FITUG e.V.

Förderverein Informationstechnik und Gesellschaft

FIPR News Release: RIP BILL LEAVES SEIZED KEYS VULNERABLE



------- Forwarded message follows -------
From:           	"Caspar Bowden" <cb@fipr.org>
To:             	"Ukcrypto \(E-mail\)" <ukcrypto@maillist.ox.ac.uk>
Subject:        	FIPR News Release: RIP BILL LEAVES SEIZED KEYS VULNERABLE
Date sent:      	Mon, 28 Feb 2000 16:34:10 -0000
Send reply to:  	ukcrypto@maillist.ox.ac.uk

IF YOU ARE WAITING FOR FIPR's FULL R.I.P. ANALYSIS + DRAFT AMENDMENTS - PLEASE BE PATIENT, IT'S IN THE WORKS

NEWS RELEASE
Mon 28th Feb 2000
FOR IMMEDIATE USE

Contact: Caspar Bowden, director of FIPR
+44 (0)171 354 2333
cb@fipr.org

RIP BILL LEAVES SEIZED KEYS VULNERABLE
======================================

The Government has not considered the problems and costs of handling decryption keys when it takes new powers to seize them, says a nine-page report (http://www.fipr.org/rip/RIPGAKBG.pdf) released today by the influential Internet policy think-tank the Foundation for Information Policy Research (FIPR). If the keys were disclosed, or even stolen from the authorities that had seized them, then this could result in extreme risks to physical safety and financial security. The new powers are in the controversial Regulation of Investigatory Powers (RIP) Bill that receives its second reading in the Commons on March 6th.

The report analyses the Government's proposals for safeguarding seized keys, finding that they take no account of the technical security measures used by government to protect their own keys, and make no provision whatsoever for keys seized under RIP to enjoy comparable levels of protection. Hundreds of public authorities are able to demand keys (set out over five pages in Schedule.1), but none are required to take concrete security precautions on behalf of those who are forced to reveal their keys - whether suspect or innocent parties in an investigation.

The report concludes that the necessary protection measures will be very costly to implement and are hence likely to place a very high burden on UK taxpayers if the interests of the owners of seized keys are to be fully respected. It concludes that there is a danger that the costs of such measures will not be met and in consequence those who have their keys seized will sometimes face extreme risks to their safety and security.

Caspar Bowden, director of FIPR, said "either the Home Office has completely overlooked the issue of technical security for keys seized by a multitude of public authorities, or Parliament is being hopelessly misled about the costs of implementation. When mandatory escrow was proposed three years ago, the DTI judged then that a 'central repository' would be needed to receive and guard keys" (para.71 - 'Licensing of TTPs for the Provision of Encryption Services', DTI 1997.)

Nicholas Bohm, a solicitor and member of the Law Society's Electronic Commerce Working Party, commented "the government evidently thinks that it will be satisfactory for anyone with a seized key, from a policeman to a trading standards officer, to lock a floppy disk away in the top drawer of their desk".

Dr Brian Gladman, the report's author, commented, "the government knows the importance of protecting keys and yet it has chosen to keep Parliament in the dark; it is hard not to conclude that this is a desperate attempt to prevent an unworkable policy from collapsing under the weight of its own incompetence."

Notes for editors
-----------------

1. Clause 51 of the Bill, which is intended to provide key custody safeguards, contains no provision requiring adequate technical security precautions, and the Regulatory Impact Assessment provided by the Home Office (http://www.homeoffice.gov.uk/oicd/riapt3.htm) merely states that "providing actual figures on compliance costs is difficult at this stage".

2. The report's author is FIPR Advisory Council member Brian Gladman, an internationally recognised leader in the field of information security who has more than 25 years of experience in the UK Ministry of Defence and NATO in the technologies and techniques required to build computer systems in which safety and security are critical requirements.

3. FIPR is an independent non-profit organisation that studies the interaction between information technology and society, with special reference to the Internet; we do not (directly or indirectly) represent the interests of any trade-group. Our goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe. The Board of Trustees and Advisory Council (http://www.fipr.org/trac.html) comprise some of the leading experts in the UK.

------- End of forwarded message -------
