[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


------- Forwarded Message Follows -------
From:          "Caspar Bowden" <cb@fipr.org>
To:            "Cryptography@c2. net (E-mail)" <cryptography@c2.net>
Date:          Sat, 24 Jul 1999 00:56:38 +0100
Importance:    Normal

Please link any story to Web Press Release at

Caspar Bowden                    http://www.fipr.org
Director, Foundation for Information Policy Research
Tel: +44(0)171 354 2333      Fax: +44(0)171 827 6534

News Release - Friday 23rd July 1999
Published Bill available at http://www.dti.gov.uk/cii/elec/ecbill.html

Contact: 	Caspar Bowden - Director of FIPR
   +44 171 354 2333


Since the early 1990s, civil service policy advice to Conservative and
Labour Ministers has advocated draconian legislation restricting the
use of encryption on the Internet. The Conservatives proposed
compulsory licensing of encryption in Government, but recanted in
opposition. Labour opposed controls in opposition, but now propose
"decryption notices" which overturn basic principles of human rights
and civil liberties.

Today the Government published an Electronic Communications Bill that
will give ministers broad powers to control the use of encryption in
electronic commerce. Although some of the more objectionable aspects
of previous proposals have been dropped from primary legislation, the
bill gives ministers the power to introduce them later as regulations.

Caspar Bowden (Director of FIPR) said:
"Electronic businesses can trade from anywhere in the world.
Threatening a mountain of red tape will cause e-business to move to
places with a more supportive climate such as Ireland or Canada."

"The Home Office argues that being asked to produce a decryption key
is like being asked to provide a DNA sample. But innocent people might
lose a key to stored data, or never know the key to data that is
e-mailed to them - and unless the court is convinced, it means jail"

Overwhelmed by resistance from industry and users, the government has
been forced to abandon a succession of elaborate but futile frameworks
for regulation, wasting three years in which UK e-commerce could have
established a world lead.

Big Bureaucracy
Compulsory licensing with mandatory key escrow subsequently became
"voluntary" licensing linked to key escrow, and now the terminology
has metamorphosed again into a "register of approved providers".
Despite a fiercely critical Trade and Industry Select Committee
report, the DTI has ignored the spirit of their findings and appears
still to want to keep open options for strict regulation. Six pages of
impenetrably worded legislation could see the return of key escrow
through secondary powers which would allow the Secretary of State to
make escrow a condition of approval.

Businesses already deterred by vacillation and delay, will have little
idea of what to expect until the regulations are eventually published.
Different regulations can be published by different departments, no
timescales are set out, and businesses will face constant debilitating
uncertainty about whether electronic products and services may in
future face much stricter regulation.

FIPR wishes to see cast-iron curbs on secondary powers which could
require (or coerce) without further primary legislation: (a) operation
of key escrow by approved providers, (b) linkage of weight or validity
of signatures to being an approved provider, (c) use of approved
provider of certificates or encryption for dealings with Government

Big Brother
There are also serious civil liberties concerns. The bill will give
police the power to demand decryption keys from anyone they suspect of
possessing them, and failure to hand keys over can lead to a two year
jail sentence. The defence will be presumed guilty of withholding a
key unless they can prove otherwise (a likely contravention of the
European Convention on Human Rights), and decryption notices will be
secret, so it will be impossible to complain effectively if they are
used in an oppressive way.

Handing over a decryption key used for years on end would give the
police access to very much more information than they need. Decryption
notices can also be served on innocent correspondents of a suspected
person, with an indefinite obligation not to change keys and maintain

FIPR believes that criminals should not be able hide behind
encryption, but the way in which the government intends to deal with
this is completely unsatisfactory and infringes basic human rights.

To obtain power to serve a decryption notice FIPR suggests that the
authorities should establish to a judge with reliable evidence that
the: - data in question contains a hidden or encrypted message -
person on whom the notice is served possesses a key - data contains
evidence of, or would assist in pursuit or detection of, a serious
criminal offence

Decryption Notices and Human Rights
- penalty of two years imprisonment for non-compliance
- can be served on a person who "appears" to have a key - there is no
requirement for any evidence to support this - discretion to demand
either keys or decrypted data - access to keys destroys privacy of all
past messages - can be used to obtain private keys from innocent
associates or professional legal advisers of suspected persons - do
not even have to specify what encrypted data has to be decrypted - can
ask for any and all keys - apply not just to data seized or
intercepted under warrant, but also to anything lawfully obtained
without a warrant (including published or public domain material) -
allows methods of incriminating innocent persons in ways against which
it will be impossible to defend reliably - will deter Cryptography
Service Providers who might operate key recovery (which could assist
law enforcement) from doing so, by exposing them to strict criminal
penalties if (for some reason) they are unable to comply.

