A Further Open Letter to the House of Lords
from Cyber-Rights and Cyber-Liberties (UK)
The Regulation of Investigatory Powers Bill
For the press release associated with this statement see http://www.cyber-rights.org/press
House of Lords
Cyber-Rights & Cyber-Liberties (UK) (http://www.cyber-rights.org) is an organisation established to protect the interests of all honest, law-abiding Internet users with the aim of promoting free speech and privacy on the Internet.
The Regulation of Investigatory Powers Bill aims to incorporate the decision of the European Court of Human Rights in the Halford v UK case (App. no. 20605/92, 1997-III, (1997) 24 EHRR 523) into UK law whilst also providing the new powers that UK law enforcement authorities are believed to need in order to counter criminal misuse of the Internet. Furthermore, the Home Secretary Mr Jack Straw stated that "the provisions of the Regulation of Investigatory Powers Bill are compatible with the European Convention rights" when the Bill was introduced to Parliament.
On 26th June the Government introduced a series of amendments in the House of Lords in an effort to reduce opposition to this legislation. Since these amendments were introduced after we first raised our concerns with the House of Lords, this letter repeats our earlier input but with the addition of comments on the extent to which the Government amendments allay our fears. The new sections are in italic text.
Although we welcome, in principle, the Government's objectives in pursuing this legislation, we are concerned that the proposed Bill will not achieve the desired result. Indeed, it is our carefully considered opinion that a number of provisions will have the opposite effect and will bring aspects of UK law into direct conflict with the European Convention on Human Rights ("ECHR").
Moreover, for reasons we will explain, we do not believe that the proposed measures will provide an effective way of dealing with criminal misuse of the Internet but will instead have a detrimental impact on the perceived safety, security and privacy of UK citizens and businesses in Internet use.
This, in turn, will have a highly detrimental impact on the development of electronic commerce in the UK.
Although we have concerns with all parts of the Bill, the issues we raise here are, for the most part, confined to those raised by Part III dealing with the seizure of encryption keys.
Prior to the changes introduced by the Government the position on Government Access to Keys ("GAK") within the Regulation of Investigatory Powers Bill was that:
a number of authorities could seize keys or passwords;
at the discretion of these authorities, decrypted text might be acceptable in place of a key.
The position with the newly announced Government amendments is:
a number of authorities can obtain access to protected information in intelligible form;
at the discretion of those authorities, they can seize keys or passwords.
It can hence be seen that the Government amendments are essentially cosmetic - they have left GAK powers essentially unchanged and this means that most of the concerns that such powers create remain.
2. Human Rights Concerns
2.1 The Reversal of the Burden of Proof
Because of the nature of modern cryptography, only the recipient of a message may be able to decrypt it - the sender may not be able to do so. As a result, the proposed powers to seize encryption keys may have to be applied to obtain the keys of innocent parties who have received messages from the target of an investigation. Such parties can find that passwords and keys that they used some time ago and no longer have can be subject to seizure in situations where they will have to prove that they no longer have them.
The Bill provides for the seizure of keys that individuals may no longer have. In this situation any honest individual will admit immediately that the keys were once in their possession (so the burden on prosecution to prove this is trivial). But at this point, a burden is placed on the accused to prove 'on the balance of probabilities' that they no longer have this key.
In our view this is not only a reversal of the burden of proof, but also fundamentally unreasonable, because the burden on the accused is impossible to discharge. It is never possible to prove a negative - how would anyone be able to prove to a Court that they had forgotten something or that they no longer possess something?
Although the Government has consistently maintained that it has acted on legal advice that this is compatible with the ECHR, the legal opinions leading to this conclusion have never been published. Moreover, there are many leading lawyers who have said publicly that they believe the Government to be wrong on this point. It is our position that to impose an impossible burden of proof on an accused (section 49 - Failure to comply with a notice) would amount to an infringement of the presumption of innocence embodied under article 6 of the ECHR. This would be contrary to the recently enacted Human Rights Act 1998 and would risk creating miscarriages of justice by seriously infringing the right to a fair trial.
The Government has proposed changes that provide a considerable degree of comfort on this issue - the burden of proof is now more clearly on the prosecution to show that a key holder can comply with a notice to provide a key but refuses to do so.
When a key is seized from an accused and is used to decrypt a piece of encrypted data, it is possible that the resulting information will be incriminating. Compelling the accused to reveal the necessary password would hence breach the right of an accused not to incriminate himself or herself. The European Court of Human Rights reiterates that the right of any "person charged" to remain silent and the right not to incriminate himself are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6 of the European Convention on Human Rights. Their rationale lies, inter alia, in protecting the "person charged" against improper compulsion by the authorities and thereby contributing to the avoidance of miscarriages of justice and to the fulfilment of the aims of Article 6. (See the following judgments of the Court: Funke v. France, 25 February 1993, Series A no. 256-A, p. 22, § 44; John Murray v. the United Kingdom, 8 February 1996, Reports of Judgments and Decisions 1996-I, p. 49, § 45; Saunders v. the United Kingdom, 17 December 1996, Reports 1996-VI, p. 2064, § 68; and Serves v. France, 20 October, 1997, Reports 1997-VI). The burden of proof cannot and should not be reversed for the suspect to provide the requested evidence or prove his/her innocence.
