Digital Signatures And Encryption in The European Union

Tik-109.300 Telecommunications Architectures
22 November 1998
Department of Computer Science and Engineering
Helsinki University of Technology
Kiril Kesarev <kkesarev@cc.hut.fi>
 

Abstract:

The aim of this essay is to describe the policies on digital signatures and encryption in the context of the European Union. A directive on the use and the legal status of digital (electronic) signatures is being proposed, but it seems that it is insufficient as it is non technical and does not solve all the problems of using digital signatures. However, it is believed that a pan European digital signature standard will become reality by year 2000-2002 and that this standard will use smart-card technology. Policies on the use of encryption differ between member states: the use of encryption in France requires authorization whereas it may be freely used in Finland. Many member states believe that the use of encryption within the EU should be allowed, but that necessary measures should be taken to allow authorities to decipher encrypted information.
 

Contents:

1. Introduction
2. Digital Signatures
    2.1 Draft EU directive on Digital Signatures
    2.2 Problems with Digital Signatures
    2.3 Solutions
3. Encryption
    3.1 Policies on Encryption
        3.1.1 Restrictive approach
        3.1.2 Laissez-faire approach
    3.2 Some opinions of the Union
4. Future directions in digital signature and encryption policies
Appendix: Restrictions in the EU
References
Further Information

1. Introduction

Cryptography has belonged to the domain of the military and intelligence agencies of nations. Its importance in private and commercial use has only been an issue for a few decades. With the advent of world-wide computer networks such as the internet, the importance of protecting information is being emphasized. This essay depicts the problems and solutions digital signatures and encryption in the European Union.

2. Digital Signatures

The purpose of a digital signature is to enable arrangements similar to hand-written signatures in unsecured data networks. Digital signatures apply cryptographic techniques to guarantee that a signature cannot be forged. This is necessary since information stored on a digital medium can be copied exactly which means that the information contained in the copy does not differ from its original in any way. Like hand-written signatures, a digital signature could be used in agreements and other legal acts to prove to a third-party that something has been agreed upon.

2.1 Draft EU directive on Digital Signatures

Although the prevailing principle in contractual legislation is contractual freedom (that agreements do not have to comply with some formality), there are instances when legislation is demanded to secure the rights of the parties. For example, deals on real estate have to be in written form to be valid. The EU has decided that digital signatures belong to the category of ways to agree which needs to be regulated. A reason for this is probably that the technology is new and that it will have a great importance in the future. The following are the main principles of the proposed (draft) EU directive [7]:
  1. The directive speaks about "electronic signatures" instead of digital signatures. The aim is that the directive can be applied to all types of signatures which can be considered "electronic".
  2. The aim is to give a predictable level of legal security for parties using electronic signatures.
  3. Contractual freedom is respected. The directive does not replace any customs already present on the market.
  4. Legal recognition of electronic signatures and certification authorities across borders.
  5. International activities and discussions, UN, WTO, and OECD activities [15, 16], should be taken into considerations when designing the European framework.
  6. Certification authorities, both on the national and on the European level, may be used as keys certification authorities.
  7. Article 5.1 - A member state may not deny the legal effect of an electronic signature on the grounds that the signature is in electronic form, or is not based on a qualified certificate, or is based on a certificate from a certification service provider not fulfilling the requirements of the directive.
  8. Article 5.2 - A member state shall grant the same status to electronic signatures as to hand-written signatures if it is based on a certificate from a qualified certification service provider which fulfills the requirements of the directive.
  9. The requirements for certification service providers are: reliability, promptness, ability to verify identities of persons to whom certificates are issued, personnel with the necessary skills, trustworthy systems, ability to take measures against forgery, sufficient financial resources, secure key storage, etc.

