Global Internet Project ENCRYPTION FEASIBILITY SUMMIT TRANSCRIPT

John Gerdelman:

And welcome to the Global Internet Project's meeting on Encryption. Thank you for being here. First of all, Lord Renwick, its nice to see you this morning, House of Lords, he is also our host tonight for the reception, so one goal is to get through today to the reception that is later this evening.

Now at this summit, we have got experts from around the world on global key management infrastructure considerations and I think it is fortunate that we have so many experts here today that you will see on our panels later this morning and through this afternoon. For those of you that don't know, the Global Internet Project is a year and a half old. It was started by Dr. James Clark, Chairman of Netscape Corporation, about a year and a half ago, and it is composed of senior executives from around the world. Most of the companies represented are multinational and also international. We have got representatives from all the different parts of Europe, North America, Asia and all of us share the same goal; to promote the growth of the Internet across all the boundaries worldwide. Now, because it is such a global medium, Dr. Clark recognized that it cannot be US centric or UK centric or Asia centric. We need members from all around the globe to make sure that the growth of the Internet is sustained in the years to come. In fact, most of the companies in the Global Internet Project do have a significant stake in the Internet and, even though many of us compete against each other, it is a nice forum to bring us all together with the same goal of promoting the growth of the Internet.

Now, the vision that we have laid out with the Global Internet Project is actually spelled out in a document that we released last fall called "The Emergence of a Networked World," commerce society in the future of the Internet. If you would like to see a copy of this, we have those upstairs in the same room where you registered. But I would encourage you to take a look at this, because it does spell out the ideas and goals of the Global Internet Project. And one of the key things for developing this paper though was to continue to educate the politicians and government officials in countries around the world on the nature of the Internet, the revolutionary impact that the Internet will have on commerce and so please do take a look. Now, most of us who are part of the Global Internet Project truly believe that this continued growth will depend on the ability of companies and consumers worldwide to access the services and products on the Internet in a secure, flexible, convenient and easy-to-use manner.

To achieve that goal, we know that we are going to have to shape national policies on information security around the globe. So to help that, in 1996, we developed a set of principles on the Global Information Security Infrastructure that was presented to the Organization of Economic Cooperation and Development or the OECD. Now that was part of our efforts to create international guidelines on cryptography. As most of you know, the OECD released their guidelines, there was eight guidelines with respect to cryptography so for the Global Internet Project, we enter our second phase -- which is part of what we hope to achieve out of this summit -- which are the recommendations for governments and officials on how to implement those guidelines.

Now as I mentioned today, we are going to have three panels, but in addition to the panelists, we have got you experts here. We have developed the format so that there is plenty of time for discussion and plenty of time for questions and answers. We feel, that dialog will help us achieve our goal of the next set of recommendations to governments and officials. But all our jobs don't end at the conclusion of today's session. Our hope is that for the Global Internet Project, for you, that we can all act as ambassadors to take the message from today and that message will impact the deliberations and debates that are worldwide on the use of cryptography and things that effect the policies on information security.

The other person that I want to introduce today is Harris Miller. Harris Miller is the President of ITAA. And ITAA is the glue that has pulled together these multifaceted companies. Harris and his staff can answer any questions or help you with anything that you need for the remainder of today. So, before I introduce, John Patrick, our first speaker, let me tell you who will be on the panels for today. Bob Foster of British Telecom will speak at the conclusion of John Patrick's presentation and will moderate the Technical Perspective. Detlef Eckert, EC, DG XIII will moderate the Government and Policy Perspective which will be our second panel. And then Jeff Hilt from Visa International will look at the User Perspective or the rationale behind the use of encryption. So, to start it off, welcome again. And now John Patrick, Vice President of Internet Technology for IBM, will talk to us about the direction of the Internet.

John Patrick:

Thank you John. Good morning. Well, this is quite an experience to speak with a group of this great diversity. I am sure we have quite a bell curve here, perhaps ranging from some who maybe invented the Internet to perhaps a few who are wondering if this is really about CB radio. So I hope I can be somewhere down the middle and addressing at least one fellow traveler's view of what the Internet is all about and where it is headed. I would like to discuss this in three ways. First to talk about some forces of change that I see happening, right under our noses, at breakneck speed because of the Internet. Secondly, to review a few of the opportunities that I think this presents for the global community, and third, to talk a bit about limitations, or let's say, possible limitations. Will the Internet fall apart? Will people be afraid of security? Will it be possible to realize the dream that many of us share?

So let's start with these forces of change. They are quite profound, actually. And sometimes for those of us so close to it, they are easy to miss. What is happening here is the evolution of a new medium. And you can think of it perhaps as media in the past that evolved. Think about radio, how it evolved from AM, FM, FM/Stereo, and how television evolved from black and white to color, to color surround sound, theater sound. And much in a similar way, the Net is evolving, starting with simple file transfer, e-mail, FTP TelNet, Gopher, some of those early protocols, to the Web, a standard document format that allowed information sharing in a powerful new way, but really just the beginning of this evolution. Shortly followed by multimedia content that allowed people to download and play music or movies. And then streaming multimedia, to allow for no download, but simply a pause and then play. And I think now, evolving to a natural medium, a medium that will facilitate natural human interaction. Each day we can see new announcements by companies around the world having to do with digital television and very advanced technologies that allow this medium to become "The Medium" that allows for a richness that was not possible before. The convergence at last of many media types, something talked about for many years, is actually happening right now.

Now this medium will attract a large number of people. I like to think of this as the global local area network, with maybe a billion people on it. And soon businesses will see it that way, as will governments and educational institutions. This global local area network with a billion people, not all with PC's or workstations, many with access through kiosks and airports and libraries and government buildings and schools. Perhaps in jungles, on the plant floor, people taking a Web break instead of a smoke break.

Ubiquitous access to this new medium having very profound implications, putting the consumer, the individual, in charge, inverting the publishing model so that you and I will decide what we are interested in, when we are interested in it, the degree and depth to which we want to explore, in the manner in which we want to explore. Not being told, here is the headline, here is the summary, you are in the middle of the bell curve. You are our average reader. There won't be any average readers or listeners, individuals will be in charge of their own destiny on this great network.

There are tremendous opportunities being offered as a result of this phenomena that I have just described. And I think they roughly fall into three categories:

• content
• commerce
• collaboration

These are certainly not new terms, but terms which are taking on new meaning.

Very often in this Internet space we hear the term content associated with something going on in Hollywood. Entertainment oriented activities are a valid and important aspect of the medium, but the real content lies in businesses, government depositories and educational institutions. Accounts receivable records, billing documents, inventory databases, millions of engineering drawings, content that is trapped in mainframe systems, local area networks, computers of all kinds. Content which is potentially incredibly useful to extended constituencies, but which was previously inaccessible. And this is what the content move is all about. You saw it in the very early days with companies like Federal Express and now DHL and UPS and Airborne, making it possible to enter an air-bill tracking number and see the status of a package. That is the very tiniest tip of the iceberg. The Internet is unleashing this incredible amount of data to new constituencies everywhere because of the emergence of this medium which is a natural evolution of information technology. Fully compatible so all of the sudden, everyone has a compatible device to all computers. So now this tremendous content is accessible.

Commerce is no longer simply defined as: "Just click here to buy a bottle of salsa or a CD or your favorite garment", but, "click here to initiate the supply chain", "click here to start just-in-time inventory", "click here to move billions of dollars from one company to another company." "Click here for electronic commerce in a major sort of way, business to business, business to consumer, perhaps even consumer to consumer."

And collaboration is not just millions of people being able to visit a Website, which of course is important, but maybe just five or six people being able to have a very private collaboration. Up until now, the focus of collaboration has been mostly on very large numbers of people, but perhaps six of us in this room need to collaborate on a very private project and rather than bill a private network for that conversation, we will be able to use the public network. And with complete security and privacy, discuss the paper we are writing together or the design project that we are collaborating on. I believe this will emerge as a powerful capability for millions of people, but in very small, selective groups.

Content, commerce and collaboration. A very bright set of opportunities. Now what are the limitations? Or what are the possible limitations to this world that I have described? I think there are five possible limitations and I would like to touch on those. Bandwidth, security, scaleability, regulation, and proprietary thrusts. I would like to touch on these just briefly.

Bandwidth. Will the Internet fall apart? It seems to be a common question that many people ask around the world. I, for one, think that it will not fall apart. The Internet is highly distributed, as you know. Think of it like a fibrous root system. Continuously growing, continuously receiving new seeds and fertilizer. This fibrous root system is spreading all over the world and large quantities of investment are being made. You have to think of bandwidth in two pieces: The backbone and the last mile. That proverbial last mile. Now the backbone didn't used to exist. The Internet sprung up as many smaller Internets, regionally based, generally universities in different parts of the world. And in the late 80's, it became quite desirable to be able to build a backbone, an autobahn to connect these regional networks and to gain efficiency in information sharing and load balancing among these various universities. So in 1988, that first backbone was built, 56,000 bits per second. It seemed like it would last forever. Shortly thereafter, just a few years later, the backbone was upgraded to 45 million bits per second. Surely, that would last forever. And of course, as you know, we are now talking incredible high speeds for the backbone. And in fact there really isn't a backbone any longer. There are many backbones. And these backbones themselves over time will be replaced by a new concept called gigapops and you may have been reading about Internet 2, that is with an Arabic 2, not a roman numeral II.

Internet 2 is an initiative that has sprung out of many universities, about 125 universities collaborating to get back the bandwidth they used to think of as their own. Today they pay more and get less. They are very interested in achieving high bandwidth for advanced applications, digital video applications, conferencing, distance learning, advance projects, and this bandwidth will be available through this concept of gigapops, sonnet-based technology, synchronize-optical networking technology, previously thought to have a limit of perhaps 10 billion bits per second, and now with new capabilities in fiber it is quite clear that trillions of bits per second will be possible. Surely this backbone will be adequate. And the distribution of these gigapops, perhaps 50 or so in America, maybe 25 or so in Europe, a dozen or more in Asia, will provide for a consistent way in which these will operate. They will connect into the existing network access points and perhaps eventually subsume today's Internet and the backbone will have plenty of capacity.

But what about that last mile? Nice to have 10 billion bits per second in Silicon Valley when I get 10 bits per second at my house. Particularly here in Europe. Well, there are many pessimists about the last mile. I am one who sees the glass as half full, not half empty, and in fact, I am quite optimistic about that last mile for two very simple reasons: competition and technology. Just as there have been recent breakthroughs in backbone and fiber technology, there are breakthroughs that are coming, that have come, and more to come in other technologies, cellular, RF, cable, satellite, and yes, plain old copper wire that exists in 90 percent of the homes in America and a high percentage of homes in many countries in Europe. This technology is called Subscriber Digital Line. SDL, and its variance, XDSL, 80 SL, HDSL, SDSL, offer tremendous possibilities. And some of the nay-sayers say, "Oh yes, but it is asynchronous, that means it is only 2 million bits per second in one direction and 8 million in the other." Well, only 2,000,000 bits per second will sound pretty good to a lot of people struggling with 14,400 today. And the threat of this particular technology from satellite and from cable will cause it to happen sooner rather than later. Pilots are underway all over the world already. I don't think there have to be winners and losers here, I think all of these technologies will have their place, in different parts of the world and in different applications. But the real point is, that the competition among them will bring better bandwidths for everyone.

What about security? Certainly, security is a very top priority. Is security a problem? So many people talk about it that way. Frankly, I think we should begin to think of security as an opportunity. An opportunity for a more secure world, a more private world, a world where no longer you have to take your most important personal or business secret and put it in a gray envelope and exercise that protocol - Your Eyes Only. And then hand it to somebody in the mail room who delivers it to someone in another mail room. And we have no idea who opens that envelope. That is what we live with today. But we won't have to any longer. The great power of encryption to provide authentication, authorization, and integrity, so that we know that messages are not changed. Non-repudiation so we can't say, I didn't send that message, or I didn't receive that message. These are powerful capabilities we don't have in the physical today. And they will result in electronic commerce that is more dependable, more efficient, more value added for businesses and for individuals.

So I believe that our mind sets will begin to change. But what is going to cause this to change? Well, it turns out that banks and credit card companies lose a few billion dollars per year due to authentication failures. They don't believe that they will have those authentication failures using the Internet. So they will be highly motivated to educate all of us about the power of encryption. We will begin to think of encryption like we think of the Pentium Pro today. Maybe we will think about it even as a word processor has a spell-checker. Would you buy software without spell-checker? Do you trust your spell-checker? Do you know how it works? I see some heads say no. Most people do trust their spell-checker, and most people have no idea how it works. And this is the way, I believe, we will find encryption very soon, people won't buy any software that doesn't have encryption capability. It will just be there, just like the spell-checker is just there.

So security, I believe, will not be the impediment that some think it could be. I think it will be the enabler. It will be the enabler for economies that may be struggling today to have a new opportunity to compete. To compete globally so that a really good idea in Bled, Slovenia can connect with a good use for that idea in Anchorage, Alaska, because of the secure capability of the Internet. It is an enabler, not an inhibitor.

But what about scaleability. On election night, I got a phone call from a friend that said, "My 9-year old is watching the election on the Internet, he is doing a project for his class and he is asked to bring in a report about what he learned about the American election in November on the Internet. And he is finding it to be extremely slow. But we are confused, we checked Yahoo and that seemed to be working all right, we went to your personal Website, John, that seemed to be working well, but this election results, we couldn't get it. What's wrong with the Internet?"

Well, there was nothing wrong with the Internet that night in November, but there was something wrong with the server, many of the servers that people were looking at. And what was wrong with them was, they weren't big enough, they weren't fast enough. They weren't able to meet the demand. And more often than not, in today's world, when you click on a link and have a problem, it is not the Internet. It may be in some instances of course, but more and more you are seeing messages that say "Server Busy," "Too Many Connections, Please Try Later," "Pardon Us, We Are Upgrading To A Larger Server."

So scaleability is an issue, I believe. There are many companies working to address this and I believe it will not be a problem in the future. But we need time as an industry and I think as users, to learn how to plan better, how to anticipate what is going to happen on that global local area network with a billion people on it, than we may have been able to plan in a more closed, proprietary, simpler, smaller, world of the past. So scaleability will be addressed, I believe.

Issue number four: regulation. Any new phenomena is certainly a tempting target for regulation. This looks like it is really going well, let's tax it. This looks like it is going too well, let's regulate it. And these temptations are natural to expect and in many cases are the result of the failure of the industry to properly educate others and to share the knowledge and the vision of what is possible. The good of the Internet. The good for enabling people on Kobe disaster to find out about their loved ones, the ability for disease management prediction, the ability for cures remotely from the most expert person, regardless of where the patient might be. The good to enable students, wherever they are, to realize their potential and be able to engage in education with the leaders in the field they have chosen. These are powerful, powerful ideas. I urge you to read the booklet that John referred to: http://www.gip.org/ is where you will find it on the Web. It is a powerful document that describes these powers of good and we must make sure that our representatives and our governments and the key influences in various aspects of society, understand these powers of good.

Number five: proprietary thrusts. What do I mean by this? Well, some companies perhaps might think this Internet is a good idea and perhaps should be brought to the desktop in some proprietary way. This would be a bad idea. Can you imagine going to a Website and seeing, "This Website Is Only Accessible If You Have Release 9.3.4 of Operating System 9.2.1?" That would be a bad idea. The Internet was built on a model of cooperation. It can thrive, and it must thrive, on model cooperation. No company can or should dominate the Internet. It must be built on open, cross-platform standards so that all companies in all parts of the world can participate equally in accessing the information and providing and publishing the information. It is critical that this be the case, otherwise the basic premise, the basic benefits that I have been talking about are not made possible.

So these are five possible limitations but I think all of them can be resolved including the last one. We are seeing, by the way, many instances, every week, another announcement by companies, arch competitors, standing on a stage, hand-in-hand, arm-in-arm, talking about how they have agreed to work together on a particular standard. Standards are so important. Standards are what have made this medium possible. And standards are what will make it possible to exploit the potential of this medium. This goes for security, it goes for bandwidth, it goes for quality of service which will be critical to the evolution of the medium, and on and on and on. Standards are critical and I think most players in the industry realize that and while they compete fiercely, they also cooperate fiercely, working together. I would like to think of this at times, having breakfast with some of our competitors, figuring out how we can work closely together, and then we go to our separate lunches to figure out how to kill each other. That's the name of the game in this market. It is a global market, it is an open cross-platform, standards-based market.

So, in summary, there is a new medium evolving at breakneck speed, right under our noses. It will be powerful, it will enable infinite reach for businesses, for governments, for educational institutions. It will offer infinite choice for individuals. Yes, there are possible limitations, but they will be overcome. They will be overcome because we are not dependent on any one government or any one company or any one technology. It is the world community working together, cooperating. It is the smartest people in the world, in 60 or 70 working groups of the IDTF, personally committed and dedicating their own personal time to solving the various issues and technical problems that arise. So I am confident that in the security arena, for example, that we will make great strides as a result of today's meeting and that moving forward, there will be continued progress. And while this is a complex topic, it has no simply answer for business or for government. I believe that collectively, that resolutions can be found and that we will all benefit from this great unfolding of the new medium. Thank you very much.

John Gerdelman:

As the first panelists come up, let me just make a couple quick technical announcements. First of all, thank you John Patrick, for presenting those challenges and your view on the solutions to them. The Internet is constantly creating new challenges. We have an Internet day today: a zillion pieces of information shoehorned into a very short period of time. So we are going to have to try to stay on our schedule.

We have the exciting opportunity to hear Dr. Jim Clark at lunch in addition to John's address now, and some really wonderful panelists. Some of the world's leading experts on the technical and legal and governmental issues. So please, to the extent you can stay away from your phones and other things that distract you, and participate in the meeting, we would really appreciate it and to the extent that you can stay on schedule, that would be very helpful. For those of you who, we didn't have a name tag for, either because of our fault, or because you registered late, please make sure that we get a business card from you so that we get all the follow-up materials out to you. Pete Smith, could you just hold your hand up? If you didn't give Pete a business card when you first came in, please do so, so we make sure we have a full registration list in addition to those people who we did accurately have pre-registered. It might have been our fault, but we just want to make sure we have a complete list, so it is very important. Secondly, for the media that are here, I just want to mention that several of our people have to leave a little early today, so if you want to get to them, you need to get them a little early. John Gerdelman has to leave around 11:15 or so, John Patrick has leave around 1:00, I believe, and Dr. Clark, I don't know if he is going to be able to stay beyond lunch, so if you are interested and from the media, and want to talk to them, make sure you grab them early so they don't get away. With that, I will turn it over to our wonderful host, Mr. Bob Foster from BT who helped to arrange this meeting here in London. Bob.

Bob Foster:

Thank you very much. Good morning, my name is Bob Foster and I work for BT, I am responsible for Internet Multimedia Engineering. I'm not an encryption expert, so I am in excellent position now to chair this session and not get involved myself. The way we are going to run the session is that each of the speakers will speak for about seven minutes and they we will have about half an hour at the end for questions. So ask your questions at the end, but do keep a note of them. So without further ado, I would like to introduce the first speaker, Whitfield Diffie. I asked him if there was something unusual about himself that I could use to introduce him, and he felt that you already knew everything there was that was unusual about him. So say no more. Thank you.

Whitfield Diffie:

In case any of the rest of you flew in last night the way I did, and are interested in getting back to sleep right now, I will get right to the point.

I want to address the question of whether cryptography can be effectively regulated and, maybe I will let these photographers get through with me first. The answer I think in brief, is that the governments cannot achieve either the objectives they say they have or the objectives I believe they really have. I believe that they can do a lot of damage to both democracy and business in the process. So it is a little like that scene in Casablanca. Captain Renault says to Rick, "I had my men search your place this morning," and Rick says, "Did they find what they were looking for?" and he said, "No, but I told them to be especially destructive, that always impresses the Germans."

Now people all tend to talk about cryptography being out of the bag. And sometimes this is very flattering to me. I mean, somebody refers to the New Directions Paper of 1976 and more generally refers to the fact that we have half a dozen conferences every year and thousands of papers are in print and hundreds of sites on the Internet talk about cryptography, and it isn't a secret feel the way it was just a couple of decades ago. But I think that this misses the point. In the 1930's and the 1950's which were two formative years for cryptography, it was barely possible to do cryptography in such a way as to keep up with the communication requirements at the time. And, so you see, I mean, the 50's were a marvelous era, they are driven by the fact that during the Second World War, you saw the first pair of secure phones. Roosevelt had one, Churchill had the other, and they cost millions of dollars apiece. And sure enough, I mean, it is a fine prototype, everybody wanted them. And so the 50's was driven by the need to have cryptography at thousands a bits a second instead of 10's a bits a second.

Now, digital technology has made cryptography relatively-speaking, easy. There are still some frontier problems, of gigabit data rates and things like that, but the point is, it doesn't take genius to design high-grade cryptographic systems today. And in effect, the amount of the computing budget that is going to be devoted to cryptography is rather small. If the digitization of the world that leads us to build digital telephone switches, digital voice, Inpag II digital video, packet switching, forward error correction, digital fuel injection instead of a carburetor, well, it helps you communicate with your office. I was actually surprised three years ago when I learned that the fraction of a secure telephone's computing capability was about 2 percent. And that's a pictographic device, that is not a general communication system. The rest of it is spent on the voice compression and the modem. So when you live in a world where virtually all signals have already been packaged in the right form to be encrypted, by the underlying communication system, the difficulty of doing encryption is very small, relative to what it was in the world a few years ago, which happens to have been the world in which the mentalities of a lot of people in cryptography got set and so the formative years of the people who are now at the top levels of the cryptographic organizations.

My second point is a more, sort of logical issue. It is simply a fact that confidentiality can be manufactured end-to-end on a communications circuit. That's not an obvious fact, I've been making a living off of having discovered it for a couple of decades, but I think that it is clear now that it is a fact and you can conduct a negotiation between the ends of a communication in such a way that at the end of the negotiation, the negotiators know something in common that is not known to any of the observers of the negotiation, even though the observers of the negotiation watched every transaction, so every bit in response. The other way around is not true. Authenticity is only meaningful in most circumstances, when it is tied to some previous form of authenticity. So, you know, credentials tie you back to birth certificates, and things like that. Documents, notarizations tie signatures to individuals. We are talking a lot about certification authorities, certificate infrastructures, and key management infrastructures. The object of those things is a very sound business objective. We want to tie the new media of communication to existing business facts and business relationships.

Now that does require the help of society, and so it is a very real question. What we will do in building a certification infrastructure, an authentication infrastructure, that allows people to get just the right kind of identifying information that makes a contract, a negotiation, an agreement possible. Because it isn't always personal identity, it is now, usually, in a business-to-business transaction, you want to know that you are dealing with the Vice President of Sales, or something like that. You don't actually care who the person is. And, however, what people are interested in regulating is confidentiality. And the fact is that any authentication infrastructure can be put at the service of confidentiality negotiations, regardless of its structure, and I haven't time to explain the various possibilities. But if you, so to speak, put your bugs in everything, if you escrow what are called identity keys so that you can always impersonate people, then despite that fact, it would even in that case take a double impersonation in order to put a wiretap into a circuit.

So there is a final point that goes the other way. Suppose there were societal consensus that cryptography needed to be controlled. I see no societal consensus at the moment, that is why we have meetings like this. That is why we have bills, you know, people fighting over recommendations bills, etc. Suppose it suddenly became clear, that as the world seems to agree that nuclear weapons need to be controlled. Incidentally, nuclear weapons are an easier thing to control. If such a consensus should emerge in the case of cryptography, then it would be probably be possible, because consumer electronics, I mean, computers, etc. have lifetimes of on the order of two to three to five years. All right? If suddenly society came down hard on general purpose computers, which is incidentally what you would have to do, if you have access to general purpose computing, you have ready access to cryptography, but if society did that, then most of the old inventory would go away in under a decade. So it is not, there is not the terrible haste that many people seem to feel. So with that, having slightly passed my seven minutes, I will pass the baton. Thank you.

