Consultation and Contemplation -- What Has Gone Before

Gus Hosein

Summary Report of Available Responses to the Department of Trade and Industry's proposal on the Licensing of Trusted Third Parties for the Provision of Encryption Services

Published in the Electronic Privacy Information Center's 1998 Sourcebook on Cryptography and Privacy.

1.0 Overview

This document brings together a collection of ideas that have been presented to DTI during its consultation phase on the licensing of trusted third parties. The ideas were presented as formal responses to the proposal from the UK Government, from various organisations, companies, and individuals.

It is clear there are now more questions than ever about the provision of encryption services. Why does government want to control encryption? Why is government involved? What does the market cater for on its own? What is the form of this new organisation, this trusted third party? In what sense is it trusted? These questions are not obscuring our vision, but are instead illuminating the discussion.

The purpose of this document is to re-introduce the areas of concern of various groups and individuals within the UK and to remind us of what has gone before the government as it was formulating its policy, to prepare for the next stage of the policy development process. This document was prepared by the Technology Policy Research Group at the London School of Economics, which is continuing its efforts to ensure a clear and open policy development process; as this document makes clear, there are a great deal of unanswered questions, and there are even greater issues that have not even been considered.

As we prepare for the release of the latest policy from the government, and await the developments in other countries within the EU and abroad, it as though as we are preparing for a storm. While we are preparing for the storm, some choose to fortify walls. At the Technology Policy Research Group, we are instead choosing to understand the wind.

DISCLAIMER: The opinions that are presented within this paper are the author's alone while the ideas are those offerred by the various respondents to the consultation exercise.

2.0 Introduction

In 1997 the UK Department of Trade and Industry released for public consultation a proposal on the licensing of Trusted Third Parties. It followed a previous report released in June of 1996 titled Paper On Regulatory Intent Concerning Use Of Encryption On Public Networks. Both documents acknowledge the growing information infrastructure, and the apparent need for securing it for the benefit of industry, government, and the public. This act of securing the network entails the use of cryptography, which is to be implemented while considering the needs of law enforcement and national security.

The consultation paper caused a great deal of discussion, and was responded to by various groups, organisations, companies, and individuals. This paper attempts to bring together a collection of these responses, particularly the responses that were made available on public networks. This is a collection of over twenty responses; however it is acknowledged that this is not necessarily a balanced summary. The submitted documents number far higher than the responses available at the above-mentioned site, while the site is limited to the documents that were made available for public consumption immediately without request. Thus, this document is not to be considered as the complete summary report that is available to the Members of Parliament, but instead as a significant sample selection of the ideas and beliefs that exist within industry, groups, and the public. Moreover, this document aims to enhance the current process through making available a collection of some astute observations and insightful ideas that are presented to the DTI in the responses. It is the hope of the author of this report that the DTI and associated institutions will hear and listen to what has gone before.

This report is divided into three sections. The first discusses the responses and proposals on the nature of the trusted third party. Issues range from the centralised or decentralised topology of the scheme, the varying definitions of the trusted third party, and even the questioning of the need for such an entity. The second section relates to the idea of the UK Government dictating a licensing scheme, as opposed to allowing the market to produce its own solution. Regulation of a national scheme is questioned, followed by discussion of the Organisation for Economic Co-operation and Development guidelines concluding with the issue of cost and risk. The final section illuminates the issues related to government access to keys. Inevitably, much debate arises from this requirement. A delicate balance is needed between the requirements of law enforcement and the needs of the individual. The appendix includes a collection of the Questions and Answers to the consultation document, which complement and are additional to this effort.

These sections are not mere parts of the whole. They are the foundations upon which the acceptance and even success of any government policy in technology lie. As governments around the world move toward policies, they need to understand their need, cause, repercussions and consequences. Within this document, some of these lie.

3.0 Nature

The proposal on the licensing of trusted third parties discusses much more than the creation of an entity that is to act as a third party to transactions. The UK Government Consultation document caused the respondents to question three aspects of the nature of the proposed scheme.

The first is the very notion of the trusted third party, i.e. establishing if there is a need for such an institution, what the exact definition of such an institution is and what it should be, while also remarking on the necessity behind licensing and the establishment of liability on these institutions.

The second aspect pertains to the nature of the provided encryption services. The requirement that the encryption services not include the escrowing of the signature key raises doubts in the UK Government intentions toward promoting a single encryption scheme. This results in the discussion that any policy needs to be technology neutral.

Finally, the third aspect is based on the nature of the trust within this third party. The current specifications of the trusted third party places a level of determinism on the structure of the network of third parties, and of the organisations themselves. Whether this is compatible with the structures of trust in the real world remains to be seen.

This chapter's appendix discusses exceptions to the rule.

3.1 Understanding the Party

Is there any need for the Trusted Third Party for the provision of encryption services?

The Consultation Document claims that TTPs will help UK business to take advantage of secure electronic trading (P42). However, requiring decryption keys to reside outside the grasp and responsibility of the owners is deemed questionable [LSEW, BSA, UKNF, Leech]. The resultant security risk is considered too high for UK businesses, as it offers the capacity to decrypt information to others outside the control of the sender and intended receiver [LSEW]. The proposals will thus develop a system and network of parties that few individuals or businesses will choose to use; this will result in crippling the very market that the proposals are trying to develop [BSA]. Individuals and businesses will not use a system that they do not trust, and in doing so they are forgoing security over an insecure network; this will not solve the declared problem.

