E-Commerce Bill Consultation Library: Charles Lindsey
-----BEGIN PGP SIGNED MESSAGE-----
Comments on the Draft Electronic Communications Bill
****************************************************
By Charles Lindsey
=========================================
5 Clerewood Avenue
Heald Green
Cheadle
SK8 3JU
Tel/Fax (0161) 437 4506
Date: Friday October 8th 1999
+++++++++++++++++++++++++++++
I am a retired Senior Lecturer in Computer Science at the University of
Manchester. Since my retirement, I have made it my business to take a
detailed interest in many activites related to the Internet, including in particular
matters connected with the authenticity and security of digital communications.
There are many features of this Bill which have attracted widespread adverse
comment, with most of which I agree. I have, however, chosen in these
Comments to address just a single issue - namely the section 10 notices, that which
they may contain, and the manner of complying with them. It is my opinion
that the Bill, as presently worded, deprives those who receive the notices of
some basic rights, whilst at the same time omitting some features which would be
of benefit to the Law Enforcement Agencies.
I start with Section 19, which defines some basic terms, and then proceed to
discuss sections 10 and 11.
Section 19.
+++++++++++
The definitions of "signature", "key" and "protected data" in this section
give cause for concern.
In particular, it is not recognised that electronic signatures may be used
for conveying permission to perform some act. This is done by constructing some
token which conveys the permission and signing it with the private key of
the person claiming to have authority to give that permission. Examples of the
permissions that might be conveyed in this way are permissions to access
(or rather to use) some other key (whether it be an encryption or a
signature key), and for delegating authority for the giving of some permission to
someone else.
For example, the Company Accountant might be authorised to make payments
using some form of electronic funds transfer, by creating a token containing
details of the transfer and giving permission for the corporate
fund-transfer-signing-key to be used to authenticate the transfer. He would
sign the token with his own private key so that the central secure computer
that actually generated the signed transfer could check that the token came
from a properly authorised person.
More likely, he would delegate authority to make such transfers (perhaps up
to some defined limit) to some member of his staff (and revoke that authority
also, as occasion demanded). Likewise, his own authority would have been
conveyed to the central computer by some token signed by the Managing
Director, and the Managing Director's authority would have been signed by
all the other Directors, and so on - presumably the buck stops somewhere. But
notice in particular
a) That long chains of authorizations can be built up in this way.
b) That the keys used to sign these tokens are just the ordinary
private signature keys of the individuals concerned.
c) That the tokens are not "protected information". Their content is
no secret; it is just that the central secure computer has been
programmed not to act upon them without the proper signatures.
This sort of complex system is likely to be prevalent within large
organisations where many people may have to generate signatures or to decode
documents using the Company's corporate keys, which necessitates keeping
them within some secure central computer within which the signatures or
decryptions are actually performed. Such systems will also be used by those Approved
Providers who choose to offer a Key Escrow service. In all such cases, the
corporate keys will remain at all times within the central secure computer
(they were likely even generated there) and will only be extractable from
same with extreme difficulty, if at all.
Although the keys used to sign these tokens are clearly "signature keys"
under the bill as presently worded, this matter is of sufficient importance that
this usage needs to be recognised in the text. I therefore propose that
part (c) of the definition of "electronic signature" be amended to read
as follows:
(c) is used for the purpose of facilitating, by means of a link
between the signatory or other source and the data, the
establishment of the authenticity, or the integrity, or the
authority conveyed by, the data, or any combination of these
things;
Given the strong promises made by the Government that "signature keys" would
not by subject to enforced disclosure, it is unthinkable that the Bill
should make any exception for signatures used to convey permissions as outlined
above. Nevertheless, this seems to be precisely what the Bill as currently
drafted purports to do.
Consider the definition of "key" which follows immediately after that of
"electronic signature". Firstly, the definition is circular, insofar as it
says that a "key" means, inter alia, a "key". More worrying is the use of
the word "password". Passwords, as normally understood, are not used for
encryption, nor for signatures. Rather, they are used for gaining access to
some facility. But the real sting is part (a) of the definition which
declares that a "key" can be anything which "allows access to the electronic data"
and, clearly, that covers the sort of signed token that I have described above
(it gives access to the keys stored in the central secure computer), or more
particularly the signature keys used to sign such tokens.