2.2 Problems with Digital Signatures

1. There is no way to tell the difference between an authentic and a forged digital signature. Most digital signature schemes are built around asymmetric ciphers, so-called public key ciphers. These ciphers are believed to be strong which means that it is infeasible to break it by today's technology and by the new technology of the foreseeable future. However, people are often the weakest link in any technology. The security of all public-key ciphers relies on that the holder of a private-key (used for creating a digital signature) is legitimate and sole holder of that key. If that key is stolen by or otherwise lost to another person, that person may use the key to forge signatures of its legitimate holder. These signatures will be indistinguishable from authentic signatures from an outsider's point of view.
2. The person who has signed digitally may claim that the signature is forged to avoid the obligations caused by the signature. In general, if someone claims that a hand-written signature is genuine and authentic, then he or she has to prove that this is the case. If a party in an agreement claims that his or her signature has been forged, the other party has to show evidence that the signature is genuine and that it has been signed by the party. In digital signatures, this scheme does not work. Although it is possible to show that the signature has been created with some private key, it is almost impossible to show that the private key was solely in the possession of its legitimate holder.
3. Digital signatures relate to all rights and obligations of a person, not individual rights and obligations. The traditional view is that digital signatures are an electronic version of the hand-written signature. Therefor, the common trend is that a person should possess one private key which he or she uses for all his electronic transactions. Another view would not relate signatures to individual persons, but to rights and obligations of individuals. This would enhance the privacy of the individual as he or she is not identified by name. Instead, digital certificates will be used and that the possession of such certificates is evidence of some right or obligation.
4. The proposed EU directive does not solve the real problems of digital signatures. The proposed directive is intended as a framework and is technology neutral. Germany has criticized the proposal of being too broad and incomplete for implementing national digital signature legislation complying to the directive [10, 11].

2.3 Solutions

1. Secure storage of private keys. Digital signature technology is very complex and it is a bad idea to let an average person be responsible for secure storage of private keys. One solution to secure key storage is smart-card technology which stores the keys and is capable of signing digitally. These keys are not accessible to the outside world, even to its legitimate user. [3]
2. An active trusted third-party. Every deal or transaction is also signed by a trusted third-party which can verify that the two parties are what they claim to be. Trusted third-party schemes are also useful in the case when private keys are stolen or lost. However, the use of a trusted third-party also creates privacy problems as it may register every transaction and build an accurate picture of a person's life.
3. Change the direction of the regulations. The current trend in regulating digital signatures is that the signature belongs to a person. Another possibility is to view the signature only as a carrier of rights and obligations. Here, a person would have a portfolio of private keys which he uses when dealing with various parties.
4. Ad hoc determination of what technology is secure for digital signatures. Regulations and legislation change slowly compared to advances in technology. Therefor, regulations should not refer to any specific cryptographic or other method as the standard for conducting business electronically.

3. Encryption

Encryption is used to protect against eavesdropping when data is transferred through insecure networks. Most members countries have legislation enabling the authorities to conduct wiretapping of telephone lines. Some countries like the Netherlands have plans that extends even further. According to legislative projects, internet service providers will be obligated to build their systems in a way which facilitates wiretapping by the authorities [14].

3.1 Policies on Encryption

3.1.1 Restrictive approach

1. The most common restrictions on cryptography are the export restrictions. All member states of the European Union have at least some level of control on the export of cryptographic hardware and software. The Wassenaar Arrangement, the successor of the COCOM treaty, is the essential source of restrictions on export of cryptography for military purposes. The aim of the agreement is to restrict export and transfer of military technology to states that are hostile against western countries. All current EU member states are participating in the Wassenaar Arrangement. The implementation of these export controls varies between countries.
2. Prohibiting the use of encryption. France is the only country in the Union where the use of encryption in communication is prohibited without authorization by the government. In case of authorization, the encryption keys must be made available to the authorities. The French restrictions on cryptography only concern encrypted communications. Other uses such as digital signatures and authentication are allowed without any obligation to report their use to the authorities [13].
3. Key-escrow. To allow legal interception of encrypted communications, many countries had plans to implement key-escrow schemes. The aim of a key-escrow scheme is to store encryption keys in a place where authorities may retrieve them and use them for wiretapping. No country has implemented a key-escrow system [4].