Furthermore, there has never been an incentive for such a service. The presence of a commercial need for recovery of communication keys has not been verified, while the recovery of storage keys can occur using other means [Leech]. In fact, the disguising of government access to keys as commercial key recovery is misleading. Escrow is where a third party holds the key for release to an authority specifically for the interception of communications, thus requiring the confidentiality key, while recovery is about adequate backup. This backup does not necessarily imply the escrow of keys with a third party [BT].

Even the authentication of users, consumers and merchants may be unnecessary. A great majority of transactions do not require such intimacy between the merchant and consumer. Much of the transactions that occur at a distance have been and continue to be done on trust. When the risks involved in this transfer are outrun by the cost, trustworthiness is in fact gauged, with identity disclosure being a mere possibility, or consequence of this measurement [Bohm]. This only outlines further that it is not the identity of the parties that is of importance, but the trustworthiness; one does not necessarily require the other.

Beyond the need for such a system and network, there much controversy over the UK Government definition of the entity and its product.

The Consultation document refers consistently to the provision of encrypted services as a subset or the whole of the following collection: key management, key recovery, key certification, key storage, message integrity (through digital signatures), key generation, time stamping, key revocation services; which offered in a manner which allows a client to determine a choice of cryptographic key or allows the client a choice of recipient(s) (P74). This definition is viewed as defective for a variety of reasons [UKNF, Bell, BSA, CBI, EURIM, BT, Lindsey].

Most current encryption products could be subject to the mandatory licensing requirement; even a simple e-mail product that contains any encryption capability or functionality could be subject to the definition because they may permit a client to determine a choice of recipients [BSA]. This will result in the criminality of companies that sell products that have such encryption products while they are not licensed; to protect themselves, these companies will either leave the UK market or be forced into the licensing scheme [BSA]. Even the secure transport of Internet packets, which will soon be part of the basic service provided by the operating system (as with the work under the Internet Engineering Task Force's IPSEC working group) would be in contravention of the licensing requirement [HP].

Hewlett-Packard illustrates this further in an intricate and powerful model of what occurs in a transaction between two computers over the Internet. It shows that the core activity of a single commercial organisation is not currently, nor is likely to be the provision of encryption services as represented in the consultation paper. The end users, rather, combine products of multiple commercial organisations in achieving the secured communication, including the application software, library components, operating system services, telecommunications providers, Internet access providers, intermediate providers, and this is reciprocated by the other communicator. The DTI proposal is far from sufficient as it considers a single entity [HP].

"The ambiguity in the definition of keys needs to be resolved."

The ambiguity in the definition of keys needs to be resolved. The use of encryption for confidentiality services or authentication services is often confused for being one and the same, and this in part explains the magnitude of the criticism to the DTI paper [Leech]. In practice, authentication and confidentiality services may be divided, to the point where a trusted third party that provides authentication services only may be licensed, but does not necessarily require the same conditions as with the confidentiality service [Bell, Leech, DPR]. In fact, there are many different uses of cryptography and types of services that can be offered, and any future policy proposal will need to acknowledge a varying regulation between them [CBI]. This is particularly important to industry, where companies are more concerned with authentication, non-repudiation and proof of origin; this does not require such regulation [EURIM].

This is further accentuated through the confusion between a trusted third party and the role of a Certification Authority. A certification authority may not need to provide encryption services, but it is still a trusted third party; trusted to perform its task of binding signature keys to identities by issuing digital certificates [BT]. The Certification Authority does not need or want to handle the user's private key, and in this sense does not provide an encryption service [HP].

There are missing issues, such as the idea of services carried out on behalf of a user (generation, issue, revocation, storage, etc.), services carried out in support of the infrastructure (such as the certification between Certification Authorities), and other security related services that may make use of cryptography (such as time stamping or secure information storage) which should not fall under such restrictive controls [CBI].

UCISA notes the problem with the definition of public as stated in P74 as being any natural or legal person in the UK, as it loses any sense of an offering made generally and open to all. UCISA notes that under this definition, a mother giving her daughter a cryptography program would be considered to be offering it to the public; while this may be a mere draft shortcoming, it requires clarification. This is of particular interest to UCISA, who offers services to Higher Education institutions; licensing would be costly, onerous and counterproductive.

3.2 Understanding the Encryption Service

Beyond the difficulty in the definition of encryption services, their very nature leads to uncertainty, or perhaps on the other hand, to hard determinism.

Throughout the consultation period, due to ambiguity within the Proposal, the escrow of keys for the use of signatures accounted for a significant part of the prevailing uncertainty. The inevitable question is: will signature keys have to be escrowed? Of the responses that explicitly questioned this, the overwhelming view is that it is not necessary [R-Cube, Brazier, HP].

The necessity of a backup of a signature key can not be justified for the incurred risk. There will not be any user demand for such recovery since if a signature key is lost, it requires only a generation of another; there is never any reason to require recovery of the old private key [R-Cube]. And the risk is significant. The escrowing of the signature key immediately compromises it, as a third party could forge untraceably any transaction with that client's signing key [Brazier]. However, this escrowing of signature keys will occur in a roundabout way.

The question itself, and the proposed answer from the DTI, reflect a level of absurdity. While the risk and the needs of the government and public do not necessitate the recovery of signature keys, users will not need to escrow their signature keys. This solution hinges on a fatal flaw: a significant amount of the common encryption schemes that are in use utilise the same key for signing and confidentiality. This attempt to divide between the signing key and confidentiality key becomes futile. Worse yet, it becomes an acceptable method of escrowing signature keys in the name of law enforcement.

