See also the Press Release: A New Report on Encryption Policy in the UK backed by many civil liberties organizations was published today.
<http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm>
Cyber-Rights & Cyber-Liberties (UK) is a non-profit civil liberties organisation founded on January 10, 1997. Its main purpose is to promote free speech and privacy on the Internet and raise public awareness of these important issues. The Web pages have been online since July 1996. Cyber-Rights & Cyber-Liberties (UK) started to become involved with national Internet-related civil liberties issues following the release of the DTI white paper on encryption in June 1996 and the Metropolitan Police action to censor around 130 newsgroups in August 1996.
Cyber-Rights & Cyber-Liberties (UK) covers such important issues as the regulation of child pornography on the Internet and the UK Government's encryption policy. The organisation provides up-to-date information related to free speech and privacy on the Internet. Cyber-Rights & Cyber-Liberties (UK) is a member of various action groups on the Internet and also a member of the Global Internet Liberty Campaign which has over 30 member organisations worldwide and advocates 'allowing on line users to encrypt their communications and information without restriction.' (See Appendix III and IV)
Full-time Ph.D Researcher at the Centre for Criminal Justice Studies, University of Leeds. January 1997 to December 1999. Thesis title: The Governance of the Internet.
Yaman Akdeniz studied law initially at the University of Ferrara, Faculty of Law, Ferrara - Italy (September 1987- July 1993) before completing his LLB degree in July 1995 at the University of Leeds, England. He then started a full-time MA at the Centre for Criminal Justice Studies, University of Leeds in October 1995. His 45000 word thesis entitled 'The Internet: Legal Implications for Free Speech and Privacy' was completed in November 1996 and is a comparative study between the UK and the USA.
The Department of Trade and Industry published a White Paper 'On Regulatory Intent Concerning Use Of Encryption On Public Networks' in June 1996 to meet the growing demands to safeguard the integrity and confidentiality of information sent electronically over the Internet. This was followed by the Public Consultation Paper, 'Licensing of Trusted Third Parties for the Provision of Encryption Services,' in March 1997(1). The relatively short consultation period of two months, which was to terminate on May 30, 1997, largely overlapped with the General Elections within the UK and the change of Government.
The actual goals of the Government were somewhat masked in the Consultation Paper. They claim to be concerned with promoting encryption for the good of commerce and citizen participation in the information infrastructure. But encryption is spreading already, without any particular government policy. The true goal of the government is to control and restrict encryption, not to promote it. We shall see this as we examine the key recovery aspects of the proposal, and their effects on the public adoption of encryption.
Cyber-Rights & Cyber-Liberties (UK) is dissatisfied with the process put in place by the UK Department of Trade and Industry by announcing a major new policy initiative without soliciting any prior public comment or review. The timetable for consultation proposed by the DTI has been so short as to preclude adequate public study and comment. There were two meetings during the consultation period, but neither of them was organised by the DTI,(2) and only one of them was open to the public at large. (Cyber-Rights & Cyber-Liberties (UK) was present on both of these occasions.) Therefore, the timing of this announcement might uncharitably be construed as an attempt to present a new administration with a policy fait accompli. The consultation paper addresses many issues which may have an impact on the use of encryption tools on the Internet but the issue of whether blanket escrow of encryption keys presents unique civil liberties dangers is not addressed.(3)
In addition to its refusal to examine controversy, the paper is provincial and ahistorical. There is no mention of the four years of continual proposals for key recovery products by the Clinton Administration in the United States, even though their proposals have much in common with the DTI proposal and clearly inspired the latter. Even less does the paper admit the tremendous outcry against the proposals that has come from the technical members of the encryption community, the business sector, and civil liberties organisations alike. Other countries, as well as international bodies such as the Organization for Economic Co-operation and Development ('OECD'), have also proposed encryption policies. In this paper, we explain some of this missing history.
The consultation paper was launched while the Conservative government was in charge. The ex-minister for Science and Technology, Mr Ian Taylor stated in the foreword of the consultation paper that they were looking to industry to work with them in close partnership on this important issue. The government-industry axis emphasised in the content of the paper clearly excludes citizens concerned with basic human rights such as freedom of expression and privacy. These concerns extend to the Internet and to the online users, but the DTI consultation paper excludes these issues completely, as will be explained in this paper.
Cyber-Rights & Cyber-Liberties (UK) confirms that by using the Internet we are open to our personal information being easily culled, stored and copied for various reasons. Any new media historically face suspicion and are liable to excessive regulation. For example, section 4 of the Official Secrets Act 1920 gave power to intercept foreign telegrams despatched to or from any private cable company in the UK. Section 5 of the 1920 Act also required a person in the business of receiving postal packets to register his business. Therefore, the implication is that the Internet may be at a similar stage when the natural reaction of the state is to try to regulate, but the desirability or effectiveness of doing so is debatable. As the U.S. Privacy Protection Study Commission stated in 1977:
"The real danger is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable."
The UK Government proposed the introduction of the licensing of Trusted Third Parties ("TTPs") to hold the encryption keys. TTPs are supposed to be trustworthy commercial organisations that can provide various information security related services to enable transactions to be conducted securely. But in the form required by the DTI paper, we would define TTPs as parties trusted by the former UK Government but not necessarily by the online users.
Although the DTI paper explicitly leaves freedom of choice to the users for encryption services, it simultaneously imposes restrictions that will end up limiting those choices severely. In short, they are exerting control over the usage of encryption in a way which is similar to the US 'Clipper Chip' proposals.
Let us start with the fundamental question: is privacy as a human value worth protecting within the UK legal system? Sir Robert Megarry V.-C. held with regard to the interference with privacy in the Malone case that:(4)
"English law did not entertain actions for interference with privacy unless the interference amounted to one of the established causes of action in tort or equity(5)."
He accepted that his decision was inconsistent with Article 8(1) of the European Convention on Human Rights,(6) but the fact that the Convention is not directly enforceable in England justified his decision. Megarry V.-C. took the view that anyone is entitled to do anything which is not prohibited by law(7).
Glidewell L.J. in Kaye v. Robertson stated that:
"It is well-known that in English law there is no right to privacy, and accordingly there is no right of action for breach of a person's privacy. The facts of the present case are a graphic illustration of the desirability of Parliament considering whether and in what circumstances statutory provision can be made to protect the privacy of individuals......"(8)
Privacy is not a legal concept directly recognised as a human value, and there is no legal definition for privacy in the English legal system. The early case of Prince Albert v. Strange(9) which was the inspiration of Warren and Brandeis(10), recognised the right to an "inviolate personality" in the context of the plaintiff's right of property. Privacy is a difficult issue which has not been defined by the English law except that it is used in law in regard to the Broadcasting Complaints Commission (now replaced by Broadcasting Standards Commission)(11) by the Broadcasting Act 1990 (now replaced by the Broadcasting Act 1996). This is the only place where the word 'privacy' appears per se in English law.
Privacy is not so elusive in the legal traditions of other countries. Privacy as a fundamental human right has been affirmed by the US Supreme Court, the constitutions and laws of many countries, the European Convention on Human Rights, and the United Nations Universal Declaration of Human Rights.(12) Privacy is not an explicit right under the Constitution of the USA. The Fourth Amendment guarantees:
"the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures."