Robert Foster:

Thank you very much Whitfield. As I said, there will be time for questions at the end, so I will pass straight on to Peter Dare from IBM.

Peter Dare:

I want to talk about this problem from a more practical point of view. I want to set out how one might go about implementing a global key recovery infrastructure which probably needs, as Whitfield said, some societal consent. But taking that for granted, I would like to look at how we would build the infrastructure.

First of all, we need to meet our customer's needs, and it is becoming clear, I think, that key recovery is a real customer requirement. Certainly in IBM we find that our customers are asking us for key recovery solutions. Not just because the customers happen to be government or the customers want to be able to export their products and this seems like an easy way to be able to do it, but also because they see it as a function, a feature, they need in their own systems.

Secondly, in establishing the need, you tend to find strength in numbers, you work with the industry, 59 companies worldwide today, maybe more tomorrow, have joined the key recovery runs and you see the majority of the panel here today come from companies that are in the key recovery runs. All those 59 companies cannot be wrong.

Thirdly, you have got to look at how you do it. And there is a difference between what I can term encapsulated key recovery on key escrow, and there is a big debate about what exactly key escrow means, but it certainly means that there is a secret shared between the end user and some key recovery service or agent before the transmission is sent. That sharing of secrets characterized key escrow and it is clear that this particular feature, key escrow, is, this is an insertion make, perhaps we can discuss later. Key escrow provides no advantages to law enforcement over encapsulated key recovery and secondly, key escrow actually makes the system for the end user less secure.

So I think we are looking at an encapsulated key recovery solution rather than a key escrow solution. When you have identified the market, you have identified the requirements, you then need to build the technology. IBM has the technology, we called it secure way key recovery. It provides key recovery by reconstruction of the key. It enables, and this I think must be the essential characteristics of the system, recovery must be possible independently in each jurisdiction. So if Alice is in country A and Bob is in country B, then it must be possible for the key to be recovered either by authorities in country A or by those in country B and if the jurisdiction is a company rather than a country, then you would substitute company A and company B for countries.

Second characteristic is that a user must be able to insist that recovery shall require the collaboration of more than one entity in each jurisdiction. That is, a user can say, I don't want one point of failure, one point to trust. Instead, I want the unanimous participation of at least two entities before my key is recovered. And thirdly, users must have the right to use a key that can't be recovered by protocols and can only be recovered by exhaustive computation. This is the old fashion way of trying all the possibilities until you find one that works. There are other characteristics that key recovery technology must have. It must provide strong cryptographic separation and it must be policy agile. And of course, it must perform well in all configurations in which it will be used.

Finally having established the requirement, having got a technology that works and works well, you then need to build it into a framework. If you implement key recovery and encryption functions within the same trust perimeter, then it is possible to make circumvention of key recovery functions impossible, or at least very difficult. Products can be build that prevent encryption without the preparation of valid key recovery parameters, products can be built that prevent decryption, or at least flag a warning when valid key recovery parameters are not present at decryption time. So it is possible to prevent the avoidance of key recovery when at least one end of a transaction is honest and law abiding and wants to cooperate with the system. Where both ends are rouges, in the jewel rouge problem, that clearly is at the limit, impossible. A determined, clever, unhurried pair of rouges can always subvert any key recovery scheme that you put up. But recognize that a rouge's determination may be frustrated by what is available in the market or by technology controls that governments has put in place. Recognize also that rouges can be stupid or in a hurry. Recognize also that rouges quite often speak to good guys as well, so that one end of the conversation is good. So I think that, in practical terms, when it comes to real solutions, real technology, real customer requirements, forming a basis of a societal consensus, key recovery is certainly technically possible and we can certainly implement it.

Robert Foster:

Thank you very much. The next speaker is Stefan Röver who is the Managing Director of Brokat Information Systems. If you don't know much about Brokat Information Systems, then you didn't read New York Times yesterday. Let me refer you to an article on the front page of the business section. I'll leave you to read that afterwards. Stefan.

Stefan Röver:

Okay. I haven't read it yet either.

As Peter Dare rightly said, one of the key issues with key recovery mechanisms is that a technology control has to be in place. And I would like to talk about a bit of technology that is currently being widely used internationally by banks and insurance companies who are doing business over the Internet and I think that is a technology that has a lot of implications to the implementation of key recovery mechanisms, the control aspect being one of them. Currently a large percentage of European banks, about 80 percent of the German banks doing transactions over the Internet, a lot of Swiss banks, the biggest UK banks, and banks in Singapore, Australia, Hong Kong, and Luxembourg, are using a Java-based technology to secure their transactions.

Just some technical detail of how this technology works and why they are using it. It is actually a technology based on executable content. The user that surfs through the Internet does not just view information in the Internet but can also be passed executable contents which is then executed on his PC and enhances the capabilities of the PC, of the Internet browser that he is using. So that, on the fly, and without previous software installation, software components are transferred to a client PC and make that PC more powerful. This technology can be implemented with different programming languages. The most popular one out there, and the one that most people are using for these types of programs is called Java.

With Java programming language, these banks have implemented a solution that enhances the existing security capabilities of the users browsers. So although internationally, due to export regulations of the U.S. government that you are all aware of, only a very limited security is available for banks and insurance companies to use to encrypt and protect the transactions that they want to perform over the Internet, by the use of the Java technology, they are put into a position where they can enhance this limited built-in capability in the browsers. So when browsers only support what we technically call a 40-bit encryption, users surfing the net, can, when they contact these banks, actually have a higher encryption, a second secure channel is built-up with the bank and the information passed to and from the bank is in fact 128-bit encrypted which is extremely hard to crack as opposed to a 40-bit encryption.

Why are the banks and insurance companies that are currently using this technology favoring this kind of approach? What are the benefits to them? One extremely large benefit is that this type of approach does not require previous software installation on the client's side. They do not have to produce software, burn it on to a CD ROM, ship it to a customer, and ask him to install that type of software on his PC. A user that has access to the Internet with a standard Internet browser can use this type of technology because the actual encryption programs are distributed to the user "on the fly." They do not have to set up an elaborate support infrastructure and answer hotline telephone questions such as, "Ever since I installed your banking software, my CD ROM games stopped working," and these type of questions. So they actually cut down their support and distribution costs quite significantly. And what they also don't have to do is that they do not have to set up an elaborate cryptographic infrastructure that would be required if a key recovery or key escrow mechanism were used. In effect, it is a very Internet-like way of doing things. It is a way that the end user likes because he doesn't have to do any preparation. He doesn't really have to decide in advance that he wants to do a certain transaction. He can use it when traveling, he could use it whenever he has access to the Internet, for example, from a kiosk system or from a PC of a business partner when abroad. That would be a lot more difficult in a solution where software would have to be installed on the client PC. So that is the reason why banks and insurance companies are using this type of technology.

What exactly are the implications for key escrow? I think there are two implications for key escrow that we have to take into consideration. One is that it can cause a severe competitive disadvantage to banks that would be required to use a different mechanism for their encryption facilities if this were not done worldwide. We believe that, from what we have heard from our customers in Switzerland, for example, key escrow or key recovery mechanism, will not be very popular there with the banks and with the government, so we will probably be expecting the Swiss government not to enforce a key escrow or key recovery policy in the near term. So, just for one example, Swiss banks would be able to deal with their customers internationally on the basis that does not require keys to be placed with the government, and these banks would have a competitive advantage over other banks in Europe. Especially since it is very easy for everybody over the Internet to contact these banks. British customers could choose between a Swiss bank and a British bank, the British bank offering them a less comfortable access to the Net than a comparable Swiss bank.

It is also very hard to actually control what the user does on his client PC. The user himself may have no exact knowledge of what is going on in his PC. When he contacts a bank through this Java technology, and these outputs are transferred from the bank to the user, he usually has no idea of what level of encryption is going on there. He actually will not, in most cases, understand the difference between 40-bit and 128-bit encryption. He will not know if the software he is using is actually supporting 128-bit encryption or just 40-bit encryption. So even if governments decided to regulate use of high-level encryption, they would not know what the people with these applications are doing, and the people themselves, in most cases, would probably not know that either. Also, whenever you have used such an application that is transferred to the PC at home, when you stop using it, there is no trace of you having used that on the PC. It is not as it would be with a previously installed software. So I think that is an aspect where the actual control required to efficiently establish a key recovery or key escrow mechanism would definitely fall short.

The second implication to an encryption policy is that this use of encryption in fact allows better enforcement of certain encryption policies than a general encryption mechanism that allowed encryption between any party participating on the Net. The solutions as they currently constructed only allow the user to communicate with the server that the banks of the outputs were obtained from. And if a government were considering an encryption policy, I think an alternative encryption policy that does not actually require use of key recovery or key escrow systems, but that allow encryption for information and transit, and required the server part to make that information available on request through government institutions, would actually obtain the same result. Banks are currently keeping records of what they are doing, users are using these records to obtain account balances, to do electronic money transfers, and to order an sell stocks. So these are all transactions that go into the books of the banks anyway and the bank would be able to actually present this information as it is today to a law enforcement agency under the national individual legal constraints.

So I think an alternative approach that would satisfy both sides, is to allow encryption for information in transit, provided that the server party is able to reproduce the information that was sent over the Net. The technology that the banks are currently using enables this to be enforced because the outputs transferred to the user can only talk to the server that they were sent from, and they only allow certain types of transactions to be done. They cannot be used for any type of encrypted communication between third parties that are not the bank. The bank always has to be involved. I think that would be a viable approach for an encryption policy.

Thank you. Sorry. The next speaker is Brian Gladman. Okay Brian...

Brian Gladman:

Well ladies and gentlemen, this is going to be slightly ad hock because although I knew I was a panelist, I didn't know I was speaking, because my e-mail has been broken for about a week, so I guess...it was actually sent to me, but I didn't actually receive it. This is the second conference that I have attended in a week and I also blamed the technology for failures at the last conference. So...it is my normal procedure.

I think many of you will know that I have worked in government for nearly 30 years and I have only recently transferred to private industry. And I really want to just go over some of the history of why my own personal position on some cryptographic issues has shifted over the years. From 1964 to the early 90's, I worked in defense in the UK and watched a situation in which government took the view that cryptography was for the use of governments and was certainly not for the use of anybody else. That was a very clear policy and a policy that, through a series of measures that I don't want to talk about, actually succeeded in keeping cryptography in a closed society.

In the early 80's, before the end of the Cold War, it became clear that there were some very severe consequences of that policy and that it was actually a very costly policy for government. The reason for that was that a closed market is a noncompetitive market and the products that result from a closed market are extremely expensive. And I was actually in a situation where we were paying ten thousand, fifty thousand pounds for a single crypto. And I did the calculation, I think Whit Diffie referred to, saying well, I've got a PC here on my desk and I actually see the algorithms, and I can work our what percentage of this piece, a piece of cryptography will cost me. And I was actually paying this closed industry about a hundred times more for my cryptography than I calculated I could get it on my PC. Now it wasn't me paying, it was British taxpayers paying. So we were spending these huge sums of money on very expensive cryptography, or the British taxpayers were, when it was fairly evident that if we bought computers and cryptography together, we could actually make it a lot more cost effective.

Whitfield Diffie:

That was American equipment we were charging you too much for!

Brian Gladman:

I have to say Whit, that we never trusted US crypters. So actually, that is not quite true, but since our volume in the market was a lot smaller than yours, we were paying 10 times more anyway. But it had another impact on cost. And that was, because it was a closed market, the development time scales were very long and we had to integrate this cryptography with commercial systems, we were buying increasingly commercial computers. And what we were finding was that by the time we had integrated it, the computers were obsolete. And there are systems actually going into certain places that I am not going to mention, that are still using DOS today, not because people want to use DOS, but because of the cost of the integration process of cryptography.

So it was very clear to me, well before the end of the Cold War, that if we split cryptography into government only and not the commercial market, then our taxpayers, we would be deeply shortchanged. We will be paying huge sums of money for our security and the taxpayer would be the person that lost. So I actually, in the mid-80's shifted my view within defense, to saying, we had to now move to a situation in which we promoted a commercial market for cryptography so that we could reduce the cost of our defense systems. Now that was not popular with certain other people in government. But that was my original rational for moving my own personal position towards a more open exploitation. It wasn't a civil liberties, it was an economic argument for actually reducing the burden of costs to British taxpayers.

Then of course, what immediately happened was a realization, if we were going to bring government cryptography and commercial cryptography together, we had to find some way of meeting a consensus in the middle to this difficult task. We had the national security people on one side, the intelligence agencies who certainly did not want to see the spread of cryptography, so they might be called the crypto-fascists. We had the Internet people on the other side who might well be called the crypto-anarchist, and they were as far apart as you could ever imagine, I mean, getting those two groups to agree with each other might be just a little bit difficult. But then there were people in the middle that might be called crypto-conservatives and crypto-liberals, where maybe there was scope for bringing the communities together. Now, I am a crypto-liberal, although most people characterize me as a crypto-anarchist but I am a crypto-liberal, I don't necessarily believe in no controls, but I certainly am on the liberal side, but certainly from about 1988 onwards, I worked with a number of people to try and see if we could create a middle ground.

Now, the middle ground that we have been, if you like, heading for, hasn't been easy to achieve. We have seen a number of government attempts to create middle ground, HR Clipper in the U.S., what I have characterized as H.M.S. Clipper in the UK., which are attempts to actually achieve a middle ground and key escrow was a government, if you like, to create a middle ground. And I think that most people feel that that is not going to work, and I certainly don't feel that it is going to work. Key recovery, on the other hand, is a different kettle of fish. Key recovery, in the hands of end users, might be very important. And I do emphasize, certainly, my own company's position is very much about end user control key recovery. If you are going to use encryption for stored data, then you better be sure that you have got some emergency means of recovering if you lose your keys. That is the important point.

Now, I did a web survey last year and had about 250 responses, which is not large. But only six percent of the responses supported covert intercept as a government requirement, but actually 97 percent responses supported search warrant. Now when you think about user control key recovery, you do not need new laws to actually implement search warrant if you are prepared voluntary end user control key recovery, because as Peter Dares already said, a two-ended process you are not going to solve anyway. Your interest in the situation where there is a criminal on one end and a lawful person at this end, you can go along to the legal person and say, here is a search warrant, I am worried that you are talking to a criminal. An end user control key recovery can actually meet that requirement. So I think it is very important that we actually do recognize this might be a middle ground. But I personally emphasize user control key recovery, not government controlled key recovery, user controlled key recovery.

Now I should say, (I don't want to spend a longtime on this), that I also, as a matter of personal position, don't support key recovery universally. I think key recovery might be okay if it were put into the hands of a well-developed, mature democracy, but key recovery in countries where there are undemocratic, unprincipled governments might actually be a very severe blow to the human rights of people in those countries. So certainly, I do not support any controls on cryptography for personal privacy use. I am talking about the business use of cryptography where I think you can make a very sound case as I say for user control key recovery. Thank you Mr. Chairman.

Robert Foster:

Thank you very much Brian. We have two more speakers to go, Ernie Brickell first.

Ernie Brickell:

Thank you for the opportunity to be here today. It is a real pleasure.

It is a very fun time to be working in cryptography. Of those of us who started working on this back in the early 80's, there are at least three of us on this stage, I don't think we thought we would be sitting in front of a group of people in suits, talking about policy.

So the question put before this panel today is, is key recovery on an international basis technically feasible? And I believe it is technically feasible. It can be done, the solutions are going to require changes in existing standards, changes in existing protocols, that is all possible. The problem that is facing us today is that we don't really know what the requirements are going to be for the various governments and if an international agreement between governments can be reached, on what is going to be required, then the technical solutions can be found to achieve those.

So in terms of, just starting from talking about how key recovery can be possible: in any cryptography protocol, the actual encryption is usually done with a symmetric key. And there is initially a mechanism to exchange or determine a session key that is going to be used for that particular session. And what can happen in a key recovery system is that the keyholders can be made and an additional recipient of that session key that is going to be used for the message being used and Certco, my client says Certco/Bankers Trust. So Certco is actually a spin-off from Bankers Trust. It was about last November that we did the spin-off. But Certco has a solution based on this that is called secure keys and Nanette DiTosto, I think many of you know, has some brochures on that with her today.

With secure keys, once the session key is determined, which can be done by any existing cryptographic protocoling that does session keys, then the keyholders are made an additional recipient of that session key, in addition to the normal recipients of the message. The keyholders can be corporations, an individual corporation could hold their own keys, or it could be Trusted Third Parties. And in addition, the keys that the keyholders use could be an actual key in one piece or it can be split into fragments and stored among several parties, so that no individual keyholder has the entire information necessary to recover a key. And even in that case, it still can be very fast should law enforcement or whoever needed to recover the key, it can be very fast to determine that key.

And there are also many options that can be accomplished in a key recovery system, so the information recovered could be a master key that could then be used to decrypt any information coming out of a specific user, the information could be just a session key so that law enforcement or whoever, could determine just a single session. Or a system could be built so that the law enforcement would never actually see a key. That the keys they would use would be put into tamper-resistant devices that law enforcement could control and all they would ever see would be the actual messages. So they would never actually receive the real keys. The system can also accomplish a secure auditing facilities, so that someone accessing the information through key recovery system could be completely audited so that you would be able to know what information was obtained through the key recovery system. That is another feature of secure keys.

So in key recovery system, when a user first gets a system, it will be enabled to do what I will call weak encryption, which would be the 40-bit or 56-bit encryption, and then with facilities built in to do strong encryption, and then it would be a bootstrap process the user could go through to set up a key recovery system with Trusted Third Parties that would enable the strong encryption to then take place. The systems would need to be built with a certain amount of anti-tampering so that it would not be easy for someone to go in and modify the system to remove the key recovery facilities, and as several speakers have already mentioned, that can't be made bullet-proof, but it can certainly be made so that it is more difficult for somebody to remove the key recovery from a commercial product than it would be for them to obtain their own cryptography from someplace else and put that into place.

Another very nice feature to have in an encryption system is called perfect forward secrecy. And I think Whit may have been the first person to talk about this a few years back. It is a system in which you have your individuals, your client system built in such a way so that if your key, the key that you are holding is compromised, someone cannot go back and decrypt previous traffic that you had encrypted. And this is achieved by using the private key that you have to negotiate a session in a certain way each time you do a session key. And even with that system, you can still add the key recovery elements necessary to maintain the perfect forward secrecy.

When Whit said he was going to talk first I gave him a hard time, saying I wanted to make sure that everybody still had time. Because Whit sometimes goes on for a while, so I guess I had better not go on too long. So, just in summary, the technical feasibility is there. We can build systems to do key recovery. The problem is that we are going to have to change existing standards to do that and companies do not want to go in and start modifying standards when they are not sure what the government regulations are going to be and what is really going to be necessary a few years down the road. So if the world really wants an international, safe, secure Internet with key recovery possible, then the agreements between governments need to get into place so that we the technologists know what to build to. Thank you.

Robert Foster:

Our final speaker this morning is Taher Elgamal from Netscape.

Taher Elgamal:

Just before we started, actually, Bob asked me how I felt about being the last speaker. And I said, okay, it doesn't matter. Now that I have actually had a chance to think about it, I do like having the last word. I would like to talk about key recovery for a little bit. I am actually coming at this from the business point, not from the technical point.

There actually is a business need for a certain kind of keys to be recovered and just as my colleague has mentioned before, these keys are generally related to data that are actually stored on somebody's disk or archive somewhere. There actually is a business need for that. We generally like to build products that people actually use. If we build a product based on a government regulation, in such a way that people do not use it, then we have not actually served anybody any good, including the governments themselves. Because people will figure a way around the technology that they do not want to use, and will use the things that they want.

So I have a quiz for everybody. This is a new panel technique here. So you are the law enforcement agent sitting, trying to tap the line, actually on the Internet and there is no encryption, by the way, at all, so your life is easy and you see a form coming back from an HCTP's server that the clients had blown up building X at time 0300. And it says literally that. So you keep thinking, which one is building X? There is a lot of buildings. It doesn't say really which building. So there must be some technique that these two people have figured out, to actually determine which one building X is. This information is not very useful. The worst point is that you have no clue as to who actually sent this thing because you read some bits on the wire that say, blew up building X at 0300. You try to track back, where that came from, and you come...if you work very, very, very hard, you can actually come up with an IP address. So you go pick up the IP address and put him in jail. Right. Folks, key recovery is not the thing that we need to be concerned about. The real problem that we have is authenticating users electronically. This is the problem you actually have as the law enforcement agent in this particular scenario. You do not know who is communicating. This is a very different world from the phone world. In the phone world, if you tap a line, you can actually hear somebody talking and if you reproduce a tape, it sounds like the person talking and you can actually have an evidence in court. If you collect some bits off of the wire that say blew up building X, there is no way at all, technologically, that you can tie this to any person, whether encryption is used or not.

What governments should do is to help build an infrastructure for electronic ID's for people so that we can prevent a whole lot of crimes that are actually far more severe than the things that we would actually learn if we tapped the line and decrypted the data. If I am not able to determine who I am talking to on the other side, there is a lot of bad things that can happen. A lot worse than being able to decrypt or not decrypt, or recover keys or not recover keys. These are random bits. Recovering keys is a totally useless thing, actually. The data is important, and then you want to recover the data at some point, I will agree with that.

But coming back to my business case, the way we are looking at this from Netscape's point of view , the customers too want to be able to recover data if it stored encrypted on somebody's hard disk so there is actually a reason to do that. I have not found a customer that wants to recover any encrypted session between a client and a server. There is actually no reason to do that at all. And the reason is that the key is totally useless, because the datum sits on the server. If the data is available on an decrypted form, why the heck use escrow keys, and go through all of these things. You would actually have access to the data readily if you just go and talk to their favorite server. Say Hi, what is this session all about?

So, looking at the fact that there is actually a limited amount of money in this world, I believe that the right way to spend it is to actually build an infrastructure that identifies people, identifies entities. So that we can trust the system first and we know who we are talking to. The other issue with building a product that works for people, rather than building a product that satisfies a certain regulation. I would like to satisfy regulations, by the way, don't misunderstand me. But I would like to satisfy them with something that actually works, that people use. It's scaleability. You know, Whit mentioned something about how much he spent on encryption for a phone. I have a different, a totally different statistic from, actually, the other side of the spectrum. A web server which some people may or may not know what that means. A web server that actually does encryption, spends quite a bit of its energy on the encryption part. We actually have some numbers that make that really obvious to people. So, if instead of trying to speed up the encryption, I add some other things on top of it in order to allow key recovery for data that is already not encrypted at the server, I am building a product that nobody will want to use, basically. Basically, I am telling the server person, encryption is not useful, because it is going to slow your system down by a factor of 50 and if that actually happens, somebody will figure some other way to do it. The scaleability and maintaining the performance is actually a very important thing in building products that people actually use.

My last point, and I am probably beyond my time too, concerns the regulation of cryptography. Cryptography is mathematics. It is really not possible to regulate a set of mathematical formulas. It is however, possible to regulate products that use cryptography. Certain applications definitely are worth regulating because you could use cryptography to communicate bad things. But certain applications use it for good things. For actually, the society to be able to use this infrastructure in a way that we can trust it. There really is no reason to be afraid of using a technology that has been historically used in war just because we are using the same technology in a different arena.