The mathematics does not support such a distinction. There are a number of using an authentication-only scheme to secure with confidence against even lawful interception. There are many options, including using a CA signed signature verification key directly as an encryption key to the RSA algorithm since the two large integers bear exactly the same relationship regardless of their intended use; using a certified authentication key pair to sign a certificate for a freshly created, locally stored, new public key; signing PGP keys with public key certificates; within the Authenticated Diffie-Hellman key-agreement protocol, using the certified authentication key to sign the initial setup messages. [HP]

"To have a proposal dictate a particular technology, particularly enshrined in current means and feats, is unacceptable."

The hole that is left open with this discrepancy is that the UK Government proposal is dictating technology enshrined in current means and feats. This is unacceptable [CBI, Anderson, Intel]. The signature and confidentiality private key distinction does not exist in RSA, and others responded that it would be possible to sign confidentiality keys without escrowing them; the proposed scheme can not work. This would make the use of PGP, which implements the RSA scheme, questionable, despite the fact that it is the de facto standard, because of the uncertainty that would arise that the signature key would have to be escrowed [Anderson]. The solution to this predicament is to mandate a scheme that uses separate signature and confidentiality keys; it is assumed that this requirement corresponds to the use of the Royal Holloway scheme [CBI].

The Royal Holloway CASM protocol is also alluded to through the requirement that the third party allow access to both incoming and outgoing traffic. Other systems that provide this functionality are limited [Anderson]. It is noted, however, that this scheme, while it is strongly favoured by the UK Government, it does not have the support of the industry [Leech]. Moreover, its applicability to commercial and individual needs is dubious; consumers, merchants, and businesses will not accept a scheme that is fundamentally different from those to which they are accustomed [Leech]. The fundamental requirement of the business relationship between a user or merchant with the third party is that the user/merchant expects the third party to protect them from any errors produced by any other third parties. Within the Royal Holloway scheme this will not be possible, as one third party will not know if the other TP discloses private keys improperly. A third party is thus unable to provide protection to its clients if neither third party is able of ascertaining if there has been an unauthorised key disclosure [Leech]. Movement continuing in this direction towards legislation promoting such a specific approach will enshrine current technology and restrict innovative schemes [Intel].

To demonstrate a manner in which businesses must conduct themselves is one thing, but changing the nature of the relationships of businesses due to the need to dictate a specific technology, enforced by the needs of government while government tries to control the amount of power it has over signature keys in order to gain acceptance of the proposals, produces an unstable, non-robust, mis-implemented feedback system of decision making.

3.3 Understanding Trust

The lack of technology neutrality, amongst other factors, leads to an uncertainty in the distributed nature of the third party infrastructure. In turn, this uncertainty places a further uncertainty into whether or not the UK Government understands the trust structures that are required for this infrastructure to be deemed trusted.

The proposal alludes to a highly centralised infrastructure in many respects [Hyperion, Anderson, Hansen, Lindsey, BT, Leech]. As the definition of encryption services covers a broad and a multitude of components and service providers, the requirement that a licensed TP must offer the full range of services seems to work in conflict. This centralisation is unavoidable if key recovery is the overriding constraint on system design, but has many unpleasant effects on the design of systems to suit real commercial and professional requirements [Anderson].

"The true need is to reflect the trust structures of the real world."

The centralisation of security mechanisms is becoming increasingly difficult in a distributed world. Although the idea of centralised key management may work for government departments, for much of industry, commerce, professional practice, or academia, it is unlikely to be successful [Anderson]. The true need is to reflect the trust structures of the real world. Individuals have multiple trust relationships of varying formats and levels; the complexity of this system can not merely be abstracted and left for a centralised system. People trust who they want to trust, and it is rare that this trust lies safely and comfortably within large centralised organisations such as banks and governments [Hansen, Lindsey].

The proposed internal structure of the organisation, although it does not necessarily have to be a large firm [Leech], and the required isolation of the TP function from other business functions, will be very hard to achieve in practice [BT]. The needs and the impracticalities are further enforced by the reluctance to deposit keys where they can be accessed by a corrupt employee. Large organisations such as banks and credit card companies already have leaks that permit information to be purchased on the black market [Bell]. The privacy mechanisms of organisations even under policies and regulations do not carry much weight after the fact when it is too late, as the AOL case has proven.

Trust is a nebulous, ambiguous, yet key term to the development of new marketplaces, leading to its importance in these discussions. Likewise, trust is embedded in a web of human relationships, and is an estimate by one human being of another's behaviour under certain conditions, from experience of knowing that person. This infers that only individuals, not institutions, can trust [Brazier]. Perhaps the very word should be avoided, if not left out of the term Trusted Third Party, since its ambiguity leads to faulty conclusions. Regardless, the point remains that trust remains at the core of the discussion, because business transactions hinge on trust, particularly when credit, exchange, and quality are being considered. Within the virtual electronic market, these driving forces behind trust are paramount, and assurance needs to be understood before we continue discussing solutions. And while we are considering what actually occurs in the real world, we have all perhaps overstated the need for trust to be hinged on certification of identity. Cryptography can verify that current communications are flowing from the same source as previous ones, without any need for certification; the need for instant certainty about the identity of unknown individuals has been greatly exaggerated [Bohm, R-Cube]. Unlicensed key certification has not proven to be hazardous or dangerous, and electronic commerce does not depend on public confidence in the licensing of these schemes, while it is possible that the risks of systemic failure inherent in a hierarchical system of certification would damage public confidence [Bohm]. This trust is under greater risk of being destroyed under the requirements even for legitimate attempts to secure access to encrypted material for law enforcement needs [BT].

