30 April 1998
Source: http://online.guardian.co.uk/one.html
Thanks to YA, DC and TGO

The Guardian Online, April 30, 1998
This week, the Government rushed out its long-awaited guidelines for privacy online. Duncan Campbell reports

Coded message

Two new laws will regulate how cryptography is used to secure electronic information online, trade minister Barbara Roche told Parliament on Monday.

The first law, to be drafted by the Department of Trade and Industry, will not compel users to hand over copies of the software keys used to encrypt electronic data. But the second one, from the Home Office, will enable intelligence and law enforcement agencies to obtain a warrant for access to information necessary to decrypt the contents of communications or stored data. Failure to comply would be a criminal offence.

The Government says that providers and users of encryption products will have to hand over secret codes “only when appropriate authority has been obtained — for example, a judicial warrant”.

But plans to allow search warrants to be extended to the total contents of everyone’s computer files and e-mail, however private, have raised worries.

“This would be a monumental advance on government rights to invade privacy,” said leading civil rights lawyer Geoffrey Robertson QC. “It’s like invading the mind.” A “judicial warrant,” he added, “can come from a lay justice or a circuit judge whom the police select. It’s a classic case of Neanderthal thinking — no safeguard at all.”

Legal experts predict technical difficulties ahead for the new laws’ drafters. If the only suspected evidence of a crime is the unknown contents of encrypted computer files, then forcing a user to unlock them by handing over their codes would, controversially, remove the right to silence. The laws also face the same criticism as the “key escrow” plan they replace — that terrorists and organised criminals will be able to evade them. They will be useless against some telephone systems already in use.

US inventor Phil Zimmermann, in London this week to receive a major industry award (see opposite), said that although the planned new powers would allow intelligence agencies to read e-mail sent with his PGP (Pretty Good Privacy) system if users were legally compelled to produce their private key, this would not work for other products. In particular, the telephone version of his system, PGP Phone, which allows Net users to hold securely scrambled telephone conversations online, could never be unscrambled retrospectively. This is because the system uses “evanescent keys” that are randomly generated and are never stored. “These kind of systems will be used widely,” he said. In any case, Zimmermann added, “I would make systems which would be resistant to it [the new law]”.

With the European presidency under its belt, the government is also under increasing pressure to relax export controls within the EU. According to Cambridge University security specialist Ross Anderson, the restrictions have meant that gas meters made by a Birmingham company and using an American encryption system to validate prepayments cannot yet legally be exported to member states.

In Britain and the US, export controls have often been used to prevent code systems being exported unless the electronic intelligence agencies, GCHQ and NSA, were able to read the codes. Over the past year, the FBI and the US government have been locked in a losing battle with software providers to prevent “strong” encryption systems being exported.

Companies such as Microsoft, Lotus and Netscape have complied by distributing deliberately weakened versions of their built-in cryptographic security systems to non-US customers. But others have driven a coach and horses through the policy by using the US First Amendment, which prohibits restrictions on free speech. The latest two editions of PGP, the world’s leading cryptographic protection system, were recently legally exported from the US in the form of huge textbooks of code. These were then scanned and recompiled in electronic form by a team of researchers across Europe.

This week’s announcement was delayed for three months while the policy was reconsidered inside the Prime Minister’s policy unit. New Labour had previously considered adopting plans announced by the Conservative government shortly before the election. Under its proposals for “Licensing of Trusted Third Parties for the Provision of Encryption Services”, unveiled in March 1997, the last government had planned for privacy keys to be held compulsorily in central databanks, where police or intelligence agencies could electronically retrieve them if they wanted to read particular communications. This “key escrow” system was quickly condemned as complex, costly, dangerous and unworkable. Last October, the European Commission said that such central key recovery systems created enormous security dangers and significant costs for legitimate users, while providing no useful benefit in dealing with terrorism or major crime.

Instead, the DTI’s new law will set up a licensing system for so-called “Certification Authorities” (CAs). Although licensing is not compulsory, licensed CAs are offered the substantial carrot that their “digital signatures” certificates will be legally recognised.

The Government’s plan is “to offer certificates to support electronic signatures reliable enough to be recognised as equivalent to written signatures”.

The most important use of digital signatures is to verify the identity of a customer who places an order for goods or services to be delivered, often electronically. By early next century, this trade is expected to be worth £5 billion a year in Europe.

Countering criticism that law enforcement demands for key recovery systems had been mixed in with digital signature services for e-commerce, Roche claimed on Monday that “there is now a clear policy differentiation between digital signatures and encryption”. While her announcement tried to say as little as possible about key recovery (and as much as possible about e-commerce), it was not clear that the two systems were being kept separate.

Roche also said that “licensed service providers that provide encryption services will . . . be required to make recovery of keys (or other information protecting the secrecy of the information) possible through suitable storage arrangements.”

Government critics say that this is a betrayal of pre-election undertakings that New Labour would not accept the US requirement “to be able to swoop down on any encrypted message at will and unscramble it”. As Zimmermann put it, after reviewing the government statement: “In principle it’s voluntary; but, de facto, it’s compulsory. This is exactly what so many of us in the US have worked very hard to stop.”

Suspicious insiders also point to recent lobbying by IBM, the only major computer services supplier to have wholeheartedly backed the original “key escrow” plan. IBM, promoter of a code system called Secureway, is proposing a new UK “Trust Services Association” based on it. The system contains a built-in backdoor allowing law enforcement agencies to break the security codes.

Critics such as Robertson remain unconvinced of the need for new laws. “Do they really think that major criminals go home and log their crimes on the Internet in a computer diary?”

[Duncan Campbell is a freelance writer and broadcaster, and is not the Guardian correspondent of the same name]

Copyright © The Guardian