Analysis of Part III of the (draft) Electronics Communications Act 1999

Session keys

It is common for messages to be encoded with a 'session key' and it is only this key that is sent using 'Public Key Encryption' because PKE can be rather slow. Many people have called for the Bill to recognise that supplying the session key would be a suitable response to a Section 10 notice.

The difficulty appears to be that the Bill envisages the authorities demanding a key so that they will be able to decode FUTURE messages, i.e. the keys are wanted for reading intercepted traffic as it arrives.

There is also the difficulty that there might be some doubt that the plaintext supplied was genuine. In current products the session key will meet this objection. However, it should be noted in passing that if true One Time Pads are in use, then supplying an incorrect OTP can make ANY message the result of the decryption!
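The contrast drawn above, as an added example that is not part of the original analysis: a substituted one-time pad turns the same ciphertext into any chosen text, while a disclosed session key can be checked against the intercepted ciphertext. The SHA-256 keystream and HMAC tag are constructed stand-ins for a real product's cipher and integrity check, and every function name and sample message is an assumption made for illustration.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def forged_pad(ciphertext: bytes, claimed: bytes) -> bytes:
    # A pad under which `ciphertext` "decrypts" to any equal-length text.
    return xor(ciphertext, claimed)


def _keystream(key: bytes, n: int) -> bytes:
    # Constructed stand-in for a real cipher: SHA-256 in counter mode.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def seal(session_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC under one per-message session key (illustrative only).
    body = xor(plaintext, _keystream(b"enc" + session_key, len(plaintext)))
    tag = hmac.new(b"mac" + session_key, body, hashlib.sha256).digest()
    return tag + body


def open_with_disclosed_key(session_key: bytes, sealed: bytes):
    # Returns the plaintext, or None when the key does not fit the ciphertext.
    tag, body = sealed[:32], sealed[32:]
    expected = hmac.new(b"mac" + session_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(body, _keystream(b"enc" + session_key, len(body)))


if __name__ == "__main__":
    real, claimed = b"MEET AT NOON", b"HAPPY EASTER"  # constructed samples
    ct = xor(real, secrets.token_bytes(len(real)))    # genuine OTP encryption
    print(xor(ct, forged_pad(ct, claimed)))           # the claimed text, undetectably
    key = secrets.token_bytes(16)
    sealed = seal(key, real)
    print(open_with_disclosed_key(key, sealed))       # the real message
    print(open_with_disclosed_key(secrets.token_bytes(16), sealed))  # None
```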

Releasing session keys was seen by some people as being a way of inherently limiting the power of Section 10 orders. However, phrasing this to be technology neutral may be complex.

The 'conversation' below brings out some more points:

Alastair Kelman
If the police, following due process, cannot read my files because they are encrypted AND there is evidence that these files relate to "electronic commerce" rather than personal matters THEN after due process I should be required to supply the authorities with the encryption key to enable them to read the files.

Brian Gladman
Why should you not simply be required to decrypt them? A requirement that you must hand over your keys places this burden on society as a whole and this means that everyone suffers increased risks in respect of privacy, security and safety as a result. This does not arise if your obligation is simply that of decryption.

What law enforcement needs is the data that has been encrypted - the government has so far made no case for wanting the ***keys*** and I consider this just key escrow or GAK in a more 'user friendly' guise.

It's time that the government made it a lot clearer why they consider access to keys to be necessary. Especially so since it seems that the US may be going down the 'obligation to decrypt' path.

Alastair Kelman
Provided that you can satisfy the authorities that the plaintext really is decrypted from the cyphertext then fine. I presume that this could be done by encrypting the plaintext using the public key. So let's word this requirement in terms of a requirement to do something positive - decrypt the cyphertext.

I refrained from putting it this way because the law tries to limit specific performance. Requiring a citizen to hand over his key, on the face of it, appears to be a lesser act than requiring the citizen to use his key to decrypt a particular message. The option for the citizen to perform the decryption without handing over his key should be included in the legislation.

That said I have encountered a whole range of problems in computer evidence cases where the prosecution have refused to allow computer evidence to be produced by an accused "because how can we know he has not tampered or forged it?". So the section in the legislation will have to be very clear.

Nicholas Bohm
But it's there already (clause 11): what's wrong is that the option is the authorities' option, not the citizen's.

"It should be a precondition of any obligation to disclose a key that the protected information is provided to the person required to produce the key, if they do not already (or any longer) have it." Note that this guards against the message being substituted before delivery - an issue which there is no discussion about the penalties for (see 16(10)).

Charles Lindsey
So the first change that needs to be made to the Bill is to recognise that there may be several keys that may enable decryption of a given protected text (usually several private keys and one session key) and that the person on whom the notice is served (the noticee?) should be allowed to choose which of those keys he delivers.

Brian Gladman
I believe that allowing any form of access to keys in the Bill will be dangerous because of the difficulty of legally defining the properties of cryptographic keys in a way that protects some from access while allowing others to be obtained.

For this reason I believe it would be much safer to press for a Bill that would (at most):

(1) allow decryption orders to impose an obligation to decrypt;

(2) allow, where necessary, orders to impose an obligation to prove the correspondence between an encrypted text and a decryption of it.

This meets the need without mentioning keys and without imposing any constraints on how (2) might be met.

If, however, I have to give up my long term personal decryption keys (session keys are different I admit) then I have put my entire privacy, security and safety in the hands of the State. This is not something I wish to do and for me this is not a technical issue even though it has a technical basis.

David Swarbrick
The power should be just a minimal extension of PACE 20

20.--(1) Every power which is conferred by an enactment to which this section applies on a constable who has entered premises in the exercise of a power conferred by an enactment shall be construed as including a power to require any information contained in a computer and accessible from the premises to be produced in a form in which it can be taken away and in which it is visible and legible.

Ross Anderson
With many products, compliance is already impossible. PGP, for example, allows you to specify that the recipient will only be able to display a message on screen, not print or save it. Although in theory one can write a noncompliant implementation, it would be unreasonable for PC Plod to insist that a user do this.

It's not just PGP; I've helped people build PC database apps in which you can fetch only so many records at a time, and which have all sorts of tricks to prevent people stealing the whole database. With such products the source code isn't available (in the case of my client, it's not even in the UK) so the non-compliant implementation route is very much harder.

People like Intel and Microsoft are under much pressure from Hollywood to design products that provide ever better support for applications which won't provide information `in a form in which it can be taken away'. The P3 serial number is the start; if you assume that software can be made tamper resistant enough to defeat PC Plod, then P3 already lets you write applications which will only display file X on machine Y, and only if machine Z is currently online. Future processors that have a private key on-chip will raise the bar very much higher.

Nicholas Bohm
It may be worth the further comment that this is not just about the police v. master criminals. Any litigation (for example, sacked whistleblower suing employer) may involve discovery procedures that turn up encrypted files that are important for the whistleblower. We would all be the poorer if the court had no power to order decryption (and I think most judges already believe they have the necessary power as it is, probably correctly).

It already exists in a very limited format in the Police and Criminal Evidence Act 1984 s21 (Swarbrick)

Clause 10(2) depends on it appearing that a person has "a key", and enables a notice to demand disclosure of "the key".

Where it appears that a person has both a private key and a session key, I think that the notice could probably specify which had to be disclosed, although the drafting is not wholly unambiguous.

What amendments would do the trick? I suggest the following with explanatory comments [in square brackets]:

1 In subclause 10(1)(a) and (b) delete the words ", or is likely to come,".

[The session key approach fails if future encrypted data is within the scope of the notice]

2 In subclause 10(3) insert a new paragraph (c) as follows (renumbering accordingly):

"(c) must be accompanied by a copy of the protected information in electronic form;"

[The keyholder may never have received it, or may have deleted it (or not retained the encrypted form of it)]

3 In clause 11 add a new subclause 11(4) as follows:

"(4) Where a direction has been given in accordance with subsection (3) that a requirement to which it applies can be complied with only by the disclosure of the key to protected information, the person required to disclose the key shall be taken for the purposes of this Part to have complied with that requirement if, by the time by which he is required to disclose it to any person, he has provided that person with any key to that protected information."

[This ensures that where a key must be given, any key (i.e. including a session key) will meet the requirement]

[Note that this does not meet the point raised by Brian Gladman, that the keyholder may not be entitled to see the encrypted information - it may not yet have been released from a restriction under a confidentiality agreement for example, despite having come into the possession of law enforcement bodies. The only way to deal with that point is to limit my suggested clause 10(3)(c) so that the notice can be accompanied by just enough of the encrypted material to enable the session key to be extracted. This would complicate the thing a good deal to meet what I feel must be rather a rare contingency.]