Much more work is needed from the security engineering community before we are able to develop effective and resilient systems as an abstraction of the complex trust relationships that we forge [Anderson]. Legislation in this direction before such a model is understood could prevent the projection of the appropriate informal trust systems into the electronic market [Hyperion]. The necessity of trust, the nature of trust, and the consultation document are not cohesive, and do not together provide any coherence; the entire need for the Trusted Third Party may require more analysis before we even consider regulation. The risk of imposing a regulation too soon has been expressed clearly by Hyperion, drawing on the Red Flag Act and its crippling effect on the British automotive industry: an ill-conceived piece of legislation, imposed at a very early stage in an industry's development, nullifying the very advantage offered by a new technology.

Appendix to Section 3: Closed User Groups and Exclusions

The issue of closed user groups and their exclusion from the licensing proposal may become irrelevant if mandatory licensing is reduced to being voluntary. However, it is possible that it becomes rather important if the idea of voluntary licensing is used as a quiet tool to move the market towards licensed groups. While it was mentioned within Paragraph 48 of the Consultation Document, it does not discuss sufficiently all situations where the granting of certificates does not require intervention, let alone licensing.

To some, it is viewed as being, as stated, quite absurd. A company with offices inside and outside the UK which takes advantage of the intra-company exclusion, could avoid pursuing any licensed TP for external messages to companies and individuals located outside of the UK; this would only require that a company encrypt all e-mails at an office outside of the UK [BSA]. The exclusions expose the weakness of the underlying support for the mandatory scheme. A corporate body such as a company or a university should be able to issue certificates on behalf of its members; as it is currently termed within the consultation document, the closed user group does not include such situations, nor does it acknowledge that a company and its customers form a group, as well as a company and its suppliers. [Lindsey, UCISA].

This ambiguity is causing uncertainty. Others feel this exception should extend to virtual private networking, and business communities [BT, Intel]; they are unsure, however, whether these would fall under intra company TTPs as are described under closed user groups. It would be unacceptable to require licensing in the context of an Extranet trading community, and also in a teleworking environment [TMA].

This exclusion is not only for certification, but also for key recovery. The ABA argues that some with evidentiary privileges under common law, such as attorneys, physicians, and clergy, should be most logically eligible for exemption in order to operate effectively.

4.0 Market

At the heart of the Department of Trade and Industry, and at the heart of the role of legislation and regulation, lies the market. We all have an interest, within the various money markets, financial markets, and particularly with the electronic commerce market, and the market for encryption products and certification authorities. The consultation document proposes regulation, which as its motivation, aims to tamper with the free market, as it promises to protect the market's health to the benefit of the individual and society. This tampering results in a shift of power, which has been question. The shift can have a detrimental effect on the market it is trying to create, and this seems to be a worry amongst many responses.

This section discusses first this idea of the market for the establishment of third parties, as many of the organisations that have responded to the consultation document have an inherent interest in this. The notion of regulation will then be discussed, within the spotlight of the cryptography guidelines from the Organisation for Economic Cooperation and Development. This analysis leads to need for consideration of the international effects of regulation of the UK market. Finally, there is a discussion of the cost and the risk that will be incurred by Trusted Third Parties, and whether this will be enough of an obstacle to stop the market within the UK ever seeing its dawn.

4.1 Establishing a Market

There is a growing interest in the market for the establishment of third parties for electronic commerce. They already exist as banks and credit card companies, but due to electronic commerce, there is a possible revolution occurring. Within this revolution, anyone can have an interest, and many of those who responded do have an interest in either being a third party, or using them. This interest is thus in the establishment of a TP network that is appropriate for electronic commerce, and that is acceptable to the providers and users of the third party services.

This interest will quickly become disinterest if the regulation becomes too intense. The UK is uniquely well placed to take advantage of the emerging world of electronic commerce, but if the licensing proposals do not recognise the way trust is established, then the regulation would cause major problems to UK industry [EURIM]. Regulations on third party arrangements that are not sufficiently acceptable will not be taken up by users or providers, and this will provide a disadvantage for the future growth of electronic commerce in the UK [Leech]. Even the imposition of a particular third party architecture is likely to hinder the growth of the domestic market [BT]. The proposals can be interpreted as placing a substantial regulatory burden on all companies trading electronically, as the consultation document appears to focus on the needs of law enforcement at the expense of the needs of industry and the environment of trust [CBI, HP, BT, Leech, CRCL, BSA]. Intel "strongly believes governments should not limit the use, export and import of strong cryptography products and should not mandate that corporations place their keys in the of hands of government agencies or government-approved entities" [Intel]. It is even considered that the true goal of governments is not to promote electronic networks for commerce, but rather to control them [CRCL]. The proposed legislation will prevent the UK from exploiting its unique advantage as the base for global trusted third party service providers - a major new service industry [EURIM, BT].

The prevailing argument is that the market, not regulation, should decide the services offered by the third party. [BT, CRCL, BSA]. The market needs competition in order to be effective, and not necessarily regulation. In this case, regulation can provide enough disincentives to participate within the market for third parties. The regulatory burden will not create the right environment in which to encourage exploitation of electronic commerce [BT]. While the consultation document mentions that the market will decide if TPs will be used or not within paragraph 42, a true test of the validity of third parties will not occur unless the market is as lightly regulated as possible [Brazier, EURIM].

"We must be careful to not confuse market demand for key recovery products with the demand for third-party key escrow."

The BSA, which represents various companies in the software industry, has particular concerns. Customers have made it clear to BSA members that only in the rarest of instances would they trust their encryption keys to outside third parties. Users have shown little interest, and in some cases, extreme hostility, to turning their encryption keys over to third parties, and the third parties have shown resistance to the administrative burden of private key management. This raises a vital issue: we must be careful not to confuse market demand for key recovery products (used in the case of loss of a key or the departure of an employee) with the demand for third-party key escrow. It is crucial to distinguish between requiring legal access to all communication session keys which the consultation document seems to require, and data storage recovery. Otherwise, the policy is bound to fail.