Robert Foster:

Thank you very much Taher. Thank you to all the speakers for keeping the time. We do have half an hour for questions now. If you would like to raise that even, unless you want to remain anonymous, if you would give your name and you association, that would just be probably more informative to the other people in the audience.

Stewart Baker:

It seems to me that it is obvious, whatever happens to export control, we are going to have different regulatory regimes in different countries. And the question is, for the panel is, how many of these key recovery schemes can actually accommodate different sorts of regulatory regimes and still let people talk to each other?

Peter Dare:

I can speak for IBM's SKR scheme. A fundamental component of that scheme is something we call the jurisdiction policy table which identifies who in the jurisdiction is a key recovery agent. But also includes a specification of [inaudible words], to the jurisdiction, if there are restrictions, and many jurisdictions won't put any restrictions on at all. And importantly, what level of the residual which is a SKR component the jurisdiction prefers.

[name inaudible]:

Actually, I have been talking to several government representatives about this topic, many of whom are in the room here. And my plea is: "Please, do not ask me to put policy inside my product because policies change all the time." There are 50 some million copies of the Netscape Navigator all around the world. If I had to put a different government policy table in each different version of this product, and hope that these are actually going to talk a year from now, you know, I am dreaming. Policies are not fixed. Policies do change. For whatever the reason it happens to be. It is not the different countries that is the problem, it is their variation in time that is actually the problem. So in my opinion, the only key recovery scheme that will actually support these multiple policies is a very, very lightweight key recovery scheme that policies attached to completely from the outside and not built into.

Anonymous speaker:

Also, the question to be considered there is: Does the industry really want to pay for support of policies that, in a particular country, are not needed? The solutions that we are currently using could achieve a lot. The means a law enforcement agencies uses to try to achieve this by making the data available, are based on existing legislation. Now, if you had to use a product instead of an infrastructure for that, that would not just meet your national requirements, but that was initially laid out to meet existing national requirements in a lot of countries and future national requirements as they change over time. Industry is going to pay a lot of money for infrastructure that is not needed.

Robert Foster:

Another question?

[unidentified speaker #1]: So in the product will support flexible policies from various countries and it has a very easy way to modify those policies just based on a certification of the policy statements from the various countries, so it would be useable in a changing environment.

Robert Foster:

Okay? Not a lot of enthusiasm for having different government regulations.

This microphone has been touched by many famous people on its way to me.

This is perhaps a question to Taher and also to Stefan. Stefan, you spoke about Java and downloading executables onto client PC's, which is clearly an extremely powerful way to actually operate at the user end. My first question is, what, do you have concerns about hostile applets, and I refer to everybody to the Digicrime web page for a very good demonstration of that. And some of the people on the panel have even been previous members of Digicrime. But it is an interesting point, because perhaps the question to Taher is: Do you believe that that sort of approach, with downloadable JAVA Applets would be possible to cover the problem of building in some form of policy within products? So do the two of you feel that perhaps the combination of those two technologies could produce something that is feasible?

Taher Elgamal:

What I was trying to say was that even in the downloadable JAVA Applets, it still should be policy independent. Again, because these things will be around, will talk to different versions of different products and it is really, really difficult to keep track of a policy inside of any running piece of code. It is a reasonable requirement to say that the policy is something that attaches to your machine and that you have to abide by it and the software can read it in some way. But it is really a very difficult thing to embed a policy. Which policy is it? So does Deutsche Bank, for example, know which country their customer lives in? And which policy do we actually put it in. And what do you tell them? It is a very complicated matter. It is not really a feasible thing to embed a policy for a country inside of a product that is downloadable. And the nature of downloading is that there is really no boundary between...I don't know where the boundary is.

Stefan Röver:

I think the question of the safety of JAVA Applets is a valid question, but I would probably go beside the core of this discussion. How it is tried to make these Java Applet safe for use, I can only illuminate one short point. A big discussion is virus attacks and using Java Applets, you actually have the ability to react to a virus attack on a very short time. If you use software that has been previously burnt on a CD and installed at the customer's side, and the virus attack on this PC banking software were to be performed, a bank shipping that software would need 4 to 6 weeks to react to that. Using the Java-based technology, you can react within hours. The Applet that is downloaded hours later will not be susceptible to the same virus attack, so actually, without going into too much detail there, the Java based technology is, in fact, a lot safer than using a standalone, installed technology that is built on to your PC where virus attacks can have a much more serious impact.

But the main part of your question I think was: How can a national policy be implemented in Java Applets? I do not really want to get into the discussion of, is it sensible to have different national policies, or do we really want those policies? I have tried to stay out of that, but yes, in fact, if there is a national policy, for example, a policy saying we will only allow information in transit to be encrypted if it relates to data that can be recovered and that books are being kept for. Then you can in fact create your outputs, that they only allow certain types of transactions to be done. For example, money, electronic money transfers, or viewing your account balance, these things. So the functionality can be limited, a national policy might be to say, we do not want free-form entries in there. We do not want somebody having a free-form field and entering to his investment manager, well, please move this money to my black account and wherever. They don't...so a national policy might be to prohibit these things. But to allow entry of formatted data, data that is of a certain content and display of formatted data. Another national policy in a different country might be totally different. They might allow any type of output. So actually using this type of technology, at least from a server point of view, where the regulations govern institutions that set up these servers in a particular nation, a certain amount of regulation is possible there. And national interest can be met and nation-specific ways. Okay?

Robert Foster:

There is another speaker. Question?

Unidentified:

[inaudible]

Robert Foster:

But of course what will be interesting is if you were accessing your service from the UK. today, the service would have to know that today, a different rule may have to apply.

Unidentified:

[inaudible]

Robert Foster:

Yeah. The gentleman in the back.

[inaudible name - something like Amos Fiat]:

So, Sylvia McCulley presented a paper called [inaudible] a few years ago and some suggest that everything we are discussing these days is patented under Sylvia McCulley's patent which was issued, at least the U.S. government paid some money in this context. So the question is, is everybody who is doing some kind of [inaudible] key recovery paying license fees? Or is this problem being ignored? Or...Just curious.

[unidentified speaker]:

This is for you Ernie.

Ernie Brickell:

Nanette, you want to take this? Certco has patent rights to the McCulley patent and so we are covered, so to answer your question, yes, we are paying McCulley.

Robert Foster:

Peter?

Peter Dare:

Yes, IBM has patents pending on key recovery technology. Clearly we want to see key recovery accepted in the marketplace and we will make sure that it is licensed on an appropriate basis.

[unidentified speaker]:

That doesn't answer the question, whether you have rights to McCulley's patent.

Peter Dare:

That is right. No, I don't think we do.

[unidentified speaker]:

I would like to say [inaudible] is subject to patents, so I mean your thesis that none of these are patented is certainly correct. I certainly hope that we are going to solve that in the marketplace and not through some sort of regulation.

Robert Foster:

And again, [inaudible] rights to the McCulley patent.

[unidentified speaker]:

I might stand quick on this, but I don't think we need it. Because our scheme does not actually use that method.

[unidentified speaker]:

We don't need it either.

[unidentified speaker]:

I'm certain we don't.

Bill Poulos:

Yes, I'm Bill Poulos from EDS. Mr. Gladman made an interesting point that key recovery technologies could be dangerous in national jurisdictions that don't have good democratic processes and certain protection. I am concerned about that and my question is, if my company were to use the key recovery technologies being promoted by your respective companies, how do you prevent those kinds of national jurisdictions from engaging in state-sponsored industrial espionage against my company, or against our customers? Is there a way to protect against that, when these jurisdictions have the ability to obtain a warrant and to serve that warrant? And how you cover the liability of that when damage actually occurs to a customer using these key recovery mechanisms that governments are promoting?

[unidentified speaker]:

This is a fundamental question. Basically, if you are a large corporation, then the expectation is that you would run your own key recovery service. That you would be a sufficiently responsible corporate citizen. You cooperate with law enforcement on investigating any suspected crime amongst your employees. So if you are in charge of your own key recovery mechanisms, then clearly you are not going to do any industrial espionage against yourself. For smaller companies...clearly the option, they can choose a key recovery agent in a country of their choice. It is up to governments to sort that out, to make sure that what happens is actually law enforcement, not one country spying for economic reasons on the industry of another country.

[unidentified speaker]:

A book called Friendly Spies quotes the IBM office in Paris as having done a set of experiments to demonstrate the fact that the keys they were required to share with the French government were being used for industrial espionage purposes.

[unidentified speaker]:

Can I just add quickly to this one. I mean, I think this is a worry. But what I want to say very strongly is that carefully engineered key recovery is a hundred thousand times better than key escrow in terms of the end user being able to actually control the use of their secret materials. So in some senses, I often call it the least worst option.

Whitfield Diffie:

Would somebody explain to me the difference between key recovery and key escrow? I mean, I think its due to marketing here, and I have a high respect for marketing, but it seems to me that it all comes down to somebody other than the legitimate owners of the data has a way of getting at it behind the legitimate owners back.

[unidentified speaker]:

Yeah, let me take a crack at it Whit. So, I think that key escrow is a politically incorrect term.

Whitfield Diffie:

Yeah.

[unidentified speaker]:

So key escrow seems...the current usage seems to be saying that a government is going to hold the key.

Whitfield Diffie:

I think that is the definition by the people who like the term key recovery.

[unidentified speaker]:

Key recovery seems to be saying that the corporation is going to hold their own keys or perhaps a Trusted Third Party, with trust really meaning trust.

Whitfield Diffie:

Now how does it differ from software key escrow, one of the initiatives in the US that involved, in particular, the TIS key, and which corporations were going to hold the key. That was called key escrow.

[unidentified speaker]:

Change in terminology. Right. So key recovery is the politically correct term now.

Whitfield Diffie:

And while we were on the subject of terminology, perfect forward secrecy means that after the close of communications, no key further exists in the world that can read the communications. How is possibly compatible with the notion of key recovery.

[unidentified speaker]:

Well, because you can change the keys that are stored on a frequent basis.

[unidentified speaker]:

Can you recover the plain text after the communication has ended?

[unidentified speaker]:

Yes.

Whitfield Diffie:

Then you don't have perfect forward secrecy.

[unidentified speaker]:

I agree with what Ernie said. I mean, the distinction I make is actually about who is actually in control of the material. I mean, our position is very strong. This is actually user control key recovery and government access, if you like, is actually by traditionally accepted search warrant processes. So we are not...whereas escrow is being very much about the government actually wanting to hold your keys.

[unidentified speaker]:

Yes, I think a fundamental characteristic of escrow that I said earlier is that the user shares a secret with the key recovery service before transmission takes place. Before the message is assembled.

Whitfield Diffie:

Not true. The software key escrow...

[unidentified speaker]:

Oh yes, we had approximately two, yes. There is no secret to share. You are right. There was an evolution from escrow to recover, but I mean...you are right, of course, at one point.

[unidentified speaker]:

Recently on the network, I have finally heard a good term for this, it is law enforcement access to key, or LEAK.

[unidentified speaker]:

Just one point that Whitfield made earlier. He talked about the key being available to someone who doesn't legitimately have access to it.

[unidentified speaker]:

Not legitimate owners of the data.

[unidentified speaker]:

Okay. Government has legitimate access to data where the law allows it to intercept communications. So...legitimate, legal activity.

[unidentified speaker]:

I think the fine point you were making here.

[unidentified speaker]:

I'm sorry. You call the owners of the data. I mean, isn't that basically the Communist point of view. The government owns everything?

[unidentified speaker]:

The OECD wording is legitimate possession of the crypto text.

[unidentified speaker]:

If I could involve the audience to ask some questions.

Nicko van Someren:

Nicko van Someren from nCipher. I just wanted to take up Peter on his response to, I think the gentlemen from EDS, about being able to choose a key escrow key recovery Trusted Third Party agent outside the jurisdiction that you might consider a dangerous jurisdiction. In the recent paper published by the British government, this is not an option, you have to have your key agents registered with the government in which you happen to be...with an agent which is licensed by the British government if you want to use any Trusted Third Party system in Britain. And it is likely that Indonesia or China or wherever would attempt to impose similar legislation. So, your point about being able to choose the location of your key recovery agent, the fact that it may be geographically remote does not stop it from being required to sign some agreement with this potentially offensive government.

Peter Dare:

I don't necessarily agree with everything the British government does or says. But the point is, even in the DTI consultation document, there is no requirement on the user to do anything. The restrictions apply solely to those that offer services, or want to offer services.

[unidentified speaker]:

I think the problem is not that key recovery is being done in a country that we do not trust. The problem is that you are communicating with it in the first place. If somebody is communicating with someone in a country that is not trustworthy, they already have the data that has been communicated. So the fact that they can recover the keys to decrypt the data is a completely side issue.

[unidentified speaker]:

So...I agree. The issue is not so much in that, that whether the key recovery system is being used in a country. But if you are communicating in a country that has some restrictive rules on encryption, whether you have a key recovery system or not, they are going to get that data. If you have a key recovery system, you know, as our colleagues pointed out, you have the opportunity to perhaps have those keys held by a corporation that is trusted by the country in which you are communicating and then the government there would not have the access to that without going through the corporation.

[unidentified speaker]:

I think that is basically a question of whether we sell countries the technology that supports their doing this. You can put an office in a foreign country and supply technology of communicating securely with your office. And if you advertised and sold this notion that governments always have right to access to communications this way, and access to the content of communications, and provided products to help them do it, you will end up with that result, but I don't think it is inevitable.

Casper Bouton: [spelling]

Casper Bouton, Qualier Internet Consultants. I would just like to bring up the problem of access to the escrow data bases in different jurisdictions and the problem of keeping escrow databases synchronized. If you want to have access at either end, in two jurisdictions, then you either, it seems to me, have to have the data bases synchronized over an ultra-secure channel or if you go with the [Roy Holloway **] solution, there is a master key. A shared secret key, which allows algorithmic generation of the individual user keys. The problem with having such a master key is if one is worried about keys leaking or being compromised. That master key is a jackpot of considerable significance. And that then leads on to the question of whether there are any circumstances under different government's national policy regimes, whether they would require access or expect access to that master key. Do you have any comments on that?

[unidentified speaker]:

Yeah. I am not sure we need to synchronize anything in the first place.

[unidentified speaker]:

I think one of the great difficulties is when we start to talk about security is that it is much, much more about key management than it ever is about key recovery. And the fact is that some schemes actually seek to undertake key recovery in an methogonal and separate way from key management. Other schemes seek to actually integrate key management and key recovery. Now that is going to be quite a difficult issue. When our scheme happens to take the view that we shouldn't get deeply involved in the key management process because that should be a commercial market process. The key recovery is separate in our scheme, but in the [Roy Holloway **] scheme, of course, key recovery and key management are all wrapped up in one.

Robert Foster:

Okay, we have got time for one more question.

Terry Schoen:

Terry Schoen, Entrust Technologies. Probably a question for Whitfield and Brian. If you have a properly managed public key infrastructure where backup and key recovery is done as an automatic process, would that not be sufficient for most law enforcement officials if data was the thing that was the issue?

[unidentified speaker]:

Backing up what?

Terry Schoen:

Backing up that data that is encrypted. Or backing up the key so that the data can be recovered. So law enforcement comes to the company, requests a copy of the transmission, you are able to recover the data, show it to them, is key escrow...?

Whitfield Diffie

I am not quite sure. I mean, it sounds to me...that we are sort of talking at cross purposes. My view of an infrastructure to support communications is that it is always an unwise idea to put backup communication keys. Things in transit are not valuable. If they don't get there, you can't read them when they get there, you just send them again. The solution to having lost keys for communication purposes is merely to re-key. Keys for protecting storage of data are in effect a basically new application of cryptography. That has not been a major application of cryptography in the past, many a people are doing things with that. It has some clear, economic benefits in a network environment, and under those circumstances, it is essential that you have robust key recovery. So we have two phenomena here that are quite different and the marketing hype is confusing them as much as it can.

[unidentified speaker]:

I think I can only, really, agree with Whit here. I think that certainly if you have an infrastructure for stored data that gives you key recovery, that is one approach which meets the user requirement for key backup. There are obviously going to be others as well. But I mean, I think the really essential point is that the user interest is in key recovery for stored data. Key recovery for communications is not an end user interest, it is a much more government interest.

Robert Foster:

Okay. Thank you very much indeed. I would like to thank you for your patience in listening to us. Hope you found it informative and would like you to join me in thanking the panel.

[unidentified speaker]:

Okay, to keep on schedule, we are going to need to move promptly to lunch which is in the Kensington Room, upstairs, and please move their promptly, so we will have plenty of time to listen to Jim Clark's presentation and time for Q&A during his presentation. Thank you all very much. The Kensington Room is upstairs, at the top of the stairs, someone will point you in the right direction. Kensington Room for the meeting. If you did not get a copy of the invitation to the reception this evening that Lord Renwick is hosting, we will be giving those out at lunch, for those of you who did not get one this morning. There is a reception at the House of Lords immediately following the session this afternoon. If you did not get an invitation, we will be handing those out at lunch for those who did not get one.

Takuma Amano and Robert Blohm encryption panel

[Unidentified moderator]:

There is a useful interlude during the day if you wanted to have all of you who are very interested and involved in the Internet, listen to some information that we think is very significant, although it is still very much in the development stage, and we didn't want to pass up this opportunity to have an opportunity for you all to meet two people who are involved in some very cutting edge research about the impact of the Internet and an opportunity to provide them feedback. Our next two speakers, Takuma Amano and Robert Blohm are both investment bankers.

Takuma previously was president of a software company in Japan so he has quite a bit of experience in the Internet. Last fall, they co-authored an article which appeared in the Wall Street Journal about the very important topic we believe, about the economic impact of the growth of the Internet. There are lots of metrics out there that I am sure you are all familiar with, about how many servers there are, how many people are connected to the Internet, how much advertising revenue is being spent on the Internet, etc., etc. There are various attempts to get some meaningful metrics about the Internet. One of the things that we are very interested in, representing the industry, and we know that the government is very interested in, and we know the companies are very interested in, is what has the Internet meant in terms of economic growth and in terms of job creation. Because, though the Internet is very much an enabler, it also in itself, creates job opportunities and creates economic activity.

So Takuma and Robert appeared with us at the official announcement of the Global Internet Project in December in Internet World in New York and presented some preliminary results that they had done and explained how they had arrived at their information. That the Internet has already created, in 1996 alone, over 1 million jobs. And how this is an amazing driver of economic activity, particularly in the U.S. because the U.S. is such a large part of the Internet economy, but also in other parts of the globe. They have been continually updating their research and analysis since the initial analysis and we are going to spend a few minutes today having them review their analysis, give you a brief explanation of how they have done their analysis, and give you some chance to get some feedback. This is a fairly condensed version of their presentation. We have a fairly condensed period of time so we can keep flowing to other panels, but certainly, take this as if you haven't heard their presentation before, as new information, and I am sure Takuma and Robert will be glad to talk with you later today, or subsequently, if you have an opportunity to provide them some feedback, because they see their work is very much a work in progress, I believe, and are looking for as much feedback as possible from the industry. So I will turn it over to you, Takuma and Robert.

Takuma Amano:

Thank you. Good afternoon ladies and gentlemen. I am Takuma Amano and he is Robert Blohm. I am going to explain what we have done in terms of estimating economic impact of the Internet. As you know, there is no macroeconomic data available to estimate the economic size of the industry or economic size of the Internet. And so we have to build up, build up from microeconomic data. But if you use accounting data to do so, it is not necessarily timely and it does not necessarily refer to the explosive growth of the Internet economy. Or also strategic expenditures done by the Internet software companies, because those softwares are expensive immediately.

[comment from panel]

Stock market value.

Robert Blohm:

We use the stock market evaluation as a proxy for revenues and so on. Companies share-value information is available. There is a relationship with GDP and in fact, intuitively, it is as follows: there is a corporate financial rule of thumb that a company's revenues are more or less equal to a company's equity, book value or market evaluation. If that is the connection, it has become a match in the growth as has been captured by accounting data. This is a real-time measure. It gives...you know, the market has a chance to react to developments and anticipate developments, so it captures information about a company's activity that is not captured in accounting data, it only comes much later.

Takuma Amano:

So look at the best case, and that is Netscape's IPO. If a venture company has a successful IPO after that, they will have aggressive growth: recruiting engineers, recruiting marketers, of course, the overhead becomes bigger, they have to establish an administration, and also they will, also some of their business outside, they will buy a lot of equipment from outside parties. And so they will definitely increase their net income and net profit. All those things are components of GNP. So you understand a market capitalization of the industry on the stock exchange are very good approximations of some kind of GDP. So we say, [inaudible] the relationship.

Robert Blohm:

Basically, one can view the economy either as the sum of consumption or the sum of production. We view the economy as the sum of production, it is like a single firm, we are aggregating all the firms in the economy assuming these private firms are responsible for all the economic output. And we are using the market capitalization as the measure of this.

Takuma Amano:

And from all our experiences in the 1980's, usually the total market capitalization were around 2/3 of GDP, I'm talking in the United States. And if the total market capitalization are larger than 2/3 of GDP we are a little bit concerned about the possibility of overvaluation of the market. But now in the 1990's, because of the recent substantial increase of new ideals, new companies coming into the market, I think we have to change this percentage. These market valuations are rising because of a lot of layoffs, increased productivity. So, of course increased productivity means contained inflation, therefore, I think we have to adjust, instead of 2/3, but almost 100 percent of gross market capitalizations will be very close to a GDP. And also that is, we are talking about total. But we are not talking about a specific company's market capitalization is contributing to GNP for that amount, but total capitalization like this is okay. But if we take industry itself, that is also we believe, in the industry's share of GDP. And this is what I have been explaining. The middle line is the GDP of the United States from 1959 to 1996. And the lower line is the market capitalizations of the U.S. Equity markets, New York Stock Exchange, AMEX Exchange, Pacific Exchanges plus of course, NASDAQ. The bottom line, and the middle line, that line, is a percentage market capitalization against GDP

Robert Blohm:

And you see the two-thirds relationship which is pretty constant. There was definitely, you know, during the 70's, some very bad years where it declined substantially below 60 percent, but we saw with the Reagan years, and especially more lately, the Clinton years, the market capitalization is up now at an historic high of 100 percent of GDP. This should not worry the likes of Allan Greenspan and so on because of the following fact. What is responsible for that rise?

What we have here are the same graphs of GDP and market capitalization, market capitalization is here, and what is this graph up here that is more or less the same upward shape from the early 80's, capturing the Reagan years and the Clinton years? This is the number of listed companies. So we have seen a dramatic increase, almost from 6,000 to 9,000 companies. And that explains this dramatic growth in market capitalization. It is not the share prices are inflated. That should not worry the Fed. We have a larger number of companies, the overall market capitalization is lower such that listed companies now account probably for half of privately owned companies in the United States. Market cap is now properly 100 percent of GDP. This is not speculation, this is not inflation of prices.

Takuma Amano:

Then, what is the technical procedure for specifically estimating the Internet economic size. First, content providers. It is very difficult to estimate what content providers are doing over Internet. The best example is a Dow Jones, yes Dow Jones, they are selling Wall Street Journal through the Internet. But I don't know what the percentage is. I might be very small. So, because of the difficulty of estimating contents provided business over Internet, we unfortunately have to eliminate it. So for our estimation, contents provided business is not included in the Internet economy. But, the simply example is Netscape. Their business is 100 percent Internet. Likewise Cybercash and Entrust are 100 percent Internet based. Now, what is a percentage of IBM's business due to Internet? It is very difficult, so we basically come to say, 15 percent for hardware-type manufacturers. If I say, IBM is simply a hardware manufacturer, they would be upset. So, I go, hardware-type manufacturer will be 15 percent, but for Microsoft or Oracle, for those software companies, they are now really shifting to Internet related business, we decided to assign 25 percent. Intel is a hardware-type manufacturers, but for the exceptional case of Intel, Intel is Wintel, therefore we decided to use the same percentage as Microsoft. Now, one of the biggest suppliers for Internet is telephone companies. And if you take Nynex, probably for Nynex for U.S. domestic carriers, the percentage of Internet should much less I believe, so we assign 5 percent. Though I know, something that guy told us, no, their percentage Internet is 40 percent, so we just upgrade. Yep.

