FT 21/12/99: "Decrypt with care" PERSONAL VIEW - Caspar Bowden
Cryptography is routinely used to keep credit card numbers safe during electronic transactions, and to scramble confidential e-mails so only the intended receiver can read them. It is a basic tool against computer hackers.
The need for electronic security in transactions over the internet is forcing radical policy changes on government. But in seeking to combat crime, there is a real danger that the Home Office will assume new powers so draconian that they could wreck confidence in British e-commerce.
When the electronic communications bill finally arrived in parliament last month, it did not include provision for mandatory "key-escrow" - the blanket requirement to deposit spare keys to all stored or transmitted data with the authorities.
It appeared that Whitehall had heeded warnings that unilateral controls would drive e-business offshore. However, the controversial clauses may soon reappear in the Home Office's regulation of investigatory powers (RIP) bill.
Under the proposed law, failure to decrypt data on demand would carry a presumption of guilt that the key was being wilfully withheld, with obvious dangers that innocent persons could be falsely implicated or intimidated. The defence in court must somehow prove that the accused does not have a key.
How can this be done? A key may be irreplaceably lost or forgotten, so there is no analogy to existing laws that require production of a DNA sample or a driving licence. Even a person not suspected of a crime could go to jail for two years if he could not decrypt data required in an investigation. More worrying, a discretionary gagging order could prevent him complaining publicly, with a penalty of five years imprisonment.
It is a principle of British justice that an accused person is presumed innocent until proven guilty. But the detailed legal opinion of two experts on the European Convention on Human Rights, obtained by the Foundation for Information Policy Research, suggests that the decryption powers would "have the inevitable consequence of compromising the affected individual's whole security and privacy apparatus" and would be likely to contravene Article 8 of the European Convention, on respect for private life.
The legal experts also found a likely violation of Article 6, on the right to a fair trial. Provisions requiring a suspect to turn over a key violate the right not to incriminate oneself, also protected under Article 6.
Moreover, unless the RIP bill becomes law by October, the proposed Home Office powers would be vulnerable to further challenges under the Human Rights Act. (sub-editors garbled)
After wasting two years on key-escrow, the government is under pressure to give law enforcement agencies new powers to police the internet. The danger is that it will legislate in haste.
Meanwhile, the scope for surveillance is growing rapidly. Under the RIP bill, internet providers will be required to install tapping equipment, but that is of little use if the traffic is encrypted. The only recourse for law enforcement then will be a great deal more bugging - to replace and to supplement digital interception, and obtain keys through covert means. Prima facie, the rules for bugging should therefore be at least as rigorous as for tapping, but they are not. Jack Straw, the home secretary, supposedly scrutinises tapping warrants, but search warrants are issued by judges or the police, and bugging is authorised by senior police officers.
Lord Nolan, as interception of communications commissioner, makes spot-checks on interception paperwork, but has no technical staff and depends on the police or spy agencies to tell him what is happening.
The efficacy of current safeguards is already dubious, and almost certainly insufficient to cope with the bewildering complexities of internet surveillance.
Powerful new techniques will be used to analyse patterns in web sites visited and e-mail contacts, and flag suspicious associations in traffic logs that record the activity of the innocent and guilty alike. But incredibly, policymaking on encryption, tapping and bugging is still not joined up.
The government risks starting an arms race that it cannot win. The very existence of encrypted data can be camouflaged, rather like hiding pebbles on a beach. It is futile to demand the key to a locked safe if the existence of the safe can be plausibly denied. Oppressive decryption laws will accelerate the take-up of such "steganographic" software, free prototypes of which already abound on the internet.
Two years ago at a G8 summit, Jack Straw said 21st century crime could not be fought with 19th century laws. The proposed decryption powers have more in common with the notorious Court of Star Chamber. Modernising the authorisation of surveillance must be accompanied by effective technical and legal safeguards.