Interesting People mailing list archives
IP: UK Decryption powers raise human rights concerns
From: Dave Farber <farber () cis upenn edu>
Date: Sun, 01 Aug 1999 20:04:50 -0400
From: "Caspar Bowden" <cb () fipr org>
To: "Dave Farber (E-mail)" <farber () cis upenn edu>

http://www.sunday-times.co.uk/news/pages/sti/99/08/01/stiinnnws01005.html?99 9

E-commerce - Is the government doing enough for e-commerce?

No, writes Caspar Bowden. Plans for a tough encryption law are raising human rights concerns

THE government's electronic communications bill is the latest step in the long-running row over control of cryptography. It will give ministers broad powers to control the use of encryption in electronic commerce and has met with a mixed reception from industry.

David Svendsen, managing director of Microsoft, welcomed the bill as a "golden opportunity" for Britain to become an e-commerce hub in Europe. But Richard Sullivan of the Computer Software and Services Association (CSSA) said closer co-operation with industry would be preferable to "introducing strict penalties and a raft of secondary legislation provisions".

The bill was announced in the Queen's Speech last November, but was delayed as it became clear industry would not wear regulation designed to foist "key escrow" on users - the holding of spare keys by third parties in case needed by the police.

The government expected the opposition to agree to the bill's introduction this session of parliament. Instead, the Tories described it as a "dog's breakfast" and blocked it.

Vestiges of the "trusted third party" idea remain, a statutory but voluntary scheme for licensing bodies that provide encryption services. The Department of Trade and Industry (DTI) says there may be no need to invoke the law and is working with industry on self-regulation, but is keeping its options open. If the climate in America changes, the key escrow powers with minimal parliamentary scrutiny are still there.

New law-enforcement powers to demand unscrambling of intercepted e-mails and coded data could wreck business and consumer confidence.
The authorities would be able to demand decryption keys from anyone; those withholding keys would be presumed guilty unless they could show otherwise.

The Home Office argues that being asked to provide a decryption key is just like requiring a DNA sample - but even a person not suspected of any crime who has lost or forgotten their key would have to convince the court or go to jail for two years.

Decryption notices could be served on associates, legitimate third parties and legal advisers, with an obligation not to change keys if this would tip off the suspect. The most chilling provision is that notices can contain a total obligation of secrecy - this would prevent anyone complaining publicly, with a penalty of five years imprisonment.

The Home Office fear is that if catch-22 safeguards unravel they face a policy meltdown. Ingeniously crafted for minimal compliance with a 1984 Commission on Human Rights ruling, the 1985 Interception of Communications Act (Ioca) created a tribunal that can only uphold a complaint if it is "manifestly unreasonable" to issue a warrant. Otherwise the tribunal does not tell complainants whether or not they were intercepted, on the ground that interception is most effective when it receives least publicity. For the same reason interception can only be used for intelligence, not evidence in court.

In the bill, a complainant's only recourse is to a secretive Ioca-style tribunal, which can hold proceedings in their absence. The tribunal need not disclose reasons for decisions, and operates special rules on burden of proof and admissibility of evidence. Authorities with access to keys only need maintain such safeguards "as considered necessary", and even flagrant breaches of the code of practice would not "of itself" be a criminal offence.
These issues are being dealt with in a DTI bill instead of the Ioca review because the Home Office's position is that decryption is about maintaining the effectiveness of existing legislation, but the Ioca review is about eavesdropping methods for internet service providers.

Scientific reality does not conform to this legal framework. An encrypted message can actually be camouflaged by steganography - hiding it in digitised sound or pictures. Decryption notices would apply not just to data that can already be seized or intercepted under warrant, but also to published or public domain material. In this case, nobody knows whether there is a safe, let alone a key.

The Foundation for Information Policy Research believes that criminals should not be able to hide behind encryption, but these proposals infringe rights to privacy and a fair trial. To prevent injustice and legal absurdities, a judge should issue a decryption notice only when there is reliable evidence that the data contains a hidden or encrypted message, the person on whom the notice is served possesses a key and the data pertains to a serious crime. To help the prosecution prove its case, Ioca may need to be changed to provide courts with circumstantial evidence from intercepts.

The bill has been published for consultation and comments are due by October 8. Home Office ministers have so far not faced questions from the public or parliament, but as minister in charge of the bill, Stephen Byers has made a declaration of compliance with the European Convention of Human Rights. He may wish to examine decryption powers again before putting his name to the final bill this autumn.

Caspar Bowden is director of the Foundation for Information Policy Research (http://www.fipr.org)