Politech mailing list archives

Previous By Date Next
Previous By Thread Next

FC: UK think tank criticizes government crypto-key safeguards

From: Declan McCullagh <declan () well com>
Date: Tue, 29 Feb 2000 08:10:08 -0500


From: "Caspar Bowden" <cb () fipr org>
Subject: FIPR News Release: RIP BILL LEAVES SEIZED KEYS VULNERABLE
Date: Mon, 28 Feb 2000 16:34:10 -0000

IF YOU ARE WAITING FOR FIPR's FULL R.I.P. ANALYSIS
+ DRAFT AMENDMENTS - PLEASE BE PATIENT, IT'S IN THE WORKS

NEWS RELEASE               Contact:     Caspar Bowden
Mon 28th Feb 2000                   director of FIPR
FOR IMMEDIATE USE                               +44 (0)171 354 2333
                                                cb () fipr org

RIP BILL LEAVES SEIZED KEYS VULNERABLE
======================================
The Government has not considered the problems and costs of handling
decryption keys when it takes new powers to seize them, says a nine-page
report (http://www.fipr.org/rip/RIPGAKBG.pdf) released today by the
influential Internet policy think-tank the Foundation for Information Policy
Research (FIPR). If the keys were disclosed, or even stolen from the
authorities that had seized them, then this could result in extreme risks to
physical safety and financial security. The new powers are in the
controversial Regulation of Investigatory Powers (RIP) Bill that receives
its second reading in the Commons on March 6th.

The report analyses the Government's proposals for safeguarding seized keys,
finding that they take no account of the technical security measures used by
government to protect their own keys, and make no provision whatsoever for
keys seized under RIP to enjoy comparable levels of protection. Hundreds of
public authorities are able to demand keys (set out over five pages in
Schedule.1), but none are required to take concrete security precautions on
behalf of those who are forced to reveal their keys - whether suspect or
innocent parties in an investigation.

The report concludes that the necessary protection measures will be very
costly to implement and are hence likely to place a very high burden on UK
taxpayers if the interests of the owners of seized keys are to be fully
respected.  It concludes that there is a danger that the costs of such
measures will not be met and in consequence those who have their keys seized
will sometimes face extreme risks to their safety and security.

Caspar Bowden, director of FIPR, said "either the Home Office has completely
overlooked the issue of technical security for keys seized by a multitude of
public authorities, or Parliament is being hopelessly misled about the costs
of implementation. When mandatory escrow was proposed three years ago, the
DTI judged then that a 'central repository' would be needed to receive and
guard keys" (para.71 - 'Licensing of TTPs for the Provision of Encryption
Services', DTI 1997.)

Nicholas Bohm, a solicitor and member of the Law Society's Electronic
Commerce Working Party, commented "the government evidently thinks that it
will be satisfactory for anyone with a seized key, from a policeman to a
trading standards officer, to lock a floppy disk away in the top drawer of
their desk".

Dr Brian Gladman, the report's author, commented, "the government knows the
importance of protecting keys and yet it has chosen to keep Parliament in
the dark; it is hard not to conclude that this is a desperate attempt to
prevent an unworkable policy from collapsing under the weight of its own
incompetence."

Notes for editors
-----------------
1.      Clause 51 of the Bill, which is intended to provide key custody
safeguards, contains no provision requiring adequate technical security
precautions, and the Regulatory Impact Assessment  provided by the Home
Office (http://www.homeoffice.gov.uk/oicd/riapt3.htm) merely states that
"providing actual figures on compliance costs is difficult at this stage".

2.      The reports author is FIPR Advisory Council member Brian Gladman, an
internationally recognised leader in the field of information security who
has more than 25 years of experience in the UK Ministry of Defence and NATO
in the technologies and techniques required to build computer systems in
which safety and security are critical requirements.

3.      FIPR is an independent non-profit organisation that studies the
interaction between information technology and society, with special
reference to the Internet; we do not (directly or indirectly) represent the

interests of any trade-group. Our goal is to identify technical developments
with significant social impact, commission research into public policy
alternatives, and promote public understanding and dialogue between
technologists and policy-makers in the UK and Europe. The Board of Trustees
and Advisory Council (http://www.fipr.org/trac.html) comprise some of the
leading experts in the UK.


--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: