The New York Times, March 27, 1997, pp. A1, D3.

U.S. Rebuffed in Global Proposal For Eavesdropping on the Internet

By John Markoff

In a setback for the Clinton Administration that demonstrates the difficulty of setting global policies for the Internet, the leading industrial nations have declined to embrace a United States proposal to allow computer eavesdropping by the world's law enforcement agencies.

The United States proposal, backed by Britain and France, was an attempt to restrict the private use of increasingly advanced data-scrambling technology that can protect the privacy of electronic mail and other forms of computer communication. The equipment can make it difficult for law enforcement officials to crack a code when they suspect it is masking criminal or terrorist activities.

The proposal called for international endorsement of a system in which mathematical keys to computer-security codes would be held by escrow agents from whom law enforcement officials could obtain the keys once they have a court's wiretapping warrant.

But policy guidelines scheduled to be released in Paris today by the 29-nation Organization for Economic Cooperation and Development fail to endorse the United States proposal. And they leave such leeway for members to regulate data-scrambling technology--or not--that computer security experts say any uniform international policy remains elusive.

"The difficulty with the guidelines is that anybody can interpret parts of them in their own way," said Konstantine Papanikdaw, a policy analyst for information security at the European Commission in Brussels.

Indeed, the industrial world seems to be deeply divided on whether governments can ever legitimately eavesdrop on the electronic communication of their citizens.

Because messages on the Internet are easy to intercept, a growing number of individuals and corporations are protecting the privacy of their communications and the security of their commercial transactions by scrambling such information.

Some O.E.C.D. nations, including Britain and France, have either outlawed or are in the process of tightly regulating the private use of data-scrambling systems. But other nations--including Australia, Canada, Denmark and Finland--have policies that protect individual privacy.

Among other member nations, Japan had initially resisted the United States proposal but was said to be moving closer to it, while Germany remained deeply divided. Most other countries, inside or outside the O.E.C.D., have yet to confront the data-scrambling issue.

And even the United States has a somewhat contradictory national policy that permits citizens to use whatever data-scrambling software they wish within the nation's borders, but restricts the export of the most up-to-date computer-coding technology.

That seeming contradiction, however, did not prevent the Clinton Administration in recent months from waging a vigorous behind-the-scenes effort for its proposal. And hoping to resolve some of the policy conflicts, the Administration is now circulating draft legislation on Capitol Hill which would attempt to control even the domestic use of data-scrambling software and establish a key-escrow system for the United States.

While the O.E.C.D. has no authority to set international policy, its recommendations are frequently used by member nations in setting their own foreign and trade policies. And the privacy and law-enforcement aspects of the Internet are issues on which member governments have been desperate for guidance.

But even though most of the O.E.C.D. discussions involved law enforcement officials, who have been the main advocates for measures that would insure their ability to crack codes, European officials say that there was never much agreement on what to do.

And so the primary recommendation in the report, a copy of which was obtained by The New York Times, simply gives O.E.C.D. member nations the latitude to do as they see fit when it comes to data scrambling, which is formally known as cryptography.

"National cryptography policies may allow lawful access to plain text, or cryptographic keys, or encrypted data," the report says.

Privacy-rights advocates see the O.E.C.D. guidelines as a critical setback for the Clinton Administration.

"The U.S. proposal to endorse lawful access to private keys was explicitly rejected by the O.E.C.D. member countries," said Marc Rotenberg of the Washington-based Electronic Privacy Information Center and a member of the O.E.C.D.'s advisory group. "The O.E.C.D. chose instead a policy based on voluntary, market-driven development of cryptography products."

And even supporters of the United States position acknowledged that the guidelines were a disappointment.

"The United States probably had more success raising consciousness than getting language that could be treated as an endorsement for key recovery," said Stewart Baker, a former National Security Agency official who participated on the American delegation to the O.E.C.D.

Meanwhile, executives for the United States computer industry were critical of the O.E.C.D. for even leaving the door open for governments to set national policies on data scrambling.

"We think that markets, not governments, should be the primary determinants of technology solutions," said Jon Englund, a vice president at the Information Technology Association of America, a trade group.

Many experts question whether governments can ever hope to insure law enforcement access to electronic messages or to restrict the spread of super-strong coding software, because new, more powerful versions can always be developed and easily transmitted over the Internet in the blink of an eye.

And any international effort is almost certainly doomed if some countries refuse to go along with a common approach, because people looking for strong encryption can simply acquire it wherever the laws are lax.

In fact, the big German company Siemens A.G. recently introduced an encryption system that it advertises as being much more powerful than American companies can export under United States law.

Besides the United States, France and Britain both support a system for enabling law enforcement officials to obtain keys to data-scrambling codes. France has already passed a stringent law that requires participation in such a system, although the rules to carry out the law have not yet been worked out.

And in recent days, Britain has quietly circulated the most restrictive proposal of any nation, a domestic policy under which the Government would allow private use only of cryptography that was officially licensed, to make sure that the software uses code that law enforcement officials can crack.

Under such laws, of course, criminals and terrorists might logically choose to use unauthorized encryption software. But the mere fact that such use would be a crime may be a deterrent--or give the police grounds to arrest anyone whose communications were indecipherable.

In Germany, encryption remains a deeply divisive issue. The Interior Ministry has supported the need for encryption restrictions of some sort, but the Justice Ministry and the Economics Ministry have both signaled their opposition. And German businesses have been outspoken opponents of any new restrictions on data scrambling.

Meanwhile, United States export restrictions have been a boon for Brokat Informationssysteme G.m.b.H., a two-year-old start-up company in Boblingen, Germany. Brokat supplies secure electronic transaction software for banks like Deutsche Bank and on-line services like America Online in Europe.

One of Brokat's hottest products is the Expresso Security Package which essentially adds strong encryption to the World Wide Web browsers and Internet server software sold by two of the largest American software companies--Microsoft and Netscape Communications.

[End]