IP: UK Decryption powers raise human rights concerns

[Dave Farber <farber () cis upenn edu>]

> From: "Caspar Bowden" <cb () fipr org>
> To: "Dave Farber (E-mail)" <farber () cis upenn edu>
>
> http://www.sunday-times.co.uk/news/pages/sti/99/08/01/stiinnnws01005.html?99
> 9
> E-commerce - Is the government doing enough for e-commerce?
> No, writes Caspar Bowden. Plans for a tough encryption law are raising human
> rights concerns
>
> THE government's electronic communications bill is the latest step in the
> long-running row over control of cryptography. It will give ministers broad
> powers to control the use of encryption in electronic commerce and has met
> with a mixed reception from industry.
>
> David Svendsen, managing director of Microsoft, welcomed the bill as a
> "golden opportunity" for Britain to become an e-commerce hub in Europe. But
> Richard Sullivan of the Computer Software and Services Association (CSSA)
> said closer co-operation with industry would be preferable to "introducing
> strict penalties and a raft of secondary legislation provisions".
>
> The bill was announced in the Queen's Speech last November, but was delayed
> as it became clear industry would not wear regulation designed to foist "key
> escrow" on users - the holding of spare keys by third parties in case needed
> by the police.
>
> The government expected the opposition to agree to the bill's introduction
> this session of parliament. Instead, the Tories described it as a "dog's
> breakfast" and blocked it.
>
> Vestiges of the "trusted third party" idea remain, a statutory but voluntary
> scheme for licensing bodies that provide encryption services. The Department
> of Trade and Industry (DTI) says there may be no need to invoke the law and
> is working with industry on self-regulation, but is keeping its options
> open. If the climate in America changes, the key escrow powers with minimal
> parliamentary scrutiny are still there.
>
> New law-enforcement powers to demand unscrambling of intercepted e-mails and
> coded data could wreck business and consumer confidence. The authorities
> would be able to demand decryption keys from anyone; those withholding keys
> would be presumed guilty unless they could show otherwise.
>
> The Home Office argues that being asked to provide a decryption key is just
> like requiring a DNA sample - but even a person not suspected of any crime
> who has lost or forgotten their key would have to convince the court or go
> to jail for two years.
>
> Decryption notices could be served on associates, legitimate third parties
> and legal advisers, with an obligation not to change keys if this would tip
> off the suspect. The most chilling provision is that notices can contain a
> total obligation of secrecy - this would prevent anyone complaining
> publicly, with a penalty of five years imprisonment.
>
> The Home Office fear is that if catch-22 safeguards unravel they face a
> policy meltdown.
>
> Ingeniously crafted for minimal compliance with a 1984 Commission on Human
> Rights ruling, the 1985 Interception of Communications Act (Ioca) created a
> tribunal that can only uphold a complaint if it is "manifestly unreasonable"
> to issue a warrant. Otherwise the tribunal does not tell complainants
> whether or not they were intercepted, on the ground that interception is
> most effective when it receives least publicity. For the same reason
> interception can only be used for intelligence, not evidence in court.
>
> In the bill, a complainant's only recourse is to a secretive Ioca-style
> tribunal, which can hold proceedings in their absence. The tribunal need not
> disclose reasons for decisions, and operates special rules on burden of
> proof and admissibility of evidence. Authorities with access to keys only
> need maintain such safeguards "as considered necessary", and even flagrant
> breaches of the code of practice would not "of itself" be a criminal
> offence.
>
> These issues are being dealt with in a DTI bill instead of the Ioca review
> because the Home Office's position is that decryption is about maintaining
> the effectiveness of existing legislation, but the Ioca review is about
> eavesdropping methods for internet service providers.
>
> Scientific reality does not conform to this legal framework. An encrypted
> message can actually be camouflaged by steganography - hiding it in
> digitised sound or pictures.
>
> Decryption notices would apply not just to data that can already be seized
> or intercepted under warrant, but also to published or public domain
> material. In this case, nobody knows whether there is a safe, let alone a
> key.
>
> The Foundation for Information Policy Research believes that criminals
> should not be able to hide behind encryption, but these proposals infringe
> rights to privacy and a fair trial.
>
> To prevent injustice and legal absurdities, a judge should issue a
> decryption notice only when there is reliable evidence that the data
> contains a hidden or encrypted message, the person on whom the notice is
> served possesses a key and the data pertains to a serious crime.
>
> To help the prosecution prove its case, Ioca may need to be changed to
> provide courts with circumstantial evidence from intercepts.
>
> The bill has been published for consultation and comments are due by October
> 8. Home Office ministers have so far not faced questions from the public or
> parliament, but as minister in charge of the bill, Stephen Byers has made a
> declaration of compliance with the European Convention of Human Rights.
>
> He may wish to examine decryption powers again before putting his name to
> the final bill this autumn.
>
> Caspar Bowden is director of the Foundation for Information Policy Research
> (http://www.fipr.org)