10 February 2000


From: "Caspar Bowden" <cb@fipr.org>
To: "Ukcrypto \(E-mail\)" <ukcrypto@maillist.ox.ac.uk>
Subject: Flash Release: UK PUBLISHES "IMPOSSIBLE" DECRYPTION LAW
Date: Thu, 10 Feb 2000 12:14:47 -0000

FLASH - FOR IMMEDIATE USE

FOUNDATION FOR INFORMATION POLICY RESEARCH (www.fipr.org)

=========================================================

News Release                          Thurs 10th Feb 2000

=========================================================

Contact: Caspar Bowden
     Director of FIPR
+44 (0)171 354 2333
cb@fipr.org

UK PUBLISHES "IMPOSSIBLE" DECRYPTION LAW

Today Britain became the only country in the world to publish a law which could imprison users of encryption technology for forgetting or losing their keys. The Home Office's "REGULATION OF INVESTIGATORY POWERS" (RIP) bill has been introduced in Parliament: it regulates the use of informers, requires Internet Service Providers to maintain "reasonable interception capabilities", and contains powers to compel decryption under complex interlocking schemes of authorisation.

Caspar Bowden, director of Internet policy think-tank FIPR said, "this law could make a criminal out of anyone who uses encryption to protect their privacy on the Internet."

"The DTI jettisoned decryption powers from its e-Communications Bill last year because it did not believe that a law which presumes someone guilty unless they can prove themselves innocent was compatible with the Human Rights Act. The corpse of a law laid to rest by Stephen Byers has been stitched back up and jolted into life by Jack Straw."

Decryption Powers: Comparison with Part.III of Draft E-Comms Bill (July 99)

The Home Office have made limited changes that amount to window-dressing, but the essential human rights issue remains:

(Clause 46): authorities must have "reasonable grounds to believe" the key is in possession of a person (previously it had to "appear" to authorities that person had a key). This replaces a subjective test with one requiring objective evidence, but leaves unaffected the presumption of guilt if reasonable grounds exist.

(Clause 49): to prove non-compliance with notice to decrypt, the prosecution must prove person "has or has had" possession of the key. This satisfies the objection to the case where a person may never have had possession of the key ("encrypted e-mail out of the blue"), but leaves unchanged the essential reverse-burden-of-proof for someone who has forgotten or irreplaceably lost a key. It is logically impossible for the defence to show this reliably.

HUMAN RIGHT CHALLENGE "INEVITABLE"

As part of the consultation on the draft proposals last year FIPR and JUSTICE jointly obtained a Legal Opinion from leading human rights experts (http://www.fipr.org/ecomm99/pr.html) which found that requiring the defence to prove that they do not possess a key was a likely breach of the European Convention of Human Rights.

Mr. Bowden commented, "following the recent liberalisation of US export laws, as tens of thousands of ordinary computer users start to use encryption, a test-case looks inevitable after the Human Rights Act comes into force in October."

R.I.P. RESURRECTS KEY ESCROW BY INTIMIDATION?

Bowden said: "after trying and failing to push through mandatory key-escrow, then voluntary key-escrow, it now looks like the government is resorting to key-escrow through intimidation."

Notes for editors

1. Detailed analysis of the bill will be available on the FIPR website (www.fipr.org) later today.

2. FIPR is an independent non-profit organisation that studies the interaction between information technology and society, with special reference to the Internet; we do not (directly or indirectly) represent the interests of any trade-group. Our goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe. The Board of Trustees and Advisory Council (http://www.fipr.org/trac.html) comprise some of the leading experts in the UK.


From: "Caspar Bowden" <cb@fipr.org>
To: "Ukcrypto \(E-mail\)" <ukcrypto@maillist.ox.ac.uk>
Subject: BBC Online 10/2/2000: "UK publishes 'impossible' decryption law" (13:29)
Date: Thu, 10 Feb 2000 14:13:19 -0000

http://news.bbc.co.uk/hi/english/sci/tech/newsid_638000/638041.stm

UK publishes 'impossible' decryption law

At issue is the burden of proof

The UK Government came under fire on Thursday from the internet community after it published a Bill to regulate covert surveillance. The critics say the legislation, if passed, could lead to innocent people being sent to jail simply because they have lost their data encryption codes.

The Regulation of Investigatory Powers Bill covers the monitoring and the interception of communications by law enforcement and security agencies. It will, for example, lay down the legal rules that must be followed by the police and security services when they tap someone's phone.

But it also regulates the authorities' access to the codes that encrypt data sent over the net. The Home Office is deeply concerned that criminals, such as paedophiles, will use encryption to hide their activities.

And, as a result, the Bill proposes that the police or the security services should have the power to force someone to hand over decryption keys or the plain text of specified materials, such as e-mails, and jail those who refuse.

The government believes it has built sufficient safeguards into the legislation. But Caspar Bowden, from the Foundation for Information Policy Research, said the law as drafted was "impossible" and accused the government of ignoring all the advice and lobbying it had received from the net community over the past year.

Net privacy

At issue is the burden of proof. Critics of the legislation say someone might go to jail unless they could prove they did not have a requested key - an impossible defence for someone who has lost the software code.

"This law could make a criminal out of anyone who uses encryption to protect their privacy on the internet," Mr Bowden said.

"The Department of Trade and Industry jettisoned decryption powers from its e-Communications Bill last year because it did not believe that a law which presumes someone guilty unless they can prove themselves innocent was compatible with the Human Rights Act.

"But the corpse of a law laid to rest by Trade Secretary Stephen Byers has been stitched back up and jolted into life by Home Secretary Jack Straw."

Under the new legislation, the police would have to have "reasonable grounds to believe" a key was in the possession of someone carrying out suspected illegal activity. Previous attempts to draft the legislation had only used the word "appear".

Human rights

Caspar Bowden said the change merely replaced a subjective test with one requiring objective evidence. And it still left in place the presumption of guilt with only those who had innocently received a suspect e-mail able to mount a successful defence.

"It's clear we are heading for the courts with a human rights test case," Mr Bowden told BBC News Online. "The legislation could be amended, but it's obvious the government is not going to take that course."

However, the Home Secretary, Jack Straw, is clearly confident about the legal advice he has received.

"The Human Rights Act and rapid change in technology are the twin drivers of the new Bill," he said on publication of the Bill.

"None of the law enforcement activities specified in the Bill is new. Covert surveillance by police and other law enforcement officers is as old as policing itself; so too is the use of informants, agents, and undercover officers.

"What is new is that for the first time the use of these techniques will be properly regulated by law, and externally supervised, not least to ensure that law enforcement operations are consistent with the duties imposed on public authorities by the European Convention on Human Rights and the Human Rights Act."