The US Supreme Court implied a right to privacy and this also affected the state laws by virtue of the Fourteenth Amendment. Cases decided by the US Supreme Court such as Griswold v. Connecticut,(13) Roe v. Wade(14) and Katz v. United States(15) show that privacy has been given constitutional status when the freedom of speech and the First Amendment is not in issue. This has been called a "penumbra right" of the Constitution.
The ideas of Warren and Brandeis(16) are the main starting point for the privacy arguments in the US. According to their thesis:
"The intensity and complexity of life, attendant upon advancing civilisation, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasion upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury."(17)
Fifteen years after their publication, following a decision of the Supreme Court of Georgia(18) most of the US states incorporated(19) "the right to privacy" in their legislation. It is important to note that Warren and Brandeis based their thesis on the English cases(20) but no similar development has occurred in England(21).
Britain's first law protecting personal privacy on a more general basis was part of the Queen's Speech on the 14th of May 1997. It is a part of the new Labour Government policy 'Bringing Rights Home to Britain,' and the new privacy legislation will arise through legislation which incorporates the European Convention on Human Rights into UK law. If it is incorporated it would mean that 'a right to respect for a private life' will be part of British law for the first time. In addition, individual privacy cannot be considered in isolation. Privacy must be weighed alongside freedom of speech and expression:(22)
"Freedom of speech and privacy are frequently conceived as rights or interests of the individual, and as rights or interests of the community as a whole."(23)
That is why privacy rights have developed better in the countries which have constitutional protection for freedom of speech, or the countries who have adopted the European Convention on Human Rights. Freedom of speech rights will also be incorporated into English law by the pending legislation.
"Encryption is basically an indication of users' distrust of the security of the system, the owner or operator of the system, or law enforcement authorities."(24)
The needs for the use of encryption tools are various in nature and should not be confused and mixed as happens at paragraph 16 of the DTI consultation paper. The DTI consultation paper simply tries to balance the need for encryption services for the development of online commerce with crime prevention, without fully recognising all the issues which arise with respect to the privacy of online users.
We agree with the DTI that the ability to protect and secure information is vital to the growth of electronic commerce and to the growth of the Internet itself. Many people need to use communications and data security in a broad variety of areas. Banks use encryption methods all around the world to process financial transactions. For example, the U.S. Department of the Treasury requires encryption of all U.S. electronic funds transfer messages. Banks also use encryption methods to protect their customers' ID numbers at bank automated teller machines. There are also many companies and even shopping malls selling anything from flowers to bottles of wine over the Internet, and these transactions are made possible by the use of credit cards and secure Internet browsers including encryption techniques. Customers on the Internet would like to feel secure about sending their credit card information and other financial details related to them over a multi-national environment. Commerce will take advantage of electronic networks only by the use of strong and unbreakable encryption methods.
As the economy continues to move away from cash transactions towards the likes of "digital cash" there will be need for strong encryption tools. This kind of activity will benefit from the introduction of trusted third parties and perhaps key recovery techniques. The essential impetus behind trusted third parties is the need for users to know whom they are communicating with. Suppose, for instance, that a user wishes to exchange a political message with the opponent of another country's government, or to buy a product over the Internet from a company with which he has never had dealings before. The user must first know the encryption key that he can use to secure communications. Unless the correspondent uses another (and possibly unreliable) way to give the user the key, such as postal mail or the telephone, the user must rely on a trusted third party to give him the key.
The need for highly visible and identifiable trusted third parties will grow as more and more people use electronic networks, particularly for commerce. Many governments, therefore, including the U.S., France, and Britain are offering to set up licensing systems so that a set of trusted third parties can be easily found and employed by anyone interested in using the information highway.
Yet the "trusted third party" issue is a Trojan horse, into which governments are sneaking their plans for universal surveillance - surveillance of non-commercial messages. No government intervention is really needed to develop a set of third parties in respect to commercial transactions. Growing demand for electronic commerce will cause them to spring up naturally. After all, most of us use credit cards, and the governments did not have to pass special laws licensing the finance companies that issue credit cards. So despite the support that all governments profess in their key recovery proposals, we suspect that their true goal is not to promote electronic networks but to control them.(25)
Cyber-Rights & Cyber-Liberties (UK) believes that cryptographic technology is becoming an increasingly vital tool for human rights activists, political dissidents, and whistle blowers throughout the world to facilitate confidential communications free from intrusion.(26) The use of cryptography is essential for political and some special subject interest groups, such as users of the Critical Path AIDS Project's Web site, users of Stop Prisoner Rape (SPR) in the USA, and Samaritans in the UK. Many members of SPR's mailing list have asked to remain anonymous due to the stigma of prisoner rape. It is important for users of this kind, who seek to access sensitive information, to remain anonymous, and it should be their right to do so in this context. Online users need or desire electronic security from government intrusions or surveillance(27) into their activities on the Internet or from other third parties. Key escrow, key recovery, and the DTI's conception of trusted third parties create danger for the existence of this kind of communication on the Internet.
That is why we suggest that there should be a complete freedom of choice to use whatever encryption tools the online users like to use without restriction. The DTI paper suggests at section V - Trusted Third Parties (paragraph 42) that the use of licensed TTPs is voluntary and that those wishing to do otherwise are at liberty to do so. However, the DTI proposals suggest that online users who desire to communicate with strangers will want to use the services of the TTPs. The DTI proposals take advantage of this to choke off non-key-escrow encryption and refuse to allow any TTPs to function unless they give the government access to the users' keys. Some observers foresee a permanent plurality of digital identities for different purposes, but all agree that market forces will enforce a convergence (the 'VHS/Betamax' effect) towards inter-operability of signatures, encryption, electronic cash, and electronic copyright management systems ('ECMS'). This convergence will occur in leaps and bounds as new markets for digital services are carved out. Once a de facto commercial standard crystallises, it will be beyond the power of governments or even international regulators to change.
The DTI Consultation Paper devoted no space to the importance of privacy and anonymity on the Internet. Anonymous speech is very important, as explained below, but because it is not a commercial issue, it has been excluded from the content of the consultation paper. (See paragraphs 16 and 36.) This is a sad reflection on the previous government's sense of priorities.
Anonymity is socially useful. As Jonathan Wallace states, 'I may have a good idea you will not consider if you know my name. Or I may individually fear retaliation if my identity is revealed. Anonymity is therefore good, because it encourages greater diversity of speech.'(28)
Internet privacy activists have developed experimental anonymous remailer programs that address these concerns in respect to free speech and personal liberty. An anonymous remailer is simply a computer service that forwards e-mails or files to other addresses over the Internet. But the remailer also strips off the 'header' part of the messages, which shows where they came from and who sent them. The most untraceable remailers (e.g. MixMaster(29)) use public key cryptography which allows unprecedented anonymity both to groups who wish to communicate in complete privacy and to "whistle-blowers" who have reason to fear persecution if their identity became known.(30) According to Professor Raymond Wacks, 'it facilitates participation in the political process which an individual may otherwise wish to spurn.'(31)
One of the best-known anonymous remailers on the Internet, anon.penet.fi, was offered for more than three years by Johann Helsingius. Among its users were Amnesty International, the Samaritans, and the West Mercia Police who used it as the basis of their "Crimestoppers" scheme.
