Kevin Townsend [k.townsend@itsecurity.com]
Security Column - IMIS Journal April

As I write this column, the Regulation of Investigatory Powers (RIP) bill has reached the Committee stage in Parliament - in the Mother of Parliaments, in the fount of democracy in the Modern Age. What tragic irony.

Now you may think that a bill ostensibly regulating (ie, limiting) the power of the Authorities to eavesdrop on our telecommunications would be a Good Thing, and not a matter for a security column. But it is a Bad Thing and very much concerned with computer security.

The problem is the lengths to which the Government will go to obtain our private decryption keys. This is because we may be terrorists, or child pornographers, or drug smugglers, or all three. In order to catch the triple bogeymen that trip from the tongues of the RIP advocates, the Authorities must be able to obtain the means to decrypt our encrypted files. That means that the Authorities must be able to demand our decryption keys. But since I am such a well organised criminal I would simply deny ever having the key. That would clearly lead to a miscarriage of justice, so the bill makes it difficult for me to evade justice (notice that I haven't been proved guilty of anything yet), and easy for the Authorities to insist that I comply.

Well, perhaps a security column is not the right place to dissect the legalese itself, but consider the following two comments:

In an open comment on the Internet, Charles Clarke M.P., Minister of State, Home Office, stated, "The decryption proposals are not draconian…"

A respected solicitor responded in an open reply: "Not draconian?
How else would you characterise a scenario where a person (not under investigation himself) under pain of imprisonment can be forced not only to decrypt any specific information, but any information he may hold on his HDD, may by the same authority be barred from telling anyone of his predicament (again under pain of imprisonment) and can also be impersonated for an indefinite period and have all his subsequent correspondence read, and all this never has to go before a Judge and the notice allowing this need not be in writing or in a prescribed form or even served on the receiving party in a prescribed manner?"

By now you will at least understand why there is some concern here. So it is worth noting the conclusions reached by other parties as far as law and order and data encryption are concerned.

Before they came to power, New Labour had the following in its Manifesto: "We do not accept the 'clipper chip' argument developed in the United States for the authorities to be able to swoop down on any encrypted message at will and unscramble it… Attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long-term economic value of the information networks… It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers…"

What went wrong, Tony?

In the United States the new millennium has been characterised by a reduction in the US crypto export restrictions, while a new 'Report of the President's Working Group on Unlawful Conduct on the Internet, March 2000' suggests that no radically new laws are necessary. "To the extent these existing laws adequately address unlawful conduct in the offline world, they should, for the most part, adequately cover unlawful conduct on the Internet."

US attention seems to be shifting towards attacking anonymity.
Challenges now "include the need for real-time tracing of Internet communications across traditional jurisdictional boundaries, both domestically and internationally; the need to track down sophisticated users who commit unlawful acts on the Internet while hiding their identities." Seizure of decryption keys seems to be on a backburner.

Ireland, however, has a clear and refreshing attitude. The government's 'Basic principles of policy on electronic signatures and cryptography' include:

· E-Commerce users shall have the right to access strong and secure encryption to ensure the confidentiality, security and reliability of stored data and electronic communications.
· Users shall have the right to choose any cryptographic method.

France has also recently relaxed its crypto regulations - and Germany is recognised as having a liberal attitude. The UK alone seems to be swimming against the tide.

I have three problems with the Government's approach. The first is personal. The draconian nature of this legislation is difficult to justify - it amounts to a continuous and consistent degradation of our personal freedoms. With this bill even our ISPs may be forced to undertake secret surveillance of our communications. If they do, both the ISP and its employees must remain silent forever. The Government has been challenged time and again to produce the statistics to confirm the threat to law and order posed by criminals' use of cryptography and the Internet - and has consistently failed or refused to do so.

The second problem is economic. The Government continually claims that its intention is to make the UK the world's centre for e-commerce. But consider the reality. Without trustworthy encryption we cannot have confidentiality. Without confidentiality we cannot have e-commerce. It will go elsewhere - probably to Germany. This is certain.
Would you invest in a country where your employees could be forced to hand over your decryption keys to the Authorities, and would be prevented, on pain of imprisonment, from even telling you that it had happened? Commercial suicide comes to mind.

And the third is straightforward computer security. Encryption is ultimately the basis of most of our computer security. Compromise the trust in that security and you compromise the very heart of our trust in our systems.

So what can be done? I would suggest that everybody read the RIP bill; and then tell our Members of Parliament what we think about it. They are our representatives.