brussels, 8th October 1997

Open networks such as the Internet are increasingly being used as a platform for communication. Open and accessible, they allow rapid and efficient world-wide exchanges at low cost. However, such developments are hampered by the well-known insecurities of open networks: messages can be intercepted and manipulated, and the validity of documents can be denied. Cryptographic technologies can resolve this problem. They are the essential tool for security and trust in electronic communication. Two important applications of cryptography are digital signatures and encryption.

Several Member States of the EU have announced their intention to introduce specific regulation on cryptography, and some have already done so. But divergent legal and technical approaches would constitute a serious obstacle to the Internal Market and would hinder the development of new economic activities linked to electronic commerce.

The main goals of this Communication are to develop a policy framework, in particular with a view to ensuring the functioning of the Internal Market for cryptographic products and services, establishing a European framework for digital signatures and stimulating a European industry for cryptographic services and products. The Communication announces the Commission's intention to propose legislation on the basis of this Communication in the first half of 1998.

Digital signature

How does the digital signature work?
Two complementary software keys are generated and assigned to a user. One of them, the signature key, is kept private (the private key), whereas the other, the signature verification key, is published (the public key). It is of course crucial that the private key cannot be computed from the public key. With the help of the sender's public key, the recipient can find out whether or not the signed data has been altered and check that the signature was produced with the private key complementary to that public key.

But how does, for instance, the recipient of a message know that the sender is really the one he claims to be? Anyone can publish a public key under another name. The recipient may therefore wish to obtain more reliable information on the identity of the key owner. One way is to have it confirmed by a third party. In the context of digital signatures these third parties are most commonly so-called certification authorities (CAs).

Greater use of digital signatures requires adjustments and changes in many regulatory areas. In the current situation, the most important legal problems result from different national rules and regulations (or the lack of them), in particular the absence of common requirements for CAs, of technical and operational requirements to be met by certain categories of digital signature products, of liability rules and of legal recognition of digital signatures. The legal concepts behind signatures, and the requirements on form and procedure, differ between the Member States' jurisdictions. Given the inherently cross-border nature of digital signatures, these different national regulatory approaches, and the potential lack of mutual recognition of each other's regulatory requirements, easily lead to a fragmentation of the Internal Market for electronic commerce and on-line services throughout the Union.

Confidential electronic communication: Encryption

Encryption technologies are increasingly integrated into commercial systems and applications.
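As an added worked example, not part of the Commission's text, the digital signature mechanism set out in the previous section ("How does the digital signature work?") in Go, using only the standard library's Ed25519 signatures: a key pair is generated, the private (signature) key signs a message, and the recipient verifies it with the public (signature verification) key. The second half of that section, the question of who a public key really belongs to, is illustrated with a hypothetical minimal certificate: the CA signs a binding of a name to a public key, and the recipient checks that binding against the CA's own public key before trusting the key. The Certificate type, the Issue, Sign and VerifySigned functions, the names and the message contents are all assumptions constructed for this illustration (the certificate is a stand-in, not X.509). The scenario also covers the failure the text warns about: an impostor who publishes his own key under the sender's name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Certificate is a hypothetical minimal certificate (an illustration, not X.509):
// the CA's signed statement that PublicKey is the signature-verification key of Subject.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte // CA's signature over tbs(Subject, PublicKey)
}

// tbs serialises exactly the fields the CA signs. The length prefix on the
// subject keeps different (subject, key) pairs from producing the same bytes.
func tbs(subject string, pub ed25519.PublicKey) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(subject)))
	out := append(n[:], subject...)
	return append(out, pub...)
}

// Issue is the CA vouching for the binding. A real CA would first verify the
// applicant's identity out of band; that verification is what the certificate attests.
func Issue(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PublicKey: pub, CASig: ed25519.Sign(caPriv, tbs(subject, pub))}
}

// Sign is the sender's step: the signature depends on the private key and on every bit of msg.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySigned is the recipient's step. It checks the certificate before it
// trusts the key it carries, and only then checks the signature under that key.
func VerifySigned(caPub ed25519.PublicKey, claimedSender string, cert Certificate, msg, sig []byte) error {
	if cert.Subject != claimedSender {
		return errors.New("certificate is for a different subject")
	}
	if !ed25519.Verify(caPub, tbs(cert.Subject, cert.PublicKey), cert.CASig) {
		return errors.New("certificate was not issued by the trusted CA")
	}
	if !ed25519.Verify(cert.PublicKey, msg, sig) {
		return errors.New("signature does not verify: message altered or signed with another key")
	}
	return nil
}

// mustKey generates a fresh (public, private) key pair.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario runs three cases and returns the recipient's verdict for each:
// a genuine signed message, the same message altered in transit, and an
// impostor who publishes his own key under the sender's name.
func Scenario() (genuine, altered, impostor error) {
	caPub, caPriv := mustKey()
	alicePub, alicePriv := mustKey()
	aliceCert := Issue(caPriv, "alice@example.org", alicePub) // CA has checked Alice's identity (assumed)

	msg := []byte("Pay 100 ECU to account 42") // constructed sample message
	sig := Sign(alicePriv, msg)
	genuine = VerifySigned(caPub, "alice@example.org", aliceCert, msg, sig)

	tampered := []byte("Pay 900 ECU to account 42") // one digit changed after signing
	altered = VerifySigned(caPub, "alice@example.org", aliceCert, tampered, sig)

	malPub, malPriv := mustKey()
	fakeCert := Issue(malPriv, "alice@example.org", malPub) // self-issued under Alice's name, no CA involved
	impostor = VerifySigned(caPub, "alice@example.org", fakeCert, msg, Sign(malPriv, msg))
	return genuine, altered, impostor
}

func main() {
	g, a, i := Scenario()
	fmt.Println("genuine message:", g)
	fmt.Println("altered message:", a)
	fmt.Println("impostor's key: ", i)
}
```

Run with go run. The first case verifies, the second fails because a single changed digit invalidates the signature, and the third fails at the certificate check: the impostor's signature is mathematically valid under his own key, but no trusted CA has bound that key to the claimed name, which is exactly the gap the third-party confirmation closes.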
The integration of complete cipher machines on smart cards is a reality. No fewer than 1,400 encryption computer products exist world-wide. More than 400 companies from the US and about 440 companies outside the US, many of them in Europe, now offer encryption products. Electronic commerce and many other applications of the information society will only expand and unfold their economic and social benefits if confidentiality can be assured in a user-friendly and cost-efficient way. But law enforcement authorities and national agencies are concerned that widespread use of encrypted communication will diminish their capability to fight crime or prevent criminal and terrorist activities. Proposals for regulation of encryption have generated considerable controversy.

The Communication expresses two major concerns about encryption regulation:

1. Encryption is often the only effective and efficient way of protecting the confidentiality of communications. Regulations could limit the use of encryption. In addition, divergences between regulatory schemes could result in obstacles to the functioning of the Internal Market, in particular to the free circulation of encryption products and services, and to the protection of personal data. A fragmented market would reduce the opportunities for growth, constrain job creation and lower the level of competitiveness.

2. Furthermore, regulation of encryption would probably not be very effective, because nobody can be totally prevented from encrypting data. Firstly, access to encryption software is relatively easy, for instance by simply downloading it from the Internet. Secondly, it is difficult to prove that a specific person has sent an unauthorised encrypted message. Thirdly, a message can also be hidden in other data (e.g. images) in such a way that even the existence of a secret message, and thus the use of encryption, cannot be detected (steganography).
Widespread availability of encryption can also prevent crime. Already today, the damage caused by electronic crime is estimated in the order of billions of Ecus (industrial espionage, credit card fraud, toll fraud on cellular telephones, piracy of pay-TV encryption). There are therefore considerable economic and legal benefits associated with encryption. As a result, restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks, while not entirely preventing criminals from using these technologies.

Policy actions at Community level

Given this situation, the Commission proposes in its Communication the following strategy:

- A Community framework for digital signatures should be introduced. Detailed regulations for digital signatures are already under preparation in some Member States. Whilst the development of a clear framework is welcome, the very divergent legal and technical approaches which have already appeared, and the absence of any legal environment in other Member States, might constitute a serious barrier to doing business and communicating throughout the European Union. A common framework at Community level is therefore urgently needed. The Commission intends to propose legislation on the basis of this Communication in the first half of 1998.

- Common European certification requirements for CAs are crucial. By establishing common criteria for the activities of CAs, the Community could put in place a framework under which certificates issued by a CA in one Member State are recognised in all other Member States.

- National legal systems may need to be adapted to ensure that they offer the same recognition and treatment to digital signatures as to conventional signatures.

- Electronic communication is not limited to the European Union. Therefore a framework must be developed at international level once a Community position has been established. The Commission will continue and initiate dialogue at international level.

- If national restrictions in the area of encryption are put in place, they have to be compatible with Community law. The Commission will therefore examine whether national restrictions are justified and whether they respect the principle of proportionality. Potential impacts on trade and competitiveness will also be important considerations.

- The Dual-Use Regulation should be adapted in view of the requirements of the cryptographic products market. It could be improved by progressively dismantling intra-Community controls on commercial encryption products.

- Instead of introducing or maintaining restrictions that are ineffective yet cumbersome, the Commission invites and supports Member States to enhance co-operation of police forces at European and international level.

- International agreements may be necessary between the Community and other countries once a harmonised system has been put in place.

- Interoperability between different encryption and digital signature applications is absolutely necessary. The Commission encourages industry and international standards organisations to develop technical and infrastructure standards.

- The Commission is ready to support the development of cryptographic services by proposing a programme and developing overall strategies for the security of electronic communication.

- The Commission will launch new projects within the 5th Research and Development Framework Programme (1998-2002). Its proposal for the 5th Framework Programme foresees a key action on electronic commerce. Special importance will be attached to testing techniques aimed at interoperability, enhancing privacy, stimulating best practice and encouraging wide-scale deployment.

- The Commission will create, by the end of 1997, a European Internet Forum as a means to inform and exchange information.

- The Commission intends to organise, at the beginning of 1998, a hearing on the topic "digital signature and encryption". The aim is to consult governments, industry and consumers on which measures they feel the Community should take into consideration.