This, of itself, would not be of concern were it not for Section 11(2)(a)
which allows for a person to obtain access to some protected information
using a key in his possession, BUT specifically requires him to deliver up that
actual key if so "directed" in accordance with 11(3) even though that key is
likely to be a bona fide signature key being used in the manner I have
described above. This situation is quite intolerable. However, I think this
problem is best fixed in Section 10 or 11, for which see my proposals below.
Finally, the definition of "key" makes no mention of signatures, even though
the term "signature key" is used elsewhere in the Bill. So I therefore
propose that the definition of "key" be reworded as follows"
"key", in relation to any electronic data, means any code, phrase,
algorithm or other data the use of which (whether or not in
conjunction with other keys)-
(a) allows access to the electronic data, or
(b) facilitates the putting of the data into an intelligible form, or
(c) serves to establish the authenticity, or the integrity, or the
authority conveyed by, the data;
Having said that, I see no reason why the Bill needs to concern itself with
access to data at all. If there is data which is not encrypted (it is
already in intelligible form) but is inaccessible simply because the password (or
other more complex security feature) that would gain access to it is not
known, then surely all the LEA has to do is to seize the whole computer
under warrant and take it to pieces. Faced with the choice between having one's
computer seized, as opposed to giving up one's password and keeping the
computer, the average user would doubtless give up the password willingly.
So I would therefore prefer to see paragraph (a) removed from the above
definition entirely, along with the corresponding paragraph in the
definition of "protected information".
Section 10.
+++++++++++
The drafting of this and the following section leaves much to be desired.
Basically, it fails to take account of the realities of cryptography as
currenty used, let alone of possible ways it may develop in the future. Thus
it places some unacceptable burdens on some people, whilst at the same time
failing to provide the LEAs with some of the benefits they might have
expected to have.
The major failings I will deal with under Section 11, but in the meantime
there are various lesser matters which affect Section 10, the first of which
is the confusing terminology whereby the word "person" is regularly used,
even within the same paragraph, to refer to:
(a) The "person" who has acquired a copy of the protected data by some
statutory or other means (subsection (1)).
(b) The "person" with the appropriate permission to serve a notice.
(c) The "person" upon whom the notice has been served.
I propose that most of the confusion can be removed by using the word
"officer" to cover case (b), both here and in Schedule 1, and my further
proposals below are worded on that assumption.
subsection (2):
This needs to recognise that there may be several keys involved with access
to the protected data, that they may be in the possession of several persons,
and that some of them may need to be derived by possibly complicated processes.
My proposed ammendments are
p10 line 1 any person => any officer
line 2 a key to the protected information =>
a key or keys to the protected information, or the means
wherewith to derive such keys
line 3 any person => any person or persons
line 4 person => officer
line 5 possession of the key => possession of such a key
line 5 disclosure of the key => disclosure of that key
subsection (3):
Paragraph (a) seems to envisage notices being delivered by electronic means,
and seems to be based on the idea that "proof of posting" is equivalent to
"proof of delivery". That is grossly unfair. It must be possible for the
officer to prove that the notice has been received in much the same way that
the serving of paper documents currently reuqires proof.
Another problem is the time allowed for compliance with the notice. It is no
use the officer serving the notice and saying "right, you now have 5
minutes, or you will be charged under Section 12". For the reasons I have outlined
earlier on, it may take hours, or even days, to comply in some situations.
My proposed ammendments are
p10 line 10 given => given and received
p10 line 12 person => officer
p10 line 14 to be made =>
to be made, such manner and time being reasonable having
regard to the technical difficulties of performing the
disclosure
It is not stated how the noticed is supposed to identify the required key,
and this is particularly important in the case where several keys may be
involved, such as an asymetric private key and a session key. The only way to identify
the key is to provide the person with the protected data (if he does not
already have it). Or, if he does not have it and the officer does not want
him to be in a position to retrieve the plaintext, then at least a
sufficient part to enable the session key to be extracted. I would therefore propose an
additional paragraph (d)
(d) must, unless the protected information is already in the
possession of the person receiving the notice, incorporate that
protected information; or at least a sufficient part of it to
enable the person to identify all of the keys involved; or else,
in the case where the notice refers to information likely to come
into the possession of any person in accordance with paragraphs
(a) and (b) of subsection (1), sufficient information to identify
the class of protected data to which the keys are, or will be,
required.
subsection (4)
p10 line 17 person => officer
subsection (5)
This is an important safeguard, which has been guaranteed by the Government.