There may also be instances where Internet postings may lead to persecution if the identity of the individual is known.(32) The Supreme Court in NAACP v. Alabama ex rel. Patterson 357 U.S. 449 (1958) stated that "inviolability of privacy in group association may in many circumstances be indispensable to preservation of freedom of association" (at p 462). In McIntyre v. Ohio Elections Commission 115 S.Ct. 1511, (1995), the Supreme Court stated that:
"an author's decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment" and "the anonymity of an author is not ordinarily a sufficient reason to exclude her work product from the protections of the First Amendment."
This decision in McIntyre is related to elections and therefore benefits from the premium placed by the courts on political speech.
Anonymity is important both to free speech and privacy.(33) Key escrow and the Clipper Chip threaten this kind of anonymity on the Internet because government agents will be able to identify the content of e-mails and the destination of the messages. Recent UK Government proposals on the regulation of encryption tools display similarities to the US approach. Although not mentioned in the consultation paper, the Internet Watch Foundation (formerly known as Safety-Net),(34) recently endorsed by the UK Government, sees anonymity on the Internet as a danger, stating:
'... [A]nonymous servers that operate in the UK [should] record details of identity and make this available to the Police, when needed, under Section 28 (3) of the Data Protection Act (which deals with the disclosure of information for the purpose of prevention of crime).'(35)
A key aspect of the Safety-Net approach is that users take responsibility for material they post on the Internet; that it is important to be able to trace the originators of child pornography and other illegal material. But on the other side, anonymity is important both to free speech and privacy on the Internet,(36) just as anonymity and anonymous speech have been used for thousands of years in the larger society. It is important for people's participation in online equivalents of 'Alcoholics Anonymous' and similar groups, and individuals have a right to this kind of privacy that should not be abridged for the pursuit of vaguely defined infractions.
The Internet is being used for more and more communications, including ones of a contractual nature. No business can be transacted if people find out that others are impersonating them and making promises in their name. Digital signatures are the solution to that problem.
Digital signatures ensure the identity of the sender of the message in the same way that a normal signature at the bottom of a letter usually verifies that a letter is from a known correspondent. Signatures are useful when an electronic message is sent to ensure that it was not modified or falsely created by someone else. Also, anyone possessing the public key of the sender of the message can verify that it was he who sent the message encrypted with his private key.
Digital signatures are already used by many people, thanks to Pretty Good Privacy,(37) and they will probably become everyday accompaniments to e-mail as Internet commerce grows. For most public purposes -- including commerce -- it is important that strangers can verify each other's public keys, which calls for a TTP structure. However, the fear that someone could steal a private key and sign a binding contract or legal document will hold back all these beneficial uses of digital signatures. Key escrow for private keys raises just this fear.
It is important to mention here a couple of recent studies which may influence global developments related to the use of strong cryptographic tools. First, the US National Research Council,(38) in a paper published in May 1996, highlighted the need for strong, reliable encryption to protect individual privacy, to provide security for businesses, and maintain national security. The US National Research Council undertook a study of cryptography policy options, on request from the US Congress, and convened a study group. All the major stakeholders were represented on the group, including the 'classified' community.(39)
The biggest news to come out of the study was the classified subgroup's unanimous conclusion that one does not need access to classified information to make good decisions about cryptography policy. That myth had been perpetrated for decades to protect NSA and White House decisions from scrutiny. This study group, which included a former deputy director of NSA (Ms. Ann Caracristi) and a former US Attorney General (Mr. Benjamin Civiletti), exploded it. The study explicitly states that:
"Current national cryptography policy is not adequate to support the information security requirements of an information society.... Current policy discourages the use of cryptography, whether intentionally or not, and in so doing impedes the ability of the nation to use cryptographic tools that would help to remediate certain important vulnerabilities." (CRISIS Report)
The report further stated that:
"widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. The committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography." (CRISIS Report)
The report also recognised that "cryptography is a two-edged sword" for law enforcement, providing both a tool to help prevent crime such as economic espionage, fraud, or destruction of the information infrastructure, and a potential impediment to law enforcement investigations and signals intelligence. The study is without doubt one of the most comprehensive analyses of the complex encryption policy debate yet published. The report does not suggest immediate decontrol of cryptography exports(40) for reform, but it suggests a phased decontrol along with a corresponding build-up of alternative investigative capabilities. The report will be very important for future cryptography policy both in the US and abroad, because of the depth, breadth, and authority of the work done by the study group. (See Appendix VI)
More recently, on May 21, 1997, a group of leading cryptographers and computer scientists released a report which for the first time examined the risks and implications of government-designed key-recovery systems. Among the authors of the report are recognised leaders in the cryptography and computer science field, including Ross Anderson, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, and Bruce Schneier. The report, entitled 'The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption,'(41) cautions that 'the deployment of a general key-recovery-based encryption infrastructure to meet law enforcement's stated requirements will result in substantial sacrifices in security and cost to the end user. Building a secure infrastructure of the breathtaking scale and complexity demanded by these requirements is far beyond the experience and current competency of the field.'
Drawing a sharp distinction between government requirements for key recovery and the types of recovery systems users want, the report found that government key recovery systems will produce:(42)
Most people would accept the need for democratic governments to intercept communications on a limited scale, for detection and investigation of crime, and for 'defence of the realm'. Science and Technology Minister Ian Taylor stated that:
"The licensing policy will aim to protect consumers as well as to preserve the ability of the intelligence and law enforcement agencies to fight serious crime and terrorism by establishing procedures for disclosure to them of the encryption keys, under safeguards similar to those which already exist for warranted interception under the Interception of Communications Act." (DTI Press Release 1996)
So, basically, the UK government wants access to the electronic information just as the US government does in its key escrow and key recovery proposals. According to the FBI, wiretapping is crucial to effective law enforcement:
'If the FBI and local police were to lose the ability to tap telephones because of the widespread use of strong-cryptography, the country would be unable to protect itself against terrorism, violent crime, foreign threats, drug trafficking, espionage, kidnapping, and other crimes.'(43)
Without this capability, it may be suggested that governments would be less able to protect the safety of the public, and this in itself would constitute an infringement of civil liberties. The Internet Privacy Coalition states that:
'We do not object to the right of government to conduct lawful investigation. We recognise that the enforcement of law is a central concern in every democratic society. But no government has the right to restrict the ability of its citizens to make use of tools to protect their own privacy. Nor should any government put crime investigation before crime prevention.'(44)
The question is not whether any such interception is wrong, but whether it is safe to entrust all future governments in perpetuity with an unprecedented technical capability for mass surveillance. The state strategy seems naive as it assumes that criminals will use encryption tools which can be decrypted by the law enforcement bodies. More likely, the key escrow technology will have a chilling effect on the online users who seek to remain either secure or anonymous when communicating through the Internet, whether for fear of retribution or other reasons.