There is concern that legislation and regulation will prohibit organisations other than banks and telecommunication providers from entering the market [LSEW]. This if furthered by the fact that a number of major commercial service providers will not wait for legislation to be put in place before they develop new network-based services [Leech]; such a risk may only be taken by large players, rather than smaller companies with too much to lose over such an investment. Meanwhile, only a few expensive third parties will exist, limiting user choice [Hyperion].

The role of regulation in markets is often to provide protection for the individual. The DTI promises that this is the reason for licensing the third parties. There are other mechanisms of protection that the user can resort to. Evaluation bodies such as the Consumers' Association, or reviews in specialist magazines, or by demanding indemnity insurance to a suitable level, etc. can be considered as they allow users to evaluate the third parties by their individual criteria [Hyperion]. There is a link, however, between data protection and consumer protection, particularly within the market for third parties. There is a strong parallel between protecting the interests of users of third party services by regulation and protecting the interests of users of other services, such as banking by regulation [DPR]. The need is to provide the criteria for individual decision in the case of users without expertise in the area of third parties, as many will be in the first generation of use. The regulation will provide a baseline standard for third parties; effective and efficient third parties that fulfill their functions in a trustworthy way should promote justifiable confidence in their services and also in those systems and services dependent upon those encryption services.

4.2 The OECD Cryptography Guidelines

The Data Protection Registrar continues from its protection of users to insist that the market should drive the development of cryptographic methods in accordance to the Organisation for Economic Cooperation and Development guidelines for Cryptography Policy. It argues that individuals should be free to use whatever techniques they wish to protect information content and for authentication and validation purposes [DPR, BT]. This is in order to enable Principle 8, which states that governments should remove or avoid creating unjustified obstacles to trade in the name of cryptography policy [BT].

This continues into the debate over law enforcement, where the OECD guidelines mention that policies can cater for law enforcement's need to legally access data - whether stored or in transmission - and encryption keys. However, this is merely an optional guideline, permitting access to either plaintext or keys, but there is no presumption that one method of securing access is preferred over another. The UK Government has clearly and questionably opted for the latter [IT, Intel, Lindsey].

However, the awareness and knowledge of these guidelines seem to be alarmingly low. This may be a criticism of the commercial representation at the talks rather than the OECD itself, but it does limit seriously the value of the guidelines. [Leech].

4.3 The International Dimension

The reasoning behind the OECD and its initiatives in the area of cryptography policy is to enable international markets to develop. The need for coherence within international markets is apparent, since electronic commerce does not recognise national boundaries; international agreement is thus essential [BT]. This is particularly true within the European Single market. It is imperative that any national proposals do not offend the Single Market principle and throw up barriers to restrict the free movement of encryption technologies and trade in encryption products [INTEL]. The licensing of cryptography imported into the UK would force software producers to tailor their products to the licensing criteria, rather than customer and industry demand, further frustrating market needs [ABA, INTEL].

"The proposals do not acknowledge the complex ways in which international business operates."

While the regulation of particular encryption products is ambiguous, the regulation of third parties may provide barriers to trade within international markets. The proposed regulations provide such barriers for the development of third parties for operation internationally, while also limiting non-UK companies from basing their operations in the UK [EURIM]. This is further frustrated since the proposals do not acknowledge the complex ways in which international business operates: companies create joint ventures and subsidiaries necessary to meet specific market opportunities; the proposals will push for these international businesses to be licensed where common trust systems were involved (see closed user groups appendix to the previous chapter), resulting in the UK industry being at a significant disadvantage [EURIM].

Beyond the licensing, even the self-escrow scheme creates liabilities and imposes costs that some organisations may not wish to bear, so they will be forced either to abandon operations in the UK, or not use encrypted communications, thus undercutting one of the primary goals of the DTI [BSA].

Illustration: Prohibition

The consultation document does not take sufficient account of the development of TP services and regimes in other countries [EURIM]. UK companies with international trading links cannot consider relying on a UK third party scheme which does not have seamless relationships with similar schemes in countries where their trading partners are established [TMA]. This is further frustrated by the prohibition of marketing of non-UK third parties, as proposed by the consultation document.

These informational prohibitions over encryption products from outside the UK could apply to non-UK third parties, and will restrict the free movement of goods and services within the EU and threaten the efficient operation of the Single Market [BSA]. The problems will become worse in the case of Internet based vendors being unable to sell products to companies in the UK that do not use encryption services from DTI licensed providers since the vendors will not be able to receive credit card payments on a secure basis [BSA].

The prohibition of foreign third parties is even deemed unenforceable [BT, Lindsey]; the limit on marketing is even more difficult over the Internet, while the regulation may be applied to advertising agencies within the UK [Lindsey]. This is again in contravention to the OECD guidelines, and the reason is obvious: trade is restricted across countries [BT].

The effect of these prohibitions is analysed in the following section, cost and risk. Fewer companies will develop and offer encryption products and services within the UK if they are confined to producing products users do not want and trust. UK users will be cut off from the much larger pool of encryption products and services developed outside the UK in markets that take a more enlightened, market driven approach to encryption regulation. Out of these will arise unnecessary costs. The newly licensed third parties will have to pass the costs of the initial investments to the companies and individuals. The side effect of these costs is that individuals and companies will simply not be able to pay the added expense, resulting in the defeat of many of the DTI's claimed goals [BSA].

