Förderverein Informationstechnik und Gesellschaft
26 May 1999. Thanks to CB/FIPR.
NEWS RELEASE : FOUNDATION FOR INFORMATION POLICY RESEARCH ========================================================= (Notes for Editors, background information on www.fipr.org)
FOR IMMEDIATE USE 26/5/99
The Cabinet Office Task Force on Encryption and Law Enforcement has published its report at:
Caspar Bowden, director of the Foundation for Information Policy Research (www.fipr.org) agreed with the report's conclusion that "key escrow as a condition of licensing would not deliver to law enforcement agencies even a reasonable amount of assured access to decrypted communications."
Bowden said "it is a very thorough analysis, which clearly demonstrates why public-key cryptography requires a new approach to interception and law enforcement. The joint Government and Industry forum should be balanced by independent civil liberties representatives, to consider how new Internet policing methods may require new forms of oversight and safeguards. For example, putting the onus on a person to prove that they DO NOT possess a decryption key could lead to miscarriages of justice."
Official Summary of PIU report ============================== "Developments in encryption technology, products and services carry significant benefits in increasing consumers' levels of trust in the Internet, and particularly in e-commerce. However, they also give rise to a number of challenges for law enforcement, where it will become more difficult to derive intelligence from lawfully intercepted communications and retrieved data. This report considers the Government's response to the issues of encryption, e-commerce and law enforcement. The report is framed by two key objectives for the Government:
*) to make the UK the best environment in the world in which to trade electronically; and
*) to ensure that the UK remains a safe country in which to live and work.
The task force concluded that no single technique or system was likely to be enough to sustain law enforcement capabilities in the face of rising use of encryption by criminals. This being the case, a package of measures was needed to mitigate the consequences as set out below.
The voluntary licensing of providers of encryption services, proposed in the recent DTI consultation document on the forthcoming Electronic Commerce Bill, will help improve consumers' confidence and therefore support the development of e-commerce in the UK. However, these licensed providers should not be required to retain 'decryption keys' or to deposit them with third parties (i.e. no mandatory 'key escrow'). Whilst the introduction of a mandatory link between licensed providers of services and key escrow would provide the best technical solution to many of the problems caused by encryption, in practice it would not support achievement of both of the Government's objectives.
The Government should adopt a new approach based on co-operation with industry to balance the aim of giving the UK the world's best environment for e-commerce with the needs of law enforcement. There is no 'silver bullet' policy that guarantees that the development of encryption will not affect law enforcement capabilities.
*) A new Government/industry joint forum should be established to discuss the development of encryption technologies and to ensure that the needs of law enforcement agencies are taken into account by the market. This new co-operation should also be promoted at the international level. The forum should consist of a high-level group to discuss policy issues and be supported by specialist technical and legal groups.
*) A new Technical Assistance Centre should be established, operating on a 24-hour basis, to help law enforcement agencies derive intelligence from lawfully intercepted encrypted communications and lawfully retrieved stored data. The Technical Assistance Centre will also be responsible for gaining access to decryption keys, where they exist, under proper authorisation.
*) The task force welcomes the intention to include in the forthcoming Electronic Commerce Bill provisions to allow lawful access to decryption keys and/or plain text under proper authority. The task force also recommended that further attention should be given in the Bill to placing the onus on the recipient of a disclosure notice to prove to the authorities that the requested keys or plain text are not in his possession, and to state to the best of his knowledge and belief where they are.
*) The UK should encourage the development of an international framework, including a new forum, to deal with the impact of encryption on law enforcement."
-- Caspar Bowden http://www.fipr.org Director, Foundation for Information Policy Research Tel: +44(0)171 354 2333 Fax: +44(0)171 827 6534