There are also practical issues here which are worthy of consideration. Surely we must accept that we cannot be in favour of terrorists and drug dealers using cryptography to plan or facilitate their crimes. But what if they do? The sending of messages in this way may still create evidence which is obtainable during the course of an investigation or trial. It is suspect users who should be targeted, not the whole world at large.(45)
We should also remember that government access to encryption keys, as in the case of the use of Closed Circuit Television systems ('CCTVs'), will not necessarily prevent premeditated brutal terrorist attacks such as the Lockerbie Pan Am 103, Docklands (near Canary Wharf) and Manchester's Arndale shopping centre bombings, as it is wrong to assume that terrorists will put a bomb in a place watched by the CCTVs or that they will plan the bombing using encryption tools which may be accessed by the law enforcement bodies. CCTVs did not stop bombings in, for example, Manchester or recently at the Leeds City Station. It takes an extraordinarily high level of constant surveillance and oversight to provide an effective deterrent through these means. More likely is that the terrorists will use encryption without detection, or detection will come later through other means, by which time the refusal to provide the key will be incriminating evidence.(46) Terrorists and organised criminals are detected through a variety of techniques involving mainly informers and surveillance. The interception of messages is important, but it should be remembered that the security services have no shortage of powers to build up useful evidence.(47)
The other point to bear in mind is that if encryption is no longer secure, terrorists will no longer use licensed systems, as it will be easy to obtain unlicensed systems and it will be simple to use them for planned communications between willing parties. This is not like corresponding with Tescos or Barclays Bank - reputable companies such as that can be forced to comply and can then force their customers to comply.
The consultation paper in section V, paragraph 42 states that 'those wishing to use any other cryptographic solutions can continue to do so, but they will not be able to benefit from the convenience, and interoperability of licensed TTPs'. The consultation paper in paragraph 72 further states that 'encryption services by unlicensed TTPs outside the UK will be prohibited'. It further states that 'prohibition will be irrespective of whether a charge is made for such services'.
The consultation paper describes 'encryption services' as encompassing any service, whether provided free or not, which involves any or all of the following cryptographic functionality - key management, key recovery, key certification, key storage, message integrity (through the use of digital signatures), key generation, time stamping, or key revocation services (whether for integrity or confidentiality), which are offered in a manner which allows a client to determine a choice of cryptographic key or allows the client a choice of recipient/s.
Although paragraph 45 states that the future legislation will be directed solely towards the provision of encryption services to subscribers in the UK and not the broader use of encryption, the above description of encryption services covers almost anything to do with the use of encryption. Let's take the hypothetical case of Pretty Good Privacy ('PGP,' described at <http://www.pgp.com>), a popular and oft-cited public key encryption tool written by Phil Zimmermann and available both for free on the Internet and as a commercial product.
PGP uses 'public key' encryption. Each user of PGP creates two keys, a public key and a secret key. The user then gives the public key to whomever they wish to correspond with and can even publish it publicly like a phone number. The secret key is kept in a safe place - usually with the PGP program - and protected by a password. The public key is used by other people to encrypt messages that they send to the secret key holder and only that person can unscramble the messages. Thus, public key cryptography avoids the need to meet in person or to carry codebooks to safely exchange keys and messages.(48)
Although the DTI officials stated on different occasions that they do not intend to make the use of PGP illegal,(49) the use of PGP may be within the above definition of 'encryption services.' Therefore, it may require a licence so that it can be used by the UK public. Now, PGP is a free software product available on the Internet which should be licensed to be used within the UK if it is within the definition of 'encryption services,' and Cyber-Rights & Cyber-Liberties (UK) does think that it is within that definition. It is not known whether PGP or Mr. Zimmermann would apply for a licence within the UK, but the answer seems unlikely, as Mr. Zimmermann never agreed with key escrow or key recovery initiatives by various governments. Applying for a licence to be a TTP would mean government access to PGP keys. Current debates suggest that this would be unacceptable to Mr. Zimmermann, which would result in PGP being an illegal use of encryption services under the current DTI proposals.
The DTI may argue that this is not the case, that the user choice would allow the UK users to use PGP, and that the use of PGP is not covered by the definition of 'encryption services' as described above. The systems and software that the public at large standardises on are the ones that have gained common use for a variety of reasons, not necessarily the technically most superior ones. For instance, witness the effect of Bill Gates's policy on Microsoft Internet Explorer, the Internet browser made freely available to online users by Microsoft. Its inclusion in the Windows operating system clearly pushes the users to use that system rather than other possible Internet browsers such as Netscape. Regulations such as those in the DTI proposal can similarly discourage the use of the most effective encryption products and artificially push the public toward weaker ones.
The Clinton Administration in the United States is using related tactics to impose its notion of encryption on the public. Its latest encryption proposal, like the DTI proposal, formally permits the public to use any kind of encryption desired. But the proposal suggests that the government will force all government agencies, and all parties communicating with the government, to use a form of encryption where the keys are escrowed and available to the government. The overwhelmingly large market thus created for key-escrow products could push out competing encryption products.
The paper also states without explanation at paragraph 47 that:
'The Government recognises that further legislation may be required in the future to enable the appropriate authorities to obtain private encryption keys other than those held by licensed TTPs.'
Therefore the DTI proposal does not ultimately intend to leave any backdoor for the online users. Even though the initial step may be towards a TTP-based system with free choice for online users for their encryption needs, this may not be the case in the future.
The sale or transmission of cryptographic software internationally may be restricted by export regulations in the UK as in the US. The Export of Goods (Control) Order 1994 as amended by The Dual-Use and Related Goods (Export Control) Regulations 1995 (Customs and Excise, No. 271, 1995) apply to the exportation of cryptographic software from the UK. The definition of cryptographic software is included in Schedule 2, 5D2 of the Dual-Use and Related Goods (Export Control) Regulations 1995 and the export of this kind of regulated information requires an export licence from the Department of Trade and Industry (section 9). Failure to comply with the licence conditions may result in a maximum of two years of imprisonment (Section 8).(50)
The DTI White Paper states that export controls will remain in place for encryption products and for digital encryption algorithms (White Paper 1996, para 15). The Government however states that it will take steps to simplify export controls within the European Union with respect to encryption products which are of use with licensed TTPs. Although this sounds like a good initiative, it includes only products which are of use with licensed TTPs. This means that other encryption tools which are not approved by the TTPs will still be subject to stricter export regulations.
Section VI states that similar legislation to the Interception of Communications Act 1985 will be introduced for the recovery of keys from the TTPs. But this proposal seems to go further than the 1985 Act because the consultation paper suggests that the future legislation will not only deal with information on the move but also with 'lawful access to data stored and encrypted by the clients of the licensed TTPs.'
For the purposes of legal access, the government proposes a 'central repository' to be established that would 'act as a single point of contact for interfacing between a licensed TTP and the security, intelligence and law enforcement agencies who have obtained a warrant requiring access to a client's private encryption keys.' It is also stated in a footnote that the 'central repository' would be an existing government department or an agency set up specifically by the government for the above purpose. This proposal poses precisely the danger which 'The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption' report recently warned against:(51) the concentration of keys in highly visible, centralised repositories like the one proposed by the DTI consultation paper. These will present an irresistible target for intruders, and such intruders cannot be kept out indefinitely. A history of many break-ins to networks owned by the military and by large corporations proves this.