4.4 Are cost and risk differentiable?

The point being made in the illustration needs re-emphasising: the costs incurred by organisations wishing to becoming third parties can be seen as insurmountable, either by small and medium enterprises, or then by the users who will then decide to not use the offered services. Why is the cost such an issue? Risk and liability is the most likely answer.

The report released in May last year entitled "The Risks of Key Recovery, Key Escrow and Trusted Third Party Encryption" was referred to by many responses, including the ABA, BSA, Anderson, and IT. With the stated requirement of legal access to keys, third parties will need to keep these keys within their systems; this has important diseconomies with regard to both cost and the effectiveness of key security [BSA, HP]. The possibility for criminal theft of keys increases exponentially when key escrow is implemented; the effect will be the increase of the cost of doing business, and may discourage high-technology investment in the UK and in Internet commerce around the world [ABA]. The proposals in the Consultation documents are in general neither technologically or economically feasible; the key management infrastructure envisioned does not exist [BSA, IT], and at the very earliest would take several years to develop [BSA]. Because of the requirement of law enforcement access, UK users will be waiting for years to take advantage of new and better encrypted services and products. The Business Software Alliance argues that this will leave the UK to return to the backwaters of the Global Information Infrastructure.

These costs stem from the risks incurred in the storage of keys by a third party. Users have to worry about the third party's ability to keep the keys secure [HP, Bohm, LSEW]. The third parties themselves are exposed to the risk of accidental or corrupt disclosure or misuse of private keys; this is more than about confidentiality, but rather enables the undetectable forgery in the name of the proprietor of the private key, in the case where one key pair is used for authentication and for encryption [Bohm, LSEW, UCISA] (see previous chapter on technology neutrality).

To counter the accidental disclosure of keys from within the organisation, the third party would inevitably try to use conventional techniques of making access depend on several different senior individuals having to co-operate before a key is released; this is practically impossible with the requirement for one-hour access of law enforcement agencies to the keys [Bohm]. The benefit, however, of the accidental or malicious release of the signature key within the UK for the third parties is that the risk will lie with the individual. The irrebuttable presumption of authenticity may apply, as it does within banking [Bohm, Anderson].

The question remains: why would two users or organisations need to take such a risk, when they can forgo the use of the third party, as is often the case in the real world? [LSEW]. The cost of creating such third parties, or transforming current certification authorities, could create a situation where the economic loss would outweigh any conceivable law enforcement gain [Anderson].

5.0 Law enforcement

Law enforcement access to keys is the most controversial issue within the Consultation document, and the forthcoming policy proposal.

It is true that much of the resistance to the consultation document's law enforcement access is a renewed resistance to the interception of communications, but it is also ignorant to assume this is all. The resistance is not only to government's access to keys, but to the need to alter the implementation of a new infrastructure in order to cater for government's requests.

After a discussion of the resistance to law enforcement access to keys, we analyse the voluntary nature of the policy, and whether this is feasible for the needs of law enforcement, or if it is a Trojan horse that leads to future changes in policy. The preservation and dangers to civil rights is discussed throughout this section, and also in an appendix to the chapter that discusses the alternatives to the government scheme that were presented by various individuals and organisations.

5.1 Reviewing Law Enforcement's Requirements

The need for law enforcement access has never been justified. Criminals want communications to be unobtrusive rather than encrypted, so use traffic security techniques instead of content protection [Anderson]. Moreover, the UK Government line of reasoning may require re-analysis with the adoption of the European Convention on Human Rights into British law, in order to ensure that there is a pressing social need for access to the keys. This need must be first established publicly, and this should be the motivation behind a consultation period. Clearly, this was not the case. It is argued that at present it is an inconvertible fact that Britain's police forces do not consider encryption to be an issue and have not pressed in any public forum for warranted access to keys [Anderson, Bohm]. These agencies, however, can be convinced easily of the fact that escrow would be beneficial, but the pressing social need clause will require more support than mere benefit.

5.2 Stored data

The largest issue within the law enforcement requirements is the need for a clear distinction between the encryption of stored data and of data being communicated [EURIM, BSA]. The ability to escrow storage keys may be possible, but it is quite difficult, if not unfeasible in the case of real-time interception of communications [EURIM, BSA]. For stored information, the need for escrow is not apparent, as warrants can already force criminals to reveal their stored data in the same way as the Inland Revenue may now force business to reveal their records [Brazier].

The lack of the provision of technical means to assure the effectiveness of access provisions provides a high level of uncertainty on the feasibility of such an implementation [HP]. The greatest problem is the number of keys that are generated. Internet protocols generate new session keys each and every time a user connects to a Web site, for example; thus there will be hundreds of millions of Internet and intranet users creating hundreds of billions of session keys, and these numbers will grow by orders of magnitude [BSA]. To manage a database of these keys will frustrate the real-time interceptions of communications, while the incurred costs and complexity will be incredible. Beyond the mere technical means, there does not seem to be an economic motive for the implementation of an application or service that recovers session keys; users do not require them because if the communication is successful, then the plaintext will exist; if it is not, a mere resending of the message is required. To reroute these keys through the trusted third party scheme has no benefit, as it imposes substantial unnecessary technical and economic burdens [BSA].

5.3 Burdens lead to Failure

These unnecessary burdens work against the benefits of strong cryptography's availability to the UK public. Controlling strong encryption may hinder law enforcement efforts by leaving UK companies vulnerable as they forego the benefits of strong encryption due to the costs of the regulation. The widespread use of strong encryption is perhaps the greatest way to deter criminals and terrorists from acquiring access to confidential documents [BSA]. Even the escrow of keys provides vulnerabilities in the security of strong encryption by encouraging breaches from extortion or the malicious nature of employees within the third parties.

"The cost of governments mandating the use of third parties and escrow is that no one will use the services."

