Synopsis
The UK Home Secretary has announced his intention of introducing a plan to allow government access to encrypted communications. Such a plan will compromise privacy; (a right soon to be incorporated into UK law) will not enhance detection of crime; will increase opportunities for crime; and will hinder or halt the development of online commerce. Cryptography experts have stated that any cryptography system in which a third party has the ability to view the original communication is inherently insecure.
Introduction
The Global Internet Liberty Campaign is a group of human rights, civil liberties, and Internet advocacy organisations which favours the unrestricted use of cryptography to protect personal privacy. We, We, the undersigned members of GILC, are dismayed to read that UK Home Secretary Jack Straw is considering the resurrection of an oft-criticised plan to provide government access to private communications by individuals and companies.
Encryption has a long tradition in the military defence field. However, encryption technologies are increasingly integrated into commercial systems and applications and the exclusive character of encryption belongs to the past. Therefore, the debate about the prohibition or limitation of the use of encryption will not only have a terrible effect on online computer security - a national security issue itself - and electronic commerce, but also directly affects the right to privacy.
UK Home Secretary announces new encryption policy
Although the privacy of communications is explicitly protected by international agreements such as the European Convention on Human Rights, the UK Labour Party Government decided to change its plans on the regulation of encryption in Britain. It was announced in January 1998 that the UK Home Secretary, Jack Straw, is using Britain’s six-month EU presidency to focus governmental attention on the wishes of law enforcement facing some new challenges in policing the information society. Jack Straw and other EU ministers desire that such agencies must have access to the encryption keys. They warned that unbreakable encryption systems would mean organised crime could pursue its activities unhindered.
However, a recent European Commission Communication paper stated that "most of the (few) criminal cases involving encryption that are quoted as examples for the need of regulation concern ‘professional’ use of encryption. It seems unlikely that in such cases the use of encryption could be effectively controlled by regulation." (see EU Communication paper)
We, the undersigned members of the GILC also dispute this claim, finding no evidence that criminal rings cannot be broken through more traditional means such as examination of the evidence, use of informers, and so on. Inevitably, key recovery or "trusted third party" schemes introduce vulnerabilities into cryptographic systems, creating opportunities for insider abuse and criminal attack. (See EU Communication paper.) Key recovery agents will hold in centralised databases the keys to the information and communications their individual and corporate customers most value; and this key recovery infrastructure will become a highly attractive target for criminals. Moreover, the adoption of key recovery to meet law enforcement specifications will result in greatly increased costs to end users. Leading computer security experts have warned that building the secure computer communication infrastructures necessary to support government-specified key recovery is far beyond the experience and current competency of the field.
Also, the Internet Privacy Coalition stated that:
"We do not object to the right of government to conduct lawful investigation. We recognise that the enforcement of law is a central concern in every democratic society. But no government has the right to restrict the ability of its citizens to make use of tools to protect their own privacy. Nor should any government put crime investigation before crime prevention." (Internet Privacy Coalition, 1997)
A similar point has also been made by Gerard Walsh, a former deputy director-general of the Australian Security Intelligence Service, in "Review of policy relating to encryption technologies" made for the Australian Government. The review takes a balanced look at the issues and casts strong doubts on the workability and desirability of key recovery policies.
The other point to bear in mind is that if encryption is no longer secure, criminals will no longer use licensed systems. "As a result, restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. However, it would not totally prevent criminals from using these technologies." (see the EU Communication paper, 1997)
In a statement which emphasises the need for increased protection of international commercial transactions on the Internet and the need to offer all Internet users an adequate degree of privacy, leading Internet standards organisations including the Internet Architecture Board ("IAB") and the Internet Engineering Steering Group ("IESG") stated that governmental restrictive policies "are against the interests of consumers and the business community" and "are largely irrelevant to issues of military or benefits to law enforcement agencies."
UK Encryption Policy
The UK Department of Trade and Industry published a Public Consultation Paper, "Licensing of Trusted Third Parties for the Provision of Encryption Services," in March 1997. The DTI consultation paper addressed many issues which may have an impact on the use of encryption tools on the Internet, but omitted the issue of whether "key escrow" or "key recovery" techniques present unique civil liberties dangers. In addition to its refusal to examine the controversy, the DTI paper was provincial and ahistorical. There was no mention of the four years of continual proposals and almost universal opposition for key recovery products by the US Government, even though their proposals have much in common with the DTI proposal and clearly inspired the latter. GILC co-sponsored the "Scrambling for Safety" Conference in London in May 1997 which ended with the DTI proposals being criticised not only by civil liberties organisations but also by crypto and security experts, and the Internet industry.
