E-mail: lawya@leeds.ac.uk. Copyright © 1996 Yaman Akdeniz. Please cite as Yaman Akdeniz, "UK Encryption Policy" August 1996, Cyber-Rights & Cyber-Liberties (UK) at http://www.leeds.ac.uk/law/pgs/yaman/ukencryp.htm.
This paper examines and discusses the recent attempt by the UK Government to legislate on encryption. It also examines the developments within the European Community and the OECD.
An updated version of this paper has been published recently as UK Government Policy on Encryption - 1997 Web Journal of Current Legal Issues 1 (February).
The Department of Trade and Industry, in June 1996, published a white paper (1) on the provision of encryption services to meet the growing demands to safeguard the integrity and confidentiality of information sent electronically over the Internet.
The services concerned cover the digital signature of electronic documents and the protection of the accuracy and the privacy of their contents. The UK Government proposed the introduction of the licensing of Trusted Third Parties ("TTPs") (2) to hold the encryption keys. The White Paper states that:
"It is not the intention of the Government to regulate the private use of encryption. It will, however, ensure that organisations and bodies wishing to provide encryption services to the public will be appropriately licensed." (3)
The introduction of the TTPs reminds the key escrowed system introduced in the US with the Clipper Chip. Although the UK Government did not introduce a hardware solution, the proposal follows similar ideas with the now failed US proposal for the Clipper Chip.
"The type of algorithm used for message encryption, and whether it is implemented in hardware or software, will be a matter of business choice." (4)
Science and Technology Minister Ian Taylor stated that:
"There is a growing demand for encryption services to safeguard the integrity and confidentiality of electronic information transmitted on public telecommunications networks. The Government therefore proposes to make arrangements for licensing Trusted Third Parties (TTPs) who would provide such services. The licensing policy will aim to protect consumers as well as to preserve the ability of the intelligence and law enforcement agencies to fight serious crime and terrorism by establishing procedures for disclosure to them of the encryption keys, under safeguards similar to those which already exist for warranted interception under the Interception of Communications Act." (5)
The Government had taken into account the recent developments within the European Commission (6) and the OECD (7). According to the white paper, the European Commission has an important role in facilitating the establishment of an environment where developments in the use of TTPs can be fostered (8).
The use of cryptographic software transmitted internationally may be restricted by export regulations in the UK like in the US. The Export of Goods (Control) Order 1994 as amended by The Dual-Use and Related Goods (Export Control) Regulations 1995 (9) apply to the exportation of cryptographic software from the UK (10). The export of this kind of regulated information requieres an export licence from the Department of Trade and Industry (11). Failure to comply with the licence conditions may result with a maximum of two years of imprisonment (12).
The DTI white paper states that Export controls will remain in place for encryption products and for digital encryption algorithms (13). The Government however states that it will take steps to simplify export controls within the European Union with respect to encryption products which are of use with licensed TTPs (14).
Although this sounds like a good initiative, it only includes products which are of use with licensed TTPs. This means that other encryption tools which are not approved by the TTPs will still be subject to stricter export regulations. This will not help the online users and they will be restricted to use TTP approved encryption tools.
While the UK Government intends to bring forward proposals for legislation following consultation by the Department of Trade and Industry on detailed policy proposals (15), the Labour Party thinks otherwise and states in their Policy on Information Superhighway that:
"We do not accept the "clipper chip" argument developed in the United States for the authorities to be able to swoop down on any encrypted message at will and unscramble it. The only power we would wish to give to the authorities, in order to pursue a defined legitimate anti-criminal purpose, would be to enable decryption to be demanded under judicial warrant." (16)
It seems that Labour Party intends to penalise a refusal to comply with a demand to decrypt under judicial warrant (17). Even if this proposal is never enacted, the courts may draw inferences under the new sections 34-37 of the Criminal Justice and Public Order Act 1994 because of the silence of the defendants. Lord Slynn in Murray v. DPP (18) stated that:
"If aspects of the evidence taken alone or in combination with other facts clearly call for an explanation which the accused ought to be in a position to give, if an explanation exists, then a failure to give any explanation may as a matter of commonsense allow the drawing of an inference that there is no explanation and that the accused is guilty." (19)
Not providing an encryption key orally may be similar to not providing a secret code to a safe and may result with judges commenting on the accused's behaviour and juries drawing inferences under the new controversial 1994 Act (20).
The Labour Party further argues that attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long-term economic value of the information networks (21).
"It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers." (22)
It looks like a change in the UK Government may change the current encryption policy completely.
The European Commission has proposed a project to establish a European network of trusted third parties under the control of member nations which is parallel to the UK proposals (23). The EC scheme according to Dorothy Denning dose not suggest that the key escrow should be mandatory (24).
In 1995 the Council of Europe resolved that EU members' criminal procedure laws:
"should be reviewed with a view to making possible the interception of telecommunications and the collection of traffic data in the investigation of serious offenses against the confidentiality, integrity and availability of telecommunications or computer systems." (25)
The same resolution also advised that:
"Measures should be considered to minimize the negative effects of the use of cryptography on the investigation of criminal offences, without affecting its legitimate use more than is strictly necessary." (26)
The OECD intends to negotiate multilateral cryptography guidelines by the end of 1996 (27). OECD deliberations are not open to the public, and there appears to be no public information about the likely shape of the guidelines. Some recent OECD meeting reports however suggest that they are considering an escrow-based system (28).
"Whatever it decides, the OECD resolution is likely to be influential. If the OECD member nations were to unite in favor of escrow, it would greatly aid the U.S. government's attempt to make key escrow the norm." (29)
The OECD has no legislative power of its own. Any OECD resolution would need to be implemented by appropriate legislation or regulation. But an international decision to use the key escrow encryption technique as a standard may have serious privacy implications. It will certainly facilitate the current US and UK government policies on encryption but will create disapproval from the online users and civil liberites groups fighting against the key escrow systems (30).
With the Internet we use the same technology at one point to achieve greater publicity and at other points to achieve greater privacy (31).
The fear of being monitored or being traced back by the system operators, hackers or government agencies will not help the development of the Internet. The fear of not knowing what information is available there in the cyberspace about ourselves and its process and use by others will affect the individual user. That is why the privacy of the users should be respected and protected. The on-line users must be safe from these possible intrusions. Powerful encryption tools is the only way to respect the online users privacy and this should be free from the various governments control and holding of the encryption keys for their purposes.
Although it looks like there won't be a general right of privacy in the English law in the near future, the policy of the Government shows that it is possible to legislate on individual areas of the law. Recent attempts to legislate on encryption proves that though it mainly follows the US Clipper Chip proposals.