The Government maintains that this is not correct and bases its argument on a subtle technical point by saying that it already has the information and all that the key does is to make it intelligible. We dispute this analysis and consider it to be seriously and self-evidently flawed, since if the Government has the information, it obviously has no need for the key - the very fact that it needs this key is proof that it does not have the information in question.
In practice, for any effective encryption system, two pieces of data are needed to recover encrypted information - the 'key' and the 'encrypted data'. When only one of these two data items is available the information cannot be recovered. Hence if the Government has the encrypted data but not the key, it cannot claim to have the information but only the data from which this can be derived by using a key. In this situation it is the key that provides the information and if the latter is incriminating the act of handing over the key can only be an act of self-incrimination.
We hence conclude that the Government's view that key seizure cannot be an act of self-incrimination is seriously mistaken.
The new clauses offer no comfort here of any kind.
2.3 The Safety, Security and Privacy of Honest Key Owners
Encryption keys are used to protect information that, if revealed, will create safety, security or privacy risks for key owners. The protection that needs to be provided for keys depends on the consequences for the key owner if this protected information becomes available to others.
Many private encryption keys never need to be revealed to anyone and a fundamental principle for such keys is that the security of the key owner is totally dependent on the key never, ever being revealed to others. If such a key is ever so revealed, for example as a result of its seizure, the key owner has to presume that his security has been undermined. In consequence, an immediate result of the provisions for key seizure in the RIP Bill is that confidence in the safety, security and privacy of all honest Internet encryption users is undermined.
Some encryption keys do have to be shared with others and in such situations the key owner who is about to share a key will need to be sure that whoever they share it with will protect it to the same or higher standards as they apply themselves. The key owner may trust the potential recipient to do this without question but it is much more likely that they would ask for information about how the key will be protected in order to satisfy themselves that it will remain safe. No key owner who is serious about his or her security would ever willingly hand over such a key without knowing that the recipient will ensure its safety.
But if such a key were to be seized under the provisions in the RIP Bill, the key owner cannot be certain that it will be kept safe. The Bill does not contain explicit and unambiguous provisions to guarantee the safety of seized keys and fails even to make the authorities with key seizure powers accountable for such protection. And it does not contain any provisions for recompense for key owners whose keys are compromised. This applies for both private key owners and businesses and may impact in a major way on the latter if they are forced to bear the costs involved in recovering from an inadvertent or deliberate compromise of a key while in the hands of the authorities.
The Government has consistently refused to provide information about the procedures and technical measures that will be used to keep seized keys safe, so innocent key owners who find their keys subject to seizure have no basis for assessing the level of protection that their keys will be afforded. The Government has also admitted that, in exercising RIP interception powers, it intends to relax its own standards for information protection in order to reduce costs. While this may not apply to keys, it does not provide confidence in the Government's determination to fully protect the information that law enforcement authorities obtain using this legislation.
There is, hence, a real concern that this legislation does not impose a clear duty on authorities to protect the keys and intercept information that they will obtain under its provisions. In our view this is unacceptable and must be rectified if these powers are to be retained.
GAK powers still exist and there are no proposals from the Government to strengthen the inadequate commitment within the legislation to the protection of seized keys. In consequence the impact on trust and confidence is unchanged. While GAK powers remain, confidence in the safety and security of the Internet in the UK is certain to suffer; moreover, confidence in the validity of digital signatures will be put in doubt and these factors in combination will undermine UK E-commerce aspirations. This is a very serious ongoing concern. (See amendments 139, 139WA, 139XA, 139YA, 139ZA, and 139A in relation to Clause 46 of the RIP Bill)
3. A Proportionate and Effective Response?
We recognise and support the need to counter criminal use of the Internet. Moreover, we also recognise that in countering such use it may sometimes be necessary to infringe the rights of honest Internet users in order to secure the prosecution and conviction of guilty parties.
But in considering such action we believe that it is necessary to apply the following tests to any proposals that are made:
1) That they provide clear net benefit for society. That is, the benefits are clear and are achievable by the measures proposed, with a detrimental impact on the rights of honest citizens that is as small as possible and one that is widely accepted as tolerable in the light of the gains secured.
2) That the measures proposed discriminate effectively between criminals and honest, law-abiding citizens. Therefore, they should be balanced and should not, in an impetuous desire to counter crime, expose all honest Internet users to the risks of key seizure.
