cr> ACLU press conference; Paris Encryption Summit


Richard Moore

From: "Craig A. Johnson" <•••@••.•••>
To: Cyber.Rights.Co-Leaders
Date:          Wed, 7 Feb 1996
Subject:       Press Conference and lost encryption file


Does one of you guys have that encryption thing from that ex-NSA spook,
Stewart Baker, that I was going to post, but never got around to it?

I think we should post it.  [Done, below -- rkm]

The ACLU press release with information and bios of all the
plaintiffs will be on their Web site.  I don't yet have an online
version of their press release, or I would have posted it.

BTW, the press conference went well, I said my two bits' worth, but I
don't think any of the networks that were there ran my clip.

You can see me on CNN on a segment in Bobbie Battista's show on telecom
and the Internet, standing next to the ACLU guy who is talking.  It's
about a two-minute clip and very easy to miss.

CNBC, CNN, ABC, Fox, CNBC, and PBS were all there, but I think most
of the other news eclipsed us.

Anyway, it was an interesting experience, and I think we all
complimented one another.  The ACLU guys were happy about it.

Now, let's see what the fallout is tomorrow, when the ACLU and Joe
Shea both file complaints.

Thanks for posting the CPSR press release, Richard.


From: "Craig A. Johnson" <•••@••.•••>
Date:          Sun, 4 Feb 1996
Subject:       (Fwd) IP: Stewart Baker's Summary of the Paris Encryption Summ

Interesting in that it shows that the U.S. seems to be winning in
its effort to ram key escrow down everyone else's throats.


------- Forwarded Message Follows -------
Date:          Sat, 03 Feb 1996
From:          Dave Farber <•••@••.•••>
Subject:       IP: Stewart Baker's Summary of the Paris Encryption Summit
To:            •••@••.••• (interesting-people mailing list)

Date: Sat, 03 Feb 96
From: "Stewart Baker" <•••@••.•••>
To: •••@••.•••



     Stewart A. Baker
     Steptoe & Johnson
     Washington, DC

     The OECD's ad hoc meeting of experts on cryptography was the
     brainchild of U.S.  policymakers.  Export controls on encryption
     have increasingly been attacked as unworkable by U.S. software
     and hardware producers, who see a major market for security on
     the global information infrastructure.  This need, they argue,
     will be met by foreign producers if U.S. export controls are kept
     in place.  Many companies in the software business have also
     attacked the latest Administration proposal allowing the export
     of strong encryption only if it incorporates some form of key
     escrow.  These companies question the international demand for
     key escrow.

     The likely U.S. purpose in calling for the OECD meeting was to
     show that other nations are or soon will be inclined to favor key
     escrow in order to avoid the problems that criminal use of
     encryption will pose.  From the U.S. point of view, the meeting
     was an opportunity to raise the consciousness of other
     governments about the problem of uncontrolled encryption while at
     the same time demonstrating to U.S. industry that defeating U.S.
     export controls would not open the door to a vast market for
     unescrowed encryption but would instead spark new and perhaps
     inconsistent local regulation of encryption.

     If that was the purpose of the meeting, it was a qualified
     success.  It was not a complete success, because several
     governments expressed grave doubts about the U.S. effort to
     control encryption technology.  Most prominent among the doubters
     were the Scandinavian countries.  Japan also showed little
     interest in controlling encryption;  it seemed more concerned
     about catching up in this former defense technology now that its
     commercial possibilities were growing.

     Other governments, in contrast, were supportive of some kind of
     escrow, though they disliked that term and preferred to speak of
     "trusted third party" approaches to key storage and recovery.
     The European Union, the United Kingdom, and France clearly favor
     the development of trusted third party encryption systems.  Other
     countries also said favorable things about trusted third parties.
     But that term is deliberately ambiguous.  It mixes together a
     wide variety of "trust" services for users of computer networks.
     Some services, such as maintaining a register of digital
     signatures or providing digital timestamps, do indeed require
     trust but are quite uncontroversial.  At its most minimalist,
     support for "trusted third party" encryption might simply mean
     that governments will set standards that allow companies
     performing uncontroversial "trust" services to also perform
     private key escrow when asked to do so by users of encryption
     systems.  Such an approach is unlikely to make escrowed
     encryption the dominant form of secure computer network

     But at least some European governments plainly mean to do
     more than that under the heading of trusted third party
     encryption.  Both Italy and the Netherlands have recently
     considered legislation to regulate encryption directly in
     the fashion of the French.  The UK is also disinclined to
     see the spread of uncontrolled encryption within its
     borders.  While these governments now seem unlikely to adopt
     French-style encryption regimes, they are clearly intrigued at
     the thought that, with government's thumb on the scale, European
     telecom and computer companies might be willing to adopt trusted
     third party encryption even without a direct government mandate.

     The good news for U.S. policymakers is that many European
     governments are clearly interested in doing something to
     encourage key escrow encryption, and Australia and Canada
     are likely to follow if a consensus in favor of key escrow
     emerges.  This proposal for international consensus is bound to
     cause some of the most vocally anti-escrow U.S. companies at
     least a moment of self-doubt.

     The bad news for U.S. policymakers is that there is little
     appetite in Europe (let alone Japan) for direct regulation
     of the encryption market (even the French are showing more
     flexibility in enforcing their law).  And some European
     governments' commitment to trusted third party encryption
     may not go beyond saying nice things about it while waiting to
     see what the market does.

     For a variety of reasons, the OECD is likely to be drawn
     into the process of making international encryption policy.  The
     U.S. was generally pleased with the warmth -- if not the
     ambiguity -- of the international praise for trusted third party
     encryption, and it hopes to build a stronger international
     consensus for such encryption.  Industry, particularly U.S.
     industry, would rather see policy made in the OECD than in a
     (presumptively more protectionist) European forum.  And the other
     OECD nations see that forum as a good place to moderate
     unilateral U.S. policies, such as the current requirement that
     keys be escrowed in the United States.  Thus all of the
     participants have something to gain from continuing the dialogue
     in the OECD.


     A more detailed description of the conference will be posted
     shortly to my law firm's web page.  To see if it's up, go to
     "" and look under "Law and
     the Net"


 Posted by Richard K. Moore (•••@••.•••) Wexford, Ireland
 Materials may be reposted in their entirety for non-commercial use.