Jack Straw’s new initiatives are at odds with what the Labour party stated in their Manifesto before the May 1997 elections. "We do not accept the ‘clipper chip’ argument developed in the United States for the authorities to be able to swoop down on any encrypted message at will and unscramble it. The only power we would wish to give to the authorities, in order to pursue a defined legitimate anti-criminal purpose, would be to enable decryption to be demanded under judicial warrant."
The Labour Party Manifesto further stated that: "It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers." Indeed, strong encryption is now commonly available in commercial products and free software that can be downloaded from the Internet; restrictions such as suggested by Mr Straw would criminalise current practices by thousands of citizens.
UK Encryption Proposals are in contrast with recent global initiatives
The current views of Jack Straw and the DTI proposals which were launched in March 1997 are also in clear contrast with a recently issued EU communication paper, released in October 1997 and titled "Towards A European Framework for Digital Signatures And Encryption". In contrast to the UK initiatives, and despite years of US attempts to push the "government access to keys" idea overseas, this paper finds key escrow and key recovery systems to be inefficient and ineffective. The EU communication states that "the European Union simply cannot afford a divided regulatory landscape in a field so vital for the economy and society."
"Problems caused by encryption to crime investigation and the finding of evidence are currently limited, but they may increase in the future. As with any new technology, there will be abuse of encryption and criminal investigations will be hindered because data was encrypted. However, widespread availability of encryption can also prevent crime. Already today, the damage caused by electronic crime is estimated in the order of billions of ECUs (industrial espionage, credit card fraud, toll fraud on cellular telephones, piracy on pay TV encryption). Therefore, there are considerable economic and legal benefits associated with encryption."
The EU communication paper follows from the last summer’s European Ministerial Conference entitled "Global Information Networks: Realising the Potential", which recognised that information security is one of the key issues for the emergence of the Global Information Society and that strong encryption technology is central to electronic commerce. The EU ministers agreed that they will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law.
OECD Guidelines and policies announced in 1997 seem to be against the current UK proposals. A recent OECD report stated that:
"National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data," but immediately reiterated that "These policies must respect the other principles contained in the guidelines to the greatest extent possible" and, "This principle should not be interpreted as implying that governments should, or should not, initiate legislation that would allow lawful access."
Conclusion
Strong encryption technology without "key escrow" or "key recovery" offers the fundamental protection to those who seek to bring official abuses of power to light. Any restrictions on use of encryption would create possibilities for the violation of free expression for individuals in countries where dissent is punished. Dissidents and human rights organisations under repressive regimes use encryption technologies to share their concerns and transmit often sensitive information. Encryption has the power to authenticate the identity of these authors to their partners abroad, and protect their identity from despots at home. Any "key escrow" mechanism will result in loss of confidence among groups and individuals, mostly based in repressive regimes. This would mean a tremendous blow to international efforts to support the cause of human rights.
The GILC Members have urged national governments not to adopt controls on cryptography technology on several occasions. Most recently, we released "Cryptography and Liberty: An International Survey of Encryption Policy" which showed that most countries in the world do not have controls on the use of cryptography. The GILC report concluded that recent trends in cryptography policy suggest greater liberalisation in the use of this technology, which was originally controlled during the Cold War for reasons of national security.
When formulating policy with respect to the Internet, respect for the privacy of communication on the Internet should be guaranteed by:
- Ensuring that personal information generated on the Internet for one purpose is not used for an unrelated purpose or disclosed without the person's informed consent;
- Enabling individuals to review personal information on the Internet and to correct inaccurate information;
- Providing privacy measures for information regarding on-line business transactions as well as content; and
- Allowing users of the Internet to encrypt their communications and information without restriction.
The above recommendations are also pertinent to individual governments in shaping their own policies with respect to on-line communication.
Therefore, the undersigned members of the Global Internet Liberty Campaign believe that policies concerning cryptography should be based on the fundamental right to engage in private communication. We oppose efforts that would lead to the development of communications infrastructure designed for surveillance. To conclude, we do state that mandatory key recovery policies would make Britain a second-class nation in the Information Age.