3) That of all the options available they are the best in the sense that they are the most effective in countering criminals while having the least impact on honest citizens and the lowest costs for taxpayers and businesses.
4) They should be based on clearly defined policy objectives which citizens understand and which command widespread public support.
5) They should be enforceable, transparent, and accountable.
It is our considered opinion that the powers for key seizure and Internet interception in this legislation fail every one of these tests and also fail the Cabinet Office Regulatory Impact Unit's principles of good regulation.
Firstly, the Government has not shown these powers to be either necessary or effective in countering criminal misuse of the Internet. Most experts agree that they will not be effective against serious criminals. Moreover, other countries such as Germany (a partner of the UK within the European Union) have considered and rejected such measures as (a) unnecessary, (b) ineffective, and (c) detrimental to the safety, security and privacy of honest citizens and businesses who make use of the Internet.
Secondly, these measures are indiscriminate and make no distinction between the keys and information owned by criminals and those owned by honest citizens. They are technically ineffective and easy to circumvent from a criminal perspective and yet create potential risks for honest citizens and businesses that are more than sufficient to undermine confidence in Internet use in the UK.
Lastly, and most importantly, they represent a poor choice in terms of value for money for UK taxpayers and industry when compared with other ways of countering criminal misuse. The costs of the technical measures needed to provide for key seizure and Internet interception are subject to fierce debate but very few experts put these below £30m per annum. If the UK were to spend as little as one third of this sum, it would be possible to recruit more than 100 experts to support UK law enforcement authorities in the pursuit of criminals, paedophiles and others who misuse the Internet.
In our view such an approach would be much less costly and infinitely more effective in countering criminal misuse than any of the measures embodied within the proposed legislation for this purpose. The Government's proposals are technically naive and cannot succeed against serious criminals who will find the measures easy to circumvent. In contrast, a substantial body of expert technical assistance in support of UK law enforcement authorities would provide a major deterrent for Internet crime and hence a sound basis for the development of confidence in the safety and security of the Internet, a confidence which is vital if electronic commerce is to develop in the way that the Government desires.
We remain convinced that there are far more effective ways of countering criminal misuse of the Internet.
We conclude that the RIP Bill is seriously deficient in that it contains provisions that will undermine important rights that exist to protect the innocent without having the intended impact on criminals.
The measures are indiscriminate and not effectively targeted at criminals with the result that they undermine the confidence of honest Internet users in the safety, security and privacy that they will obtain when they use the Internet.
These proposals are also an ineffective investment of taxpayers' money when compared with alternative ways of countering criminals that will be less costly and much more effective.
We hence urge the House of Lords to reject this legislation and to seek major changes in the Government strategy for countering criminal misuse of the Internet.
Even with the proposed changes, we conclude that the RIP Bill remains seriously deficient.
GAK powers remain intact and the new clauses have not changed the inadequate commitment to the protection of seized keys in any way. This means that the personal and business keys on which the safety and security of the Internet depend are still at serious potential risk. This in turn will continue to undermine confidence in the UK as an Internet and e-commerce friendly country.
We see nothing in the Government's amendments that changes our fundamental objection to the introduction of GAK powers for which the Government has failed to provide any sound justification. In our view the GAK powers in this Bill are seriously flawed and should be rejected by the House of Lords. It simply makes no sense to seriously curtail the rights of all honest personal and business users of the Internet while achieving nothing of significant value in the fight against criminal misuse.
Mr. Yaman Akdeniz, Director of Cyber-Rights &
CyberLaw Research Unit, Centre for Criminal Justice Studies,
University of Leeds, Leeds, LS2 9JT,
Tel: +44 (0) 498 865116, Fax: +44 (0) 7092199011
Dr. Brian Gladman, Technology Policy Advisor, Cyber-Rights
& Cyber-Liberties (UK)
Mr. Nicholas Bohm, E-Commerce Policy Adviser, Cyber-Rights
& Cyber-Liberties (UK); Member of the Law Society's
Working Party on Electronic Commerce
Salkyns, Great Canfield, Takeley,
Bishops Stortford CM22 6SX,
Tel: +44 (0) 1279 871272, Fax: +44 (0) 1279 870215
Professor Clive Walker, Deputy Director of Cyber-Rights &
CyberLaw Research Unit, Centre for Criminal Justice Studies
University of Leeds, Leeds, LS2 9JT,
Tel: +44 (0) 2335033, Fax: +44 (0) 113-2335056
Dr. Louise Ellison, Deputy Director of Cyber-Rights &
The University of Reading, Department of Law, Old Whiteknights House,
Whiteknights, PO Box 217, Reading RG6 6AH,
Tel: +44 (0) 118 9875123 (ext. 7507), Fax: +44 (0) 118 9753280