Robert Blohm:

To recap here, what we are doing, we said there is no macro-economic data, there is micro-economic data on specific firms. So what we were doing is, we were getting a result by construction, we were building it up, we were taking all the firms that have direct Internet related activity and adding up these market capitalizations, comparing it to the total market capitalization, which represents total GDP and we are getting a percentage of GDP.

Takuma Amano:

And we picked out about 148 companies, and by calculating it our way, it comes to about 191 billion dollars absorbed last October. So last October we said, okay, GDP contribution by Internet economy or Internet industry should be somewhere around that. So 200 billions dollars, that is about 2.8 percent of United States GDP. Now, job creation...

Robert Blohm:

Okay. And the growth, incidentally, that would account for all of last years economic growth. We estimated that this activity occurred over the last year, or year and a half, so that was approximately...it was 2.4

Takuma Amano:

2.4.

Robert Blohm:

2.4 percent growth. That is a growth rate that we will not see again. But the growth will continue. That is a take off stage.

Job creation. What we did is very straight forward. We just read off the job figures from the SCC data that are provided by U.S. firms. And then weighted them and so on by the Internet percent and we got a job creation figure of 380,000 jobs for last year in these companies. Now, going back to a comment I just made, that publicly traded companies now account for a half of corporate production in the United States or the corporate, private production economy. We then double that number, to 760,000. That captures all those all those entrepreneurial and development firms and so on that are out there and providing the wherewithal for this development.

What is striking is that the number, 760,000, if reflective of last year or year and a half, accounts for half the new jobs in the United States. So we have these jobs as highly productive. They apparently account for all of U.S. economic growth, but half the jobs growth in that year. So that is a very significant, that is probably the single most striking characteristic of what is going on. Globally, the U.S. accounts for two-thirds of the world's software market, the general rule of thumb. From Morgan-Stanley research, we also found out that the number of host computers in the USA for Internet is 70 percent, so that validates our taking that figure while going back to this, grossing it up by a third, so we have got our to figure some 1.1 million jobs worldwide at that time. Next one. Oh yeah. Well, why don't you cover the update.

Takuma Amano:

And of course, GIP asked us to update our research because our estimation was done last October and we updated it in January. And the rough idea about new market capitalization, as of this January, not recent stock price decreases. Since then equity increased and is coming back again somewhere around last December's level. So anyway, the Internet market capitalization was around 220, we believe, 225 billion dollars. That is about a 14% increase in one quarter.

Robert Blohm:

So annually, that would be something like a 75 percent growth rate over the year. Now we have probably seen similar growth over the second quarter. That would be just before the stock market correction that we've seen, but I think the stock market correction will prove not very long lived, and we are already seeing a rise again. So over the year, one could expect something not too far from our estimate. But anyway, over the long run and over time, the shape of the growth path that we are going to show you at the end, we believe, will be preserved. And what is responsible for this is higher expected earnings. What is driving these share prices, of course in the market, are also the efficiencies. All companies have derived cost efficiencies of course. There is substitution for some employment, but there are new jobs created in all these entrepreneurial firms that are servicing this. So, you know, there is not a need for inflationary fear, because companies have an enormous amount of room if they come under cost pressure. Simply their profits decline somewhat but there is no need to raise prices. Companies have this enormous room, the stock market value is driven not by prices increases, but by cost decreases.

So, we can't estimate the job creation during last month off immediate figures because those numbers basically come out annually. But if we apply the same percentage growth and so on, 75 percent last year, we are talking about a 100 to 200,000 new jobs in the last quarter. And for adding on for the rest of the world, again, upwards of 200,000 jobs worldwide. Keep in mind that our estimate is conservative. There is no multiplier effect in our estimate. It is, we include only a few direct suppliers to these Internet companies, like Intel and so on, but by using market cap, this is very interesting. You cannot add up all the revenues of companies and get GDP, because there are things called intercompany transactions that are subtracted from GDP. All the material supplies don't count. That is accounted for in market cap. Market cap captures just the firm's contribution to economic activity. Not its purchases from suppliers. In fact, if the supplier's share price rises, his market cap increases, the buyers are going to decrease because he is paying more and it is impinging on his profits and so on. So it is a good separation. Anyway, we are not measuring applications of Internet by users. The efficiency of Internet use, among other things, in particular, the increase transactions flow from credit card transactions and so on. This will have very important impacts on monetary policy and in monetary economics that we are only beginning to look at, in terms of velocity, and so on, a transactions flow. The ease of information access is very important, an important efficiency not measured in many instances, leading us to believe that our measure of inflation is overstated. We have at-home banking, for example, buyer behavior information, the Nielsen-type stuff, and so on. Finally, our estimate is conservative because it compensates for the negative impact on rival info-median and transactions media. Of course, newspapers are more traditional media. Transactions media would be shopping malls, real estate, and so on. People have the locational assets. So, why don't you recap and we will show the growth path, and then we are done.

Takuma Amano:

The last, but not least, I think miserable, but the most important U.S. achievement is the optimal allocation of the most important economic resource. That is human brains. By shifting young, talented engineers from the defense related industries to Internet software developments.

[unidentified speaker]:

We are short of time. Why don't you just explain the last chart.

Robert Blohm:

Okay, this is what we see as future growth. The red line up here is the info-tech industry. This is just our estimation. There is a kind of consensus that ultimately it will reach 14 percent of GDP. On this axis we have the percentage of GDP...[Blohm points to Excel graphs] 14, you know 12 down, and 9 here. This line is Internet and we have 19 from 1995. This growth over 1996 was very large. Well over 100 percent. We reached 3 percent of GDP about here. Now these numbers above, the dots, these are the actual growth rates, reminding you again, these are just percentage of GDP. This is a level, and this is a kind of flow. This year we expect 78 percent growth in GDP. That would be the change from here to here. And you see the growth rate should taper off as the Internet reaches its level, maybe 9 percent. Will the Internet, you know, comprise two-thirds of info-tech ultimately? I think it is a reasonable question to discuss, but nevertheless, the growth, you know, we are not going to see the same growth that we saw in the early stages which is true in any era. We see the impact on info-tech and again, this sort of declining growth rates as we go off into the future. So this is what we see as the picture.

The lesson for economies is that, this is a great job machine. Don't do things to stop this. There is a great success story in the United States. The story for Europe is a story of unemployment. Not in Britain, but on the continent. And the key, what is going to create the jobs, is the entrepreneurial sector that will develop the Internet. The way this is done is to lower taxes to enable people to set up companies that are going to employ all these people, which they are doing in the United States and not to impose regulations, rather to deregulate, to reap this tremendous benefit that we have seen as occurring and driving in the U.S. and driving the U.S. economy.

Takuma Amano:

Thank you very much.

[Unidentified moderator]:

Takuma and Robert will be around later today, so if you have questions or comments about their results, or if you have some suggestions on their methodology, I know they would be glad to hear from you. We are next going to move to our very important panel for today, the government policy perspective. As John Gerdelman said this morning, and Jim Clark reiterated at lunch: One of the reasons the Global Internet Project was formed was to further the education efforts that the industry puts forward to the policy makers globally and we have a very distinguished global panel. I would like to call up the Chairman, Detlef Eckert from the European Commission and his other colleagues and we will now have their discussion to discuss the government position in policy. Following that, we will have a summary of the OECD cryptography guidelines which were recently issued by John Dryden from the OECD. So Detlef, you and your panelists are on, and make sure you don't fall off the back of the panel here. We don't want to lose anybody.

Detlef Eckert:

My name is Detlef Eckert from the European Commission. I am really honored as a noncrypto expert to chair a meeting of government experts who, by and large, are experts. First of all, to date, our discussion has shown that there is a really high interest in it and being surrounded by so many people, I wanted to show you all a cartoon that I took from the financial times, many of you may have seen it. We are taking you off encryption since you need a rest. I guess it is well known amongst many of you, but I like it very much, so I have circulated it to our guys who deal with encryption. Got some mixed reactions, by the way. So, thank you for this opening. Before I hand over to the panelist, let me briefly confirm that the European Commission has a very high interest in this subject. It is mounting up, even as an interest. We see electronic commerce and the Internet, as outlined just before by Amano and Bluhm's excellent presentation on the economic impact, as crucial for competitiveness and job creation. And so we have to everything to make this new business, this new infrastructure, flourishing and creating new jobs.

And therefore, we need to make sure that there is a possibility to make communication and trade much more secure than it is now. And we should find a solution for this. As has been outlined today, the software on the encryption projects, I guess it was Brian Gladman said this, moving from closed market to open market. From government exclusive market to competitive market. We see that the product are imbedded in software. I guess it was Parker who said that no software without encryption can be sold on the Internet in the future. So these are becoming products which are embedded in commercial activities and can no longer be regarded as something suspicious or separated. Therefore, and this is now where the European Commission has a specific role. Therefore, these services are becoming services for which the treaty, the Total Market Rules imply.

There are, of course, exceptions to these rules in the Treaty of Rome, Article 36 and Article 56, that allow member states to set up specific rules against the free flow of services and goods in the European community if there are, for instance, public security concerns. There is no doubt that this treaty stipulates this. However, these measures must be justified. And this means the justification must prove that there is a need, it must prove that the measures taken are effective and there must be proof that the measures taken are proportionate and non-discriminate. So these are the things where the European Commission have a specific responsibility to see and to chair and to check emerging laws. So having said this, I would like to pass over directly, I guess, the first one on the panel is the Undersecretary for Export Administration from the U.S. Department of Commerce, Mr. William Reinsch. May I ask the panelist to stick to roughly 5 to 7 minutes please to allow for the discussion.

[unidentified speaker]:

Good Luck!

William Reinsch:

You have to consider that it is probably in our interest to talk longer, so that there are fewer questions. I am also looking forward to having my European colleagues comment on the relationship between the EU and member states on this area. I always look forward to that kind of discussion, because I can sit back and not get involved in it. Let me make some comments which are, for the most part, prepared, because I want to minimize the mistakes I make. And then we can have the rest of us talk and go on to questions. Most of this, I think, will be familiar to those of you that follow the American policy closely.

Our policy, as you know, is based on an attempt to balance what we view our the competing interests here, privacy, electronic commerce, national security and law enforcement. And I have several pages on why there is a business, electronic commerce privacy interest, in this issue. And I think you all know that better I, and you heard that articulated this morning, so I won't give that to you. But I don't want the remainder of my comments to reflect, a focus exclusively on the law enforcement aspects of it. I am not a law enforcement official, and I want to make clear that we do recognize very strongly the importance of encryption as a critical element of electronic commerce and we in my government are committed to facilitating the growth of electronic commerce, and thereby the growth of encryption. So please don't take the fact that I am skipping all that in the interest of time as an indication that we are not interested in that.

But I do want to point out as well that there are law enforcement and national security risks to the increased use of encryption. They were also referenced this morning. And we are trying to deal with them, as I said, in a way that provides some balance between those equities and the equities that are reflected by the business community. And we are trying to do it in a way that is based on consultation with private sector. And one in which we are working with the market and not against it. And I think that that is facilitated by the fact that in many respects, particularly with respect to key recovery, the market is going in that direction anyway. But I want to be very clear about that. We believe in using the market to respond to the demands for encryption products. And we do not intend, through our policy, to mandate the use of particular products or particular technologies. Neither do we intent to limit in any way, the use of products with encryption capabilities domestically. We watch the market closely in this regard however, and we want to do what we can to facilitate the creation and sales of products that can accommodate both the demands of electronic commerce and also our law enforcement concerns.

Now that means key recovery, fundamentally. And it means discussing with you, what I have looked at as two aspects of the problem. One the adequacy of product in the marketplace and facilitating its production and arrival in the marketplace. And probably more important for the longer term, the creation and facilitation of the infrastructure to support those products, because key recovery, in particular, is dependent on that kind of infrastructure to make it work. Now by key recovery I want to make clear that I refer to a range of technologies. Some in existence, some under development, some under conception, if you will, that are designed to permit the plain text recovery of encrypted data or communications. There has been a tendency in the United States at least, although I don't think it was reflected this morning, to construe this term and others as very narrowly focused on a single approach or a single technology. And I want to make it clear that that is not our intent. We expect the market to make those judgments. And I mean that, we intend to do the best we can to stick to that, and I think thus far we have been able to meet that standard.

At the end of last year we published new regulations that relate to this subject. That did a number of things that I want to bring you up to date on. For those of you who are not familiar with them. One was that they transferred the export licensing of commercial encryption products from the Department of State to the Department of Commerce, which had the effect of emphasizing the President's decision that encryption is not anymore fundamental ammunition or something to be used solely by the military or in the pursuit of diplomacy, but rather it is in fact a part now and will be in the future, increasing a part of normal commercial activity. It also signals, however, that the United States continues to view export controls as an appropriate tool to influence market developments on encryption. And to keep strong encryption products out of the hands of dangerous end users, and I don't expect our view about that to change. That view, of course, has been and will continue to be, consistent with our arrangement obligations for the multilateral control of these items.

We've begun having discussions with our training partners including the ones that are represented here, on trying to develop a common approach to encryption policy, including export controls, based on the guidelines recently agreed to at the OECD. Many of you may know David Aaron, our ambassador to the OECD. The President has also appointed our special representative on encryption. He has been engaged in these discussions, I think it is fair to say for the most part, our discussion in this early stage have involved sharing information about what each of us is doing, and in the process, we have learned a great deal, and have discovered, I think, several things. One is that most of the governments that we are dealing with have concerns that are similar to ours. And most of them have the same breadth, point of view, or the same spectrum of point of view, reflected within their government that we have reflected within our government and also within their society. Everyone has to go through the same debate on this. Some are going through it a little faster than others. The French, as you know, who are not here today, have already passed legislation. The British, I think, as you shall shortly hear, have put out a very comprehensive paper on this subject and are well on the way to implementing their policy. I will be describing our policy. People are moving at different rates. I think in a general sense, many of us are moving in a similar direction. And that is an important thing to keep in mind for the future. That, of course, is what we are hoping to see occur.

Domestically, we have done a number of things with respect to our own export controls, that I think will influence the ability of American companies to do business abroad. The most important of those, I believe, is the creation of a license exemption, which would allow recoverable encryption products of any strength, and any key length, to be exported freely after a single review by the government. And we have companies beginning to try to take advantage of that. We have also expanded the definition of products eligible for this particular exception to include, not only key escrow systems, and we had this discussion about what these terms mean, thanks to Whit Diffie's question, and for this purpose we construe escrow to mean a third party and we construe recovery to include systems that don't necessarily involve a third party. That is not necessarily the right definition, but just so that you are clear about what I mean.

But what we are making clear in our own rules, is to permit the export of key recovery products. I want to make clear that what that means is not just key escrow systems, but also other systems that do not necessarily involve third parties, that provide for recovery of the keys for plain text. Products which wrap keys in the header of a message, or which provide access at some point in transmission to plain text are examples of what is equally accepted. The new regulations will also allow for self-escrow and they allow for escrow, escrowing of keys overseas in certain circumstances, which we believe will make key recovery products more attractive in export markets. The regulations also recognize that the establishment of an infrastructure is going to take some time, and I think that that is obvious to you all, and that therefore, we will consider requests for self-escrow and escrowing overseas even before there are any government agreements on access, or before there is an established network of recovery agents in place. It is in our interest to get the products out there that have these capabilities, without waiting to make sure that the infrastructure, in fact, is in existence. This is our best way of dealing with what is essentially a chicken and egg problem of who goes first. Somebody has to go first, and our judgment has been that it is our interest to get the products out there.

We have also created a special two-year period in which we have liberalized, somewhat, the rules on exports, for our companies, and permitted them to export 56-bit DES or equivalent products if they submit plans and show that they are working with us to develop the kind of key management infrastructure that we envision. In addition, we are in the process of developing, through the private sector standards, for key management, the National Institute of Standards and Technology, which is our basic standard's agency, which is also a part of the Department of Commerce, has formed an industry advisory committee to develop requirements and standards for key recovery products that the federal government will use. We have invited representatives of foreign governments to attend this advisory committee series of meetings, which so far has met twice, the next meeting, I believe, is next week. At the last meeting we had representatives of six countries attending, to share with us their views both about what we were doing and also about what they are doing. Because we want to encourage compatibility.

Let me make clear that in the United States, the way we do this is essentially a private sector process. This is an advisory committee that consists entirely of representatives of industry. The government convenes and the government sits on the side and listens, but the industry itself develops the standard. At the end of the day, once the standard is developed, the government, in all probability, will accept and promulgate that standard for government use and for government purchases of encryption products. What the private sector chooses to do is its own business in the United States. What has tended to happen in the past, of course, is if it is a good standard, lots of people climb aboard that train and begin producing to it, partly because it is a good standard, and partly because, in our country, the government is a significant purchaser of products like this. We expect and hope to have this standard completed by the end of the year, which, for this process, is near record time. Although in this particular industry, I recognize that it is slow, but we are doing the best we can. And anytime you get 25 engineers from 25 different companies together to talk about this, you can imagine you get different points of view about what we ought to do and that is exactly what is happening.

Probably the best gauge of the progress we are making has been the industry's response to our policy. In the first three months, we received over 400 license applications, valued at almost 500 million dollars. Twenty companies have submitted plans which lay out how they will build and market key recovery products. We know that others are preparing them. These companies include the largest software and hardware manufacturers in our country. Some of them are represented here today, although the law, our law prohibits me from naming any particular companies unless they have identified themselves. We have approved eight of these plans so far. We expect to approve more very shortly. We are doing them, roughly on an average of about 30 days and it is one of the deadlines we have been able to meet. We have not been able to meet all of our deadlines, but we have been able to do that. Thus far, we have not rejected any plans. We believe this suggests to us that our policy is working. I think it is facilitated by the fact that there is a market demand for key recovery and electronic commerce is going to require public/private key encryption systems, and people within those systems are going to want key recovery. I think that was stated this morning by some people in the business. There is no shortage of companies coming in to us saying, we see a demand for these products and therefore we want to work with you to facilitate their production market in the United States as well as their export.

Now, what we want to do, as I have said before, is make very clear to all of you that we do not support mandatory key escrow and key recovery. What we want to do is enable the development establishment of a voluntary key management system for public key-based encryption. We believe the current policy is succeeding in bringing key recovery products to the marketplace and now we are beginning to look at how we can best facilitate the development of the infrastructure. To that end, probably next week is my current estimation, we will submit to the Congress legislation that is intended to do the following:

Let me be clear on that later point, because our position and policy was incorrectly described at lunch, and I want to make sure that there is no misunderstanding about it. We will undertake to create a government system for licensing and certifying certificate authorities in key recovery agents and we will only approve, for those purposes, entities that commit to key recovery. But we are not going to insist that our system be the only one offered in the United States. Other entities will be free to set up their own key management infrastructures and individuals, as always, without approval or licensing by the government. And individuals will continue to be free to use whatever kind of encryption that they wish.

This is what our bill will reflect next week. There will be I'm sure, agitated debate in the Congress about this. There were references during lunch also to legislation on this subject. I can go into this at greater length in questions, if anyone is interested in the intricacies of the American political process, and I can't imagine that you would be. But I would just say that, in my judgment, and I worked there for 20 years, so I have some experience here, the Congress is not going to pass legislation that is going to effectively turn the government's policy 180 degrees. There is an active and growing group of people in our Congress who believe the policy I have just articulated to you goes too far and in fact does not provide sufficient protection against terrorists and drug dealers and is inadequate from the standpoint of law enforcement. That is a significant group of people, including those on the committees who are going to be reviewing this bill, and they will go head-to-head with those people who believe our policy does not go far enough. At the end of the day, I hope, that the Congress will not be paralyzed by that argument, and in fact, will pass what we want, but in our system you never really know. And we will find out, but I do not take it as a given that the Congress is dead set on producing legislation that is going to block the government's export control policies, and so for those of you that are counting on that, I think that you have got a long wait. So having said that, and probably taking a bit more time, let me defer to my colleagues and then we can come back. Thank you.

Detlef Eckert:

Thank you very much. I guess the next speaker is Ulrich Sandl from the German Ministry of Economic Affairs. He participated in the OECD guideline discussion and to see how the commission is used to compromise. Please, only ten minutes.

Ulrich Sandl:

All right. Thank you very much Mr. Eckert. First I want to stress my pleasure to be here today and we do think that it is very important that business, government, and science and technicians come together and discuss. As Mr. Eckert has said, I am working with the Job Ministry for Economic Affairs. And together with the Ministry of Interior we are responsible for crypto policy in Germany. From our point of view, this common responsibility makes a lot of sense, because our Ministry of Economics is responsible to the internal security and we are responsible for economic growth. So together we are forced to struggle for a balanced direction in this field of action. Since the beginning of February, we got a political decision on our crypto policy. I have to stress that this is no final decision so that fundamental discussion will go on, but we have got a clear assignment to take first matters to create cornerstones in the crypto policy. Sorted by our priority, we have to deal now with three main objectives:

Let me explain the background of this decision. Firstly, for us, cryptography is one of the most important technologies for the information age and Germany wants to play an important in this game.

Secondly, no one will deny that cryptography is increasingly used by criminals to hide their business and we have to concentrate much of our energy to fight crime on the Internet. And that in some cases, in Germany and I have spoken with the prosecutors and it was really serious. However, there is presently no intention in Germany to restrict the use of cryptographic methods. And in my personal opinion, it will harm to our enterprises too much, and brings too little benefit for our law enforcement. As arguments I've heard on the first panel today, I take them very seriously. So we will allow the user to choose his cryptographic methods, including the key management systems.

However, to be liberal does not mean to do nothing. Certainly government and cryptographers or big enterprises, have the ability to care for their own protection in the Cyberworld. But what about Mr. and Mrs. Everybody? Whom might think that cryptography is a new political system? What about small or medium sized enterprises? For a growing number of Internet users, we have to find an adequate solution to protect their interests. Sometimes it seems to me that some experts have forgotten that outside these walls some people are not experts... Who can't read the source code, who can't assess if an algorithm is weak or a key is too short. And sometimes it makes me very unhappy when our discussion just deals with the problem of the access or nonaccess of law enforcement agencies. One of the most important questions we have to answer now in Germany is how to bring more security to the users, and particularly for those who can't protect themselves.

Finally, let me give you a short insight in the current discussion upon practical implementation of this intended crypto policy. Together with law enforcement, science and industry, we have established several working groups. And we are dealing here with the following items. In the first working group, we will try to define the conditions for general acknowledged evaluation procedure for crypto products and on approved basis, to provide a reliable secure level for everybody. In the second working group, we are going to define the conditions for establishment of privately run IT security infrastructure on personal party basis. With those products, and I stress only those products, should be opened. Everybody should be free to use, the specifically evaluated products, but if he or she uses it, he must know that he uses a reliable system, but that the keys will be stored to be used for lawful access purposes. The philosophy behind this is quite simple. When government take cares that strong and reliable systems are distributed, those governments have to take care too that those products are not misused.

