Ken Brown

-------------------------

I submitted this document to the DTI by email as an MS Word attachment. The format may have been changed by rendering it into HTML. Also, a couple of misspellings have been corrected.

Covering letter (email)

17th March, 1999

To: Stephen de Souza, DTI (CIID)

Dear Mr. De Souza

This document is a personal response to the March 1999 consultation document "Building Confidence in Electronic Commerce". It is based on over 15 years of managing computer networks and email systems for a large private company (and 10 years as a computer user before that), as well as my personal experience as a frequent user of online services and as someone professionally interested in the future of electronic commerce.

These comments are entirely my own private and personal views and do not represent in any way the opinion of my employers or any other organisation.


Ken Brown

The submission

Paragraph 31

"should the Government take further steps to regulate the use of spam?" At present commercial email spam is a nuisance rather than a serious problem. So far as it is serious it can be dealt with by email users and their service providers (many of which will no doubt continue to offer more or less "spam-proof" services). I do not think that "spoofing" should be prohibited in law. It is hard to imagine how it could be defined rigorously without excluding legitimate activities, and by its very nature it could be carried on from locations outside the reach of UK law. Even if it was illegal criminals would still be able to do it. Widespread use of digital signatures will remove most of the problem anyway.

These problems are best dealt with by a strong market, with many providers offering differentiated services which customers are free to choose from. The less legislation the better. Internet users can, already, choose their level of exposure to the Net.

Paragraph 32

Development of these services is best left to the market. It is still entirely unclear which intermediary services will be useful or profitable.

Paragraph 36

I find the inclusion of this paragraph hard to understand. Businesses already recognise "the importance of being able to recover critical data" and take steps to make sure that they can recover data. Protection and recovery of encryption keys is already a part of normal practice for businesses that rely on encryption, much as are data backup and recovery, or physical protection of equipment. "Suitable storage arrangements" and "key encapsulation products" are available and in use. Almost all businesses will already have made their own arrangements, which are unlikely to involve KRAs except in very unusual circumstances. I don't see that there is any reason for government to encourage providers to make these products available. If there is a market for them they will anyway, and if not there is no point in offering them.

Paragraph 39

"how best to distinguish between the provision of licensed and unlicensed services" It is worth noting that if the government licenses CAs then the government is, in effect, setting itself up as a root CA (which may be a reason for government to be wary of getting involved). This would most logically be done by providing digital certificates to licensed services which could be tested by the public.

This in turn would require that OFTEL, or whatever organisation it delegated responsibility to, should have the highest standard of information security arrangements, which would themselves have to be open to public scrutiny. The licensing authority should conform with the same licensing criteria that it demands from licensees (Annex A (II)), and the information (such as methods used to generate keys and so on) should be publicly available. This would go a long way towards building confidence in the system.
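As an added illustration of the mechanism sketched under Paragraph 39 (a licensing authority acting as a root CA and issuing certificates that the public can test), the following Go program is not part of this submission or of the DTI document, and the organisation names in it are hypothetical placeholders. It builds a root certificate for a licensing authority, issues one certificate to a licensed provider, and shows that the public-side check needs nothing but the published root to tell a licensed provider from one that merely claims to be licensed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names; none of them come from the DTI paper or this submission.
const (
	authorityName = "Example Licensing Authority (hypothetical)"
	licensedName  = "Example Licensed Provider Ltd (hypothetical)"
	impostorName  = "Example Self-Declared Provider Ltd (hypothetical)"
)

var serialCounter int64 // toy serial numbers; a real CA tracks these durably

// newCert makes a CA certificate for subject: self-signed when parent is nil,
// otherwise signed by parent's key, which is how a licence gets "issued".
func newCert(subject string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serialCounter),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// LicensingAuthority is the root-CA role: its root certificate is published and
// it signs one certificate per provider that has met the licensing criteria.
type LicensingAuthority struct {
	Root *x509.Certificate
	key  *ecdsa.PrivateKey
}

func (la *LicensingAuthority) IssueLicence(provider string) (*x509.Certificate, error) {
	cert, _, err := newCert(provider, la.Root, la.key)
	return cert, err
}

// CheckLicence is the test anyone can run with nothing but the published root:
// does the provider's certificate chain to it? A nil error means "licensed".
func CheckLicence(publishedRoot, provider *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(publishedRoot)
	_, err := provider.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Demo builds one authority, one licensed provider and one provider that only
// claims to be licensed (self-signed), and reports which passes CheckLicence.
func Demo() (licensedOK, impostorOK bool, err error) {
	root, rootKey, err := newCert(authorityName, nil, nil)
	if err != nil {
		return false, false, err
	}
	la := &LicensingAuthority{Root: root, key: rootKey}
	licensed, err := la.IssueLicence(licensedName)
	if err != nil {
		return false, false, err
	}
	impostor, _, err := newCert(impostorName, nil, nil)
	if err != nil {
		return false, false, err
	}
	return CheckLicence(la.Root, licensed) == nil, CheckLicence(la.Root, impostor) == nil, nil
}

func main() {
	ok, imp, err := Demo()
	fmt.Println("licensed provider verifies:", ok, "| self-declared provider verifies:", imp, "| error:", err)
}
```

The point of the check is that it is purely public: the verifier holds only the licensing authority's root certificate, never any private key, so the authority's own security arrangements (the subject of the paragraph above) are what everything else rests on.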

Paragraph 47

Online markets are international. Legislation that restricts the ability of companies or individuals to trade across international boundaries from within the UK will be met by them trading from outside the UK. Availability of strong cryptography is a necessary prerequisite of secure online trading. If UK service providers are forced to incorporate key storage or key recovery into products, regardless of their customers' needs or wishes, then those customers will go somewhere else.

Paragraph 50

"There have been attempts to extort money from businesses by placing enciphered viruses into computer systems (so-called cryptoviral extortion). Law enforcement agencies would be better able to investigate such criminal activity if they had a power to obtain relevant encryption keys."

I find it astonishing that anyone thinks that a criminal who was capable of infecting the computer systems of financial institutions with encrypted viruses would make their keys available to the police, or use licensed providers! Maybe in a world where all robbers use licensed guns.

Presumably anyone accused of such a crime will judge whether the penalty for not disclosing their key is greater than the penalty for whatever crime they might be convicted of if they did - and if it isn't they will conveniently "forget" the key.

The way to fight such crimes is for companies to look after their own computer security and change control procedures. This will be made easier, not harder, by widely available strong cryptography.

Paragraph 79

I was struck by a sense of cognitive dissonance here. The entire document stresses that licensing is to be voluntary. Paragraphs (64) to (74) seem to imply that the new law will allow agencies to require disclosure of keys or plain text from users of encryption. But (77) and (78) assume that the police are approaching a third party for the keys, as if copies of the keys were being kept by licensed service providers. It is incredible that anyone using encryption with intent to hide evidence of a serious crime would knowingly use keys that were in the hands of a legitimate service provider if they had the choice of keeping their keys private.

Paragraph 80

The authors of the document are obviously aware of that problem because it is described in (80). But the entire rest of the section from (81) to (88) still seems to assume that the ability to decrypt communications will be in the hands of a third party, as if key escrow (or some logical equivalent under yet another jargon name) were inevitable. This reads more like a contribution to debate than a legislative proposal and, to be honest, a contribution from someone who still does not realise that it is impossible to guarantee decryption. Even if all communications were to be transmitted and encrypted by service providers accessible to UK law enforcement agencies, intelligent criminals would separately encrypt their messages before sending them to the SP. They probably will anyway.

The market for Internet services is worldwide and customers choose between legislative regimes as well as between suppliers. There is already widespread suspicion (whether or not it is well-founded is irrelevant) that US and UK governments have used intercepted communications for the commercial benefit of firms located in those countries. If government is serious about "developing the UK as the best environment in the world in which to trade electronically" then foreign traders will have to be persuaded that UK service providers are not acting as spies for their competitors. This will not be possible if there is any built-in requirement to enforce decryption.

We could end up with the worst of both worlds. Criminals and terrorists will be able to use strong encryption and legitimate users will be discouraged from doing business with UK suppliers.

Annex A (I), (II) and (III)

Information made available to the licensing authority in order to meet whatever criteria are finally decided upon must also be made freely available to the public. Openness is a prerequisite of trust.

The proposed licensing criteria for key generation seem to assume that service providers would issue keys to their customers. While this might be useful in some limited contexts (for example, banks might issue keys to retail customers for use only with them), the industry consensus is that local key generation is necessary for security. This is obviously necessary for building confidence. If the only way to deal with UK licensed providers is to use keys that they provide, then many customers, especially overseas, will not wish to do business.

If the UK is to be "the world's best environment for electronic trading", UK service providers will have to be the providers of choice for users worldwide. Some of these customers will be technically competent in computer security or cryptography; most will be completely ignorant of it. Some of them will reside in jurisdictions where their past experience encourages them to be very wary of all government or law enforcement agencies. Some of them will be highly suspicious of the UK government or UK business, and some may even assume that any service providers will be spying for their national government as a matter of course. If we are to attract these people to do business with us then we must be entirely open with them.

Ken Brown, March 10th 1999


-----------------------------

Last Revised: April 20 1999