Nevertheless, there exist keys (notably PGP keys generated by earlier
versions) which the user now uses only for signature purposes, but had once
used for encryption many years ago. Or since, with some keys, it is
impossible to prevent them from being used for encryption, someone might send him a
message encrypted with it, so as to embarass him. It is hard to see how to
deal with this entirely, but at least it should be incumbent upon the LEA to
prove that a supposed signature key was in fact being used for encryption,
and for sure the fact that it had only been so used long before the present
circumstances arose should not provide an excuse for the LEA to demand a
signature key, as the present wording clearly allows. I propose, at the
least
p10 line 24 has not in fact been used for any other purpose =>
is not in fact currently in use for any other purpose
There is a further problem in that private keys (whether for signature or
encryption) are customarily stored on the user's computer in encrypted form,
and he needs to provide a "passphrase" in order to decrypt them whenever he
needs to use them. It was clearly the intention of the Government's
guarantee that a user should not be compelled to divulge either his private signature
key, or the passphrase that protected it. Nevertheless, in the case where
the (passphrase-encrypted) private signature key has come into the possession of
the LEA (by seizure of the computer under warrant, for example) the Bill, as
currently drafted, would allow the officer to demand the passphrase. For the
encrypted signature key is clearly "protected data", and hence the officer
can demand the key to put it into intelligible form (i.e. the form in which it
could then be used to sign documents). Clearly, this is intolerable.
Furthermore there is the loophole which I identified above when discussing
signed tokens. I therefore propose an extra paragraph (c):
...; or
(c) where the protected information to which the key relates is or
contains a further key which is not itself the subject of this or
any other notice.
Section 11.
+++++++++++
The wording of this section is convoluted and full of double negations, it
contains a right to direct that actual keys be provided even when the person
is willing and able to provide timely decryption into intelligible form,
with absolutely no restrictions on the exercise of that right, and it is couched
in terms that are only applicable to the simplest and most straightforward
cases of encryption, such as were commonplace 10 years ago, but bear no
resemblance to the sophisticated and complex systems which are encountered today, and
still less to what may be found in the future. Thus this section does not
provide the LEAs with the powers that they actually need, not does it
provide the owners of the keys with the protection that is their due.
It cannot be overemphasised how serious it would be for a large undertaking,
such as a bank, to have its main corporate encryption keys seized. The costs
to the Bank would run into millions. It is useless to argue that the seized
keys would be in safe hands as set out in Section 15. No corporate executive
in his right mind would place any credence in such promises, especially
given the knowledge of the collusion of the UK in the Echelon project. But this is
not all bad news. A bank faced with the prospect of losing its keys would be
willing to fall over backwards in an effort to provide all assistance to the
LEA short of actual disclosure. The Bill should be worded so as to give the
LEAs full benefit of such willingness.
The basic fallacy of the present Bill is that it keeps speaking of "the" key
to the data, and fails to recognise that
(a) There may exist several alternative keys ANY ONE OF WHICH would
suffice to access the protected information. This arises
particularly where the information is first encrypted with a
transient "session key", which is then itself encrypted with the
user's private key. Since the compromise of the latter would be
disastrous for the user, he must have the absolute right to
choose to disclose only the session key. Other cases of multiple
alternative keys arise when an encrypted communication is
addressed to several people.
(b) There may exist sevral keys ALL OF WHICH (or, at least, several of
which) are required in order to access the protected information.
This usually arises when some sensitive piece of information (such
as an important corporate key that would, for example, unlock the
central secure computer) is divided into several parts, each part
being deposited with a different person for secure keeping. If,
for example, it were split amongst 8 people, then it could be
arranged so that the bringing together of any 6 of them would
suffice to access the protected information. Techniques for doing
this securely have been known for many years, though they are not
yet as widely deployed as they should be.