In the third working group, we are considering how to promote European and international cooperation. First we would like bilateral negotiations, we would like multilateral negotiations more, and we, I have to stress here very clearly, we have had very good experiences with the OECD meetings. One major point is the use of cross-border key management systems. Facing technical realities for us, it would be very difficult to accept that private keys of German users are kept under foreign jurisdictions without the knowledge of the user. Fourthly, finally, we are going to discuss these items very intensively with all the governmental and nongovernmental groups because we think that there is a great need for transparency and we learned from discussions in other countries that it doesn't make any sense to have only closed door codes. Now we want to start a campaign to raise public awareness on IT security because we do think that information on these issues is very important.

Ladies and gentlemen, we are standing at the very beginning in Germany and we know that there are a lot of questions to be answered. So I would appreciate it very much to have some discussion afterwards. Of course, we are still in the developmental process, Mr. Clark, and don't pretend to have a master plan for this. Thank you very much.

Detlef Eckert:

Clear answer in the USA, waiting answer in Germany, and the United Kingdom has issued the paper. It is available on the Internet, please save it.

[unidentified speaker]:

Okay, thank you very much. Well, I think listening to the various discussions, it sort of struck me that what has happened in the UK government is that we have come at the problem from two different directions. And I think the discussion document that we have put out recently is the sort of result of the intersection of two different cultures, as it were, within government. If I go back a couple of years, then there was concern in one part of government that strong encryption might become readily available and be used on the Internet. And there was a concern in the other part of government that strong encryption wouldn't become available and wouldn't be used on the Internet. And these two, entirely different, I am not joking, these two entirely different approaches, had some difficulty in coming together. And indeed, it was just about the time that I became involved myself that we started to find a way forward. I think nothing to do with me, it was just coincidentally. And the way forward that we decided to try was the one that is described in the discussion document, which is what is in your handouts in Section 7. It's available on the Internet and I hope that some of you would have had time to read it.

The basic approach we took was, first of all, we recognize that if the law enforcers wanted access to all the communications which it used in encryption for confidentiality, then they would have to wait a very long time, because that wasn't actually a realistic scenario to go for at all. And so we accepted quite quickly, at least some of us accepted quite quickly, and some of us accepted less quickly, that control on the use of encryption was a nonstarter. It wasn't sensible to even think about it. Secondly, we recognize that, if we were going to put strong encryption in the hands of ordinary people who, you know, just about know how to turn the PC on, they certainly don't know how to download PGP from the Internet and get it working properly. Then we had to solve for them the key management problem. The problem of making sure that, whoever they might want to communicate with, has the right key to enable them to do so. And so this sort of any to any secure communication capability, which we take for granted, if not in a secure way, with the telephone system, had to be potentially available, or we hoped would be available in the future to everybody who wants to use it.

The idea started to gel that this wasn't a problem to do with controlling encryption or anything like that. It was a problem to do with creating a key management infrastructure of some sort. And because we had been able to learn some lessons from efforts in other countries, for which we are very grateful, we were able to look at various features of what we were planning, and then change them so that we could avoid some of the traps that we might have otherwise fallen into. And one of the traps we decided we didn't want to fall into was in specifying any particular cryptographic algorithm or try to say how many bits the key length should be. That struck us as the beginning of a very long argument, that would never actually stop, because whatever you agreed to, the next day would, it wouldn't be good enough again. So we wanted to have a system which allowed free choice of the algorithm, free choice of the length of the key, and really just address the management of the keys.

The idea was that the individual users would be able to take their key management services from anybody who was providing them, well, that got changed later, it was anyone who was licensed to provided them, and I'll come back to that. And then we would concentrate on making sure that access to the key management services would include confidentially keys. Let me say, only for confidentiality keys, we won't...we will make it illegal, as it were, provide no legal basis for access to integrity keys. And indeed, make it, probably make it an offense to access integrity keys that you are not entitled to access to, and all that sort of thing. We really want this to be about confidentiality and escrow confidentiality only.

So the idea would be that somebody, in taking key management services from commercial players who were in competition with the right controls over access to the confidentiality keys for law enforcers, would provide a means by which strong encryption could be used, which would be both useful for electronic commerce, which is what the department of trade industries are particularly interested in. And would maintain some reasonable degree of lawful access, which is what the law enforcers are principally interested in. And we sort of recognized that, whatever we do, is only going to leave a proportionate of traffic accessible to the law enforcers, but then that is true, because whatever we did, I mean, I am sure we all understand that whatever extreme steps were taken, it would not stop those that decide to sidestep the controls from sidestepping them. So, there is no point in making life too difficult for everybody. I have heard some convincing arguments about the overheads on system design, if you make things too difficult. So we want to try to recognize that the experts and those that really want to, will always get around it, but have something in place which solves the key management problem for most people and which actually leaves a reasonable proportion of the confidentiality traffic with the keys available in escrow.

Now, quite how this will work out in practice I have no idea. And part of the reason for our discussion document was that we wanted to take this rather sort of superficial idea which I just sketched out and expose it to business and to people like you and to those that might be licensed service providers or licensed key management providers, or licensed TDB's, whatever you want to call them. And find out what was wrong with what we were proposing. Where were the points that were mistaken, or hadn't take in account of the way technology was moving, or just were plain stupid. Which were the good points that maybe we hadn't properly understood we needed to strengthen. Remembering, we are talking here about the key management infrastructure that will be used, mostly I guess, for integrity and we want contracts that are covered by keys provided on this key management infrastructure to be provable in courts. And actually for those electronic contracts to work is very important. So this thing, this discussion document has gone out, we first of all had a rather paranoid reaction on the Internet I thought and maybe that was because people were either misreading it or reading more into it than we intended. For example, the very first posting in the Cy.crypts news group on NewsNet said, "UK. government ban PGP Official!" and I didn't reply, but I wanted to reply, and actually, that was the one thing that we all agreed we were not going to do. And it has been explained to me that the document as it stands, at least makes that confusing, and perhaps is inaccurate in terms of what it says we are going to do. And so that is something we have got to look at so we will be trying to frame our legislation in a way that gets around it.

Now what happens next is slightly unclear because as some of you will be only too aware because you watch it on the television every night, and the rest of you will probably be aware, we have an election coming very shortly and so we have a new set of ministers. I don't know what their politics will be, but anyway, they will, I am sure, almost certainly, be new ministers, even if the existing party gets back in, then probably they will all take it from portfolios. So we will have to explain to new ministers what has been going on and what has been proposed up to now and what was the reaction from the consultation and I hope we will get lots of good solid reaction in writing. I mean, it is fine to have reaction today, but I would like to have it in writing too, so that way I won't forget it and my colleagues that do the detail work will be able to understand the nuances and take it all into account. And then we will discuss with you ministers what it is that we should do in the future, so to speak.

What actually should we do? I expect that if they agree we should put out a statement, probably two or three months after the new government takes office. Of course, it depends on the ministers making time to think about this, because they will, no doubt, have many other things to think about. If they think that this is important, and I certainly will be trying to persuade them of that even if escrow isn't a part of the future, that licensing of TTP's whether its mandatory or voluntary, certainly some sort of licensing of TTP's is probably necessary to create the framework of trust and to create the key management infrastructure that will make electronic commerce take off in the UK, then I expect we will be putting some sort of bill into Parliament to be discussed, maybe around about the end of the year. But again, that is for ministers to decide and I have absolutely no influence over that at all. Well, I guess that is the main point that I wanted to make.

There are dozens of things that have been said this morning that I entirely agreed with. There were a few that I didn't agree with, but I think the important thing, perhaps to say is that, you know, the department in the British government which is in charge of taking this forward is the Department of Trade Industry, not a law enforcement agency. And I think that that is a recognition really, that while there are law enforcement problems brought about by encryption, actually what we may be talking about is how to make the Internet work and to get the sort of growth in the UK that we had explained to us so very well just before this panel session. And I am quite sure that in putting the future policy together, and in developing it and indeed, in discussing with our colleagues in other countries, what they are wanting to do, and finding a way forward, the growth of the electronic society, which is so important to our sort of economic futures, I think in all our countries, that that has got to be absolutely a paramount consideration.

We can't ignore terrorism and so on. You know, only last weekend we had a demonstration that the terrorists aren't far away and that wasn't too serious, it just inconvenienced a few people and put an important horse race back a couple of days, but we have had some more serious incidents in recent years, very expensive and damaging explosions in the city of London and I don't think any society can ignore that sort of threat, when it is happening on their territory. So we have to find a balanced way forward and, well, I should be trying to make sure that the balance is genuinely taking accounts of the interest of the Internet users, all the users, and not just the concerns of the policemen. Let me end on that note.

Detlef Eckert:

We have two European views and two North American views, so the North American view will be completed by Canada.

Wynn Redden:

Thank you very much. I am very happy to be here to be here to participate as a panelist in your encryption feasibility summit.

A certificate-based public key infrastructure can provide the fundamental security mechanisms by which we can establish trust relationships. I believe that no one understands that. These trust relationships will cross international boundaries, that is the certification authority in Canada must be able to establish a trust relationship within a global key management environment, and must support a full mix of application products at the same time.

Now the role of my office in the Canadian Federal Government's Communication Security Establishment is to act as a technical authority for the design, the development, endorsement, and implementation of a public key infrastructure for the federal government of Canada. Components exist today, and they exist as commercial based products.

Our principle focus has been on electronic commerce and the business environment. This is where we focused for the past four years. We do share your goals in establishing a common policy framework, and we encourage open dialog and welcome advice and assistance from all quarters. In Canada, we are presently reviewing federal cryptographic policies. Given the time we have here today, I will just instruct you to the overview within the handout you received here, and it is in the briefing book at the opening of Section 6.

We have not made any decisions on key recovery in Canada. We are, however, well on our way toward a government account of public key infrastructure. And it is going to be driven by market demand and the government. It is presently software based and built using commercial standards, algorithm, and protocols. Now having been called on to reflect on the policy perspective, I selected a few points which I believe can help guide us.

But first let me pause for a moment to underline the importance of government and industry cooperation. This is essential if we are going to deal effectively with the issues thrown at us by the rapid development of a global information society. I believe at this time, this unique opportunity to continue work between government industry, to complete a common set of certificate policies and certification practice statements. There is an opportunity to reach agreement with industry on these basic concepts, as they are being progressed through the Internet Engineering Task Force today. It is worth calling to mind that an endeavor this broad, we are no more than the agents of change. I propose then that we do not have to get it perfect on the first try.

Perfection should be exchanged for incremental pushes in the direction we favor and crypto policy framework could provide some of this direction to us. This has been the foundation of our strategy in the Canadian government building our public key infrastructure. A compromise solution is one which is cost effective and can work in practice, and is required in the crypto policy area. Now permit me to draw upon our modest efforts over the last four years in order to extract a few points which perhaps could provide some guidance in meeting the policy challenges today. I have chosen several, although there are likely more which could be brought to mind, we will be within the time constraint. We do not have all the answers, but we do know some of the conditions which should be met in order to achieve success.

I believe first and foremost, development of a cryptographic infrastructure must be market driven. It must meet business needs and anticipate the evaluation of the marketplace. It cannot just react to it, it has to anticipate it. To achieve this, it should use commercially accepted protocols algorithm standards and practices. And for some people here, yes I do mean RSA.

The cryptographic infrastructure solution must be fully scaleable. We have heard this here before today. Addition of key recovery features should not require additional relationships between certification authorities. That is ones that were not already there to meet fundamental business needs in the first place. The resulting infrastructure must be fully scaleable for use in the global network environment.

We must maintain trust in the key and certificate management process. The key recovery should be implemented in a manner which maintains or enhances the level of trust. It should not detract from the level of security provided to meet the fundamental business requirements we began with.

A two-key system is required. That is a system where you could back up confidentiality secret keys without having to also back digital signature private keys. That is an essential feature. There should be no unnecessary overhead. Key recovery should not add unnecessary cost or complexity to the infrastructure. This includes installation, operation and support costs. It should be transparent to the user. It should also involve a low computational overhead on the desktop as well as within the infrastructure components themselves. Government should demand no more of the key recovery mechanism than that which is essential to meet their responsibilities. For example, the user should not have to communicate with the certification authority for every transaction. That kind of a system wouldn't work.

Nomenclature: We can focus too much on implementation technique. I find that we do that. Often we are discussing who is in control, but we are talking techniques, actually. To help get over this hurdle, perhaps we could start by presenting key recovery options in terms of who is implementing and operating the key recovery capability, not in terms of pure implementation techniques themselves. Identify key recovery to be under control of the individual end user, for example. In this case, a third party, a corporation or an individual, is trusted by the user to provide the backup decryption capability for them. And you should know that it may or may not have access to the user data itself. A government-controlled escrow agent is another possibility, or you could have all of the above, or perhaps some combination of the above.

If we broke it down that way, the implementation technique would no longer be the singular focus. The focus is on who controls the process if there is one. This tends to steer us back to the fundamental policy issues. And further, we probably sense that the characteristics of various techniques are not made clear by the present terminology. I worked in this business now for four years trying to build a system and I do not know what the terms mean. For example, the term key escrow, key archive, key backup, key recovery, data recovery, Trusted Third Party, all mean different things to each of us today.

We should ask ourselves if there are viable alternatives to licensing. Should we consider a policy framework which includes, or in fact encourages, professional CA associations? These could be largely self-regulating and where possible, fit within existing regulatory and professional bodies. That is a possibility. There is presently an urgent need to establish common policies and practices effecting the issuance and expected use of public key certificates in a multi-security policy environment. I am moving down below national security policy here. Without a clear certificate of policy and certification practice station framework, it will be difficult to establish the worth of a certificate, and this in turn, may hold back the commercial success of cryptographic infrastructure implementations. It is the hurdle we face today.

Liability: I have found that government spotlights trained on the confidentiality service, and loss of escrow keys, often blinds one to the market driven imparitous of digital signature based services. Liability should be clarified for failure to correctly issue or maintain the certificate attesting to the binding between an entity and its associated public/private key pair. Those are the key pairs used for creating digital signatures and providing authentication services. They could also undermine the confidentiality service if they were not performed correctly. We must remember that we are devising an infrastructure intended for global operation, and most important, it was intended to conform to the laws and regulatory systems of various jurisdictions, then key recovery schemes should be adaptable to the regulatory environments encountered in these various global jurisdictions.

These regulatory environments will be devised to meet objectives much different than the business environment. They include individual privacy issues, controlling import, controlling export, controlling use of cryptography in some nations. And this could be done for law enforcement, national security purposes, or for commercial economic purposes, as well. The requirements of more regulated jurisdiction should not render the cryptographic infrastructure unacceptable to less regulated, or unregulated jurisdictions. It should be flexible enough to work in all jurisdictions, and should not present an additional barrier to trade in the process.

The final point I wish to note is that the debate should be framed in a much broader context than issues surrounding the needs of law enforcement and the right to privacy. The debate is much more complex, involves issues such as sovereignty, market driven product development, and trade. A compromise is clearly necessary, but whatever the policy outcome, in the end it must present a commercially workable solution on an international scale. If we wish to keep pace with the electronic commerce development, perhaps the best we can do is develop a common cryptography policy framework which we can all agree to. One which we can all find acceptable in our country. To find a place for ourselves there. And one which would serve as a catalyst and set us in the right direction now. That concludes my presentation and thank you very much for the opportunity to speak.

Detlef Eckert:

So, thank you for the Canadian view, which also touched, more than the other speeches on authentication, digital signature. I would say, instead of trying to summarize the positions, I open for floor for questions. Yes please.

[unidentified speaker]:

My question which I think a number of people here might like to hear an answer to...

Detlef Eckert:

For?

[unidentified speaker]:

The Honorable William Reinsch. Which is something that has been puzzling me for years, is how is export control suppose to keep cryptography out of the hands of criminals?

William Reinsch:

That is probably a serious question, and it is probably a bit of a straw man in terms of the policies that all of us are pursuing. To do the straw part first, and then the serious part. We don't, we do not assume, and have never assumed, that there is any policy that we can pursue that will effectively keep encryption out of the hands of criminals that are determined to have it and use it. To suggest that there are lots and lots of criminals out there who are desperate to use encryption underestimates their stupidity, overestimates their intelligence. But leaving that aside, let's assume there are dedicated bands of terrorists out there who want to communicate with each other in a secure manner, and have the money to acquire what they want and the intelligence to learn how to use it properly and the discipline to use it properly, which is also an issue.

Making all those assumptions, and I said we could question those, and I don't think, certainly our policy, and the others can speak for themselves, is not intended to deny such people the opportunity to do that. We would like to but we can't, it won't work. Our believe is that, while we cannot get at that problem, just as wire tapping can be defeated now, what we instead try to do is see if we can create a situation in which the larger amount of legitimate electronic commerce mainstream banks, retail institutions, financial institutions, etc., to the extent they are engaging in electronic commerce, are using key recovery. Because the very people that we are talking about here, at numerous points in their lives, particularly if they intend to commit a crime that is going to have any impact on society, are going to be, at some point, part of that normal commercial structure. They are going to launder money, in which case, they are going to need a legitimate bank. They are going to rent a car, they are going to go somewhere on an airplane. They are going to do a lot of things that necessitate dealing with normal people in their normal line of work, and at that point, law enforcement has an opportunity for access, if those legitimate institutions are using key recovery technologies.

From a law enforcement perspective, and as I said, I am not a law enforcement official, but from their perspective, that is the best we can do, because in this context, we can't do better than that. Now are they happy about that? No, not at all. Would the prefer a policy that was able to cover the situation that you describe? Yes, they would. But we are not there yet. Now to go to the other side, there is within your question, also to the question of our ability to enforce any policy that we put into effect. Is it possible to, and let me say, one of the things that the Bureau of Export Administration does is, we enforce our law. I have a group of federal agents who have guns and badges and, you know, are located at various ports of exit whose purpose it is to prevent people from exporting things that they shouldn't export. Is it possible for our people to properly interdict, seize, and prosecute and convict people who are effectively exporting their product over, you know, over a modem? Or who can put it in their pocket and make it through the airport detector? You know, the answer is, it is very difficult, obviously. We do the best we can, and sometimes we succeed and I suspect there are times when we fail. But what we are basing our policy on is the believe, which has been validated by, by all the companies that we have talked to, including those in the room, that the people in the business want to, they don't want to cheat, they want to be honest, they want to adhere to our policy, and they want to market their products legitimately. They don't want to sneak them out of the country.

[unidentified speaker]:

But the question is that there is one section of the population who wish to obey the laws, and they are not the problem. And the laws the US currently enacted which stop the technologies from being exported from the United States. Should anybody wish to circumvent them are essentially unenforceable, because of the nature of electronic data. And so, you seem to be penalizing people who benefit. Penalizing the people, the honest people, while having absolutely no effective control over the criminal.

William Reinsch:

Well, I wouldn't say it is no effective control. I think it is difficult, but, I mean, there are a variety of means that we use that, you know, allow us to have some success in some circumstances, as I said. Don't underestimate the stupidity of some of the people that we are dealing with. But you make a valid point. It is very difficult to enforce this activity. But as I said, what we are trying to do is to facilitate the movement of the market in the direction we think it is going anyway, because key recovery, which I think then gives our law enforcement community maintains their ability to do their job within this electronic framework. The alternative, which is what you are implying, is that they would have no capacity to do their job within the electronic framework, and we are just trying to provide more balance than that.

Detlef Eckert:

I have three questions, over there is the first, second, and then the third. But may I just add...when you say the market is going to key recovery anyway, do you mean key recovery for communication and all stored data? Because that was one of the results of discussion in the morning that I have noted.

William Reinsch:

Yeah, well, certainly for data. I think then communications more complicated subject, for e-mail, probably. For some voice communication, it doesn't matter, because a lot of voice communication is in the clear, either in total or at some point, you are left with this small, sort of universe, maybe it is not small, but universe of encrypted end-to-end encrypted voice communication and is the market going there? That, you know, that is a good question. I think everybody out there would say no. That is certainly what you all have told me. And I can't offer, I can't offer contrary evidence right now, but I'm...we will just have to see.

Detlef Eckert:

Okay.

William Reinsch:

These were the people, the same people in the room, who told me a year and a half ago that nobody was going to key recovery for stored data either. So there is not 100 percent credibility there and 0 credibility here.

Detlef Eckert:

And the next...sorry from having prevented you...but maybe waste your credibility.

Perry Six:

My name is Perry Six, I am Research Director at the Independent Cross Party Think Tank here in London. I had two related questions for David Hendon, though on one of my questions, I would also appreciate some comments from Ulrich Sandl, and then I think I have a piece of advise for David.

The first question is: If you are serious about not banning PGP, then could you say a little bit more about clarifying the meaning of the paper, because as I read your definition of encryption services, in paragraph 74 of the paper that we all have here, if those services include any of the following which includes key generation, then they have to be licensed? Which suggests to me a quite wide ranging set of controls.

The related question, on which again I would appreciate Ulrich Sandl's comments, is extra-territoriality. Are you actually purposing here that the UK government will require providers anywhere in the world who are offering services that might include key generation, to seek a license in the UK if they wish to offer their product available for downloading over the World Wide Web or any other Internet mechanism? Because I am not quite sure how that kind of extra-territoriality could be enforced. I would appreciate Ulrich Sandl's comments from the German perspective.

My piece of advice is, if you want to persuade a new administration to make legislation on this a priority, I would have thought you would have to wrap it up together with the office of public service proposals on primary legislation from the government direct paper. And probably also with the implementing legislation on the European directive on data protection. All of which have pretty similar deadlines. And given the priorities that I suspect a new government, if it is labor, is going to have. It would be very difficult for any one of those, actually, to get on the first year of primary legislation alone.

Detlef Eckert:

These two questions to David and to Ulrich. David?

David Hendon:

Okay. Well, let me just say...take something on that last point. I think the implementing the EC legislation probably doesn't need primary legislation because in general we can implement EC legislation with secondary legislation, so there isn't the same scheduling problem. And please don't make this more complicated than it is already. The though of trying to run a bill which tries to do three things instead of one just sort of fills me with horror. So I almost rather not have a slot. But anyway, let us just leave that aside. We will see what the minister's do.

On the PGP point. I agree that the paper as it stands now certainly leads you to the conclusion that we have tried to, we will try to control PGP. But that wasn't what we intended to do when we wrote the paper and I think the difficulty arises because we are trying to control the offering of encryption services in the UK. Now by encryption services, we mean, you know, key management services really. We don't mean to supply encryption software, for example. It is not a sort of black and white situation, and it is sort of obvious that the company sets itself in the UK and publishes advertisement in the newspapers that it is offering services in the UK. If somebody is running a keyserver on the Internet somewhere and offering PGP key pairs to all people that find a server, just people that read old security PGP or something, then, I mean, that is not something we want to control either. But if somebody sets up a PGP server specifically to try to side track the UK control on key management infrastructures, then that becomes a problem for us and we obviously, from the point of view of trying to have access to confidentiality keys in escrow for a reasonability large portion of traffic, not all, but a reasonably large proportion, then that would become a problem for us. And I don't at all know at the moment how we are going to solve the sorts of where in the gray area we come down.

Now that partly answers the extra territoriality point too. I mean, we can't of course, stop somebody from offering services which are accessible over the Internet from the UK because it is not possible to do that. I use the Internet myself and I understand very well that once you are in cyberspace, you are geographically disconnected from the territorial world. On the other hand, if somebody is offering, he is advertising and offering services in the UK, then that is something that we would try to control, because what we are saying is that we don't actually say anything about where the service that would run this key management system should be based. I mean, we don't actually care where in cyberspace these services are, and we expect they could move around as the business develops. All we are interested in is the offering of services in the UK.

[unidentified speaker]:

The criterion seems a bit crude.

David Hendon:

Well, yes, but, you know, what we have got here is an extremely sophisticated technology which is being scrutinized by an extremely sophisticated audience for the moment and it will be used by a largely unsophisticated audience and at the moment we are trying to apply a sophisticated sort of control tool which is legislation, but in its first pass, it is rather a course implement. It is a big chisel and we are chopping into the problem. Later we will file it down and everyone will think it looks wonderful.

