22 September 1997: Link to related exchange
19 September 1997
Source: Mail list ukcrypto@maillist.ox.ac.uk
To: ukcrypto@maillist.ox.ac.uk
Subject: Latest words from DTI
Date: Fri, 19 Sep 1997 14:25:29 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Yesterday I shared a platform with Nigel Hickson at Cambridge's annual white collar crime conference, whose theme this year was `The Globalisation of Crime - The Electronic Dimension' (for a copy of the programme, see http://www.cl.cam.ac.uk/users/fapp2/15thISEC/programme.html).

This conference typically attracts about 1,000 people from round the world - mostly cops of some kind or another; in addition to `proper' policemen, there are lots of prosecutors and interior ministry types. There are also some criminal lawyers and a few technologists: there is an exhibition of police systems, typically databases into which you can drop a country's itemised phone bills and get out a pretty colour picture of all the networks of contacts in which your target of investigation is involved.

Anyway, as in previous years, the escrow sessions attracted only about 60 people, and the only real policeman I spotted there was Mike Dixon, a local detective constable who is one of the organisers. This all goes to show the priority that real working policemen place on wiretapping!

I kicked off and described the bad effects that crypto policy has had over the years on a number of products from Sesame through alarm systems to DVD; I revealed that the UK patent office has been ordered by GCHQ to use only 256 bit RSA in securing its communications with the European patent office in Munich and with other national offices in Europe, and pointed out that this would enable the NSA to get details of British patents for its economic intelligence clients at the time they were filed rather than three years later when they were published.

I also pointed out that police communications intelligence relies on traffic analysis rather than access to content - which would be clear to anyone looking at the systems being demonstrated in the foyer and which I have been pointing out for years (see `Crypto in Europe - Markets, Law and Policy' on my web page). I quoted DI John Austen from Scotland Yard who at a seminar in Cambridge in 1993 said that in the 12 years he had been responsible for warrants at the Yard, communications intercepts (as opposed to data on who had called whom) had made a difference to only one conviction.

Jack Lang of ESI then summarised the likely business impact of the DTI policy (expensive and ineffectual).

Then it was Nigel's turn to speak for the UK government. The points that he made were:

* he denied that there had been government influence over the designers of car and burglar alarms (but hey - the burglar alarm supplier I had referred to is also a GCHQ crypto supplier)

* he didn't accept that there was little law enforcement requirement for access to content. He expressed surprise that a police officer would have said what John Austen did and claimed that statistics collected by Dorothy Denning showed a growing number of cases in which encryption had been encountered

* the outcome of the DTI consultation exercise is that business wants trust, and that there was not much opposition to the idea of licensing: indeed `most thought licensing a good thing'. The goals of licensing were trust, common standards and liability; the focus was on small to medium sized enterprises; and the vision was that a small firm in Cornwall could do business with a small firm in a Russian village

* the hope was to separate out digital signatures from encryption, with its law enforcement interest, with UK and EU legislation

* while the licensing aspects of digital signatures were easy, the law enforcement aspects were hard

* the responses to the DTI proposals on this `clearly stated difficulties with people's perception'

* he predicted a public backlash when it became known that some notorious crime might have been prevented had it not been for decryption

* we had better accept that `key recovery is going to be a reality whether we like it or not, and probably in the very near future'.

John Leach then spoke for TIS, and Alastair Kelman ended up; he remarked inter alia that in 20 years' practice at the criminal bar, doing largely computer crime cases, he had yet to come across a case in which wiretaps made, or could have made, a difference.

What struck me with particular force was the lack of qualification in Nigel's comments. At the `Scrambling for Safety' conference on May 19th (http://elj.warwick.ac.uk/jilt/confs/97_2cryp/), both he and his boss David Hendon took pains to say that the policy they were describing was one laid down by the previous government, and that it was open to change once ministers got round to considering the matter. That qualification was conspicuously absent this time.

So what's going on?

Maybe ministers have indeed considered the matter, and we are being softened up for a pro-spook U-turn that's already been decided in secret. Maybe on the other hand the civil servants reckon that they have ministers in the bag, and so the risk of Labour actually adhering to its pre-election commitments against key escrow is now so low that it can be safely ignored.

Ross

Date: Fri, 19 Sep 1997 18:54:00 +0100
From: Hendon David <David.Hendon@CIID.dti.gov.uk> (Tel 0171 2151779)
To: UKcrypto-outgoing@maillist.ox.ac.uk (Receipt Notification Requested) (Non Receipt Notification Requested)
Subject: Re: latest words from the DTI

To save a lot of speculation, I thought I would let you know what is happening at the DTI.

At the moment, officials are working through what recommendations to put to Ministers in the light of the comments we received on our consultative document. The fact it is taking a long time might give a hint to you that it is not just a question of dusting off the last Government's policy and re-presenting it. We are trying to find a new policy that respects what people have told us and still meets the law enforcement policy objective. This is a challenge! And it takes time.

To pick up one comment of Nigel's at Cambridge that was quoted in one of the UKcrypto postings in the thread, when Nigel said words to the effect that "Key recovery systems were coming to the UK whether we liked it or not", the "we" was "DTI", not any other readers of this group and "Key Recovery" meant products emerging in the US from the Key Recovery Alliance, not TTPs and key escrow. Or to put it another way, the remark was us recognising reality rather than a dark hint of some wicked intention. Nigel was making the point that in putting forward a UK policy, the Government had to recognise that there would be all manner of stuff in the UK market, including in particular, key recovery products.

I hope this helps.

David Hendon
DTI

Date: Fri, 19 Sep 1997 14:48:48 -0400
From: Nigel Hickson <100633.3176@compuserve.com>
Subject: Re: Latest words from DTI
To: <ukcrypto@maillist.ox.ac.uk>

Ross (and others)

I return (from abroad) on a Friday night to these greetings! No time at present to go through all Ross's comments on what I said (many of which appear correct) but I must correct an impression he may have given with one of the quotes.

When I said "key recovery is coming.........." I was simply referring to the US Administration licensing of key recovery products for use in the UK. I have, for some time, been trying to indicate the consequences of the use of these products outside of the US. In my talk I mentioned this as the next speaker was John Leach from TIS, a leading manufacturer of such products. I was not at all referring to future UK policy, which, as I indicated, is for Ministers to decide upon.

Regards

Nigel

PS I agree with Ross about the importance of this Conference.