*) No presumption of innocence : burden of proof on defence to show they DO
NOT have a key
- how is it logically possible to PROVE non-possession of key?
- asking for a decryption key is not like asking for a DNA sample -
innocent people lose keys, or might never know the  key to data that
is e-mailed to them

*) "Tipping-off" condition - actually an indefinite obligation of secrecy of
excessive width
- can impose an indefinite obligation of secrecy on suspects,
associates or legitimate third-parties - prevents innocent associates
from complaining publicly, with a penalty of five years imprisonment -
could actually be used against suspects themselves (prevent from
"tipping-off" themselves !) - with a penalty of five years

*) Safeguards?
- Complainants only recourse is to a Tribunal, which can hold
proceedings in their absence - Tribunal need not disclose reasons for
decisions, and operate special rules on burden of proof and
admissibility of evidence - no "equality of arms" between the
prosecution and the defence. - a Commissioner to "keep under review"
exercise of powers - abuse of powers breaching the Code of Practice
would not "of itself" create any criminal offence - duty on
authorities with access to keys to maintain only such safeguards "as
considered necessary"

Could key escrow return under secondary powers?
The Trade and Industry Select Committee commented in their report:
(115): "A number of respondents_advocated that statutory instruments
should be ratified by affirmative resolution_we have been critical in
the past of Government's reliance on regulations which escape
effective parliamentary scrutiny." (107). "Powers should not be taken
in the forthcoming Bill to permit the introduction of key escrow or
related requirements at a later date".

Part I:  Register of Approved Cryptography Service Providers
Secondary powers
- could compel key-escrow/recovery as a condition for approval as a
Registered Cryptography Service Provider

Part II: Admissibility of E-Signatures and Powers to Amend Legislation
------- Secondary powers - could prescribe use of a Registered
Provider for citizens or businesses to deal electronically with
Government. - be ratified by affirmative or negative resolution at the
discretion of the government

The Director of the Foundation, Caspar Bowden, said:

"Civil servants have tried for years to get industry to buy into their
proposals for regulating electronic commerce. It's time they realised
that this is not going to happen, and that the world has moved on.
Things are very different now from what they were in 1996 when these
ideas were first floated"

"Electronic commerce is being seriously harmed by the attempt to tie
electronic snooping provisions in with this Bill. The proper place for
snooping regulations is in the new Interception of Communications Act.
Making wiretapping a condition of the licensing of electronic commerce
will just undermine confidence and drive business away.'

Notes for editors
1. FIPR is an independent non-profit organisation that studies the
interaction between information technology and society, with special
reference to the Internet; we do not (directly or indirectly)
represent the interests of any trade-group. Our goal is to identify
technical developments with significant social impact, commission
research into public policy alternatives, and promote public
understanding and dialogue between technologists and policy-makers in
the UK and Europe. The Board of Trustees and Advisory Council
(http://www.fipr.org/trac.html) comprise some of the leading experts
in the UK.

2.  Chronology
10 Jun 1996 DTI paper on "regulatory intent concerning use of
encryption on open networks".

17 Mar 1997	DTI Consultation "Licensing of Trusted Third Parties for
the Provision of Encryption Services"

27 Apr 1998	DTI "Secure Electronic Commerce Statement"

19 Oct 1998 DTI Consultation paper postponed

24 Nov 1998 Queen's Speech announces "Electronic Commerce Bill" this
Parliamentary session

3 Dec 1998	Trade and Industry Select Committee announces inquiry into

19 Jan 1999	France abandons key escrow

4 Mar 1999	PIU study announced at No.10 meeting for industry leaders,
key-escrow "not the answer"

5 Mar 1999 	DTI Consultation "Building Confidence In Electronic

23 Mar 1999	"Scrambling for Safety III" conference: first public
discussion of encryption policy by Home Office

1 Apr 1999 	26 day response period of DTI Consultation ends: FIPR
accumulates submissions on website

19 May 1999	T&I Sel.Ctee Report "Building Confidence In Electronic
Commerce: The Government's Proposals"

26 May 1999	Cabinet Office Performance and Innovation Unit Report,
"Encryption and Law Enforcement"

22 Jun 1999	Home Office Consultation "Interception of Communications
in the United Kingdom"

8 Jul 1999	Conservatives refuse to allow introduction of Bill under
"carry-over" procedure this session

23 Jul 1999	Draft "Electronic Communications Bill" published

3. References
 Cryptography and Democracy: Dilemmas of Freedom, a paper by Caspar
Bowden, and Yaman Akdeniz, in Liberty eds., Liberating Cyberspace:
Civil Liberties, Human Rights, and the Internet, London: Pluto Press,
1999, 81-125 - http://www.fipr.org/publications/cryptfree.pdf

  "Regulatory intent concerning use of encryption on open networks",
DTI Jun 1996 - http://www.dti.gov.uk/cii/ENCRYPT/regpap1.htm

 "Building Confidence In Electronic Commerce: The Government's
Proposals", Trade and Industry Select Committee Report May 1999 -
/cmtrd ind/187/18702.htm

 "Encryption and Law Enforcement", Performance and Innovation Unit
Report, Cabinet Office, May 1999 -

 "Building Confidence In Electronic Commerce", DTI Consultation,
March 1999 - http://www.dti.gov.uk/cii/elec/elec_com.html

 "Interception of Communications in the United Kingdom", Home Office
Consultation June 1999 - http://www.homeoffice.gov.uk/oicd/ioca.pdf

 "Licensing of Trusted Third Parties for the Provision of Encryption
Services",  DTI Consultation March 1997

 "Secure Electronic Commerce", DTI Statement April 1998 -

 STAND Website http://www.stand.org.uk/

-- ends --