9 October 1997 Source: The New York Times, October 9, 1997, p. D4 Europeans Reject U.S. Plan On Electronic Cryptography Threats to Privacy and Commerce Are Cited By Edmund L. Andrews Frankfurt, Oct. 8 -- The European Commission has rejected proposals by the United States aimed at insuring that police agencies can crack coded messages over telephone and computer networks. In a lengthy report released today, the European Commission said the American approach could threaten privacy and stifle the growth of electronic commerce and that it might simply be ineffective. The report appears to all but doom efforts by the Clinton Administration and the Federal Bureau of Investigation to establish a global system in which people who use cryptography would have to deposit a "key" for unlocking their codes with an independent outside organization. As envisioned, the police or intelligence agents would be able to use this key once they got court approval to carry out a wiretap. The plan has been vigorously opposed by the computer industry, which fears that it would jeopardize sales to foreign customers. Because of the Internet's borderless nature, American officials have long acknowledged that their plan is workable only if most other countries adopt similar systems. If not, people could simply route their communications through countries with no restrictions. The White House had already run into heavy opposition from civil rights groups, the computer industry and Congressional Republicans. And earlier this year, the United States failed to muster any support for its plan from the Organization for Economic Cooperation and Development, a consortium backed by more than 40 countries. But the European Commission's blunt opposition, reported today in The Wall Street Journal, went considerably further, raising a slew of objections to "key recovery" and "key escrow," systems. Among them were these: + Hackers could find new ways to breach security." Inevitably, any key access scheme introduces additional ways to break into a cryptographic system," the report said. + The systems could weaken European data-privacy laws. "Any regulation hindering the use of encryption products," the report said, "hinders the secure and free flow of personal information." + Even with a "key escrow" or "key recovery" system, criminals cannot be entirely prevented from using strong encryption. More broadly, the European Commission said, any kind of key-based system could jeopardize the rise of electronic commerce. "If citizens and companies have to fear that their communication and transactions are monitored with the help of key access or similar schemes," the report said, "they may prefer remaining in the anonymous off-line world." American officials did not disguise their disappointment, and challenged the Europeans to come up with better alternatives. "I am a little surprised," said William Reinsch, Deputy Secretary of Commerce in charge of export administration. "My question to the European Commission is, where do they think the market is going? Our sense is that corporations engaged in electronic commerce want key recovery in some form, because they want to recover their own records and to monitor their own employees." Beyond high-minded policy issues, European officials quietly acknowledge that they have political and economic concerns. For one thing, several countries do not like the idea of deferring to an American system that might allow American companies to dominate the next generation of security products. The German Government, meanwhile, is worried that American authorities might have improper access to data on German users -- possibly violating Germany's tough new laws on data protection. But the European Union is far from united. Britain has generally sided with the United States in supporting an international system for regulating data encryption. Indeed, the European Commission remained vague about what alternatives to the American system it might actually favor, nor does the report attempt to block member countries from setting up key-based systems if they want to. American computer and software companies greeted the European policy declaration as a victory. "Even the hard-line Governments, the U.S. and the United Kingdom, have said that any cryptography restrictions have to be internationally coordinated because otherwise you can just download material from another country," said Chris Kuner, a lawyer in Frankfurt who represents Netscape Communications and other networking companies in Europe. "This shows that Europe does not agree with the idea of mandatory key recovery. This idea that is the only possible regulatory framework for the world has been clearly rejected."