Signed by:
Bulgarian Institute for Legal Development, http://www.bild.acad.bg
Center for Democracy and Technology, http://www.cdt.org
Cyber-Rights & Cyber-Liberties (UK), http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm
CommUnity UK, http://www.community.org.uk/
Computer Professionals for Social Responsibility, http://www.cpsr.org/
Derechos Human Rights, http://www.derechos.org/
Digital Citizens Foundation Netherlands - DB-NL, http://www.db.nl
Electronic Frontiers Australia, http://www.efa.org.au
Electronic Frontier Foundation, http://www.eff.org
EFF-Austin, http://www.eff-austin.org
Electronic Privacy Information Center, http://www.epic.org/
Equipo Nizkor, http://www.derechos.org/nizkor/
FITUG Foerderkreis Informationstechnik und Gesellschaft, http://www.fitug.de/
FIfF, http://www.fiff.de
FrEE (Electronic Frontiers Spain), http://www.arnal.es/free
Human Rights Watch, http://www.hrw.org
Internet Society, http://www.isoc.org/
IRIS (Imaginons un Reseau Internet Solidaire - France), http://girafe.ensba.fr/iris/
NetAction, http://www.netaction.org
Privacy International, http://www.privacy.org/pi/
Quintessenz, http://www.quintessenz.at
XS4ALL, http://www.xs4all.nl/.
For further information see:
Global Internet Liberty Campaign Member Statement: New UK Encryption Policy criticised, February 1998, is available http://www.gilc.org/crypto/uk/gilc-dti-statement-298.html. The press release for this statement is available at: http://www.gilc.org/crypto/uk/gilc-dti-release-298.html.
GILC, Cryptography and Liberty: An International Survey of Encryption Policy, February 1998, at http://www.gilc.org/crypto/crypto-survey.html. A world survey of crypto policies released in February has found that most countries do not restrict the use of encryption.
GILC statement, "Human Rights and the Internet," January 1998, http://www.gilc.org/news/gilc-ep-statement-0198.html.
GILC Resolution in Support of the Freedom to Use Cryptography, September 1996, http://www.gilc.org/crypto/oecd-resolution.html.
The Labour Party Policy on Information Superhighway before the May 1997 elections, "Communicating Britain’s Future," http://www.labour.org.uk/views/info%2Dhighway/content.html.
European Commission Communication, "Towards A European Framework for Digital Signatures And Encryption," Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions ensuring Security and Trust in Electronic Communication, COM (97) 503, October 1997, at http://www.ispo.cec.be/eif/policy/97503toc.html.
OECD Cryptography Policy Guidelines: Recommendation of the Council Concerning Guidelines for Cryptography Policy, 27 March 1997, at http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm.
Cyber-Rights & Cyber-Liberties (UK), "First Report on UK Encryption Policy" is available at http://www.leeds.ac.uk/law/pgs/yaman/ukdtirep.htm.
Cyber-Rights & Cyber-Liberties (UK) advises Jack Straw, the UK Home Secretary, on the issue of encryption, press release, 02 February, 1998, at http://www.leeds.ac.uk/law/pgs/yaman/crclukpr-3.html.
British and Foreign Civil Rights Organisations Oppose Encryption Paper, 9 April 1997. See http://www.leeds.ac.uk/law/pgs/yaman/crypto_b.htm
"Scrambling for Safety - Privacy, security and commercial implications of the DTI’s proposed encryption policy," Conference Report, 1997 (2) The Journal of Information, Law and Technology (JILT). http://elj.warwick.ac.uk/jilt/confs/97_2cryp/.
Scrambling for Safety Conference web site is at http://www.privacy.org/pi/conference/dti/.
"Cryptography and Liberty: Can the Trusted Third Parties be Trusted? A Critique of the Recent UK Proposals," 1997 (2) The Journal of Information, Law and Technology (JILT). http://elj.warwick.ac.uk/jilt/cryptog/97_2akdz/.
Internet Engineering Task Force statement, "Internet groups critical of government proposals to restrict encryption technology," at http://info.isoc.org:80/whatsnew/cryptog.html.
Abelson, Anderson, et al., "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption," 1997, at http://www.crypto.com/key_study/.
IRIS Report, "Cryptography : on the necessity of totally liberalising the French law," at http://girafe.ensba.fr/iris/rapport-ce/annexe7.html.
The Walsh Report, "Review of policy relating to encryption technologies," at http://www.efa.org.au/Issues/Crypto/Walsh/.
Kryptographie, Cryptography resources in German from FITUG, at http://www.fitug.de/ulf/krypto/.