Detlef Eckert:

So, I should give the opportunity to respond, then I have four questions, please. There are only fifteen minutes left. Cut your questions short please.

Ulrich Sandl:

Yes, and I'll cut my answers short.

Yes, I see your point about the enforceability of transfer of keys outside of our own jurisdictions. However, this is a very important point for my government and also because of our Constitution. We are looking for mechanisms when keys of user are kept in a TTP in Germany or if it is domestic or run by a foreigner, is that these keys are not transferred to be assessed and by foreign authorities without bilateral or multi-lateral agreement. We want that the users have the control over the keys, and we can imagine that there could be legal mechanisms or technical mechanisms.

Detlef Eckert:

Question over there please.

Adrian Norman:

Adrian Norman, who is interested like others in balance. And the balance that I am hearing from the platform seems to be placing in one hand the interest of commerce and industry and the consumer and in the other something that looks vast, but I think is very lightweight, the interests of law enforcement. Indeed, there seems to be in the law enforcement hand, no sophisticated villains, because they know that they can go offshore for the facilities they want. Nor are there any sophisticated villains communicating with the good guys, because the good guys are under jurisdiction and anything that they know, you can ask for properly. So that leaves us in the pan, a small number of unsophisticated villains. Who and when and where has there been a measurement of the threat from the unsophisticated villain that counterbalances the weight, for example, of a huge licensing bureaucracy that, no double will create a lot of jobs for civil servants, but that has got to paid for by industry? Who has done the balance? Where is it? And how can we test it?

William Reinsch:

I'll start. Let me say first of all. I don't know where the huge bureaucracy is. My entire bureau, which does a lot of things besides this, has a budget of 40 million dollars. This particular function you are talking about has, I think, ten people for everything that we do in the encryption area, so let's not conclude that there is an enormous budget and cost here.

As I said, now for the third time, I am not a law enforcement official. This is a question that is frequently asked in a slightly different form in our country, and the law enforcement officials generally respond with a list that is either long or short, depending on the time available, of crimes that have been committed and people who have been apprehended, where the ability of the law enforcement continue to do that successfully, has depended on their ability to access and decrypt encrypted information. And those cases include the most prominent ones have included terrorists. The gentleman who was convicted of trying to blow up the World Trade Center in New York was also, for example, involved in a plot to attempt to blow up eleven American planes simultaneously as they flew over the Pacific Ocean. All of his files on that were encrypted, and our ability to discover that plot depended upon the Justice Departments ability to obtain those files and decrypt them. Likewise, in our country, there was a rather significant child pornography case that depended on encryption.

And there are more, but this quantifying crime, you can quantify crime by talking about the ones you know about, the ones where you caught people and you have done something about it. You can't, of course, ever know about the ones that occur that you don't expect and can't find any...you know, are not able to apprehend anybody or convict anybody afterwards. So I don't know that it is possible to achieve the data you want, but I can tell you what our law enforcement people would say about your questions is that there is a lengthy and growing list of people that use this technology to commit serious crimes, and this is an important element and in fact, they believe a critical element of their ability to stop those people.

Ulrich Sandl:

Can I add one point. We can be glad now that we can have a balanced approach to this policy. What we, in my ministry are fearing is that there are some cases, maybe of child abuse in the Internet, where cryptography is used and the prosecution is not able to get the evidence. In this moment, we will get that political pressure, that no government can resist to have very restrictive measures of cryptography. So that in the present, we are really in a good situation to balance those positions one against each other. And you point is within the balancing, I promise you.

Detlef Eckert:

Yes sir.

[unidentified speaker #3]:

There is always problem in these things because many issues come up while you are waiting for your turn to speak, but. Mr. Reinsch, I have heard this argument that you made from Mike Nelson and from Clint Brooks and from other people, that criminals naturally, in the performance of any significant crime, I like the way you put it, they hope to have an affect on society, have to talk to legitimate organizations, like banks and car rental agencies, and travel agents, and so forth. Now that is true, quite independent of what the means of communications are. The essence of criminal investigation typically is talking to legitimate elements of society who have in some way been effected or contacted by participants in a criminal conspiracy. Typically, you don't already have a suspicion of a crime, sometimes you do, but most of them you don't before they commit it and under U.S. law, you wouldn't have a warrant for listening for those communications anyway, you would be going around after the fact, talking to the various people, communicated with somebody who has committed a crime, and learning what their records of their interactions are. So it seems to me that it comes down once again to a question of records. And you are talking about talking to legitimate organizations, details of how they handle their records aren't relevant. They will respond to a subpoena or probably just a request from an investigator.

William Reinsch:

Well, I think my next position in life needs to be Director of the FBI after getting all these questions. Louie Free's response to that would be that, well, I'm not sure what his response would be, let me say with respect to records, I think you make a good point. The records by and large are...legitimate institutions, by and large, would hand records over based on a subpoena,

[unidentified speaker #3]:

And they would permit a consensual overhear, which is the technical terms for listening at their end of the line.

William Reinsch:

Well, they might or they might not. I don't think that's as universally clear as you suggest. But that, you know, that would depend on the circumstances. I think from the law enforcement point of view, what they would most like to deal with is interception of voice communication prior to the commission of the crime. And this is why your question earlier about communication versus stored data was relevant. Now there is a significant question, I think, in everybody's mind as to the extent they can achieve that through the technology we are talking about, because of this question of whether anybody wants to buy products that would have these kinds of features or not, but clearly, that is what they are most interested in. And if you make the analogy to wire taps, which is imperfect, but I think relevant, you know, I can't really describe for you how a law enforcement official makes a judgment that an individuals communications are or are not worth listening to. Those are professional judgments that they make. And they go to court and they present their request to the court and they obtain, or do not obtain, in our system, permission from the court, to listen. We are not talking about using procedures that will change any of that and I am comfortable to rely on our law enforcement's community to make a professional enforcement judgment that some of these communications are worth listening to.

We are trying to facilitate the creation of a technological system that will enable them to achieve their objectives when the court approves their objectives. We may not succeed in doing that, particularly for communication. In which case, you know, their effort will be defeated. But this is what we are trying to do. Let me also say in passing that one of the things that I have learned about enforcement, also, is that there is a difference between going in after the fact and trying to figure out what happened, which is not always difficult. And going in after the fact and developing evidence that you can use in court to convict somebody. And that demands a different level of time, and a different of activity, and a different level of substantiation for which the kinds of things we are trying to do are very important.

[unidentified speaker #4]:

May I?

Detlef Eckert:

Yes. Very briefly.

I would like to ask, maybe also Wynn Redden, whether he would add to this question.

[unidentified speaker #4]:

Okay. Thank you. I would just like to pick up that last point, because one thing that was said this morning was that quite a lot of the problems could be solved if we had user controlled key recovery and people could go along to the service and get the stuff off afterwards. But the debate that I talked about in the UK has been really concentrated on how to keep the Intersection of Communications Act still working. In fact, there hasn't been so much of a law enforcement problem of getting access to encrypted stored data in the UK yet. No doubt it is coming, because I understand it is a big problem in the U.S. and usually we get the problems a little while after the U.S., so it will be a problem for us later. But right now, the problem that our law enforcers are worried about is the thought of the information that they would lose in terms of intercepted communications. So you can start to make calculations about the amounts of information that is going to be denied to you, and how much you would like it back again if you have got some sort of key management infrastructure in there. It is all very difficult to make any real assessments, but it is necessary to do it anyway, I think.

Detlef Eckert:

Wynn, would you like to add something?

Wynn Redden:

I think from Canada's perspective, we are committed to developing the balanced policy framework for the production and development and use of cryptography and we do not have a predetermined notion of what that outcome will be. We do not.

Detlef Eckert:

I have two further questions. A third one, but that was, I guess, your colleague over there.

Christopher Kuner:

I will just give my question now, if you don't mind Mr. Eckert. Christopher Kuner from Gleiss and Partners in Frankfurt. I have a question about the international feasibility of key recovery or key escrow. It seems to me that papers put forth, say by the US and the UK governments have recognized that it is not enough that a key recovery scheme be workable only within the US or within the UK. They have to be also internationally workable, for example, a law enforcement official in the UK could get access to keys stored in the US. This sort of infrastructure has to be developed fairly quickly because the technology is moving so fast. Now we know that this sort of international legal assistance doesn't work very well at the moment. And to put it diplomatically, also even within the states of the E.U. it doesn't work very well. So I am wondering, how do governments propose to develop this sort of highly complex, massive legal infrastructure within a fairly short time period?

Detlef Eckert:

David?

David Hendon:

Well, I think we will try hard. I think the cooperation is probably not as bad as within the E.U. anyway. I don't think it is as bad as it seems between the UK and countries like the US. I think there are always a few high profile extradition cases that go wrong. And usually that is because somebody didn't read the manual on how to do them beforehand. I think we are going to find a much greater need to get these things sorted out. If we are going to have this sort of key recovery, key escrow, whatever you would like to call it, sort of a cooperation between states. And if we don't get it sorted out, it is not going to work. So that is quite a good incentive to get it sorted out. And maybe, maybe the incentive didn't really exist before. But anyway, at least we are thinking about it, and in our document you will a section there which gives you our first thoughts on how that might work. And we are in the process of starting to talk to other countries about what that means and the sort of things that we would like to see happen. But at the moment, I can't think further than, you know, a whole bunch of bilateral agreements. And the thoughts of trying to keep those all up to date horrifies me. I guess eventually we will need some sort of multi-lateral agreement. But I am not sure under what umbrella such a thing exists. There is a lot of work to do.

William Reinsch:

If I could add. There is a structure in place for paper. We have reciprocal agreements. All, most countries do. They have been in existence, some of them for more than a hundred years. That regularize the passage of law enforcement related information back and forth between countries, consistent with both countries judicial procedures. If we have a problem in the UK that involves trying to access files that are here, we have a reciprocal means of going to David's government and making an appropriate request, consistent with their procedures, and obtain that information and vice-versa. What we were simply trying to do is apply existing procedures to a new technology. Now that is not going to be simple, by any means, and for a whole bunch of reasons that you know better than I. But the framework is there, and governments have addressed these questions in the past, and I don't think there is an unwillingness on the part of most governments. I think certainly the ones that are here, and the other ones that we are talking to, to try to create, you know, situations in which this kind of cooperation can occur.

Detlef Eckert:

If there are no further answers and comments to this question, I have two questions. Other there? Is there a question? One is there, because I would like now. We have to conclude. So I would like to combine the last question. This is one. There two. And then I would like to close.

And, so I would like to give the floor to each of the panelist for a concluding remark. Maybe stating whether they have learned today something which, I wouldn't say, changed their mind, but have at least, learned something of value which they didn't know before. So three questions, one over there, and please cut your questions short.

[unidentified speaker #5]:

This is a question to David Hendon and William Reinsch.

If I understood the German government's position correctly as Ulrich Sandl stated it, the German government is going for a voluntary approach with Trusted Third Parties. Basically saying that they will only certify Trusted Third Parties that set up an infrastructure that will be able to relinquish keys to law enforcement agencies. And basically leave the decision to the user if he wants to use such a Trusted Third Party. Only those Trusted Third Parties that have a certificate will be judged as safe by the user, and through this approach, they will try to get the users through to migrate to such Trusted Third Parties, but without forcing everybody to do that. Is such an approach, conceivable under the plans that the British or the U.S. government have, or are you saying no, that everybody has to use this Trusted Third Party by mandate?

Detlef Eckert:

The two other questions, please? Give him the microphone.

[unidentified speaker #6]:

My question was for Mr. Redden. The Canadian government sounds like it is quite a ways along in the development of a public key infrastructure. Can you expand on the interface between the Canadian government's plans and commercial industry? Like banks or other commercial institutions? And the interface to the Canadian BKI?

Detlef Eckert:

Please, and the last question, please.

[unidentified speaker #6]:

One further question. I attended the OECD conference with all the guys from IBM talking about encryption for a lengthy period of time. And out of that seemed to come the generalized viewpoint that encryption engines would be offered from alternative sources besides the United States. What was coming out of it was the encryption that would be required, could be provided by alternative suppliers outside the United States, and that, consequently, the length of the keys could be greatly expanded in use and application. And do you think that is going to affect the export requirements for these lengths of keys.

Detlef Eckert:

We have two questions from Mr. Wange. One for David, one for Wynn Redden. Ulrich, you have to start. A brief final remark.

Ulrich Sandl:

I can give one remark on the further steps. In the beginning of July, Germany, together with the European Commission intends to organize an European conference on Internet issues and IT security cryptography will be a very important point in the topic in this conference. Because we do feel we have made a very big step with the OECD guidelines, but I think everybody will agree, as of now, these guidelines need some interpretation and clarification. So what my ministry and government hope, is that we will, at this conference, we will get a bit more transparency and more clarity at least for the European side.

Detlef Eckert:

Conference takes place 6, 7 July. Yeah. Mr. Reinsch, for your last comments and answer to your questions.

William A. Reinsch:

Yes, to that question, I always say this with some caution because there is a thousand footnotes to everyone of these things, as I always discover after the fact. But you have described, which I gather is an accurate description of what he said, is consistent with, I think it sounds consistent with what I have said too, with respect to the American policy domestically. There are other features to our policy, particularly export controls that you didn't describe, but we also envision a voluntary system like the one that you said, we will have a government system with participation, and it will not be required. That may be the distinction. Now having mentioned export controls, that brings me to the second question, which I am glad came up. It comes up periodically, and I think it is a fair point to say that, if we are the only government pursuing or seeking to implement our policy, the export controls, then it is going to be difficult to implement our policy. And it will certainly be impossible to implement our policy in a way that does not disadvantage American producers, vis-à-vis others. That is why it is important, in our judgment, that all the countries have a common view, or as common a view as we can obtained on this, on all of these issues, and that is what we are working on, but we clearly haven't arrived. And my final point, you asked for lessons learned. I always learn from encounters like this and I thank you all for once again teaching me.

Detlef Eckert:

David.

David Hendon:

Okay. Thank you. Well the question that I was asked, along with Mr. Reinsch, was about the voluntary TTP or voluntary certification agents, and if a voluntary system could exist along side the mandatory system in the UK model. It is clear that, as described in our documents, and as we are thinking at the moment, it couldn't. And the main reason for that is that, you can imagine, that all of these criminals that are stupid and don't understand IT, who are remaining "in the pan", as someone said earlier. If they have the opportunity to go to an unlicensed TTP, who advertise that "you better not trust us, but the police don't trust us either" then we could take about three quarters of those people out of the pan.

So a sort of philosophical approach is one of making sure that confidentiality escrow is there in all the cases where key management services are being offered in the UK. We are not going to win all the time, but we want to make it reasonably difficult for people to get around that. I wait with interest to see all the coming arguments that people put against that proposal in response to our consultation document. The consultation doesn't end until the end of May, so there is plenty of time for all of you to explain to us in detail how stupid we are and we will promise at least to read them. I no doubt have to explain to our ministers, the way forward. When you sit in your office and you just read the Internet News Groups you get the feeling that sensible informed debate is not really possible about subject, because it is so emotive, and anarchic element, which is what makes its Net so great, is actually going to kill it off, but I take from today's meeting, at least what I have heard of it so far, that actually informed and sensible debate is possible. And I welcome that.

Detlef Eckert:

Thank you.

Wynn Redden:

What I have learned here today will probably help serve me very well. We have, in Canada, set up a multi-departmental committee, led by our industry department, to examine the issues around cryptographic policy. I am a member of that. I do see here that the Web environment, the Internet mutates very quickly. It is probably as hard to capture as a cure for the common cold and will remain that way for some time. The best we can do to watch it is to check what the technologists have at a particular time and that is all we will find out about where it is going in the next generation.

To answer the question directly, the Canadian government is quite a way along in developing the public key infrastructure. We probably have populated around 20 percent of the number of seats we would require for internal work in our PC environment. There are other institutions picking up on the technology we're using and that is actually our test of whether we have reached an acceptable balance in the business environment, because we were building this for electronic commerce. That is what we are building it for. Presently, around 15 percent of the products sold in what we are using now, have actually gone to the federal government. The rest is predominately out there in the financial institutions, the FI's, banking industry and other large corporations. So that helps us feedback. They are a much louder voice now in the development effort we are carrying forward, that we are ourselves. And that is our way of knowing, at times, whether we are heading in the right direction, and I, like others, would like to thank you very much for the opportunity to be here today.

Detlef Eckert:

Thank you. Let me briefly conclude, and following up what Mr. Reinsch said. And quoting Winston Churchill, who said, "I always liked to learn, but I don't like to be taught." Thank you.

John Gerdelman:

I think it is very important that we have had a tremendous amount of discussion today about the OECD Guidelines. And as you all know, the OECD took upon itself the Herculean task of trying to bring together the members of the OECD to reach a consensus on this very complex topic. And I know a lot of the people who are involved in those discussions from an industry point of view, such as Nanette, are here today. And I know that there were innumerable meetings in Paris and by telecom around the world. But to get the view from, as we say in the U.S., the horse's mouth, we have invited John Dryden to come along. John and his group, had the responsibility for pulling all this together from throughout the world. This has set a standard for discussion. It has become the Rosette stone for many people in terms of understanding the critical issues. So it is imperative today that I think we get John's explanation from his perspective, where these guidelines stand to help us set the agenda for how the individual nation's states will deal with the issues. So John Dryden.

John Dryden:

Thank you very much indeed Mr. Chairman. As I recall, the Rosette stone had hieroglyphics on it and the other language that it had was Greek. And I heard some comments about the OECD Cryptography Guidelines that...well, I shall say no more. The OECD Cryptography Guidelines were adapted on the 27th of March and they were developed by a special working group set up by the OECD's ICCP Committee. This is the committee for information, computer and communication's policy. I am the head of the division in the OECD, which deals with that committee, which in addition to cryptography, deals with many other issues, such as telecommunications, liberalization, convergence, and information economy issues and the legal and regulatory underpinning for what we suspect as the information economy and the information society of tomorrow.

So, the OECD developed the cryptography guidelines in response to requests from member countries who were conscience of the fact that cryptography is now out of the military and diplomatic domain, and into the private sector and business sector. The OECD is an organization which has broad economic and social goals and is conscience of the fact that, just a few years down the track in the next century, that we are looking at an information economy with an enormous part of the value added of the goods and services, produced in the economy being accounted for by the information content and a large proportion of the activities of citizens being very information intensive. One of the underpinnings for this is the electronic commerce, of course which will repose upon the proliferation or the promotion of cryptography techniques. As you have heard, almost ad nauseum today, can be used by bad guys for various evil purposes and Governments do have a responsibility to protect their citizens.

Very early on in the debate, the OECD made a distinction between the three main purposes of the use of cryptographic methods:

There is a need for cryptography policies to be able to handle, in an appropriate manner, these three aspects.

The Guidelines themselves are now available on the OECD's Website. It is a welcome change from having the OECD Guidelines on somebody else's Website. The OECD actually, being an intergovernmental organization, its work is usually done between governments and documents are restricted for official use only. As some observers pointed out, there was some distress in seeing that the intermediate versions of the OECD Guidelines were all over the Web, and even I yielded to the temptation to engage in some e-mail discussions with some of the people who responded to that, much to my chagrin. Anyway, these are the URL's where you can find the guidelines and the press release. I would like to also point out that Stewart wrote a rather excellent commentary on the OECD Guidelines. He was part of the OECD procedure and was part of the business delegation to the OECD and his commentary is in the briefing book and is extremely helpful in finding your way through some of the Greek or some of the hieroglyphics of the OECD Guidelines.

Why the OECD? The OECD did in fact have a track record, even though we are not usually a rule-making body. We make recommendations and we do analysis and we kind of convince my consensus, rather than being a rule-making body. But we do have some previous instruments and policy guidelines on the protection of privacy and transporter that flows with personal data. The declaration of transporter data flows, and then just a few years back, the Guidelines of the Full Security of Information Systems, which we just reviewed.

The OECD discussions themselves started with an approach from a group of member countries, spearheaded by the United States, I don't think that that is giving away any secrets if I was to say that. But not only the United States, other countries were involved. And the process started back in December, 1995 were we had an ad hoc meeting, the first ad hoc meeting of experts on cryptography policy, and the beginning of 1996 we created the ad hoc group of experts with a mandate of one year, with the target of producing the deadlines. And it met four times, including a particularly tiring and exhausting meeting back in December where some of the sessions went on until almost 10:00 p.m. But we eventually came up with a set of Guidelines that everyone could sign up to, or almost everyone, and these went through the various approval procedures, and came out. One or two bumps on the highway before they did come out, but it finally appeared on the 27th of March.

Who participated in the OECD Guidelines process? Incidentally, it may sound like producing Guidelines in one year is not particularly fast, but by the usual glacial standards of international intergovernmental talks, this was sprinting. This was really record time. The ad hoc group itself consisted of over 100 members, mainly from the member governments of the OECD, representing a variety of government ministries. Some of them dealing with industrial economic affairs, commerce, industry, telecom and so forth. But also, foreign affairs law enforcement and national security agencies and some governments also had civil servants responsible for privacy protection in their delegations. Somewhat unusually for the OECD, business participated in these discussions right from the very start. Notable with the BIAC, the BIAC is the Business and Industry Advisory Committee to the OECD. It is the official organ for, by which the private sector interacts with the OECD and there were business representatives also sitting on some national delegations behind their national flags at the table. We also had a number of experts. We were asked by the member countries to include experts on data protection, privacy protection, and on consumer protection.

The original intention was to draft these guidelines with a highly motivated competent drafting group of ten or a dozen people. So we asked our committee of 100, would this be a good idea, and of course 100 people put their hand up and said, yes, this is an excellent idea to have a little drafting group of 10. And who wants to be on it and 100 hands shot up, and so we went all the way with a very full and vigorous debate and I think the process gained in credibility and gained in quality from the participation in it. And we in the OECD also learned a lot, both from the procedural side as well as the substantive side.

The Guidelines themselves are recommendations. They are policy recommendations for member governments who are invited to apply them in compiling their national cryptography policies. As such, they do not represent a cryptography policy in themselves. Nor do they endorse any particular cryptographic system or software. And they do not, in themselves, represent international law.

The Guidelines themselves stand on eight principles:

The first draft of the Guidelines actually was generated by business. The first paper that the member governments debated was a paper prepared for us by the private sector, even though at the end of the day, the authors of that private sector paper could scarcely be hoped to recognize their work after the government delegates had finished with it.

Cryptography methods can only function in economic and social sense if they are trusted. The Guidelines state that cryptography methods should be trustworthy in order to generate confidence in the use of the information and communication systems. This is fundamental. Lack of security or lack of confidence in the security of these systems may hinder the development of the new systems and there is a need to build both consumer confidence and confidence by enterprises. The second principle is a question of user choice.

Users should have the right to choose any cryptography methods subject to applicable law. This may not seem to be particularly earth shattering, but don't forget that if you cast your minds back to just 12 or 18 months ago, it was not at all obvious that such a principle would be widely accepted by the member governments of the OECD. The user choice principle.

Moving right along to another principle which would have been quite surprising just 18 months ago, is one of the market-driven development of cryptography methods. And we heard the speaker this morning, formerly from the UK Ministry of Defense speak more eloquently than I ever could, on why this principle is important. Cryptography methods should be developed in response to the needs, demands, and responsibilities of the three major players in society. The individual's business and governments.