3.1.2 Laissez-faire approach

1. Export restrictions are difficult to enforce if the encryption product is software. Encryption software is easy to transfer through the internet without detection by the authorities. Therefor, many countries such as Finland, Ireland, Spain, etc. do not rigorously enforce export restrictions for cryptographic software.
2. Prohibiting the use of encryption is impossible. The use of encryption can be undetectable to any authority if used correctly. Therefor, it seems to be impossible to enforce any ban on the use of encryption. Furthermore, the possession of a piece of encryption software does not morally constitute a crime for which a punishment should be given. The majority of member states apply a laissez-faire approach to the use of encryption because it is very difficult to control. However, law enforcement authorities are looking for ways to control the use of encryption where it disrupts their work.
3. If key-escrow is implemented, those who still want to communicate in privacy (drug dealers, terrorists, etc.) will use non-escrowed encryption. It seems impossible to enforce a key-escrow scheme. Any person could simply refuse to turn in his or her encryption keys to the key-escrow authority. Furthermore, a key-escrow system would make the society look totalitarian [1]. Many EU countries had plans to implement a key-escrow system, but they have abolished them because they appeared to be impossible to implement and enforce.

3.2 Some opinions of the Union

1. Export restrictions. The EU considers that export of cryptography for military use should be controlled by individual member states. This export control is deemed beyond the scope of EU legislation. However, the EU want to be the only entity which regulates the export of cryptography for private and commercial use. Secondly, the aim is to abolish any import and export restrictions on cryptography for civil use between member states [2, 6].
2. The EU has examined the idea of implementing key-escrow schemes, but it has come to the conclusion that it would not prevent criminals from using strong non-escrowed encryption. Furthermore, key-escrow systems would be difficult to implement and very expensive to maintain and involve security risks [6].
3. The intellectual property rights of satellite and cable TV broadcasters need more protection than the protection given by encryption techniques. This protection would involve the prohibition of publishing technical data on how encrypted TV transmissions work. However, there has been concerns that this may restrict legitimate scientific research in the field of cryptography [9].

4. Future directions in digital signature and encryption policies

The EU commission estimates that a common regulations and policy on digital signatures and encryption will be achieved in 2000-2002. It is likely that a common pan European standard for digital signatures will be achieved because all member states believe that it will enhance Europe's competitiveness on the World market. This standard will probably use smart-card technology. The lifting of export and import restrictions on cryptography for civil use within the Union will also take place. However, plans for building a key-escrow system are likely to fail. The practical, technical, and privacy problems will be too great to overcome. European developers of cryptographic software have a competitive advantage over US developers due to strict US export restrictions. This advantage is likely to remain in the forthcoming years.

Appendix: Restriction in the EU

The following table contains concise information on restrictions on cryptography in EU countries. The restriction level uses coloring where GREEN means that there are no or very few restrictions, YELLOW to indicate that there are some restrictions, and RED to describe that many restrictions are imposed on the use of cryptography. This table is based on CRYPTOGRAPHY and LIBERTY - an international survey on encryption policy, Global Internet Liberty Campaign, 1997 [12].
 
