May 19, 1998


by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—A ground-breaking statement on electronic signatures (which will be in some ways the future road markers of the Internet) appeared from the European Commission on May 13. Few noted the appearance of this proposal for “a common framework for electronic signatures.” But it’s worth examining for its a strong stance on critical issues of our day, such as government regulation and the use of computer encryption.

Indeed, in evaluating the European Commission’s 18-page communication one revisits all the big questions of Internet policy. How much should governments intervene in technology and its applications? Should public services on the Internet be centralized or thrown open to all comers? How do we protect users’ privacy? The May 13 communication operates from a sensible starting position on all these complex questions.

Even without the larger policy issues and the question of encryption, electronic signatures form a lynch-pin of the promises offered by the information highway. Just think of all the occasions when we depend on verifying the source of information: when we get a contract from a business partner, when a doctor receives patient records from a colleague, when a political party issues its public statements or a union its calls for labor action.

In daily life we depend on context and the physical attributes of a document to ensure that it’s real. In order to move our everyday communication as well as commerce to digital networks, we need to verify sources through electronic signatures.

But support for electronic signatures requires a more controversial policy: the widespread availability of strong computer encryption to protect private communications. This is because current technology (public-key encryption) uses exactly the same keys for both signatures and data hiding.

The EC communication takes the strongest stand on encryption yet seen from an international government body. It states that organizations responsible for digital signatures should not “store or copy private cryptographic signature keys of the person to whom the certification service provider offered key management services unless that person explicitly asks for it.”

So a user can keep a private key on a diskette in a drawer and rest assured that the signature cannot be forged, so long as nobody breaks into the desk. Even more important, the user can let the key double as an decryption key—and people can send the user mail that nobody else can read.

This scares law enforcement organizations in many countries, not least of them the United States. Many governments would like to restrict the use of encryption. The battle has continued for some five years in the U.S., revolving continually around an attempt to make people store their private keys in huge central facilities (key escrow or key recovery) so that the government can crack secret communications.

The most recent outcropping in the American battle came fairly auspiciously last week in a bill called E-PRIVACY introduced by Senators Ashcroft and Leahy. Among its positive aspects, it reduces restrictions on export to a trivial (though somewhat mysterious) “technical review.” It also strictly limits government access to mobile phones and place privacy safeguards on cooperation with foreign governments.

Ashcroft and Leahy toss a few consolation prizes to the surveillance community, but these may be the politically necessary concessions upon which freedom of encryption is conditioned. Such concessions include the above-mentioned technical review, a clause imposing penalties for using encryption during the commission of a crime, and the creation of a center to research code-breaking technologies.

Between the EC proposal and the E-PRIVACY bill, one would have good reason to be optimistic that the world’s citizens will have access to encryption. But I’ve seen too many duplicitous announcements from governing bodies over the years, too many vaguely-worded statements that take away what they profess to give, too many nimble feints followed by deadly thrusts of the sword.

One favorite trick of the Clinton Administration, mimicked recently by the British Department of Trade and Industry, is to claim that they do not wish to outlaw people’s right to use any kind of encryption desired. Yet they propose requirements for using encryption when people deal with government and government-funded institutions, expecting that the resulting encryption systems will seep out into general public use because few would bother maintaining two types of encryption software. The E-PRIVACY bill would protect the public from this kind of surveillance coup by requiring government systems to interoperate with others.

Those of us driven to what one psychologist called “the paranoid position” by the machinations of control-hungry regimes take pause when we read in Article 3 of the EC communication, “Member States may make the use of electronic signatures in public sector subject to additional requirements.”

But the EC communication in general is an occasion for rejoicing. It repeatedly affirms people’s right to use any kind of electronic signature without controls. And even when granting member states the right to regulate signatures, the communication requires criteria to be “objective, transparent, non-discriminatory and proportional.” It would be hard for a government to require access to private keys using the claim that it adheres to the EC proposal.p

In its balance between private rights and public needs, the EC communication shows wonderful sophistication. It permits a rich flowering of competing systems—making use of the free market at its best.

But it also recognizes the role of governments. After all, if you plan to bring a digitally-signed file into a court and enforce a contract, you have to be sure the court will recognize the string of bits as a legal signature. So at the very least, governments must legitimize these signatures.

For citizens to depend on such signatures, governments must go further and set up standards for quality. Nobody will trust a signature from Joe’s Certificate Authority, anymore than they’d accept a bank check from the hobo hanging out on the street corner. The EC communication describes the type of assurances that certificate authorities must offer to be trustworthy.

In short, the EC communication is a model for striking a balance between commercial initiative and positive government regulation. As such, the report should be on the desk of anyone trying to sort through the confusing pronouncements of “hands-off government” and “international coordination” being circulated these days in regard to a wide range of issues: privacy protection, copyright enforcement, taxation, control over pornography, domain name registration, and everything else that can happen online.

To top off the EC’s achievement, they see to it that digital signature policy preserves the strict guarantees of individual privacy promised by several European governing bodies.

If the spirit of the EC communication is followed by member nations, we’ll be able to move forward to a digital economy and a wired generation with confidence; our privacy will also be enhanced through strong encryption. It is up to Europeans citizens to make sure their freedom isn’t ravaged by the introduction of any Trojan Horse requiring government access to keys. And Americans should urge our government to fall into line.

Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles