Interesting People mailing list archives

IP: Cave-in on a key measure


From: Dave Farber <farber () cis upenn edu>
Date: Fri, 12 Mar 1999 10:14:11 -0500



X-Sender: nbr () popin newcastle ac uk
Date: Fri, 12 Mar 1999 14:40:59 +0000
To: farber () cis upenn edu
From: Brian Randell <Brian.Randell () newcastle ac uk>
Subject: Cave-in on a key measure

Dave:

This article, sent to you in its entirety with the author's permission, is
from this week's issue of the Guardian computer supplement "Online". The
author, Duncan Campbell <duncan () gn apc org>, you may know of as the
investigative journalist who did much to expose the ECHELON system.

It is also available on the Web - there is a link to it at
http://www.newsunlimited.co.uk/The_Paper/Online/

Cheers

Brian

======

Computing and the Net

Cave-in on a key measure

The Government's abrupt turnaround last week on electronic security for the
Net may be the "last nail in the coffin" in a 20-year battle by
intelligence agencies to prevent private and commercial access to strong
cryptography, according to US privacy campaigners.

Guardian On-line : Thursday March 11, 1999



In what appeared to be almost a panic last-minute decision, last Thursday
the Government invited more than a dozen IT industry executives to a
private Downing Street breakfast briefing with Tony Blair and a Cabinet
team. The Prime Minister told them that a paper on government plans for
electronic commerce - first promised more than two years ago but held up by
a long internal Whitehall battle between intelligence agencies and economic
interests - would be published the next day. Legislation will follow within
the current session of Parliament.

Mr Blair revealed that the Government had decided to drop plans to require
British companies that provide electronic signature services to provide
"key escrow" or "key recovery" systems which would allow the police or
security services covertly to read private files and e-mail.

But he asked the industry executives to offer the Government alternative
ways of supporting police and security agencies in countering what he, Home
Secretary Jack Straw and Cabinet Secretary Richard Wilson all portrayed as
a serious and developing threat from encryption. He invited them to join a
task force which, in three weeks, is supposed to provide the answers. These
and other comments on the Department of Trade and Industry paper
(www.dti.gov.uk/cii/elec/elec_com.html) have to be submitted by April 1.

The time which it has taken British governments of both parties to produce
electronic commerce legislation is a testament to the entrenched power of
the American electronic eavesdropping agency NSA, which 50 years ago joined
Britain, Canada, Australia and New Zealand in a secret treaty to monitor
the world's civil and military communications by means of Sigint (signals
intelligence). Since the late 1970s, NSA and its British partner agency
GCHQ have battled to suppress public, commercial and academic knowledge of
cryptography. In Britain and the United States, academics and companies
were threatened, research grants were withdrawn, and academic papers were
banned as "munitions exports". In 1993, the inventor of the famous PGP
encryption system, Philip Zimmermann, was arrested by the FBI and for more
than two years faced trial and possible imprisonment.

When commercial encryption seemed unstoppable, in 1993 the Clinton
administration proposed that anyone using encryption should fit an
NSA-designed microchip, codenamed Clipper, inside their phones or computers.
Copies of the keys to decoding any information sent would be held by US
government agencies.

When the Clipper chip plan collapsed, the US government proposed first that
alternative key "escrow systems" should be introduced - meaning that
government agencies would still hold copies of everyone's secret keys. In a
final attempt to win the world over, this plan was later renamed "key
recovery" - meaning that non-government "trusted third parties" could hold
the keys instead. "The British decision effectively not to adopt this plan
is the last nail in the coffin" according to David Banisar of the
Electronic Privacy Information Center in Washington. For more than eight
years, he and others have battled successive US government plans to keep
personal communications visible to the Sigint agencies.

"If the British Government does go this way then key escrow really is
dead," he said this week. Britain was first promised an early start in
electronic commerce by the Conservative government in June 1996, as part of
its Information Society initiative. Six months later, according to US
diplomatic dispatches obtained by EPIC under the Freedom of Information
Act, the US government appointed a special ambassador for cryptography,
David Aaron, and sent him to lobby US allies to support its scheme.

The released documents show that Aaron visited Britain on at least three
occasions in late 1996 and early 1997, meeting with officials from the
Cabinet Office, the trade department and GCHQ. He told them: "Our goal is a
world in which key recovery encryption systems are the dominant form of
technology in the commercial market."

Aaron's dispatches show that, despite claims by the US government that key
recovery systems were designed to assist law enforcement, meetings were
attended only by staff from the Sigint monitoring agencies. When he arrived
in London he was accompanied by the Deputy Director of NSA, Dr James J
Hearn, who was then the NSA senior liaison official to GCHQ. Police and
Home Office representatives did not attend. When Aaron reported the results
of his meetings in London, he sent them to the NSA - not the FBI, the US
law enforcement agency.

His lobbying was effective. In March 1997, Ian Taylor, then Science and
Technology Minister, announced that Britain was going with the US and that
it would be compulsory for anyone providing cryptography services to give
keys to a government-run "central repository". New Labour was elected on a
firm pledge to abandon the scheme - but then faced renewed lobbying by
intelligence agencies and the US.

But the delays drew the Government into a crisis. During 1998, country
after country legislated for electronic commerce but not for key recovery.
Even countries often inimical to privacy rights - like Singapore, Taiwan
and France - have abandoned the US cause.

Pressure on the Government to make up its mind increased in January, when
the Commons Select Committee on Trade and Industry began hearings on
e-commerce. The committee has heard increasingly harsh criticisms of key
recovery proposals from major IT figures. Starting next Wednesday, Trade
Minister Michael Wills will be questioned in detail by the committee about
future policy. A week ago, Ian Taylor, who first proposed key recovery,
also recanted the US-backed policy. "I'm beginning to think I was wrong,"
he told Computing magazine. By the start of last week, new Labour had no
choice but to make a clear decision, one way or the other.

But in a last-minute dither that is likely to please nobody and is being
seen as cynical, Blair has asked the IT industry to sort out the problems
police face by April 1. "He wants us to respond in three weeks when they've
spent three years talking uselessly about key escrow," complained Tim
Pearson, chairman of the UK Internet Service Providers' association.

Pearson criticised the government for having failed to provide the police
with a national centre of expertise for IT-related crime and criminal
activity. ACPO, the Association of Chief Police Officers, says that a plan
for a national centre is now being prepared. But the organisation fears
that, despite the Prime Minister's exhortations last week, the government
may not be prepared to make extra funds available to the police. "If as a
nation we can't afford the several millions of pounds per year to properly
fund such a unit, why burden UK plc with many tens or hundreds of millions
of pounds to maintain a key escrow system?" he asked.

Duncan Campbell is a freelance journalist, and not the Guardian's crime
correspondent of the same name



Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell () newcastle ac uk   PHONE = +44 191 222 7923
FAX = +44 191 222 8232  URL = http://www.cs.ncl.ac.uk/~brian.randell/