Country:
Restriction level:
Restrictions:
Austria
YELLOW
 1. Export restrictions. Special license is required for export. 
2. The use of encryption in radio communications is restricted. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Belgium
GREEN/YELLOW
 1. Export license is required for most countries. 
2. A law exists which requires key-escrow and telecos have the right to disconnect subscribers that use non-escrowed encryption. The law has not been enforced. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Denmark
GREEN
 1. Export restrictions are based on the Wassenaar Arrangement. 
2. No restrictions on the use of encryption. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Finland
GREEN
 1. Export restrictions are based on the Wassenaar Arrangement, EU legislation and national legislation which also restricts the export of security services such as consultation. Regulations are not rigorously enforced. 
2. No restrictions on the use of cryptography. The use is even encouraged. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
France
RED/YELLOW
 1. Strict export controls going beyond the Wassenaar Arrangement. 
2. The use of encryption requires permission and access to keys by law enforcement. Signature and authentication products are allowed without permission. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Germany
GREEN
 1. Export controls exist. 
2. No restrictions on the use of encryption. A digital signature law has been passed. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Greece
GREEN
 1. No explicit national export restrictions except those in the Wassenaar Arrangement and EU legislation. 
2. No restriction on the use of encryption. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Ireland
GREEN/YELLOW
 1. Export restrictions: the Wassenaar Arrangement. 
2. No restriction on the use of encryption. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Italy
GREEN/YELLOW
 1. Export restrictions: the Wassenaar Arrangement implemented in national legislation. 
2. No restrictions on the use of encryption. A digital signature law exists and there are plans for key-escrow. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Luxembourg
GREEN/YELLOW
 1. Export restrictions: the Wassenaar Arrangement. 
2. No restrictions on encryption. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
the Netherlands
GREEN/YELLOW
 1. Export restrictions: the Wassenaar Arrangement implemented in national legislation. 
2. No restrictions on encryption, but there were plans to pass legislation requiring a license to use strong encryption. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Portugal
GREEN/YELLOW
 1. Export restrictions: the Wassenaar Arrangement. 
2. No legislation on the use of encryption. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Spain
YELLOW
 1. Export license is required to many countries. The Wassenaar Arrangement is applied. 
2. No explicit ban on the use of encryption, but telecommunications providers are obligated to provide decrypted communications for authorities. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
Sweden
GREEN
 1. Export license is required. 
2. No restriction on the use of cryptography. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
United Kingdom
GREEN/YELLOW
 1. Export license is required. 
2. No restriction on the use of cryptography, but there are plans to implement key-escrow and trusted third-parties. 
3. The government is working towards applying OECD and EU guidelines on cryptography.
"3. The government is working towards applying OECD and EU guidelines on cryptography" means that the individual member state has adopted the non binding opinion of the Council of Europe.

References:

[1] Hal Abelson, Ross Anderson, et. al, The RISKS of Key Recovery, Key Escrow, and Trusted Third Party Encryption, 31Jul1998 [referenced: 26Sep1998] <http://www.cdt.org/crypto/risks98/>

[2] Yaman Akdeniz, UK Government Policy on Encryption, Web Journal of Current Legal Issues, 1/1997 [referenced: 26Sep1998] <http://webjcli.ncl.ac.uk/1997/issue1/akdeniz1.html>

[3] Report of Day 1 of the European Expert Hearing on Digital Signatures and Encryption (Copenhagen, April 23, 1998), 24Aug1998 [referenced: 24Sep1998] <http://www.fsk.dk/fsk/div/hearing/first.html>

[4] The Copenhagen Hearing April 23 - Report on legal issues, 23Jun1998 [referenced: 24Sep1998] <http://www.fsk.dk/fsk/div/hearing/second.html>

[5] The Copenhagen Hearing April 23 - Theme paper, 6Apr1998 [referenced: 24Sep1998] <http://www.fsk.dk/fsk/div/hearing/theme.html>

[6] EUROPEAN COMMISSION, Towards A European Framework for Digital Signatures And Encryption, COM (97) 503, 10Oct1997 [referenced: 24Sep1998] < http://www.ispo.cec.be/eif/policy/97503toc.html>

[7] EUROPEAN COMMISSION, Proposal for a EUROPEAN PARLIAMENT AND COUNCIL DIRECTIVE on a common framework for electronic signatures, COM(1998)297 final, 13May1998 [referenced: 24Sep1998] <http://www.ispo.cec.be/eif/policy/com98297.html>

[8] EUROPEAN COMMISSION, Green Paper on the Legal Protection of Encrypted Services in the Internal Market, 6Mar1996 [referenced: 24Sep1998] <http://europa.eu.int/en/record/green/gp004en.pdf>