The number of warrants issued under the 1985 Act is also an important factor to reflect on when determining whether such legislation should be introduced under the DTI proposals and whether also the warrants should be provided by the Secretary of State. According to Statewatch, 'the number of warrants issued in England and Wales for telephone-tapping and mail-opening reached its highest level for five years with 910 warrants issued in 1995 compared to 473 in 1990. The total number of warrants, covering phones and letter-opening, signed by the ex Home Secretary Michael Howard were 997 in 1995. Each of these warrants issued can cover more than one phone line if they are issued to cover an organisation or group.'(52) As under the Police Bill 1996-97, it is wholly wrong that it is the Secretary of State who issues the warrants and not a judge (paragraph 76)(53).
While the ex UK Government intended to bring forward proposals for legislation following consultation by the Department of Trade and Industry on detailed policy proposals, the Labour Party thought otherwise. They stated in their Year of Labour Party document that:
'We do not accept the "clipper chip" argument developed in the United States for the authorities to be able to swoop down on any encrypted message at will and unscramble it. The only power we would wish to give to the authorities, in order to pursue a defined legitimate anti-criminal purpose, would be to enable decryption to be demanded under judicial warrant.'
The Labour Party further argued that attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long-term economic value of the information networks.
"It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers."(54)
It seems that the Labour Party intends to penalise a refusal to comply with a demand to decrypt under judicial warrant.(55) Even if this proposal is never enacted, the courts may draw inferences under the new sections 34-37 of the Criminal Justice and Public Order Act 1994 because of the silence of the defendants. Lord Slynn in Murray v. DPP 97 Cr. App. R. 151 stated that:
"If aspects of the evidence taken alone or in combination with other facts clearly call for an explanation which the accused ought to be in a position to give, if an explanation exists, then a failure to give any explanation may as a matter of commonsense allow the drawing of an inference that there is no explanation and that the accused is guilty." (at 160)
Not providing an encryption key may result in judges commenting on the accused's behaviour and juries drawing inferences under the new controversial 1994 Act.(56)
With the Internet we use the same technology at one point to achieve greater publicity and at other points to achieve greater privacy.(57) We wrap our commercial transactions and personal communications in encrypted messages with digital signatures to keep them secret and prevent tampering. However, we also use anonymous email and news postings to spread our ideas without incurring retaliation.
The fear of being monitored or being traced back by the system operators, hackers or government agencies will not help the development of the Internet. The fear of not knowing what information is available on the Internet about ourselves and its process and use by others will affect the individual user. That is why the privacy of the users should be respected and protected. The online users must be safe from these possible intrusions. Powerful encryption tools are an important way to respect the online users' privacy, and this should be free from the various governments' control and holding of the encryption keys for their purposes.
The central difficulty is that current technology does not admit striking a balance. It is all or nothing, a situation both unnerving and unpleasant for politicians, a genuine dilemma. We are at a cross-roads, where one path leads to a total surveillance infrastructure limited only by the self-restraint of Government; the other path leads to a dilution of power and strengthening of privacy.
Knowledge of cryptography has traditionally been the preserve of national security authorities, and the subject has been studied in industry and academia for only a few decades. There are few recognised centres of academic research in the UK, where civil liberties questions have hitherto received peripheral treatment. Therefore the sources of independent expert advice to government are limited, and the UK public are by and large unaware of the issues to be decided.
Following the US and UK initiatives both the EC and the Organization for Economic Co-operation and Development ('OECD') are conducting research into the use of cryptography. A recent Council of Europe resolution advised that
Measures should be considered to minimise the negative effects of the use of cryptography on the investigation of criminal offences, without affecting its legitimate use more than is strictly necessary.(58)
Any OECD resolution would need to be implemented by appropriate legislation or regulation. In March, 1997, the OECD, which promotes the use of cryptography, rejected US proposals to base national encryption policy on key recovery. On March 27, 1997, while not taking a side on the benefits or drawbacks of key escrow, the OECD issued cryptography recommendations that warn against 'unjustified obstacles to international trade and the development of information and communications networks (8th principle)' and 'legislation which limits user choice. (2nd principle).'(59) One of the most important principles of the OECD Guidelines, the 5th principle, stated that:
The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
This is an unexpected but very important principle together with the use of the word 'may' rather than 'should' in the 6th principle which states that 'national cryptography policies may allow access to cryptographic keys or encrypted data'. The 6th OECD principle concludes that 'these policies must respect the other principles contained in the guidelines to the greatest extent possible'.
As the DTI proposals try to set up a precedent in global terms (paragraph 12), the promotion of encryption services with government access could be a real threat for human rights abuses in undemocratic countries.
Nevertheless, it seems like a change in the UK government may affect the current policy on the use of encryption tools and it would be very interesting to see what the new Labour government will say about this important issue. We hope to see the new government following their statements as explained above. Far more is at stake than a modest proposal to maintain current law enforcement capabilities – the claim that escrow represents merely a continuation of existing interception policy is disingenuous at best. A wide public debate, perhaps under the aegis of a Royal Commission, with representatives from academia, industry, the judiciary, and organisations involved with civil liberties issues, as well as the intelligence services, should fully consider the long-term balance of risks and benefits of different approaches(60).
Cyber-Rights & Cyber-Liberties (UK) 'First Report on UK Encryption Policy' has been endorsed and supported by 15 organizations.
(See Appendix I).
Yours sincerely,
Yaman Akdeniz
Head of Cyber-Rights & Cyber-Liberties (UK)
Cyber-Rights & Cyber-Liberties (UK) Reply to the DTI was endorsed and signed also by the following Organizations with similar aims and views:
Dear Nigel Hickson (DTI)
We are writing to offer an expert opinion in response to the paper released by the UK DTI, 'Licensing of Trusted Third Parties for the Provision of Encryption Services'. We are a group of public-interest organisations in Great Britain and elsewhere that inform the public about policy matters related to computers and networking. The principles in the U.K. paper are quite similar to those promoted in the Clipper Chip proposal by the U.S. government in April 1993, and related U.S. proposals since then. Therefore, we have been researching and debating the issue for four years.
We feel it necessary to argue against the whole notion of government access to keys. There are several political and technical difficulties with such a plan. While we understand that the British public is willing to give their government more investigative leeway than the U.S. public is, we think the British will be unhappy with the level of surveillance currently being suggested.
First, the plan involves an unprecedented level of government intrusion into daily life, because the government would potentially have access to all digital communications by all people living within the borders of the country, as well as anyone outside the country exchanging information in digital form with people within. Despite the formal guarantee that a warrant would be required to give law enforcement officials access to a key, there is a long history of abusing surveillance techniques by government officials. It is unfeasible to assume that government employees would refrain from asking for keys without just cause, or that the companies holding on to these keys would refuse to surrender them in response to an inappropriate request. In this context it is worth remembering that agents from one country often penetrate the security forces of another; not every responsible employee is automatically trustworthy.
In the United States, memories remain of the widespread illegal use of surveillance by the FBI against political opponents of the government in the 1950's through 1970's. Despite the passage of laws to prevent future abuse, incidents continue to come to light where the highest authorities break laws to obtain information.
