FIPR: Foundation for Information Policy Research

FOUNDATION FOR INFORMATION POLICY RESEARCH

Embargoed until release of bill: Friday 23rd July 1999

ELECTRONIC COMMUNICATIONS BILL WILL HARM UK INDUSTRY, HOLD BACK GROWTH OF ECOMMERCE, UNDERMINE CONSUMER PROTECTION, AND VIOLATE EUROPEAN CONVENTION ON HUMAN RIGHTS

For more information, contact FIPR.

Since the early 1990s, civil service policy advice to Conservative and Labour Ministers has advocated draconian legislation restricting the use of encryption on the Internet. The Conservatives proposed compulsory licensing of encryption in Government, but recanted in opposition. Labour opposed controls in Opposition, but now propose "decryption notices" which overturn basic principles of human rights and civil liberties.

Today the Government published an Electronic Communications Bill that will give ministers broad powers to control the use of encryption in electronic commerce. Although some of the more objectionable aspects of previous proposals have been dropped from primary legislation, the bill gives ministers the power to introduce them later as regulations.

Caspar Bowden (Director of FIPR) said:

Overwhelmed by resistance from industry and users, the government has been forced to abandon a succession of elaborate but futile frameworks for regulation, wasting three years in which UK e-commerce could have established a world lead.

Big Bureaucracy

Compulsory licensing with mandatory key escrow subsequently became voluntary licensing linked to key escrow, and now the terminology has metamorphosed again into a register of approved providers. Despite a fiercely critical Trade and Industry Select Committee report, the DTI has ignored the spirit of their findings and appears still to want to keep open options for strict regulation. Six pages of impenetrably worded legislation could see the return of key escrow through secondary powers which would allow the Secretary of State to make escrow a condition of approval.

Businesses already deterred by vacillation and delay, will have little idea of what to expect until the regulations are eventually published. Different regulations can be published by different departments, no timescales are set out, and businesses will face constant debilitating uncertainty about whether electronic products and services may in future face much stricter regulation.

FIPR wishes to see cast-iron curbs on secondary powers which could require (or coerce) without further primary legislation: (a) operation of key escrow by approved providers, (b) linkage of weight or validity of signatures to being an approved provider, (c) use of approved provider of certificates or encryption for dealings with Government.

Big Brother

There are also serious civil liberties concerns. The bill will give police the power to demand decryption keys from anyone they suspect of possessing them, and failure to hand keys over can lead to a two year jail sentence. The defence will be presumed guilty of withholding a key unless they can prove otherwise (a likely contravention of the European Convention on Human Rights), and decryption notices will be secret, so it will be impossible to complain effectively if they are used in an oppressive way.

Handing over a decryption key used for years on end would give the police access to very much more information than they need. Decryption notices can also be served on innocent correspondents of a suspected person, with an indefinite obligation not to change keys and maintain secrecy.

FIPR believes that criminals should not be able hide behind encryption, but the way in which the government intends to deal with this is completely unsatisfactory and infringes basic human rights.

To obtain power to serve a decryption notice FIPR suggests that the authorities should establish to a judge with reliable evidence that the:

• data in question contains a hidden or encrypted message
• person on whom the notice is served possesses a key
• data contains evidence of, or would assist in pursuit or detection of, a serious criminal offence

Decryption Notices and Human Rights

• penalty of two years imprisonment for non-compliance
• can be served on a person who "appears" to have a key - there is no requirement for any evidence to support this
• discretion to demand either keys or decrypted data - access to keys destroys privacy of all past messages
• can be used to obtain private keys from innocent associates or professional legal advisers of suspected persons
• do not even have to specify what encrypted data has to be decrypted - can ask for any and all keys
• apply not just to data seized or intercepted under warrant, but also to anything lawfully obtained without a warrant (including published or public domain material)
• allows methods of incriminating innocent persons in ways against which it will be impossible to defend reliably
• will deter Cryptography Service Providers who might operate key recovery (which could assist law enforcement) from doing , by exposing them to strict criminal penalties if (for some reason) they are unable to comply.

*) No presumption of innocence : burden of proof on defence to show they DO NOT have a key

• how is it logically possible to PROVE non-possession of key?
• asking for a decryption key is not like asking for a DNA sample - innocent people lose keys, or might never know the key to data that is e-mailed to them

*) "Tipping-off" condition - actually an indefinite obligation of secrecy of excessive width

• can impose an indefinite obligation of secrecy on suspects, associates or legitimate third-parties
• prevents innocent associates from complaining publicly, with a penalty of five years imprisonment
• could actually be used against suspects themselves (prevent from "tipping-off" themselves !)
• with a penalty of five years imprisonment.

*) Safeguards?

• Complainants only recourse is to a Tribunal, which can hold proceedings in their absence
• Tribunal need not disclose reasons for decisions, and operate special rules on burden of proof and admissibility of evidence - no "equality of arms" between the prosecution and the defence.
• a Commissioner to "keep under review" exercise of powers
• abuse of powers breaching the Code of Practice would not "of itself" create any criminal offence
• duty on authorities with access to keys to maintain only such safeguards "as considered necessary"

Could key escrow return under secondary powers?

