Today Britain became the only country in the world to publish a law which could imprison users of encryption technology for forgetting or losing their keys. The Home Office's Regulation Of Investigatory Powers (RIP) bill has been introduced in Parliament: it regulates the use of informers, requires Internet Service Providers to maintain "reasonable interception capabilities", and contains powers to compel decryption under complex interlocking schemes of authorisation.
Caspar Bowden, director of Internet policy think-tank FIPR said, "this law could make a criminal out of anyone who uses encryption to protect their privacy on the Internet."
"The DTI jettisoned decryption powers from its e-Communications Bill last year because it did not believe that a law which presumes someone guilty unless they can prove themselves innocent was compatible with the Human Rights Act. The corpse of a law laid to rest by Stephen Byers has been stitched back up and jolted into life by Jack Straw."
The Home Office have made limited changes that amount to window-dressing, but the essential human rights issue remains:
(Clause 46): authorities must have "reasonable grounds to believe" the key is in possession of a person (previously it had to "appear" to authorities that person had a key). This replaces an subjective test with one requiring objective evidence, but leaves unaffected the presumption of guilt if reasonable grounds exist.
(Clause 49): to prove non-compliance with notice to decrypt, the prosecution must prove person "has or has had" possession of the key. This satisfies the objection to the case where a person may never have had possession of the key ("encrypted e-mail out of the blue"), but leaves unchanged the essential reverse-burden-of-proof for someone who has forgotten or irreplaceably lost a key. It is logically impossible for the defence to show this reliably.
As part of the consultation on the draft proposals last year FIPR and JUSTICE jointly obtained a Legal Opinion from leading human rights experts which found that requiring the defence to prove that they do not possess a key was a likely breach of the European Convention of Human Rights.
Mr.Bowden commented, "following the recent liberalisation of US export laws, as tens of thousands of ordinary computer users start to use encryption, a test-case looks inevitable after the Human Rights Act comes into force in October."
Bowden said: "after trying and failing to push through mandatory key-escrow, then voluntary key-escrow, it now looks like the government is resorting to key-escrow through intimidation."
February 10, 2000
+44 (0)171 354 2333
FIPR is an independent non-profit organisation that studies the interaction between information technology and society, with special reference to the Internet; we do not (directly or indirectly) represent the interests of any trade-group. Our goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe. The Board of Trustees and Advisory Council comprise some of the leading experts in the UK.
Go to FIPR front page.
Go to FIPR RIP Information Centre.
The Foundation for Information Policy Research is registered in England and Wales under the Companies Act 1985 as a private company limited by guarantee (No.3574631). Application for charitable status is in progress
Released February 10, 2000.