13th January 2001 New Scientist www.newscientist.com

Hand over your keys

Protecting privacy could soon be more difficult in Britain than anywhere in the world, warns Caspar Bowden. Internet users may end up with fewer civil rights than terrorists

Crypto by Steven Levy, Viking, $24.95, ISBN 0670859508

SINCE the Second World War, international communications have been hoovered up from undersea cables and microwave links, and increasingly from computer networks and mobile phones. Sorted and sanitised, they become the intelligence reports intended for the eyes only of government ministers. In Britain, the agency that performs this work is Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire.

It was here in 1969 that the mercurial scientist James Ellis invented "public key" cryptography, a revolutionary code that allows secret communication without sharing a secret key. As a direct consequence, Britain acquired a new law last year that compels the surrender of computer passwords, even by people not suspected of any crime. It means two years in jail if you refuse, and another five if you breach a secrecy order and complain publicly.

The story of what's brought us to this extraordinary state of affairs is told in Crypto. Written from an American viewpoint, it relegates GCHQ to an appendix and begins instead with the independent rediscovery of public key cryptography in 1975 by Whitfield Diffie, a Stanford computer scientist. Ever since, Diffie has championed the public's right to use it to protect individual privacy.

How is it possible to devise a code that does not require the sender's choice of key to be shared with the receiver of the message? The answer, realised by both Ellis and Diffie, is for the receiver to construct a kind of puzzle that the sender uses to scramble messages in a way that cannot be reversed unless you know the trick of the puzzle. GCHQ worked out the details (which involve enormous prime numbers) a few years before Diffie and others in the US. But it was the Americans who were granted patents on the underlying mathematics.

These algorithms are now fundamental to Internet security and e-commerce. Before you enter a credit-card number on the Web, there should be a padlock in the corner of your browser to tell you that all transactions to the website are now scrambled. In that case, all the computers of the US National Security Agency (NSA) will not be able put the pieces back together again.

Whitehall's confederacy of dunces simply did not know what to do with this invention. Not only did it let the American patents go unchallenged, it also kept the achievements of the GCHQ scientists an official secret until 1998. The US successfully prevented the proliferation of these techniques for more than a decade, using export controls, until a computer program called Pretty Good Privacy (PGP) found its way onto the Internet in 1991. Its author, Phil Zimmerman, was arrested for "munitions smuggling", and prolonged Kafkaesque investigations made him an Internet folk hero. Ironically, he was motivated by worries about computer networks becoming embedded in society, and the totalitarian consequences if these were systematically exploited for surveillance.

Last year, Britain belatedly abandoned an Orwellian scheme for "key escrow" , which would have meant the prior deposit of everyone's keys with government. But now it has the Regulation of Investigatory Powers (RIP) Act 2000. Any public authority can demand keys, and can even keep this a secret by using a gagging order "to protect investigative methods". The only redress will be through a complaints tribunal that can hear secret evidence which cannot be cross-examined. These powers are due to be activated in October 2001, when the next general election should be safely out of the way.

The RIP Act can also require Internet service providers to install "black boxes" that relay Internet wiretaps direct to the MI5 building, home of the British security service. The Home Secretary says these powers are necessary for catching drug dealers and paedophiles. But this will leave every Internet user with fewer civil rights and safeguards than are now enjoyed by terrorist suspects or asylum seekers (and for this Home Secretary that is saying something). Even more staggeringly, a leaked submission from the police and intelligence agencies to the Home Office recently revealed that they aspire to a seven-year computerised archive logging all phone calls, e-mails and web browsing. When online, this amounts to surveillance of your stream of consciousness without a warrant.

Crypto is a well-researched book. Its one flaw is its exclusively American perspective, which means that it overlooks the most repressive Internet legislation anywhere in the world: the RIP Act 2000.

Caspar Bowden is director of the Foundation for Information Policy Research