FITUG e.V. Förderverein Informationstechnik und Gesellschaft

TechWeb 10/2/2000: "E-Spying Bill Called 'Escrow By

------- Forwarded Message Follows -------
From:          "Caspar Bowden" <cb@fipr.org>
To:            "Ukcrypto \(E-mail\)" <ukcrypto@maillist.ox.ac.uk>
Subject:       TechWeb 10/2/2000: "E-Spying Bill Called 'Escrow By Intimidation'"
Date:          Fri, 11 Feb 2000 10:56:48 -0000
Importance:    Normal
Reply-to:      ukcrypto@maillist.ox.ac.uk

http://www.techweb.com/wire/story/TWB20000210S0005
E-Spying Bill Called 'Escrow By Intimidation'
(02/10/00, 12:58 p.m. ET) By Madeleine Acey, TechWeb

The British government published a bill Thursday to update law
enforcement's interception powers to include communications made via
company networks and ISPs.

The legislation was immediately slammed as threatening human rights
and labelled "key escrow through intimidation" by Internet think tank
the Foundation For Information Policy Research (FIPR). Key escrow is a
failed policy by which users of encryption software lodge copies of
security keys with third parties approved by government.

"This law could make a criminal out of anyone who uses encryption to
protect their privacy on the Internet," said FIPR director Caspar
Bowden.

Following the recent liberalization of U.S. encryption software export
laws, as tens of thousands of ordinary computer users start to use
encryption, a test case looks inevitable.

Requiring someone to prove they did not possess a key would likely be
a breach of the European Convention of Human Rights, FIPR and civil
rights group Justice concluded.

"The DTI [Department of Trade and Industry] jettisoned decryption
powers from its E-communications Bill last year because it did not
believe that a law which presumes someone guilty unless they can prove
themselves innocent was compatible with the Human Rights Act," Bowden
said. "The corpse of a law laid to rest by [trade secretary] Stephen
Byers has been stitched back up and jolted into life by [home
secretary] Jack Straw."

Straw insisted the Regulation of Investigatory Powers Bill ensure
citizens' privacy and comply with the European Court on Human Rights.

He said the interception methods of the past "sometimes led to serious
miscarriages of justice" and that the bill would more closely regulate
law enforcement and security agencies' activities.

Straw added that interception of telecommunications was only
legislated for in 1985.

"There was only one completely dominant [telecom] provider and only
landlines," he said. "No pagers, no mobiles, no e-mail, no Internet,
no encryption. The change in the telecom landscape in less than a
generation has been revolutionary. We have to ensure that the
legislation keeps pace."

Straw said interception played a vital role in the fight against
terrorists and encryption "can be misused to devastating effect by
criminals, not least in attempts by pedophiles to conceal their
activities on the Internet." However, in submissions to the DTI last
year, IT industry figures -- used as expert witnesses by law
enforcement -- said encryption had never thwarted police attempts to
crack encrypted files, and in some cases, the accused had handed keys
over voluntarily.

When asked at the time, security and police agencies, including the
FBI, were unable to show any case where encryption had been a barrier
to convicting a criminal.

FIPR's Bowden said the Bill incorporated some changes to draft
legislation to address previous criticisms. But, he said this was mere
"window dressing".

"To prove noncompliance with a notice to decrypt, the prosecution must
prove a person 'has or has had' the key," Bowden said. "This satisfies
the objection to the case where a person may never have had the key
but leaves unchanged the essential reverse-burden of proof for someone
who has forgotten or irreplaceably lost a key."