Politech mailing list archives

FC: Hong Kong proposes mandatory disclosure of encryption keys


From: Declan McCullagh <declan () well com>
Date: Thu, 22 Mar 2001 11:42:50 -0500


************

From: "Caspar Bowden" <cb () fipr org>
To: "'Declan McCullagh'" <declan () well com>
Subject: RIPlist Bulletin 21/3/01: Hong Kong proposes decryption powers similar to RIP
Date: Wed, 21 Mar 2001 05:46:23 -0000

   ===================================================
   Hong Kong proposes decryption powers similar to RIP
          http://www.fipr.org/rip#HongKong
   ===================================================

Hong Kong proposed decryption powers similar to RIP on 1st December. There
is streaming video (GAK starts 7m 30s) of the government Press Conference
that is well worth a listen.

I cannot find reports of this until
Register 19/03/01: Hong Kong ISPs slam encryption demands
(from South China Morning Post 19/3/01 : Stream of protest at proposed
e-crime policies - anyone have this?)

There was a public consultation through December and January
(responses or summary published?).

In some respects the proposed law is harsher than RIP...."penalties [for
non-disclosure] should in principle be commensurate with those for the
specific offence under investigation", but on the other hand disclosure
could only be required in connection with a serious crime - at least 2 years
sentence - (RIP can require decryption in relation to any crime).

There is no reference to the burden-of-proof issue, the only mention is of
(5.27) "the failure, without reasonable excuse, to comply with an order to
allow access to encrypted information".

There does not appear to be any secrecy obligation provision ("tipping-off").

Excerpts below and relevant links at http://www.fipr.org/rip#HongKong

- would appreciate others to hongkong () fipr org

--
Caspar Bowden               Tel: +44(0)20 7354 2333
Director, Foundation for Information Policy Research
RIP Information Centre at:          www.fipr.org/rip


5.22 The Working Group recommends..."production orders" .. be adopted...to
allow access to encoded computer information relevant to an investigation.
The access may be provided in the form of the plain or decrypted text or the
necessary passwords, encryption codes, decryption codes, software, hardware
and any other means to enable comprehension of the computer information in
question.

...5.25 To cater for the above considerations, we recommend that an extra
safeguard be built in by limiting the disclosure power to offences of a more
serious nature. Only offences attracting a maximum penalty on conviction of
not less than, say, 2 years' imprisonment should be subject to this
disclosure requirement.

5.27 ...A mere fine would not be a sufficient deterrent, as it could be
treated just as an operating cost. We recommend that the penalties should in
principle be commensurate with those for the specific offence under
investigation.

14/3/01 Law Society Submission

In deciding whether such investigatory powers should be given to the law
enforcement agencies and the scope and manner of exercising such power, the
Committee has the following concerns: (a) implications of the proposed
legislation on the development of e-commerce; (b) potential infringements of
privacy; (c) implications for the disclosure of encrypted information, which
may include legally privileged information; (d) the right of individuals
against self-incrimination, (e) the need for disclosure of keys when access
to plain text would be sufficient; and (f) the need for the empowered
agencies to be fully accountable to democratic institutions and subject to
public scrutiny. It should be noted also that cryptography is usually used
to thwart criminals rather than to help them and care should be exercised
before breaking security.

The Committee recommends that the following safeguards be embodied in the
proposed legislation regarding access to encryption keys: (a) there should
be disclosure only where obtaining the key is really necessary; (b)
disclosure should be "proportionate" to what might be achieved; (c) there
should be provisions for the protection of the relationship between
solicitors and clients; (d) there should be provision for the destruction of
the encrypted information once it is obtained; and (e) there should be a
right to sue law enforcement agencies if any material is leaked as a result
of the negligence of the law enforcement agencies.


RIPlist Bulletin 21/3/01: www.fipr.org/rip
==========================================
email riplist () fipr org to be added to our mailing list
for press releases and news bulletins relating to RIP




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