Similar abuses have been documented in many other countries. The practice of wiretapping the civilian population to suppress political and civil rights was widespread throughout the Eastern Bloc, and continues unabated in many Asian and Latin American countries today. Citizens working peaceably for basic rights like free speech or democratic governance are bugged, tapped, harassed, tortured, and murdered by their own governments every day. Establishing an international regime which glorifies "the right of governments to successfully wiretap their citizens" will have serious consequences for basic human rights all over the globe.
Second, centralised storage for keys presents an irresistible target for intruders. One of the central principles of network security is that there cannot be a complete guarantee against break-ins, at least given current technology. The United States military has experienced break-ins many times, as have huge numbers of private organisations. One must assume that malicious intruders with large financial or other incentives will, at times, crack the security of the Trusted Third Parties (TTPs). By contrast, in the highly popular technology known as "public key encryption," each private key is held only by an individual.
Third, human weakness must be considered. The employees of the TTP will be subject to the temptation to share keys due to bribes, vengeful motives, or simple curiosity.
In short, government access and key escrow are inescapably insecure and subject to abuse. Furthermore, they're bad for business: British companies making encryption products will be at a competitive disadvantage with companies in other countries where encryption is not restricted. The Department is addressing this problem by proposing that other countries adopt the system as well.
However, the flaws in key escrow are greatly magnified as they extend across multiple countries. If one country imposes a requirement for government access, it legitimises corresponding demands by other countries, particularly those with poor records in human rights where encryption may be needed to protect people's lives.
The most secure form of digital transaction is one where the users choose their own keys and are responsible for managing the keys themselves. In some such systems, users' "public" keys are published in order to make each user's identity verifiable by any recipient. Normally the "private" keys are held securely by each user, never being revealed to anyone else. An organisation may choose to escrow its members' private keys so that information cannot be lost to the whole organisation, though in contrast to most government-inspired escrow schemes, such keys would normally be "backed up" to another location inside the company rather than being given to an outside firm to guarantee government access. These practices can flourish without government intervention. To use licensing as a subterfuge to quietly undermine the privacy of citizens is intolerable.
TTPs are useful because they allow individuals and organizations that have no prior knowledge of each other to communicate with the assurance that neither is being impersonated. But this service should not be used as a Trojan horse in which to sneak a system under which the government can access the keys—a system that undermines trust.
We understand the public's fear of terrorist violence, and certainly want to see it reduced. But outside of law enforcement agencies, most commentators have declared that the threat of increased terrorist or criminal activity is not so great as to justify the requirement that all members of society surrender their privacy.
Government attempts to impose key escrow are likely to eliminate privacy for the average citizen of the average country when communicating using telephones or computer mediated networks. The rights of free speech, free association, personal privacy, financial privacy, private property, and doctor- and lawyer-client privilege, would all be weakened or eliminated. The role of digital transactions in our future is too important to permit such risks.
16 organisations signed the above letter:
Cyber-Rights & Cyber-Liberties (UK), CommUnity (UK), ALCEI - Electronic Frontiers Italy, American Civil Liberties Union, AUI (Association des Utilisateurs d'Internet) - France, CITADEL Electronic Frontier France, Computer Professionals for Social Responsibility, EFF-Austin (Austin, Texas, USA), Electronic Frontier Foundation, Electronic Frontiers Australia, Electronic Frontiers Ireland, Electronic Privacy Information Center, FrEE-Fronteras Electronicas España (Electronic Frontiers Spain), Freedom on the Internet (Switzerland), NetAction, Privacy International, Stichting Digitale Burgerbeweging Nederland (Digital Citizens Foundation in the Netherlands).
Written by Andrew Oram, Computer Professionals for Social Responsibility.
WHEREAS the Organization for Economic Cooperation and Development (OECD) is now considering the development of an international policy for the use of cryptography;
WHEREAS the use of cryptography implicates human rights and matters of personal liberty that affect individuals around the world;
WHEREAS national governments have already taken steps to detain and to harass users and developers of cryptography technology;
WHEREAS cryptography is already in use by human rights advocates who face persecution by their national governments;
WHEREAS the privacy of communication is explicitly protected by Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, and national law;
WHEREAS cryptography will play an increasingly important role in the ability of citizens to protect their privacy in the Information Society;
RECOGNIZING that the OECD has made substantial contributions to the preservation of human rights and the protection of privacy;
FURTHER RECOGNIZING that decisions about cryptography policy may give rise to communication networks that favor privacy or favor surveillance;
FURTHER RECOGNIZING that the promotion of key escrow encryption by government poses a direct threat to the privacy rights of citizens;
THE FOLLOWING NATIONAL AND INTERNATIONAL ORGANIZATIONS, concerned with matters of human rights, civil liberty, and personal freedom, have joined together to
URGE the OECD to base its cryptography policies on the fundamental right of citizens to engage in private communication;
FURTHER URGE the OECD to resist policies that would encourage the development of communication networks designed for surveillance; and
RECOMMEND that the OECD turn its attention to growing public concerns about the widespread use of surveillance technologies and the implications for Democratic Society and Personal Liberty around the world.
RESPECTFULLY ENDORSED,
The Global Internet Liberty Campaign was formed at the annual meeting of the Internet Society in Montreal. Members of the coalition include the American Civil Liberties Union, the Electronic Privacy Information Center, Human Rights Watch, the Internet Society, Privacy International, the Association des Utilisateurs d'Internet, and other civil liberties and human rights organizations.
The Global Internet Liberty Campaign advocates...
This is from <http://www.privacy.org/pi/reports/pgp.html>.
Recently, I received the following letters by email from Central Europe. The letters provide food for thought in our public debates over the role of cryptography in the relationship between a government and its people. With the sender's permission, I am releasing the letters to the public, with the sender's name deleted, and some minor typos corrected. This material may be reposted, unmodified, to any other Usenet newsgroups that may be interested.
Philip Zimmermann
Date: Sat, 09 Mar 1996 19:33:00 +0000 (GMT)
From: [name and email address deleted]
Subject: Thanks from Central Europe
To: Philip Zimmermann
Dear Phil,
This is a short note to say a very big thank you for all your work with PGP.
We are part of a network of not-for-profit agencies, working among other things for human rights in the Balkans. Our various offices have been raided by various police forces looking for evidence of spying or subversive activities. Our mail has been regularly tampered with and our office in Romania has a constant wiretap. Last year in Zagreb, the security police raided our office and confiscated our computers in the hope of retrieving information about the identity of people who had complained about their activities.
In every instance PGP has allowed us to communicate and protect our files from any attempt to gain access to our material as we PKZIP all our files and then use PGP's conventional encryption facility to protect all sensitive files. Without PGP we would not be able to function and protect our client group. Thanks to PGP I can sleep at night knowing that no amount of prying will compromise our clients. I have even had 13 days in prison for not revealing our PGP pass phrases, but it was a very small price to pay for protecting our clients. I have always meant to write and thank you, and now I am finally doing it. PGP has a value beyond all words and my personal gratitude to you is immense. Your work protects the innocent and the weak, and as such promotes peace and justice, quite frankly you deserve the biggest medal that can be found.
Please be encouraged that PGP is a considerable benefit to people in need, and your work is appreciated. Could you please tell us where in Europe we can find someone who can tell us more about using PGP and upgrades etc. If you can't tell us these details because of the export restriction thing, can you point us at someone who could tell us something without compromising you.
