A recently published Cabinet Office paper entitled Encryption and Law Enforcement stated that "there must be a greater degree of international co-operation, particularly in relation to setting agreed standards." (para 7.10) The paper further stated that "there has been remarkably little co-ordination of policy on encryption matters" internationally apart from the OECD Guidelines on Cryptography Policy.
However, the Aaron Files that we are bringing to the attention of the public through these pages suggest otherwise: that UK Government encryption policy was closely co-ordinated by the US, despite the denial in the Cabinet Office paper, which concluded that the result of the absence of such co-ordination "has been a degree of misunderstanding and suspicion as to the rationale behind attempts to regulate, or influence, the domestic use of encryption."
We believe there has not been a misunderstanding at all, and that secrecy has played a key role in the formulation of UK Government policy on encryption so far. The responses received through the DTI in relation to requests made under the Open Government Code of Conduct procedure revealed nothing at all apart from references to "a whole range of papers (in up to 15 separate files)" which would be relevant to a better understanding of the UK Government's policy on encryption.
We were already suspicious about US Government involvement in May 1997, and in response to the March 1997 DTI Consultation paper, Cyber-Rights & Cyber-Liberties (UK) stated that:
"The DTI consultation paper addressed many issues which would have an impact on the use of encryption tools on the Internet but the issue of whether blanket escrow of encryption keys (the central policy being put forward both to encourage trust in the integrity of encryption and to allow for investigation of those criminals and terrorists who abuse its facilities) presents unique civil liberties dangers was not addressed. In addition to its refusal to examine the core of the controversy, the DTI paper is provincial and ahistorical. There is no mention of the four years of continual proposals for key recovery products by the US Government, even though their proposals have much in common with the DTI proposal and clearly inspired the latter."
Cyber-Rights & Cyber-Liberties (UK), "First Report on UK Encryption Policy: A Legal Reply to the DTI Public Consultation Paper on Licensing of Trusted Third Parties For the Provision of Encryption Services," May 30, 1997, at http://www.cyber-rights.org/crypto/ukdtirep.htm
Now we have the opportunity to reveal the secretive process in which UK Government policy was influenced by the US Government between November 1996 and January 1997. In the absence of a Freedom of Information Act, it was not possible to obtain any documents from the DTI under the Open Government Code of Conduct in relation to the formulation of the UK Government's policy on encryption. Therefore, we are grateful to the Electronic Privacy Information Center, which has obtained the following documents under the US Freedom of Information Act. They are historically important and show a great deal about how policies are developed in secrecy.
Cyber-Rights & Cyber-Liberties (UK), July 1999.
page 10, December 1996 - This document shows the country clearance for the visit of a US Government team to discuss encryption issues with the UK Government on December 20, 1996. The December 20 meeting was the "second in a continuing dialogue on evolving cryptographic policies."
page 11, December 1996 - A document from USOECD Ambassador David Aaron - This document, which is partially classified, has the following subject line: Cryptography: US and UK continue dialogue, moving closer to active compatibility. According to this document, Special Envoy for Cryptography Aaron, leading a US Government team, met for a second time with UK counterparts to discuss UK cryptography policy papers and legislative proposals, as well as possible future bilateral and multilateral cooperation. Furthermore, the US provided a copy of the commerce draft regulations and welcomed UK comments; it also promised a copy of the US implementing legislation and additional information on US work to develop a Federal key recovery standard and pilot projects for possible UK participation. This document was prepared following the December 20 meeting.
page 12, December 1996 - The above document continues to say that the parties will meet again in early February 1997 [just over a month before the March 1997 DTI consultation was launched] depending on US availability. This page also states that "US and UK approaches are actively compatible".
page 13, December 1996 - Subject: Cryptography: US and UK continue dialogue, moving closer to active compatibility. "US Seek some clarifications".
pages 14 and 15, December 1996 - Subject: Cryptography: US and UK continue dialogue, moving closer to active compatibility - "US and UK consider further international cooperation and need for agreement." In this mostly classified document Aaron explained that the Commerce Department's National Institute of Standards and Technology (NIST) will develop a Federal information processing standard for the US Federal Key Management Infrastructure. The US has established a private sector technical advisory committee to develop this Federal standard. Aaron invited the UK to attend future public meetings and promised further details in writing. The US also noted possible cooperation in the area of pilot projects. The UK agreed to consider the proposals.
page 16, December 1996 - A document which outlines the Next Steps within the US and UK dialogue following a meeting between the parties. As follow-up to this meeting, the US promised to transmit the US implementing legislation as soon as available, comments on the UK paper outlining functional requirements for TTPs, information on Commerce's Federal Technical Advisory Committee, and possible projects. The US will also advise on the date for the next bilateral meeting, possibly early February 1997.
page 17, 6 January, 1997 - A letter from US Special Envoy for Cryptography, David Aaron, to the UK's Cabinet Office. This letter reveals further contacts between the US and UK authorities and includes an invitation to join the US Technical Advisory Committee to develop Federal Information Processing for the Federal Key Management Infrastructure.
page 18, 8 January, 1997 - US Mission to the OECD Memorandum. This one-page Memorandum was sent to David Aaron with the subject referring to a Software Publishers Association Letter which states that "based on British papers received to date, export controls will remain in place for encryption products (both hardware and software) and for digital encryption algorithms."