The Trade and Industry Select Committee commented in their report:

(115): 'A number of respondents advocated that statutory instruments should be ratified by affirmative resolutionwe have been critical in the past of Government's reliance on regulations which escape effective parliamentary scrutiny.'

(107): 'Powers should not be taken in the forthcoming Bill to permit the introduction of key escrow or related requirements at a later date.'

Part I: Register of Approved Cryptography Service Providers

Secondary powers

• could compel key-escrow/recovery as a condition for approval as a Registered Cryptography Service Provider

Part II: Admissibility of E-Signatures and Powers to Amend Legislation

Secondary powers

• could prescribe use of a Registered Provider for citizens or businesses to deal electronically with Government.
• be ratified by affirmative or negative resolution at the discretion of the government

QUOTES:

The Director of the Foundation, Caspar Bowden, said:

'Civil servants have tried for years to get industry to buy into their proposals for regulating electronic commerce. It's time they realised that this is not going to happen, and that the world has moved on. Things are very different now from what they were in 1996 when these ideas were first floated.'

'A signature is valid at present if you intended to make it. The government is taking powers which could discriminate in favour of signatures certified by organisations joining their approvals scheme. So in future if you complain to your bank and say `I never signed that!' they could be able to say: `tough luck, it's an approved signature - you're liable'. When frauds start happening, the customer will be blamed.'

'Electronic commerce is being seriously harmed by the attempt to tie electronic snooping provisions in with this Bill. The proper place for snooping regulations is in the new Interception of Communications Act. Making wiretapping a condition of the licensing of electronic commerce will just undermine confidence and drive business away.'

Notes for editors

1. About FIPR

FIPR is an independent non-profit organisation that studies the interaction between information technology and society, with special reference to the Internet; we do not (directly or indirectly) represent the interests of any trade-group. Our goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe. The Board of Trustees and Advisory Council comprise some of the leading experts in the UK.

2. Chronology

10 Jun 1996: DTI paper on regulatory intent concerning use of encryption on open networks.

17 Mar 1997: DTI Consultation Licensing of Trusted Third Parties for the Provision of Encryption Services.

27 Apr 1998: DTI Secure Electronic Commerce Statement.

19 Oct 1998: DTI Consultation paper postponed.

24 Nov 1998: Queen's Speech announces "Electronic Commerce Bill" this Parliamentary session.

3 Dec 1998: Trade and Industry Select Committee announces inquiry into E-Commerce.

19 Jan 1999: France abandons key escrow.

4 Mar 1999: PIU study announced at No.10 meeting for industry leaders, key-escrow "not the answer".

5 Mar 1999: DTI Consultation "Building Confidence In Electronic Commerce".

23 Mar 1999: "Scrambling for Safety III" conference: first public discussion of encryption policy by Home Office.

1 Apr 1999: 26 day response period of DTI Consultation ends: FIPR accumulates submissions on website.

19 May 1999: T&I Sel.Ctee Report "Building Confidence In Electronic Commerce: The Government's Proposals".

26 May 1999: Cabinet Office Performance and Innovation Unit Report, "Encryption and Law Enforcement".

22 Jun 1999: Home Office Consultation "Interception of Communications in the United Kingdom".

8 Jul 1999: Conservatives refuse to allow introduction of Bill under "carry-over" procedure this session.

23 Jul 1999: Draft "Electronic Communications Bill" published.

3. References

Cryptography and Democracy: Dilemmas of Freedom, a paper by Caspar Bowden, and Yaman Akdeniz, in Liberty eds., Liberating Cyberspace: Civil Liberties, Human Rights, and the Internet, London: Pluto Press, 1999, 81-125 - http://www.fipr.org/publications/cryptfree.pdf.

"Regulatory intent concerning use of encryption on open networks", DTI Jun 1996 - http://www.dti.gov.uk/cii/ENCRYPT/regpap1.htm.

Building Confidence In Electronic Commerce: The Government's Proposals, Trade and Industry Select Committee Report May 1999 - http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrd ind/187/18702.htm.

Encryption and Law Enforcement, Performance and Innovation Unit Report, Cabinet Office, May 1999 - http://www.cabinet-office.gov.uk/innovation/1999/encryption/index.htm.

Building Confidence In Electronic Commerce, DTI Consultation, March 1999 - http://www.dti.gov.uk/cii/elec/elec_com.html.

Interception of Communications in the United Kingdom, Home Office Consultation June 1999 - http://www.homeoffice.gov.uk/oicd/ioca.pdf.

Licensing of Trusted Third Parties for the Provision of Encryption Services, DTI Consultation March 1997>.

Secure Electronic Commerce, DTI Statement April 1998 - http://www.dti.gov.uk/cii/c8/ana27p.htm.

STAND Website http://www.stand.org.uk/.

Other Press Releases:

• FIPR Press releases
• FIPR launch press release

Go to FIPR front page.

Go to FIPR E-Comm99 Draft Bill Review page.

Go to FIPR Electronic Commerce Policy Information Centre.

Go to FIPR Interception of Communications Information Centre.

Go to FIPR Regulations of Investigatory Powers Information Centre.