11 January 2000


From: "Caspar Bowden" <cb@fipr.org>
To: "Ukcrypto (E-mail)" <ukcrypto@maillist.ox.ac.uk>
Cc: "FIPR News Archive (E-mail)" <news_archive@fipr.org>
Subject: VNUnet 11/1/00: "Encryption bill gets go-ahead for January"
Date: Wed, 12 Jan 2000 00:41:31 -0000

http://www.vnu.net/News/105202

Policy; Dan Sabbagh  [11 Jan 2000]

Encryption bill gets go-ahead for January

The Government will introduce a long-awaited bill to regulate encryption and introduce wire tapping for the Internet later this month, ignoring further consultation pleas from internet service providers.

As revealed in vnunet.com in November, the Government refused to have a period of consultation with Internet Service Providers despite the fact that they argued several issues remained unclear and that informal meetings were not enough to solve them.

The bill, dubbed the Regulation of Investigatory Powers bill, was announced in November's Queen's Speech - the government's annual legislative programme. It includes long-standing proposals to insist on the decryption of encrypted data on demand by police, formerly in the electronic commerce bill, plus plans to update phone tapping legislation.

However, industry sources expressed concern that the Government was moving too hastily in an area which could land Internet Service Providers, network owners and even network users with higher costs. The bill will be introduced straight into parliament.

Richard Clayton, Internet expert at Demon Internet, said: "I'm disappointed that there isn't going to be another round of consultation. So far the issues have been misunderstood. Let's hope we see a wonderful bill with no flaws in it."

He estimated that the email tapping plans could add between 10 and 15 per cent to its network running costs.

Expert legal opinion has warned that the decryption proposals will contravene human rights legislation, placing network managers implementing police requests to decode data in a difficult position.

Charles Clarke, Home Office minister, said: "The bill will be laid before the House in January," but he did not specify a date. He added that he was "keen for dialogue" but revealed little of the bill's details, saying: "You'll have to decide whether it's surprising."

He admitted however that the Home Office had been in detailed discussions about general technical developments with a range of large suppliers, including BT, Vodafone, Intel and Cisco.

Caspar Bowden, director of the Foundation for Information Policy Research, said: "I'm not in the least reassured to hear there'll be no further consultation." He added that it appeared large suppliers had greater access to the Home Office's thinking.

Clarke said he hoped the bill would become law by July.


From: "Caspar Bowden" <cb@fipr.org>
To: "Ukcrypto (E-mail)" <ukcrypto@maillist.ox.ac.uk>
Cc: "FIPR News Archive (E-mail)" <news_archive@fipr.org>
Subject: FT 11/1/00:"LAW: Ministers rush through e-mail rights"
Date: Tue, 11 Jan 2000 11:51:04 -0000

Financial Times 11/1/2000

LAW: Ministers rush through e-mail rights

By Jean Eaglesham, Legal Correspondent

The government has admitted it is being forced to rush through controversial powers to unscramble encoded e-mail because of fears that its existing bugging and tapping powers could breach human rights.

The admission is likely to prove embarrassing for the government, which has set great store by its decision to incorporate the European Convention on Human Rights into UK law this October. The showpiece human rights legislation is likely to raise difficulties for the Home Office, not least in relation to its proposals for decrypting electronic data.

Charles Clarke, a Home Office minister, admitted yesterday that concerns had been raised about the cost and the human rights implications of the proposed powers. But he said that delaying the legislation - known as the regulation of investigatory powers (RIP) bill - to allow further consultation could have "serious knock on effects" for enforcement agencies.

Mr Clarke said the government could not hold a further round of open consultation on the bill, which will be published later this month, because of the time pressures it was under.

"The Human Rights Act becomes law on October 1 and we have to ensure all agencies are complying at that point. We have to get this (RIP) bill through parliament, ideally by the end of July," Mr Clarke added.

This rationale is unlikely to convince civil liberties and research organisations, which warned in October that the proposals - then part of the electronic communications bill - were likely to breach human rights on several counts.

Mr Clarke said the government was confident the published RIP bill would comply with the new rights act.

Critics of the government's approach to regulating e-commerce believe it has squandered time because of its initial reluctance to reverse policy decisions. While it has performed several U-turns, particularly on "key escrow" - the requirement that decryption keys be lodged with third parties - the progress of the legislation has been very slow.

"It's a bit rich of them to say it's got to be on the statute book by October. The view we take is it's their own fault for wasting two years on key escrow and not listening to objections earlier," said Caspar Bowden, director of the Foundation for Information Policy Research. "There is a real danger without further consultation they will make a hash of the legislation," Mr Bowden added.