Many thanks.
[ I sent him a response and asked him if I could disclose his inspiring letter to the press, and also possibly use it in our ongoing legislative debates regarding cryptography if the opportunity arises to make arguments in front of a Congressional committee. I also asked him to supply some real examples of how PGP is used to protect human rights. He wrote back that I can use his letters if I delete his organization's name "to protect the innocent". Then he sent me the following letter. —PRZ ]
Date: Mon, 18 Mar 1996 15:32:00 +0000 (GMT)
From: [name and email address deleted]
Subject: More News from [Central Europe]
To: Philip Zimmermann
Dear Phil,
I have been thinking of specific events that might be of use to your Congressional presentation. I am concerned that our brushes with Governments might be double-edged in that Congress might not like the idea of Human Rights groups avoiding Police investigation, even if such investigations violated Human Rights.
However we have one case where you could highlight the value of PGP to "Good" citizens, we were working with a young woman who was being pursued by Islamic extremists. She was an ethnic Muslim from Albania who had converted to Christianity and as a result had been attacked, raped and threatened persistently with further attack. We were helping to protect her from further attack by hiding her in Hungary, and eventually we helped her travel to Holland, while in Holland she sought asylum, which was granted after the Dutch Government acknowledged that she was directly threatened with rape, harassment and even death should her whereabouts be known to her persecutors. Two weeks before she was granted asylum, two armed men raided our office in Hungary looking for her, they tried to bring up files on our computers but were prevented from accessing her files by PGP. They took copies of the files that they believed related to her, so any simple password or ordinary encryption would eventually have been overcome. They were prepared to take the whole computer if necessary so the only real line of defence was PGP.
Thanks to PGP her whereabouts and her life were protected. This incident and the young woman's circumstances are well documented. We have also had other incidents where PGP protected files and so protected innocent people. If the US confirms the dubious precedent of denying privacy in a cavalier fashion by trying to deny people PGP, it will be used as a standard by which others will then engineer the outlawing of any privacy. Partial privacy is no privacy. Our privacy should not be by the grace and favour of any Government. Mediums that ensured privacy in the past have been compromised by advances in technology, so it is only fair that they should be replaced by other secure methods of protecting our thoughts and ideas, as well as information. I wish you well with your hearing.
Yours most sincerely
[name deleted]
On May 21, 1997, a group of leading cryptographers and computer scientists released a report which for the first time examines the risks and implications of government-designed key-recovery systems.
The report cautions that "The deployment of a general key-recovery-based encryption infrastructure to meet law enforcement's stated requirements will result in substantial sacrifices in security and cost to the end user. Building a secure infrastructure of the breathtaking scale and complexity demanded by these requirements is far beyond the experience and current competency of the field."
As the Clinton Administration continues to pursue a policy of encryption export controls and the compelled use of key-recovery both inside the US and abroad, this report provides an important baseline for considering the implications of such a policy.
The Report's authors, recognized leaders in the cryptography and computer science field, include Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, and Bruce Schneier.
(*) I am very grateful to the following people who have helped me to prepare this report and I would like to thank them:
(1)An online version of the document is available at <http://www.dti.gov.uk/pubs> although the DTI What is New web page at <http://www.dti.gov.uk/whatsnew.htm> suggests that this version was not put on the web until 11 April, 1997.
(2)The Global Internet Project - Encryption Summit was held in London on April 8, 1997, attendance was only by invitation and the majority of the attendees were from the Internet Industry. The Scrambling for Safety Conference was organized by Privacy International and the Global Internet Liberty Campaign at the London School of Economics on the 19th of May 1997. The conference was open to the public and more than 300 people attended the conference.
(3)See the DTI Consultation paper, para. 36.
(4)Malone v. Metropolitan Police Commissioner (No.2) [1979] 2 All ER 620.
(5)David Feldman, Civil Liberties & Human Rights in England & Wales, Oxford: Clarendon Press, 1993, pages 385-386.
(6)This was confirmed in the European Court of Human Rights in Malone v. UK, Series A, No:82, Judgement of 2 Aug. 1984, 7 EHHR 14.
(7)ibid., page 386.
(8)Kaye v. Robertson [1991] FSR 62.
(9)(1849) 1 Mac & G 25, 41 ER 1171, 64 ER 293.
(10)See D Warren and L D Brandeis, "The Right to Privacy" (1890) Harv L Rev 193.
(11)Broadcasting Act 1990, section 143 (1) provides that the function of the Broadcasting Complaints Commission shall be to consider and adjudicate on complaints, inter alia, of "unwarrented infringement of privacy" in programmes or in obtaining material for programmes.
(12)See Internet Privacy Coalition at <http://www.privacy.org/ipc/>.
(13)(1965) 381 U.S. 479..
(14)(1973) 410 U.S. 113.
(15)389 U.S. 347 (1967). Katz overturned Olmstead v. United States, 277 U.S. 438 (1928) which held that the evidence obtained through telephone taps offends neither the Fourth nor the Fifth Amendment. Justice Harlan held that:"the Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to public, may be constitutionally protected" (at page 351).
(16)Warren and Brandeis, "The Right to Pirvacy" (1890) 4 Harv. Law. Rev. 193.
(17) ibid., 196 taken from Raymond Wacks, Personal Information: Privacy and the Law, 1989, Oxford: Clarendon Press, page 33.
(18) Pavesich v. New England Life Insurance Co. 50 SE 68 (1905).
(19) New York Civil Rights law sections 50 & 51 expressly recognise a right of privacy.
(20) Prince Albert v. Strange (1849) 64 ER 293 and Pollard v. Photographic Co. (1888) 40 Ch. Div. 345.
(21) Raymond Wacks, Personal Information: Privacy and the Law, 1989, Oxford: Clarendon Press, page 34.
(22) Report of the Committee on Privacy and Related Matters, Chairman David Calcutt QC, 1990, Cmnd. 1102, London: HMSO, para. 3.12, page 7.
(23) Raymond Wacks, "Privacy in Cyberspace" presented at the Society of Public Teachers of Law (SPTL) Seminars for 1996 - Pressing Problems in the Law: Privacy, 29 June 1996.
(24) See Rose, Lance, Netlaw: Your Rights in the Online World, Osborne McGraw-Hill, 1995, p 182.
(25) Andy Oram, 'British and Foreign Civil Rights Organizations Oppose Encryption', see Appendix 2 or <http://www.cpsr.org/cpsr/nii/cyber-rights/web/crypto_brit.html>.
(26) See David Banisar, 'Bug Off! A Primer on Electronic Surveillance for Human Rights Organizations', International Privacy Bulletin, October 1995, see <http://www.privacy.org/pi/reports/bug_off.html>.
(27) E.g. the FBI during the 1970s wiretapped and bugged the communications of Black Panthers and other dissident groups. See Sanford J. Ungar, FBI 137, (1975). Also between 1953 and 1973, the CIA opened and photographed almost 250,000 first class letters within the US from which it compiled a database of almost 1.5 million names. See Church Committee Report, S. Rep. No. 755, 94th Cong., 2d Sess., pt. 2, 1976, at 6.
(28) See Jonathan Wallace, 'Mrs. McIntyre in Cyberspace: Some thoughts on anonymity', The Ethical Spectacle, May 1997 at <http://www.spectacle.org/597/mcintyre.html>.