It is worth noting that organisations do not necessarily want or need escrow, despite what the UK government may assume and argue. The Business Software Alliance has analysed the customer feedback to the member companies, and it indicates that most of the demand for a key recovery capability does not involve third-party escrow. While individuals and organisations may wish to require lost keys, it is best to leave the development of solutions to this predicament to the market; the cost of governments mandating the use of third parties and escrow is that no one will use the services, and the market will suffer [BSA].

Worse yet, setting a precedent within the UK for the rest of the world could create a situation where other national law enforcement agencies could easily obtain information to enable their own national businesses to compete against UK companies operating abroad [BT, Hosein]. The further effect is that we are promoting the use of escrow to governments that can not be trusted, that will use information to spy not only on companies for economic benefit, but on their own people for political advantage [Hosein, CCSR].

If the burden of managing all the session keys was replaced by access to the private key for decryption, the problems change drastically. Consider the following situation: a malicious party sends encrypted messages to his Bank, using the Bank's public key. The LEA will have to apply for a warrant to obtain the Bank's private key, thus giving it access to the communications of a large number of the Bank's honest customers. The Bank could be ruined if it is discovered that their public key is now in the possession of the law enforcement agency [Lindsey].

5.4 Devil in the Details

A concern is that Government could hold private keys for significant periods, which could kill the market [BT]. Warrants need to be cleared for only finite periods, that is a single interception, after which the key will be destroyed. An even better mechanism would be to allow the individuals concerned to change their keys once the warrant has expired [BT]. Otherwise, the temptation to continue to decrypt communications upon having access to the private key could prove to be too strong, and this would be contrary to OECD Principle 6 [Lindsey].

5.5 Voluntary Criminals

There is consolation in the idea that the use of licensed services is to be done on a voluntary basis [DPR].

The question is asked over and over again: why will criminals use a system voluntarily that they can evade? The answer is often that they will not [EURIM, Bell, Bohm, HP, BSA, LSEW, Barwood, Brazier, Hansen, Lindsey, Hyperion]. Many solutions already exist for criminals to benefit from communications between themselves that will make legislation on the voluntary basis entirely futile. However, the government moves forward on proposals that will provide facilities for surveillance of law-abiding citizens [Bell]. The remaining question is how the government proposes to prevent or limit the use of non-escrowed encryption by criminals? [Leech]

"Unless a tamperproof policy can be created, mandatory escrowing will be the outcome of this policy."

What seems inevitable is that voluntary escrow will continue until a large planned public backlash occurs against the illogical voluntary scheme, which will prompt the transformation of the legislation to being mandatory. This can be the only logic within the entire scheme. Unless a tamperproof policy can be created, mandatory escrowing will be the outcome of this policy [Hosein, Lindsey, Brazier, HP, BSA, Hansen], and the consultation session will be considered a waste of time for all of those who participated on the grounds of civil rights.

Meanwhile, law-breaking criminals will resort to using illegal encryption services provided offshore, so they will be merely breaking the law of using illegal encryption [TMA]. Or they can use alternative, lawful methods. All through this, the greatest crime will then become the act of certifying the authenticity of another's public key [Barwood]. This can be highlighted by the following experiment: create two key pairs, one for signatures, one for confidentiality; register the public signature key and get it certified; then sign the public confidentiality key and make it available public; the third parties will not have a copy of the confidentiality key, while the public confidentiality key can be verified [Lindsey]. Or, more resourceful criminals can go on using steganography, the US Digital Signature Algorithm (which has been found to have several subliminal channels), Diffie-Hellman key exchange protocols, and code books to continue doing what they do: evading laws and law enforcement [Brazier].

It is inevitable that people will use encryption to hide their crimes as much as people will use it for electronic transactions. Throughout history, we have not been able to stop all crime, with or without interception. The regulation of cryptography should not be seen as a magic bullet. As with any tool or technology, encryption can be used for good or ill [Hyperion].

5.6 Balance with Civil Rights

The consultation document is often criticised for not establishing a valid balance between civil rights, commercial benefits and law enforcement requirements.

We must be aware of the powers that the state would acquire from the acquisition of keys. The third party is to allow access to both incoming and outgoing traffic for the benefit of law enforcement; this demand for bi-directional access to traffic is an attempt to increase the surveillance powers of the state. This is illustrated by the fact that the state may be able to open the mail that arrives at a destination, but cannot track outgoing letters; similarly, public key encryption permits users to send electronic mail messages to other people that even the user can no longer read once the plaintext has been erased. Such an increase in state power would need to be justified by a pressing social need, as promised by the newly embraced European Convention on Human Rights [Anderson].

As it is, covert wiretapping and decryption without notice are not processes that encourage accountability on the part of authorities [ABA]. If users are going to surrender their ability to have impenetrable security, then it would seem that they have the right to require more accountability on the part of those with access to what has been protected; re-analysis of warrant processes is a good start [ABA, CCSR]. Perhaps warrants can be submitted to the court, rather than by the Secretary of State, as mandated currently under the Interception of Communications Act of 1985 [ABA, UKNF]. An issue is whether an individual or company will be notified if the TP has made their keys available to law enforcement agencies within the UK or abroad [BSA]. This would be particularly important if this happens to be a rogue government searching for information that is passing through its channels for the purpose of obtaining industrial technical secrets from critical multinational companies [ABA]. Even rogue nations that allow for unregulated use of encrypted products and services will disallow the creation of bilateral or multilateral agreements; this will not work unless a world-wide system is established. If the UK is alone in regulation, it may stand alone, and be vulnerable [BSA]. Users must understand the full implications of lawful access [DPR].