Standards and interoperability. Technical standards, criteria, and protocols for cryptography methods should be developed and promulgated at the national and international levels. Standardization is an important ingredient in any kind of security mechanism and it is important for both governments and industry to work together to provide the necessary architecture and standards so that information and communication systems can reach their full potential for economic and social benefits. And effective standard-setting processes for cryptography as with other things, should be industry led, voluntary, consensus based, and international.

Privacy, a principle which might have been surprising to those who believe that this project was driven by law enforcement and through letter agencies to restrict freedoms, is seen to be a fundamental right, including the secrecy of communications and the protection of personal data. That should be respected in national cryptography policies and in the implementation and use of cryptographic methods. And, well, it says it all. It says that cryptography methods can be a valuable tool for the protection of privacy, and it also includes the protection of the identity of individuals.

The lawful access issue was the one on which the most time was spent. About 11 months of the 12 months was spent discussing this one. I can only reiterate what I said, that this is not international law we are making here in the OECD. These are policy guidelines for national policy makers to apply. National cryptography policies may, that is the word we ended up with after a year's discussion, allow lawful access to plain text all the cryptographic keys of encrypted data. Now as I...luckily I am already running up against the...my time limit, so I won't expand on lawful access, except to underline that this principle, distinguishes very carefully between cryptography keys used for two major purposes:

Clearly, many national cryptography policies make this distinction and the lawful access principles in national cryptography policies.

Whether established by contract or by legislation, the liability of individuals and entities that offer cryptography services or hold or access cryptographic keys, should be clearly stated. In other words, people should know where they stand and what their liabilities are, of the various parties, both whether that liability be established by contract or by legislation. And there are some circumstances in which a mixture of both applies.

Turn to national cooperation. The governments should cooperate to coordinate cryptographic policies and as part of this effort, government should remove or avoid creating, in the name of cryptography policy, unjustified obstacles to trade. Of course, that immediately raises the question of what is a justified obstacle to trade? Which we have heard from the speakers in the previous panel of the former COCOM agreements and the rest of the Wasenhour arrangement which would represent an example of a justified obstacle to trade. But remove or avoid creating, in the name of cryptography policy, unjustified obstacles to trade.

Now what could be the next steps here in the OECD? Well, we have heard of some things today, which I have taken careful note of. For instance, it has been discussed in the previous panel of whether key recovery on an international basis is technically feasible or not and we heard that it was, but is it politically feasible? And that is another question altogether. The principles could be further developed with possibly an international convention, in other words, we are moving in the direction of international law here, such as legal recognition of digital signatures or international cross-certification of certification authorities. And of course, what I am doing today and what a lot of other people are doing today is promoting awareness of the issues and the policies related to cryptography and the need for compatible, national approaches. Those of us who are in the information technology and communications policy business, in cryptography, in touching upon cryptography, sometimes are unaware of the kind of things that our elected representatives get in their mailboxes every day of the week. And it clearly would be a mistake to underestimate the extent of the awareness problem that we have. Not only among our law makers, who I have found to be relatively well informed, actually, but the public at large, who are, in fact, remarkably suspicious about the many aspects of the coming information society.

Implementing the Guidelines. The OECD is trying to push the Guidelines forward. Recommending governments to establish new or amend existing policies, and so forth. To develop cooperative measures, to use the guidelines as a basis for agreements on international cryptography policy. And there I will refer you to the discussion in the last panel. Dissemination of the Guidelines and of course the trade-related point that I just mentioned. And to review the Guidelines every five years.

To conclude, Mr. Chairman, I would just like to stress that the OECD as an economic policy organization, recognizes that its relevance in the next century is going to be whether it can analyze and provide policy advice for the information economy. The information economy is going to be based on a whole new load of economic and social features, which will involve the new generation of open global information and communication's networks. Electronic commerce and electronic interchange is part of that and the cryptography is an essential underpinning to that process. Thank you.

John Gerdelman:

John will be at the reception this evening at the House of Lords. So if you have further questions for him, then would be a good chance. And other people who are very involved in it, such as Nanette and others will be around too, so if you have questions about it. But to pick up on something David Hendon said on the last panel discussion, I think this whole dialogue today has been very civil and positive and I think one of the reasons the whole discussion of encryption policy has become more so is because of the work of OECD. And I want to re-emphasize a point that John made. The conclusion of the OECD discussions and the document that was produced on March 27th was, I think, a lot different than many people would have expected just 18 months before that, in terms of what people thought the content of it would be. And I think that is because there was a constructive dialogue. Again, I want to remind you, if you haven't gotten an invitation to the reception at the House of Lords, make sure you see Pete Smith outside. We are going to be leaving the Hotel at 5:00 or five after. There is only one bus. People who don't get on the bus are going to have to take the good old British taxi system and you go to the House of Lords, the Blackrods Garden entrance. It is the entrance closest to the Thames on the South side of the Palace of Westminster. And you will be able to get in there. And then get the records to the Attlee room where Lord Renwick is hosting this reception this evening. We want to move on to get our last panel here. And I will ask Jeff Hilt from Visa and his colleagues on this final panel to come forward. Visa International is the most recent addition to the Global Internet Project. We are very glad to have Jeff and Andrew and Francois and the others who are now members, and we have asked Jeff to put this panel together. We need to conclude by 5:00, Jeff, so if you and your colleagues can shift your comments appropriately so we can get on the buses I would appreciate it.

Jeff Hilt:

With that thought in view, we will get right into the panel discussion. James Dunn from General Motors is our first presenter.

James Dunn:

Good afternoon. It has been a long day, but we are in the homestretch now. I am the person you have to talk to sooner or later, and that is the user. And given the size of our organization, probably someone once said, the mother of all users. I am from the General Motors International Operation and I am here to represent the viewpoint though, of the entire corporation. I guess they feel that because I am in international, I will know more about this. But I probably know less about this than the people in the States who seem to have been more preoccupied with this.

I want to talk today about two areas. One probably more important to me, and that is the business drivers. I think the encryption requirements that we have discussed are all needed. But I think we need to look at it from a perspective of the business itself. In order to do that, you need to back up a little bit. I would like to tell you that General Motors is, in case you don't know or you forgot, and despite our Japanese friends who have tried to push us out of the picture, the world's largest full-line vehicle manufacturer. We manufacture cars, trucks, automotive systems, and now, even today, we still manufacture locomotives. And all of these products are sold all over the world. Manufactured all over the world, for the most part, except I think the locomotives are only manufactured in the United States. We are also the owners of Hughes Electronics Corporation which manufacturers, distributes and sells automotive electronics, telecommunications, and space and defense electronics. These are the folks that put the satellites up in the air and who will run the satellite for you, and do anything you want with the satellite. And then finally, we are probably the owner of one of the largest finance companies in the world. General Motors Acceptance Corporation, GMAC, as it is normally referred to. It is a captive finance company with financiers and insurers, GM customers and viewers, and I guess they have got mortgage companies and all sorts of things. But a huge company, finance company in its own right, so a pretty complex organization.

To put some perspective on what the size of this organization is, the size being the world's largest, but that is not a qualitative terms. These are the 1995 figures. We haven't published the report for 1996. Its probably a little better with some adjustments for the spin-off of EDS and that type of thing. But this shows you the size and complexity of the corporation. In 1995 we had 168 billion dollars in sales and I recall a discussion earlier this afternoon, when they talked about 168 billion dollars in market capitalization, or some such number, or that market capitalization should equal sales, and of course we are a long way off from that, so the shareholders are probably not too happy about that. The annual current truck production in '95 was 8.6 million vehicles, that is cars and trucks. Probably, marginally, a little bit better in '96. Worldwide employment is now 745 thousand people, which is probably too many for an organization that wants to be lean, but nevertheless, it shows you the dramatic impact that any type of theft or any type of process that is going to slow us down in our growth or in our integration is going to have on the economics of this company. But also on a very broad-based basis. Seven hundred, forty-five thousand employees.

Perhaps after listening to the group today, the 170 countries where we have a worldwide presence, became more and more important to me because I think today I saw representatives of perhaps more countries, four very important countries, but we have to deal on some basis, at some level, from the smallest dealer up to very complex engineering, manufacturing, and sales organizations with 170 different countries. I don't know if you are all going to get your act together, all pull into one, but this is the scope of the problem.

Future manufacturing competitiveness has three major dependencies and the first one is the ability to access and leverage the best global design manufacturing and supplier resource, requires fast decision-making capability on a broad global basis and fast, reliable, secure global telecommunications capability. The key here is global. We are no longer a large American company that has a portfolio of international companies, but we are a highly integrated global company that is tremendously reliant on fast, secure communications capability.

And in line with that, I think we have all heard of world car concepts, global product platforms. We refer to them as global product platforms now, I think we used to refer to them as world cars, but I think that that is out of vogue now. But our vehicle product line, today, is now a global platform for the most part, as we start to bring new products on the market, they are going to be really global in nature. And the time to market innovation and again, there is that word again, secure information, can key competitive advantages. And in order to achieve these global platforms, we have four global engineering centers, one in Australia, one in Brazil, one in Germany, and several in the United States. And guess what folks, we are just going to open up another in Shanghai, in China, and I don't think they are part of this group. And I don't need to tell you the importance of engineering data to us in our business.

Global product planning requires integrated synchronize planning, design in manufacturing, and again, extensive use of voice data, fax and video communications. I don't think that this is a big secret. I think we have talked about all aspects of this today. These are real issues in our business. These are our potential global threats to General Motors. The national intelligence assets of certain foreign governments, suffocated, commercial, competitive intelligence organizations, private individuals and organizations, and known terrorist groups.

And putting aside the whole issue of encryption, I think this whole issue of proprietary knowledge came home to us in rather an unfortunate incident we have with another major European manufacturer recently, when one of the senior executives left us, along with some other information, and went to them. But I think, I think that really raised the sensitivity and the knowledge level about this area of the business called into question the methods by which we protect our proprietary information.

The next two charts and the last two, are preaching to the choir that these are the requirements that we have, we need the ability to choose the strength, the algorithm, and the key management system. We need the ability to fully judge the appropriateness of the algorithms, and we are talking here about common standards to the public be available, and that are interoperable between hardware and software. Key escrow recovery systems, and now I know I don't know the difference anymore. We have got to have some really strong laws for liability if disclosure becomes an issue. We need to be sure that this is going to have a minimum impact on the running of our business, both on the system performance and in administration, and in the personnel overhead that is going to be required to administer to these types of systems. We can build a huge conglomerate of infrastructure, but it is going to become so unwieldy that it is going to have a tremendous economic impact on our company if we are not careful. And then again, we need wide acceptance of methods by both businesses and by business and governments, free of import and export controls. The decision to use resting with the owner, and based on real business requirements, not on somebody's perceived theoretical model of what our requirements are. So that's our story. But we thought it was important that you understand that this isn't a bilateral situation for us. This is a huge, complex, multi-lateral situation for us, extending to hundreds of countries, literally, growing everyday, both in size and complexity, and if we fail here, it is going to have devastating economic consequences for us. Thank you.

Jeff Hilt:

Thank you very much Jim. And I think that this gives some perspective to the dimension here, especially the global aspect. Our next panelist is Dick Mabbott. He is head of Security Programs for APACS, which is the Association for Payment Clearing Services here in the UK.

Dick Mabbott:

Thank you Jeff. I will try to be brief as we are short of time. I will also stand out of the way. For those of you who don't know, APACS, the Association of Payment Clearing Services, is the association in the UK that represents most of the major high-stream banks and building societies, but it represents their payments system industry interests and to qualify that a bit further, it represents those areas within the payment systems that they wish to cooperate on. So I wouldn't want you to think that they operate as a cartel, and they certainly compete vigorously. But there are certain aspects within payment systems that I am sure you will all appreciate, that they do wish to cooperate on, and that is where we come in.

Just to reiterate some of the things that have been said today, we draw a major distinction between confidentiality and integrity. So we have been talking about encryption in a fairly broad sense of time today, and then at other times, in a very narrow sense. From a UK payment system's industry point of view, I think it is fair to say that most of the UK major banks and building societies are very interested in offering Trusted Third Party services. They see that as a natural thing, leveraging off their position within the UK culture. In particular, they would be interested in certification authority type activities. They are already heavily involved with a set initiative from Mastercard and Visa. Those things are seen as a new line of business. So if I am standing here representing a user community, were users of the cryptographic products that we have talked about today, and we are susceptible to the regulatory requirements that have been talked about here today, but in many respects we are looking to harness this technology, to offer it to the man in the street, to corporates, and to government.

For us, therefore, we come for a slightly different perspective, and liability in operating Trusted Third Party services is major in our minds. It is not simply a case of, we are professional enough to offer a slick operation. What we see is that if you are going to certify somebody, then you have to stand behind that certification. And therefore this is a revenue-generating business and it is geared to the liability that you are undertaking. And banks traditionally understand the risk business. So this is the business they are conscientiously getting into.

Also under the same heading, I have mentioned digital signatures, which we haven't talked about a lot today. You can, in a corporate-to-bank, or a corporate-to-corporate environment, survive with binding contracts that define digital signatures to be binding on the parties if there is a dispute in that contract. However, the complimentary side of that is, that certainly UK law would need to change in time to support electronic commerce, and the use of digital signatures in public, purely just to give a digital signature the same status as the written one has in terms of forensic evidences as it is today.

So that is what we are interested in. APACS, in terms of reflecting the views of its members, and individual members may take contrary views, but as a general rule, key escrow, and we tend to call it key escrow, doesn't do very much for us. As far as we are concerned, we are honorable members of society. We are on the side of the angels as far as direct regulatory authorities are concerned. But regulatory authorities have been getting information about people whose bank accounts, about money laundering, all sorts of things, under general legal warrant. And that information still exists today. It is not going to change in the new electronic environment. We are still going to have data bases, we are still going to have records in the bank. That self-saved information is exactly available as it always was. So key escrow is doing nothing for us.

We do currently use strong cryptography in our systems today. The banking industry, traditionally outside of governments and the military, has always been a major user of these technologies. And we have also been privileged to a certain extent in the part. But that is for closed systems among trusted partners. If the government is looking to open that up, then we certainly don't want to see our privileges eroded, but we do want to see a balance between what is our legitimate industry and the rights of the regulatory authorities.

We have no problem with payment systems at the moment. The regulatory authorities have no problems with the payment systems at the moment, so we feel they should be exempt. That maybe a special plea. However, if key escrow is going to arrive, what we would like to do is be involved in the discussions early with the regulatory authorities. We don't want to be running from behind. So this is an open dialogue. We are more than willing to talk and we will certainly be responding to the TTI consulted document. One of the advantages of only being able to talk for five minutes or so is that you have to distill your message down to a few bullet points, so the filter goes, the soft sell goes, and you tend to come down to the rather hard points.

Firstly, we would want no escrow on integrity only keys. Now I have heard reassurances here today that that is not the intention of DTI, but I have also heard different people's interpretations of what is in the consulted document.

We would agree, it has already been said, that key recovery techniques should be overtly specified. There should be no suspicion in the part of the public that there are any back doors or funny accesses, and it should all be well understood.

We would argue very strongly that key escrow should be in the jurisdiction where the cryptography processing takes place. Now in the case of the cross-border transaction, there will be two jurisdictions. We are not interested in a telecom's routing, so if it goes through another half dozen jurisdictions on route, it doesn't matter, they shouldn't have any access to cryptographic keys, nor any right to access, it should only be the two end points.

We certainly wouldn't want to see any tie up where key escrow is geared to the source of the product, as opposed to the domain where it is used. We would claim that key escrow agents must be certified and licensed, and accept liability for failure. So if you trust your sensitive keys with somebody, and there is a failure, whether it be theirs, or whether it be by license warrant, if there is a failure, you know who to sue. Now that comes down to understanding liability. You know who to sue.

The other half of that is the next bullet point that says the liabilities with the Trusted Third Party, not with the service provider, and he has a legitimate defense in law if he has been told by the regulatory authorities, under a proper warrant, that he has to pass up those keys. But these are important principles, and they underpin the commercial relationship which certainly, our banks will want to get into if they are going to start offering Trusted Third Party services on an income generating basis. They are not going to be in it for fun.

And finally, if we are imposed with a legislative regime, then it should not be retrospective. We would not want to be put to the indignity of retrofitting systems. Or if we must, then we don't see why we should pick up the cost. And that is it.

Jeff Hilt:

Okay. So, Dr. Frederick Tönsing is the Chief Scientist, and with Cryptography and System Security in Darmstadt, Deutsche Telekom.

Frederick Tönsing:

Good afternoon. My purpose is to present [inaudible - not near microphone] of Deutsche Telekom. It is not a promotion, what I want to do here, what I want to presented [present] here and my talk about [inaudible] and about position of [inaudible] to this [inaudible]. [inaudible] that would make security [inaudible] security, that department now company having to do with this, and for this department I work. As one of the largest health communication companies, Deutsche Telekom depends very much on information systems and the security of information systems that have [inaudible] which are more than a couple of them which are over and must use [inaudible]. Nearly half of all our staff use office communication systems, which are based on high speeds, [inaudible] that is very new for us, [inaudible] controlled by [inaudible] and therefore we have to face [inaudible] problems related to more information and technology and we have decided within our company to [inaudible] in this way that we have set up our own [inaudible] security policy for information system. And I think how we have done it is very well known, we have worked out an intersect strategy so we have [inaudible] strategy, we start by working [inaudible] security concepts called Secall [**] for information processing of which I applied to all networks and applications in our company. And this Secall contain a system [inaudible] tasks having to do with operation procurement. For doing this, we have developed and integrated security components [inaudible] what we call [inaudible] security [inaudible]. And the development of all security components is accompanied by a quality assurance and [inaudible] and also, just in Germany, we have to look, we have to consider, the data protection regulations of [inaudible] strong look on this. Just more detail on our Telekom's [inaudible] we have our products, our platforms, our information infrastructure, and we have separate from it, on an intersect platform [inaudible] we have called [inaudible] slot cards, based on an [inaudible] 7816 card, which is a type of [inaudible] cryptography keys, and sensitive cryptography procedures. We have, for example, the [inaudible] component that is our slot [inaudible] interfaced which allows the connection from, called SmartCards, to the system, for example, to the PC, at very low cost. And we have, we call it in Deutsche Telekom [inaudible] trust center which is a kind of Trusted Third Party. We use, this is entered with [inaudible]. So we have several basic security components, with those security [inaudible] comprises our intersecting platform. In this slide, I want to show an overview of all our SmartCards security application that either are or will be used by Deutsche Telekom. On one SmartCard there are [inaudible] we use it as a [inaudible] access card, we use it for flexi-time purposes, we use it for security purposes, intersect purposes, as a [inaudible] or as an electric [inaudible], and as a visual ID card. Just as one SmartCard [inaudible] telecom chip [inaudible] rating systems, we have cryptography procedures are involved, so are the secret support in the [inaudible] systems, [inaudible] we will use the idea of algorithm. Dealing with SmartCards, there must be a management issue. We are doing that by our Teletec TP service [**]. We are a little bit proud of our [inaudible] service, our [inaudible] because we are for Germany the first company operating [inaudible] TTP and [inaudible] this I think is well known [inaudible]. [inaudible] key generation composing of this [inaudible] and for the other side, the public keys must be [inaudible]. This is a little overview about how I have [inaudible] intersect [inaudible]. Now I want to say some words about the legal regulation aspects of cryptography technology in Germany and how we from Deutsche [inaudible] what is our position to it. At the moment, in Germany, the government, as we have heard it in the panel before, [inaudible] and in this [inaudible] there is one [inaudible] with digital signatures. That means that in Germany we would have a law giving some rules, how to work with digital signatures and in this context, the Deutsche Telekom supports the statement, what was [inaudible] worked out by the German Information Technology Manufacturers Association. And this statement on one [inaudible] of the German government that their digital signature act is created, but their feeling was [inaudible] that this [inaudible] if initiated should be accompanied by a legal [inaudible] of the [inaudible] documents with a digital signature, whether it is the electronic [inaudible], the old [inaudible], and paper documents [inaudible] signature. That was the statement of what [inaudible] statements [inaudible] relating to the digital signature [inaudible] and [inaudible] what on the other side the statement was enhanced because at the end of last year, there was some rules in Germany that there couldn't be a cryptography [inaudible] law, so in this statement, their position is [inaudible] what the German Information Technology Manufacturer's Association. In thinking about it, we have a feeling that the legal regulation of cryptography technology for all essential purposes [inaudible] not be theirs, because of points. The first point is that it could be bypassed. There are already known techniques. [inaudible] it is mentioned [inaudible]. We think this, the second point on the one side we have the high [inaudible] of the resourced information and on the other side the threat of [inaudible] for the government economy and we are sure it would be [inaudible] and therefore [inaudible] requirement for the use of strong cryptography without [inaudible]. The second point, the third one is that security companies of German would only be [inaudible] on the German [inaudible] on the [inaudible] market only [inaudible]. This statement is supported by us and I think it was a contribution to the OECD paper. Furthermore, in the business related [inaudible] of our trust [inaudible] trust center for [inaudible] we support a key separation, [inaudible] just before [inaudible] keys generated and this is [inaudible] by TP, [inaudible] from keys for confidentiality purposes. We do not want the [inaudible] keys used for [inaudible] purposes should be [inaudible] in the GPG or elsewhere, different from the [inaudible] environment of the user, because of the possibility of fraud [inaudible] and further on key recovery for keys generated [inaudible], used for confidentiality is at the moment not intended, but we have it as a technical option and [inaudible] very important point in Germany, [inaudible] storage and the security of the keys. Useful encryption. Which is not [inaudible] not allowed, it will [inaudible] violates the strong [inaudible] regulations in German law. Deutsche Telekom wants to be informed what happens in the world, what happens in civilization, organizations, what is [inaudible] international development, and [inaudible] to be able to use electronic communication services that cross boundaries with other countries having other [inaudible] policies, therefore we work in different groups, in different [inaudible] groups, this is only a section I've mentioned, for example, we have a group of the European Telecommunication [inaudible] we are a group [inaudible] algorithms and protocols [inaudible] worked out. We are a member of [inaudible] services [inaudible]. We are a partner in the intersect 1970 project. A project funded by the European community [inaudible] where the task of studying the use and [inaudible] of DTP's. We see this participation as a real [inaudible] research project and further on we are a member of a working group that was mentioned by Dr. [inaudible - Vonder?]. It was a working group [inaudible] organizational, and technical aspect of [inaudible] infrastructure which has [inaudible] and defines the conditions for construction and operation of the TTP [inaudible]. Thank you.

Jeff Hilt:

To move right along. We will now hear from Kathy Kincaid, who is the Director of Security Programs in the Internet Division at IBM.

Kathy Kincaid:

I oversee all the security we offer to customers from anywhere in IBM. This includes all the hardware, cryptos-marked cards, all the software, whether embedded or security products, the consulting practice and the services through our Global Services Organization. So with that role, which keeps me up at night, as you can well imagine, I talk to a lot of customers every day. My number one priority is meeting the needs of our customers so they can do business securely with their customers. So I will share with you some of our views that we have developed as a result of input from the customers that have come to IBM for security. And then I will talk a little bit about key recovery and the alliance, specifically the goals of it and what we are trying to do there so that it is clear to everybody. I know there is a lot of confusion between recovery and escrow still too. And I think there probably always will be.

To our customers encryption is really about doing business. It is not about technology. In fact, if you just look at the presentations we just had here, it is how they are going to do business in the world of today. We need this underlying technology an it needs to be very good. However, when you really go to apply it, you need to look at the needs of our customers and their end customers, suppliers, vendors, or whoever they are doing the secure transactions with.

We have really come up with three basic objectives that we are trying to accomplish, as we bring security out to customers. One is that encryption must be understandable to people. Now, we are not going to expect anybody out there to understand the difference in an algorithm of encryption, or even what public key cryptography is. If we hope that that is going to happen, we have got something like wool over our face. Right? It is not going to. It has to be couched in terms that people can understand. Whether it is the consumer public or users in a customer location, or in a retail store.