Now it would be foolish for the wording of the Bill to get involved in
detailed technicalities such as "session keys". Nevertheless, it needs to be
worded in such a way as to encompass all the above possibilities in as
general a manner as possible. I therefore offer the following wording for your
consideration:
11.-(1) Subject to the exception listed in subsection (2), a person required
by a section 10 notice to disclose a key to some specified protected
information, or to protected information of some specified class may, in
order to satisfy that requirement, and at his choice, either
(a) where there exists only a single key matching the requirement,
disclose that key; or
(b) where there exist several keys, any one of them being sufficient
to match the requirement, disclose any such key; or
(c) where there exist several keys needing to be assembled together in
order to match the requirement, disclose such of them as are in
his possession; or
(d) where there exist several keys needing to be assembled together in
order to match the requirement, make arrangements with other
persons who have also been given section 10 notices, and are in
possession of such of those keys as he does not himself possess,
to derive from them a single key which matches the requirement,
and then disclose that key; or
(e) where the notice specifies a class of protected information likely
to come into the possession of any person persuant to subsection
(1) paragraphs (a) or (b), make arrangements for keys to specific
items of protected information to be disclosed in a rapid and
timely manner upon being presented with those items, or at least
with sufficient parts of them, by the officer who gave the notice;
or
(f) where he is in a position to disclose any key or keys in
accordance with paragraphs (a) to (e) above, and the protected
information is already in an intelligible form but cannot readily
be accessed without that key or keys, use that key or keys to
access the protected information and then disclose it in place of
that key or keys, provided he does so by the time before which he
would otherwise have been required to provide that key or keys; or
(g) where he is in a position to disclose any key or keys in
accordance with paragraphs (a) to (e) above, and the protected
information cannot readily be put into an intelligible form
without that key or keys, use that key or keys to put the
protected information into an intelligible form and disclose that
intelligible form in place of that key or keys, provided he does
so by the time before which he would otherwise have been required
to provide that key or keys, and provided he is able to
demonstrate that the form disclosed corresponds to the protected
information provided.
Observe that I have distinguished (f) (access to unencrypted information
protected by some lock, and which I have already suggested should be
excluded from the bill anyway) from (g) (decryption, or putting into
intelligible form).
Now to the matter of the right of the LEA to demand keys even when decrypted
information is on offer. I oppose this also, but here is the wording that
would apply if it is needed. Note that I have carefully excluded case (f)
above - if the data itself is offered, why on earth should the LEA require
the key (in this case the password) as well?
11.-(2) A person required to disclose a key to protected information may not
avail himself of the option instead to put it into intelligible form as
provided in paragraph (g) of subsection (1) if
(a) the relevant authority who for the pourposes of Schedule 1 granted
the permission for the giving of a section 10 notice in relation
to that information, or
(b) a person whose permission for the giving of such a notice in
relation to that information would constitute the appropriate
permission under that Schedule,
has given a direction that the requirement can be complied with only by the
disclosure of the key itself. Such a direction shall not be given unless
there are exceptional and cogent reasons whereby disclosure of the protected
information in intelligible form would vitiate the whole purpose of serving
the notice.
That last sentence (which could perhaps be worded better) is intended to
make it clear that such directions are not to be given by those with the relevant
authority (that is the Secretary of State, Judges, etc) as a matter of
routine, but only reserved for exceptional situations (which the Tribunal
might want to be explained to them afterwards). I find it hard to imagine a
circumstance where this would apply, expect perhaps where the person on whom
the notice was served was himself under suspicion, and the LEAs has come
into possession of encrypted communications which, for some reason, had not been
delivered to that person, and which they did not want that person to see. It
all sounds pretty far fetched to me. Parliament would certainly need to be
convinced of the necessity for this if this feature is to remain in the
bill.
Section 12.
+++++++++++
This and the following section contain so many violations of basic humans
rights, notably the presumption of innocence until proved guilty, and is in
such blatant disregard of the European Convention on Human Rights (shortly
to be enacted into British Law) that the mind boggles. How Ministers could
stand up in public and deny these breaches beggars belief.
However, these matters have already raised such a furore that I have no
doubt that other commentators will have addressed them fully.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQB8AwUBN/4Z2K1e6k0sFfGpAQGdAQMyApV2VR+UrBduXvWIUYetc7k0PXEjR0ac
R77i6SedxMORSslh4JaXYoNDFpZ7a2zmDbHvkzNkxjCkJASkgEbjOgFBL9dWk5xI
mcpBEaGa/HOoYHitUR4YHETZM0gbibiToopguaKALw==
=dPWj
-----END PGP SIGNATURE-----
The Foundation for Information Policy
Research is registered in England and Wales under the Companies Act 1985 as a
private company limited by guarantee (No.3574631). Application for charitable
status is in progress.
Last Revised: October 17 1999