Searches without notice threatens the basic civil liberties surrounding the right to privacy and the right of free association; encrypted communications and transactions should not provide an excuse for governments to abrogate long-standing, prized rights simply because new technology is involved [ABA].

Appendix to Section 5: The Existence of Alternatives?

A selection of alternatives has been presented to avoid the access to keys by government under the current specifications. The motivation behind these alternatives is to avoid the possibility of an easily created surveillance state that some see as a danger, as the escrowing of keys may put all keys in reach of government.

One response recommends various methods. The use of bugging has advanced greatly; law enforcement agencies could bug the receiving end of the communications upon being decrypted. Audit trails can be used to track crime on the Internet. Tracking of criminals can be performed using large databases that store and analyse their behaviours. [Brazier]

Another response offers the alternative of law enforcement agencies providing the third parties with the ciphertext, who then decrypt the communications and retain the key, keeping the private key private [Lindsey].

There is always the option to obtain a warrant and attempt to seize the computer to recover stored information. Particularly within modern operating systems, there is a likelihood that the information from communications will be stored in the clear in a swap file, or a deleted temporary file [Hansen].

Finally, traffic analysis is an invaluable tool for law enforcement agencies in ascertaining the nature of a crime, and timing its occurrence [R-Cube, Anderson].

The crucial message of these alternatives is that escrow is not the be-all and end-all for law enforcement access.

6.0 Summary

"We must release the obscurity, stop the scrambling, and introduce the sunlight."

While there is no clear consensus on the outcome of any policy that is to be introduced, what must be acknowledged is that within the UK we have a wealth of knowledge, a wealth of experience, and a wealth of opportunity. Any future development in the field of cryptography policy needs to capitalise on this, embrace the participation and invite the knowledge. We must release the obscurity, stop the scrambling, and introduce the sunlight.

7.0 Sources

American Bar Association Science & Technology Information Security Committee, Response to the Department of Trade and Industry's Licensing of Trusted Third Parties for the Provision of Encryption Services.

Anderson, Ross, Response to the DTI.

Barwood, George, Letter response to the DTI paper.

Bell, Noel, Letter in response to the DTI proposal.

Bohm, Nicholas, Licensing Of Trusted Third Parties For The Provision Of Encryption Services, Comments On The DTI Public Consultation Paper Published In March 1997.

Brazier, John R T, Professional Projects Company Ltd., Response To The Dti Public Consultation Paper Licensing Of Trusted Third Parties For The Provision Of Encryption Services, Version 1.0, 28 May 1997.

BT Comments on the public Consultation Paper "Licensing of Trusted Third Parties for the Provision of Encryption Services", May 1997.

Business Software Alliance, Comments to the UK Department of Trade & Industry on The Licensing of Trusted Third Parties for the Provision of Encryption Services June 1997.

CBI Response to the DTI Public Consultation Paper on Detailed Proposals for Legislation for Licensing of Trusted Third Parties for the Provision of Encryption Services.

Centre of Computing and Social Responsibility at De Montfort University, Licensing Of Trusted Third Parties For The Provision Of Encryption Services, by S Rogerson and N B Fairweather, 30 May 1997.

Cyber-Rights & Cyber-Liberties (UK), First Report on UK Encryption Policy, 'A Reply to the DTI Public Consultation Paper on Licensing of Trusted Third Parties For the Provision of Encryption Services' written by Yaman Akdeniz, May 30, 1997.

Data Protection Registrar, Response Of The Data Protection Registrar to the Licensing Of Trusted Third Parties For The Provision Of Encryption Services, A Public Consultation Paper on Detailed Proposals for Legislation, March 1997 - URN 97/669 - DTI.

EURIM, Response to DTI Consultation Paper on Licensing of TTPs: A EURIM Position Paper, May 1997 .

Hansen, David, Letter to Ian Taylor, dated 14 July 1996.

Hewlett-Packard Ltd. response to the DTI's consultation paper on "licensing of Trusted Third Parties for the provision of encryption services", John Taylor, Director, HP Labs Bristol, Stefek Zaba.


Hyperion Systems Limited, Response to the publication by the DTI of a proposal on the licensing of trusted third-parties, Neil McEvoy (1997).

I.T. Consultancy Limited - Response to DTI, 31 May 1997.

Intel Corporation (UK) Ltd. response to the UK Government consultation paper on the licensing of trusted third parties for the provision of encryption services.

Law Society of England and Wales, June 1997, Licensing of Trusted Third Parties for the Provision of Encryption Services, Consultation Paper published in March 1997 by the Department of Trade & Industry - an Information Society Initiative.

Leech, Dr. John, Letter to Nigel Hickson, Subject: Licensing of TTPs for the Provision of Encryption Services, dated 28 May 1997.

Lindsey, Charles, Comments on the DTI proposals for the Licensing Of Trusted Third Parties, Thu May 22 12:39:58 1997.

R-cube Systems Ltd., Response to DTI Proposals on Trusted Third Party Encryption Services, written by Paul Rouse.

Telecommunications Managers Association, The TMA Response to the DTI Consultation on the Licensing of Trusted Third Parties for the Provision of Encryption Services, 30 May 1997.

UK Notarial Forum Response to the DTI Consultation Paper Licensing of Trusted Third Parties for the Provision of Encryption Services. This Comment was published on 15 July 1997: Citation: UK Notarial Forum, 'Response to the DTI Consultation Paper, Comment, 1997 (3) The Journal of Information, Law and Technology (JILT).

Universities and Colleges Information Systems Association (UCISA) response to DTI consultation paper on the Licensing of Trusted Third Parties for the Provision of Encryption Services.