We try to liken things that are happening with cryptography to things that people understand. To use an example that we share with customers of a couple of items. Most people know, at least in the United States, what registered mail is, and I am sure there is an equivalent in almost every country. Where you are going to identify and ask for proof of who you are sending that letter to. You are also going to identify yourself at the Post Office. It does have a somewhat trusted communication's mechanism, to get the letter there, because it is under the control of the Post Office, however much you trust your Post Office, right? I'm not going to argue that, right? If we look at what we are trying to do on the Internet with encryption, using techniques like cryptolopes, or other forms of secure content distribution, where you are wrapping in an encrypted package the information. You want to identify who it went to. They need to know who it came from. They need to be able to open it. Cryptolopes can actually charge for the opening instead of charging for the sending, but it is a little different with registered mail. But that concept, of something that is not going to be opened until the person gets it, is a concept people understand, and the registering of the end users. That is a form of encryption on the Internet.

If we look at purchasing with a credit card. You can tell people, gee, right now you hand somebody your credit card and they either enter it by swiping it into their retail store system, or they punch that little machine with the digits in the U.S., right? They even have SmartCard readers in Europe, in most of the places. But what is happening to you when that occurs is that your credit is being checked to see if that card is okay to use for this purchase. It doesn't identify you as that person. It is not an identity card. So explaining that to people, they all...everybody knows how to buy with their credit card. You can say, the way that is done on the Internet is with encryption, because what you want to do is protect your credit card and the amount of money you are spending. In fact, it is even more secure because nobody in the store can look at it.

So trying to make things understandable is one of our key tenants to people. Some of this stuff is a little obscure to make understandable, as we all know, but we are working on that. The next thing is that it has to be useable. It has to be very easy to use or it is never going to succeed as a vehicle for securing things. We use the Lotus Notes as an example, where about 20 million Lotus Notes sent in encrypted form, every day. Seven million users sending notes are encrypted. And most of them don't even know that they encrypted it. If you have every used Lotus Notes, you can check that you want to encrypt it, or the data base administrator can say that everything on this server has to be encrypted, depending on your company's policy. I don't have to know that I am sitting there with a public key infrastructure and digital signatures in my Notes environment. It is useable security.

Using the credit cards is another example. We are using the credit card examples a lot, because that is what is starting to roll out and be deployed. We have got about 20 pilots in IBM going on around the world on this stuff, and many of you are part of that, or have your own. And that is useable because people can understand. It is easy to use, like a credit card, and it is going to be easy to use on the Internet. I don't have to understand how it happened. We are all very worried about it, and how to control it, and how to recover it but the customers don't have to be.

It also has to be useful. Nobody is going to buy this stuff unless they understand its useful and they reason that they need it. Now our customers, who are primarily businesses for IBM, want encryption to do business globally for two reasons. One is that they want to protect whatever they have as information assets. They want to move information securely across the Internet or whatever networks you are going across. So there is a business need for them to encrypt that information, if it is a data asset.

There are also regulatory, governmental policies requiring people to be able to encrypt things and to recover those encrypted pieces of information if they want to do business with them. It doesn't always require them to encrypt, but most people demand that for their business purposes. Now, what we are trying to do at IBM is not to argue all the policies of every government in the world. They are not going to vote themselves irrelevant anytime soon, so we are going to have to come up with a way to do business that lets the user be in control and lets a business decide what they will have to do to do business in the countries they want to do business in. We are trying to provide the capabilities to do that. And that is kind of what this key recovery activity is all about.

We use the definition, that key recovery is different than key escrow, and I know all the arguments, I don't want to argue the differences. When I say key recovery, we do not have anyone share the secret that the user has before setup. With key escrow, someone shares the secret of the user. And let's just assume that definition for what I am going to talk about.

We think it is important that we look at the customer requirements for key recovery. Not all the places they need to use it for can meet every government requirement, but what types of characteristics should it have? First, we feel that it must be self-contained. That you should not have to communicate with any other party during the setup of your encrypted communication, or encrypted file transfer, or whatever it is you are doing, or storing a file. So that means that you don't have to share a secret. You do not also have to talk to any key recovery agent at all. Because to impose a communications to a key recovery agent, or whatever you want to call the people that can later help you reconstruct, it is going to limit your scaleability and have a significant impact on performance, we feel.

We also don't want the keys for the session or the file to leave the cryptographic facility. Because that is not as secure. Your cryptographic facility could be in hardware to make it even more secure. And frankly, we are seeing a lot more requirement for hardware crypto engines right now. We are building a lot of those as fast as we can. But the demand for those is coming at a rapid ramp up. And you need hardware for two reasons. One is performance, it is faster to do encryption in hardware. The other is security. It is much more protection than sitting there with your keys to your encryption in software. In hardware, if somebody tries to get at them, it is going to destroy the machine. You just can't get those keys. And that is the type of hardware it is important to focus on. The set specification is specifying hardware for an inquiring bank and they are suggesting it for the merchant server too now. And there is reasons for that, it is for the security of it. It may be for the performance, but they haven't scaled up enough to run against that roadblock yet.

The other thing we think is important is that this must be very efficient. It has got to be scaleable. It has got to be very fast. In our key recovery we do hashing. Instead of encryption in the setup of key recovery. So there are some differences in the implementations. All of us who have key recovery techniques have this goal of making them not be a significant performance hit, right? You can't do that and expect people to use this. At least not in the scale that we think things will happen.

The other thing we have to make sure of is that it must be collusion resistant. No one person can go partner up with another person and say let's go recover all these keys. No one person can subvert it. And we also feel it is important to build a trust parameter around any key recovery scheme used. So that if your decision is to use key recovery, you want to be sure that the people, the products, the users, that are supposed to be using key recovery in your jurisdiction use that key recovery and do not subvert it or go around it. That also addresses some of the other management characteristics of security that we are worried about. You can have the best crypto in the world, but if you don't manage how you handle it is not secure. And it is not just access control list of passwords now, it is this: what are you going to do about the guys who can get in there who are very knowledgeable and can subvert things? What is your trust parameter? That is a concept we are working on right now with a lot of our products. So you need to think about that as you are developing your policies.

The other thing we feel is that it must be very flexible if you are going to use key recovery. Any solution should support any algorithm, anywhere, any length key. Should support any jurisdictions requirements. And a jurisdiction could be a country, a company, without favoring any one jurisdiction. So key recovery, we believe, should be possible, in either the sender or receiver's locations without bilateral coordination, or without any other country or jurisdiction imposing the ability to recover keys for two other jurisdictions. And that concept does not always sit right with a lot of people, so that is an important concept that we are working on. That we feel that the technology that we deliver must be capable of doing that. Now are people going to use that different ways? Absolutely. We have already seen lots of different requirements here today. We have seen lots of different governments present their roles. They are diametrically opposed, some of them. But the technology we deliver has to be capable of handling these different, cultural, governmental business needs, we think. That is really all I had to say, I could go on forever, but please, you have to stop me before I do that.

John Dryden:

All right. Thank you. Kathy. So we have 20 minutes left for questions.

I wanted to just make a few points. I originally was going to be a panelist before I was the moderator. Visa International has been active in trying to promote the use of the Internet and to some degree involved with cryptography or the use of public key cryptography. Many people focus as Kathy did on the analogy of keeping accounts secret. In fact banks and Visa have used this for many, many years to keep certain information private, such as the personal identification number, or PIN, that is entered in an ATM, and they we do that internationally. But if you think about a perspective of some of these user requirements that we have already talked about, GM is in 170 countries, Visa actually manages systemic risk in 177 countries and we have to deal with the governments in those areas and so there is more than just APACS here in the UK, you have APACS in the UK, well think of replicating that 170, 177 times around the world.

What we got involved with initially was not just to keep the account numbers secret because, as many people argue, you can go into dustbins and get a lot of Visa account numbers. What we were to establish was trust. Maintain the trust that customers, main customers have in the Visa payment paradigm, it isn't just credit, it also involves access to your current account or your checking account. So we were involved in trying to keep it secret to the extent that it wasn't broadcast on the Internet. We wanted to make sure that the well wasn't poisoned. Because when we began to look at the Internet back at the end of 1993 and how it could be used by our member banks to promote commerce, we were interested in keeping it secure.

But the other two areas that often are overlooked is data integrity. So that when you have a transaction for one car, you want it to be one car, not ten cars, or if it is for $1,000 it doesn't somehow mysteriously become $10,000 as it travels through the Internet. So digital signatures are the more important part.

The third aspect is, authentication. Authentication of the parties. What we were trying to look at, as when you walk into a store, you see a Visa decal, and you pull out your card, you see a Visa decal and there is closure there. What we were trying to do early on was say, how can I have the equivalent of that in cyberspace? How would I have the virtual decal on the cybermerchant's location that would authenticate that they have a relationship with the bank, and then how would you as a card holder, be able to represent your relationship with your bank. So that is a big part of the ASAT technology as it has come out. So those were some of the requirements.

Global banks and Visa had some special privileges in the use of cryptography in the past because of the amount of business that we do. Last year the Visa system, our banks, collectively, did a trillion dollars worth of sales. So there is trust. The governments recognize that in the 1014 where it has the UK model, you might notice that there is an exclusion for credit card authentication because we are recognized as responsible entities in the management of our keys. So with those just few words on our requirements as a worldwide organization, I would like to open the panel now to questions from the floor for about the next 15 to 20 minutes to stay on time. Do you have a question there in the back?

Yaman Akdeniz: My name is Yaman Akdeniz, I am a page theory searcher at the Center for Criminal Justice Studies, University of Leeds. I have more a comment than a question. We talked about the users perspective for using the encryption technology. But the civil libertarian aspects of using encryption is never mentioned. I am a student, and I don't have much money to spend on commerce, so I was thinking, I might not need Trusted Third Parties, or key recovery to use encryption technology on the Internet, but I might use encryption to communicate with my friends or others, just, not because I am a criminal, but I want to secure communications with others and I need privacy to do that. But then, it has been said that this is not possible because criminals use, terrorists use, encryption technologies so I have to give away my privacy just because the law enforcement bodies want to have access to this information. But then I think again, how are we going to stop criminals? They use mobile phones, the GSM technologies stolen mobile phones to communicate. They also use pigeons and the mail so what is the fear with the encryption keys and key recovery, I asked myself? And it is very often to systematic abuse because the information can be collected about myself, I mean, I want to use it for secure communications because I might want to use it for political speech, I might want to criticize the governments, or I might be a whistle blower, but I need security to do that and I don't want to others to access my information. Thank you.

Jeff Hilt:

Okay, as you said, that was more a comment than a question, so maybe we will take another question from the floor? Yes, one here in the back, and then there was another one here.

Perry Six: My name is Perry Six and I am Research Director at the Independent Cross Party Think Tank here in London. A question for Dick Mabbott, who is the one person who raised the liability issue.

I would like you to comment on the sort of thinking that is going on in the banking network in Britain, about the extent to which British banks see themselves as the victims of regulatory competition between different states for the location of corporate business. Because, after all, with various states competing for different digital signatures laws and different laws of liability of certification authorities, there are going to be a number of bodies potentially setting up Internet banks who will be choosing their jurisdiction to locate in, on the basis of the liability rules that they think are most attractive to their customers. And I hear two very conflicting stories when I talk to people in the trade. One is, people want very strong, clear liability on the TTP. Others contend that if we are going to create TTP's we want very light liability rules because that is the way we are going to construct a credible business plan. So I would like you to comment, really, about the extent to which the members of APACS see themselves as caught in this kind of trap of international regulatory competition over liability.

Dick Mabbott:

That is a fairly big issue all in one go. Firstly, I would say that the members of APACS are not fly-by-nights, so they are quite happy to go up against any other regulatory authority, but they would certainly look for a level playing field. So if there are impositions to be made, then they ought to be on everybody that is going to enter into offering those sort of services. The point I was making in my presentation was that the banks come from a culture of understanding risk management. And they understand that it costs money. You don't get risk managed and you don't get liability covered without somebody paying for the service.

In terms of Internet banks, then you are into a slightly different regulatory conundrum. To operate as a bank under UK law, you have got to be recognized as a bank under the Bank of England or under the Building Society Commissioners. I am not quite sure those regulatory authorities have wrestled with a cyberbank as such and certainly I wouldn't speak for them here. You almost come down to caveat emptor, but if you are willing to put your money with a bank that you have only communicated with over the Internet, versus one that you have grown up with from your childhood, that has bricks and mortar in the high street and that you feel has a reputation, then that is your choice. To a certain extent, you pay for what you get. And I know that is not a very reassuring answer, but that must be the answer that we all face in an ever diversifying economy. You want to do things on the cheap, fine. There is a difference between doing things on the cheap and shopping around for the best price while also having fairly high levels of quality and standards that you, as the buyer, will want to see.

Jeff Hilt:

We will take this question here.

Brian Collins:

My name is Brian Collins and I am an independent consultant.

I would like to focus in on key management because it seems to me that we talked about the cryptographic mechanisms, but the real strength comes from managing those mechanisms properly, and key management is central to that. Now, it seems to me that in a commercial organization the governance of key management not only resides with the organization itself, but with the auditor of that commercial organization. And I would be interested in the panels views of the role of the auditor. A statutory audit function, external, not only internal, which should be there anyway, in ensuring, not only for the general public, but for the shareholders who are a bit closer, that key management, if it is that important to your commercial success, is being handled with the appropriate governance. And I would guess the banks, because they have been using this stuff for some time, and I should know from my personal experience, do get audited, I have done it, in great depth. Whether you would feel comfortable about the audit firm who you have a statutory responsibility to allow to infiltrate your premises, to review your key management process, not your keys, but your key management processes?

James G. Dunn:

I will start off trying to answer that. I think it is inevitable. I think we have a very real fiduciary responsibility to the shareholders that's unavoidable. And it is becoming more and more visible in this particular area. And I eluded to the problem that we had with one of our competitors here in Europe that had nothing to do specifically with technology, but it is a way, as I said before, it has raised people's awareness of the real value of this information. So I fully expect that shortly the outside auditors, the company auditors, are going to come in and ask to look at how do we manage this whole process. And I am not going to pretend that in General Motors that we are so sophisticated that we have a very good answer, because I am afraid we don't, right now today. But I think it is inevitable, this is going to happen, cause this is just another piece of this whole fiduciary relationship we have with the shareholders. And it is probably one that we have got to step up to sooner rather than later.

Kathy Kincaid:

Understand that I think it is not just the key management that needs the auditing focus now. I have seen a significant increase in requirements for security auditing in general of all assets of security now. It is kind of come along with the focus on security from all the hype and everything that is happening. I think it is very good that we are getting this focus on security. I just want people to focus on it as an enabler instead of just a concern. But we are seeing quite a bit of requirement for auditing. We are putting some stuff into our major platforms now, to help with security auditing. And I think, you are right, that security, the key management is going to be one of the main aspects, especially on Internet encryption auditing.

[unidentified speaker #1]:

I actually wanted to hear something from the corporate user perspective as to whether key recovery is really needed or not. And if it is then what would you feel that actually looks like.

James G. Dunn::

Well, I think it is a requirement. But again, I guess, as I move through the day, I became more and more confused because...what you are really talking about. I think there has to be some provision for it, I'm not sure, you know, just exactly that should be at this point quite frankly.

Kathy Kincaid:

What we have seen in our customers is quite a bit of requirement for the stored data key recovery. We have had a few customers come in with the requirement for, what I would call telecommunications, which would have been a telephone conversation before, but they now want to do it over the Internet. It is primarily securities exchange companies, stock sales, where they have a requirement to not resend the transmission, they can't do that. Because they must recover the current transmission or two stock purchases would have occurred if later the one that was lost got there. So that is a specific requirement for that industry, for recovery of what we would call a conversational activity. There may be others too, I have heard of one on collaboration of engineering in multiply countries which is an Internet online active, real-time communication that they want to be able to recover that. Now you can, in effect, say that that could become a stored data concept then, when you record that engineering conversation.

Jeff Hilt:

Question?

[unidentified speaker #2]:

Yeah, I just wanted to add to what Kathy said and I guess Mr. Dunn also. You know, I am a technologist and I will always be a technologist, love the technology. But we are really forgetting the fundamentals here.

The human factor is always the weakest link, whether it is industrial espionage or government espionage. And we are not putting enough focus on the individual and educating the individuals, both the end user individual and the auditing, because now we are seeing a convergence, not only in technology for communications, but we are seeing it focus in a convergence in the policy management of the security policy, financial policy, and operational policy. And it is management's responsibility, we all as vendors and technologists, we need to train the users, what their responsibilities are, and you must have a good plan. If you have a bad plan and you throw technology at it, then you will have a bad plan with good technology. So I think we need to shift the focus of key escrow, key management. Most of the data in the corporation is stored in the plain. When we go over the Internet point to point, we have VPN's. There will be very little data that is actually encrypted, maybe Mr. Dunn's new car will be encrypted because it is highly competitive and very volatile. But the focus has to be on education and training and policy, not going crazy on key management. It is irrelevant.

Jeff Hilt:

Was that a comment or a question? Okay.

[unidentified speaker #3]:

Somebody said from the platform that as the time goes on we get more and more confused. I share the confusion. I am beginning to wonder whether there is any third party that I can trust to tell me which third parties I can trust. And in particular, whether the trust structure is a hierarchical structure at the top of which our government is claiming that they can be trusted. Or is the structure in fact a networked structure in which we pass around to each other the experience of who turns out to be trustworthy and whose brand name is going to be something in which we can have confidence?

Jeff Hilt:

The process that we set up with SET, if you look at the hierarchy there, if you look at privacy enhanced mail in the hierarchical structure that is there, and you look at the Visa structure where we have 18,000 banks, you may not know who they are, you may not know who their customers are, and yet, through that hierarchy, which is very similar, we issue plastic certificates to people to be used all over world, and they are trusted. Because it works. Now that grew over a period of time, and there was fraud, and there is still fraud, but it is manageable, at least at the current levels. And we keep ahead of technology to manage that. But I think one of the points you mentioned about brand, the Visa brand, the Sun brand, IBM's brand, Hewlett-Packard and those kinds of brands are things that people trust, because it is a function of caveat emptor. Over time, they have learned to trust those, and the people that are going to be doing business on the Internet are going to look for those trusted brands, because you have that trust in their physical world, and it is going to pour to the cyber world. In fact, that is one reason why we put so much effort into it. Because we didn't want to poison the well and have, what could be a tremendous channel, but it isn't going to be somewhat dictated, and the problems we face is where government says they want to be the top in that hierarchy. Well, we have the problem where we have 177 of them. Okay? And they can't all be on the top of the hierarchy. So it would be national associations, or groups like ourselves. One of the reasons we are trusted is we take liability. A lot of other people who want to be certificate authorities or whatever ID people, don't want to take any liability. But we do take liability and we stand behind that, and because of that, we have acquired trust. We will take one more question here.

[unidentified speaker #4]:

I would like to hear comments from the panel. It seems to me that part of the confusion that is associated with all of this is the reusing and redefinition of a lot of terms. Like Trusted Third Party, when it was first used in the circles, it meant someone that you would trust to give you a certificate to authenticate who you are. Now the reappropriation by a lot of the policy, government policy, a Trusted Third Party no longer means who the users trust, but who the government trusts. But they didn't tell everyone they changed that definition. And so it is very confusing to track.

I have heard the words Trusted Third Party used here and that has been merged with certificate authority and those two functions have merged in a lot of people's thinking and explanation. I would be interested in hearing, especially APACS, whether the activity that the banks are interested in doing is certificate authority which is an authentication role, or Trusted Third Party in the government's perspective which is key recovery, etc., etc., so that the governments know who to go to, to get that information.

Dick Mabbott:

Very much the former. It is all about certification authority. You may not like your bank, you may have complaints about the level of service or fees he charges you but you salary gets paid in every month, you get your money out of the ATM, you keep your valuables in the deed box, etc., etc., so it is very much about customer facing and being trusted by the customer. There is a view, the contrary view, that says that if we get too close to government, does that taint our position of trust in the eyes of the client base? Which is why we would insist on warranted intercept and the parallels of the existing wire taps.

Jeff Hilt:

Okay, I think we are going to have to...

[unidentified speaker #5]:

I have one quick comment. We would rather not be involved with the government as a Trusted Third Party. We, as an American corporation, free market player, have an aversion to the government being involved in something like this. It is very difficult to control. So we would rather have the ability to choose who that Trusted Third Party is. But again, I think this goes back to the point that has been made several times. We run a very real danger of becoming so esoteric with our terminology, with our architecture, with the way we bring this to the user, that in the end, the user is going to be totally frustrated. If you are working with one product, and I am not demeaning the bank, for instance, because they have several products now that are credit card companies, but when you get into these complex organizations with thousands and thousands, hundreds of thousands of people involved, you have got to keep it simple, or you are going to have big, big problems. They are just going to walk away from you.

Jeff Hilt:

Okay, well, I would like to thank our panelists. And thank you for your participation.

[unidentified speaker #5]:

I'd like to thank you and thank the panelists. Just a few words before we break and go to the House of Lords. First of all, again, I would like to thank British Telecom, Bob Foster, David Hughes, Janet Henderson and her colleagues for hosting the GIP meeting. Secondly, I would like to thank, ironically she couldn't be here today because she has the stomach flu, Roberta Katz of Netscape, who really developed the idea of this GIP encryption summit. It was here idea, and she got sick and she couldn't be here, but of course, Jim Clark was here at lunch, and Peter Harter is a great asset to us. I would also like to thank all the GIP members who participated in both yesterday's meeting and the summit today. In terms of specific deliverables, I want to let you know we are going to have the proceedings transcribed and we will have them available on the GIP Website in the very near future. So you will be able to get access to those. We will also try to do and we will have a search capability, so if you want to search the words and find out what key escrow means as opposed to key management, you had can look it up. We are going to put together a summary of the comments as well as some key findings coming out of this meeting.

Also, the GIP will be releasing in the next couple of weeks the GIP's comments on the implementation of the OECD Guidelines and those will also be available and we are going to try to put as much of the briefing book as possible, available on the Website also. As John Gerdelman said in his initiating remarks this morning, the GIP doesn't think that this is by any means the end of the conversation on encryption. We understand that this is an on-going and constantly evolving dialogue. Just keeping the terminology straight alone is a major challenge, so we are going to continue to work on it, including the definition issues which have been highlighted today by various comments, and the GIP will continue that as an ongoing activity. We at ITAA are very proud to be the secretariat for the GIP and will continue to provide services to the organization. I want to thank Jon Englund and my staff who was very instrumental in the organization, Pete Smith who did a lot of the organization work and help recruit our speakers, and helped to put this all together. And again, I think there has been a tremendous amount of information exchanged today and we have an opportunity to continue it in a much more intimate dialogue in a lovely venue at the House of Lords where Lord Renwick is hosting this reception.

You are asked to please take your name tags with you, so that we will know who you are after we have had a couple glasses of sherry at the House of Lords. As I mentioned, there will be a bus out front. It doesn't seat everybody and for those people who don't manage to jump on the bus, we have several taxis ordered, Pete, is that correct? And they will be out front, and it is just about a ten minute ride over to the Palace of Westminster. Does anybody have any questions? If you don't have an invitation with you and you want to go get one from Pete. Pete is standing up here waving them around. You do need that invitation to get past the guards at the House of Lords and into the reception. Well, again, thank you all very much for participating and hope to see you over at the House of Lords for the reception.

Note to users: All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.
1997 GIP (Global Internet Project) All rights reserved.