The industry has also raised concerns about the proposals, particularly over their cost. "If the government wants to do the interception, are they going to pay for it?" asked Nick Landsman, secretary general of the Internet Service Providers Association.

Mr Clarke said the government was taking the costs issue "very seriously".


From: "Caspar Bowden" <cb@fipr.org>
To: "Ukcrypto (E-mail)" <ukcrypto@maillist.ox.ac.uk>
Subject: FT 21/12/99: "Decrypt with care"
Date: Tue, 11 Jan 2000 11:50:16 -0000

Financial Times 21/12/99

Caspar Bowden - Decrypt with care

Cryptography is routinely used to keep credit card numbers safe during electronic transactions, and to scramble confidential e-mails so only the intended receiver can read them. It is a basic tool against computer hackers.

The need for electronic security in transactions over the internet is forcing radical policy changes on government. But in seeking to combat crime, there is a real danger that the Home Office will assume new powers so draconian that they could wreck confidence in British e-commerce.

When the electronic communications bill finally arrived in parliament last month, it did not include provision for mandatory "key-escrow" - the blanket requirement to deposit spare keys to all stored or transmitted data with the authorities.

It appeared that Whitehall had heeded warnings that unilateral controls would drive e-business offshore. However, the controversial clauses may soon reappear in the Home Office's regulation of investigatory powers (RIP) bill.

Under the proposed law, failure to decrypt data on demand would carry a presumption of guilt that the key was being wilfully withheld, with obvious dangers that innocent persons could be falsely implicated or intimidated. The defence in court must somehow prove that the accused does not have a key.

How can this be done? A key may be irreplaceably lost or forgotten, so there is no analogy to existing laws that require production of a DNA sample or a driving licence. Even a person not suspected of a crime could go to jail for two years if he could not decrypt data required in an investigation. More worrying, a discretionary gagging order could prevent him complaining publicly, with a penalty of five years' imprisonment.

It is a principle of British justice that an accused person is presumed innocent until proven guilty. But the detailed legal opinion of two experts on the European Convention on Human Rights, obtained by the Foundation for Information Policy Research, suggests that the decryption powers would "have the inevitable consequence of compromising the affected individual's whole security and privacy apparatus" and would be likely to contravene Article 8 of the European Convention, on respect for private life.

The legal experts also found a likely violation of Article 6, on the right to a fair trial. Provisions requiring a suspect to turn over a key violate the right not to incriminate oneself, also protected under Article 6.

Moreover, unless the RIP bill becomes law by October, the proposed Home Office powers would be vulnerable to further challenges under the Human Rights Act.

After wasting two years on key-escrow, the government is under pressure to give law enforcement agencies new powers to police the internet. The danger is that it will legislate in haste.

Meanwhile, the scope for surveillance is growing rapidly. Under the RIP bill, internet providers will be required to install tapping equipment, but that is of little use if the traffic is encrypted. The only recourse for law enforcement then will be a great deal more bugging - to replace and to supplement digital interception, and obtain keys through covert means. Prima facie, the rules for bugging should therefore be at least as rigorous as for tapping, but they are not. Jack Straw, the home secretary, supposedly scrutinises tapping warrants, but search warrants are issued by judges or the police, and bugging is authorised by senior police officers.

Lord Nolan, as interception of communications commissioner, makes spot-checks on interception paperwork, but has no technical staff and depends on the police or spy agencies to tell him what is happening.

The efficacy of current safeguards is already dubious, and almost certainly insufficient to cope with the bewildering complexities of internet surveillance.

Powerful new techniques will be used to analyse patterns in web sites visited and e-mail contacts, and flag suspicious associations in traffic logs that record the activity of the innocent and guilty alike. But incredibly, policymaking on encryption, tapping and bugging is still not joined up.

The government risks starting an arms race that it cannot win. The very existence of encrypted data can be camouflaged, rather like hiding pebbles on a beach. It is futile to demand the key to a locked safe if the existence of the safe can be plausibly denied. Oppressive decryption laws will accelerate the take-up of such "steganographic" software, free prototypes of which already abound on the internet.

Two years ago at a G8 summit, Jack Straw said 21st century crime could not be fought with 19th century laws. The proposed decryption powers have more in common with the notorious Court of Star Chamber. Modernising the authorisation of surveillance must be accompanied by effective technical and legal safeguards.