[9] EUROPEAN COMMISSION, Proposal for a EUROPEAN PARLIAMENT AND COUNCIL DIRECTIVE on the Legal Protection of Services based on, or consisting of, Conditional Access, 9Jul1997 [referenced: 24Sep1998] <http://www.cl.cam.ac.uk/~mgk25/ca-law/COM-97-356.pdf>

[10] German Consumer Association Denounces EU Draft Digital Signature Directive - Translation and Commentary by Christopher Kuner, Esq., 14Jul1998 [referenced: 26Sep1998] <http://www.kuner.com/data/sig/verbrauc.htm>

[11] Remarks of the German Government on the EU Draft Directive concerning Electronic and Digital Signatures - Translation and Commentary by Christopher Kuner, Esq., 31Aug1998 [referenced: 26Sep1998] <http://www.kuner.com/data/sig/gov_ger_eu-draft.htm>

[12] Global Internet Liberty Campaign, CRYPTOGRAPHY AND LIBERTY - AN INTERNATIONAL SURVEY OF ENCRYPTION POLICY, 6Feb1998 [referenced: 26Sep1998] <http://www.gilc.org/crypto/crypto-survey.html>

[13] Secrétariat d'Etat à l'industrie - France, LES TELECOMMUNICATIONS EN FRANCE - CRYPTOLOGIE, 30Oct1998 [referenced: 26Sep1998] <http://www.telecom.gouv.fr/francais/activ/telecom/bfiche454.htm>
 
[14] Ministry of Transport, Public Works and Water Management - the Netherlands, Proposed Telecommunications Act, 30Jun1998 [referenced: 24Sep1998] <http://www.minvenw.nl/hdtp/wetsite/act2b.html>

[15] UNITED NATIONS COMMISSION ON INTERNATIONAL TRADE LAW, DRAFT UNIFORM RULES ON ELECTRONIC SIGNATURES, 25May1998 [referenced: 24Sep1998] <http://www.mbc.com/legis/wp-76.html>

[16] UNITED NATIONS, UNCITRAL MODEL LAW ON ELECTRONIC COMMERCE WITH GUIDE TO ENACTMENT, GENERAL ASSEMBLY RESOLUTION 51/162, 16Dec1998 [referenced: 24Sep1998] <http://www.un.or.at/uncitral/english/texts/electcom/ml-ec.htm>

Further Information

Crypto Law Survey by Bert-Jaap Koops
    An excellent source of information on regulations regarding cryptography. The page is updated regularly.

Electronic Frontier Foundation
    Home page of EFF. The purpose of EFF is raise and disburse funds for education, lobbying, and litigation in the areas relating to digital free speech.

Global Internet Liberty Campaign
    Home page the Global Internet Liberty Campaign. The purpose of this organization to promote
privacy, free speech and other liberties on the internet.

The Wassenaar Arrangement
    This is the official home page of the Wassenaar Arrangement. The site contains links to national authorities who enforce export restrictions.

Miscellaneous documents:

ISTEV, Legal and Regulatory Issues for the European Trusted Services Infrastructure - ETS, June 1997 [referenced: 26Sep1998] <ftp://ftp.cordis.lu/pub/infosec/docs/lrfets.doc>

Department of Trade and Industry - United Kingdom, SECURE ELECTRONIC COMMERCE STATEMENT, 10Jun1998 [referenced: 26Sep1998] <http://www.dti.gov.uk/CII/ana27p.html>

Department of Trade and Industry - United Kingdom, PAPER ON REGULATORY INTENT CONCERNING USE OF ENCRYPTION ON PUBLIC NETWORKS, 26Feb1997 [referenced: 26Sep1998] <http://dtiinfo1.dti.gov.uk/cii/encrypt/>

Ministry of Transport and Communications - Sweden, Digital Signatures - a technological and legal overview, 27Feb1998 [referenced: 26Sep1998] <http://www.regeringen.se/info_rosenbad/departement/kommunikation/ds98_14/ds9814e.pdf>