(29) Lance Cottrell, Mixmaster FAQ, <http://www.obscura.com/~loki/remailer/mixmaster-faq.html>.
(30) See the written evidence submitted by the Christian Action Research and Education (CARE) to the House of Lords, Select Committee on Science and Technology, 'Information Society: Agenda for Action in the UK', Session 1995-96, 5th Report, London: HMSO, 31 March 1996, page 187.
(31) Raymond Wacks, 'Privacy in Cyberspace,' presented at the Society of Public Teachers of Law (SPTL) Seminars for 1996 - Pressing Problems in the Law: Privacy, 29 June 1996.
(32) See the written evidence submitted by the Christian Action Research and Education (CARE) to the House of Lords, Select Committee on Science and Technology, "Information Society: Agenda for Action in the UK", Session 1995-96, 5th Report, London: HMSO, 31 March 1996, page 187.
(33) See the ACLU challenge to Georgia law restricting free speech on the Internet. ACLU and others stated that the law is unconstitutionally vague and overbroad because it bars online users from using pseudonyms or communicating anonymously over the Internet. The Act also unconstitutionally restricts the use of links on the World Wide Web, which allow users to connect to other sites. ACLU press release dated 24 September 1996 is available at <http://www.aclu.org/news/n092496a.html>.
(34) Safety-Net, supported by the UK Government, was announced on September 23, 1996. Safety-Net has an e-mail, telephone and fax hot-line from October 1, 1996 and online users will be able to report materials related to child pornography and other obscene materials. See the Safety-Net proposal, 'Rating, Reporting, Responsibility, For Child Pornography & Illegal Material on the Internet' adopted and recommended by the Executive Committee of ISPA - Internet Services Providers Association, LINX - London Internet Exchange and The Internet Watch Foundation at <http://dtiinfo1.dti.gov.uk/safety-net/r3.htm>.
(35) Safety-Net proposal 1996, para 30.
(36) See the ACLU challenge to Georgia law restricting free speech on the Internet. ACLU and others stated that the law is unconstitutionally vague and overbroad because it bars online users from using pseudonyms or communicating anonymously over the Internet. The Act also unconstitutionally restricts the use of links on the World Wide Web, which allow users to connect to other sites. ACLU press release dated 24 September 1996 is available at <http://www.aclu.org/news/n092496a.html>.
(37) Readers of notices from groups which send out electronic alerts, such as Amnesty International, American Civil Liberties Union and the Tibetan Government-in-Exile, can ensure that the alerts have not been altered by people wishing to disrupt the group's activities.
(38) Committee to study National Cryptography Policy by Computer Science and Telecommunications Board, National Research Council, National Academy of Sciences and National Academy of Engineering. The Committee was founded at the request of the U.S. Congress in November 1993 by the National Research Council's Computer Science and Telecommunications Board (CSTB). See <http://www2.nas.edu/cstbweb/>.
(39) Indeed, thirteen of the sixteen members got very high security clearances, and were able to ask serious questions and have them answered by senior people from NSA and other agencies.
(40) See The Promotion of Commerce Online in the Digital Era (Pro-CODE) Act of 1996 (Section 1726) introduced by Senators Conrad Burns (R-MT) in the US Senate to promote electronic commerce by facilitating the use of strong encryption, and for other purposes in May 1996. It had not been enacted into legislation by November 1996.
(41) See Encryption Policy Resource Page for the full report at <http://www.crypto.com/key_study/>.
(42) For a summary of 'The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption' Report, see Centre for Democracy and Technology Policy Post, Vol 3 (6), May 21, 1997, at <http://www.cdt.org/>.
(43) FBI Director Louis Freeh, Address at the Executives' Club of Chicago, Feb. 17, 1994, at 13.
(44) See Internet Privacy Coalition at <http://www.privacy.org/ipc/>.
(45) See e.g. the Prevention of Terrorism (Temporary Provisions) Act 1989, Schedule 7.
(46) See the section on Labour Party Manifesto.
(47) See for example, section 3 of the Security Service Act 1989.
(48) See David Banisar, 'Bug Off! A Primer on Electronic Surveillance for Human Rights Organizations', International Privacy Bulletin, October 1995.
(49) This was stated by Nigel Hickson from the DTI on at least two occasions - (1) At the 8th Joint European Networking Conference, Edinburgh 14th of May 1997 (video of the session available from the author) and (2) Scrambling for Safety Conference, London LSE, 19th May 1997.
(50) See Yaman Akdeniz, 'UK Government Encryption Policy', [1997] Web Journal of Current Legal Issues 1 (February) at <http://www.ncl.ac.uk/~nlawwww/1997/issue1/akdeniz1.html>.
(51) For a summary of 'The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption' Report, see Centre for Democracy and Technology Policy Post, Vol 3 (6), May 21, 1997, at <http://www.cdt.org/>.
(52) These figures in the latest annual report from Lord Nolan only give - as usual - part of the picture. Under Section 2 of the Interception of Communications Act 1985, warrants to intercept communications are meant to be applied for by the Metropolitan Police Special Branch, the National Criminal Intelligence Service (NCIS), Customs and Excise, Government Communications Headquarters (GCHQ), the Security Service (MI5), the Secret Intelligence Service (MI6), the Royal Ulster Constabulary (RUC) and Scottish police forces. Total figures for warrants issued, England and Wales 1989-1995: 1989 - 458, 1990 - 515, 1991 - 732, 1992 - 874, 1993 - 998, 1994 - 947, 1995 - 997. See 'UK: Phone-tapping doubles in 5 years', Statewatch Bulletin, Vol 6 no 3, May-June 1996, and also the Report of the Commissioner for 1995, Interception of Communications Act 1985. Cm 3254, HMSO, Report of the Commissioner for 1994, Security Service Act 1989, for 1995. Cm 3253, HMSO, Intelligence Services Act 1994, for 1995. Cm 3288, HMSO, MI5 The Security Service, 2nd edition, HMSO.
(53) This may be the case under the Interception of Communications Act 1985 and Security Service Act 1989, but they are also wrong.
(54) See The Labour Party Policy on Information Superhighway, 'Communicating Britain's Future', 1995, available at <http://www.labour.org.uk/views/index.html>.
(55) See the Prevention of Terrorism (Temporary Provisions) Act 1989, Schedule 7. Note also that the UK Police already had difficulties with encrypted files in the course of criminal investigations related to child pornography. See "Paedophiles use encoding devices to make secret use of Internet" The Times, Nov. 21, 1995.
(56) See Cowan, Gayle, Ricciardi [1996] 1 Cr. App. R. 1. See also Anthony F. Jennings, "Resounding Silence", [1996] New Law Journal 146, 6744 pages 725, 726, and 730.
(57) E.g. to publicise my web page, Cyber-Rights & Cyber-Liberties (UK), I had to leave personal information such as my e-mail address, contact address, telephone number and other details with many web sites and search engines.
(58) Council of Europe Recommendation, 'Concerning Problems of Criminal Procedure Law Connected with Information Technology', No. R (95) 13, Sept. 1995, Appendix, para. 8. An online version is available at <http://www.privacy.org/pi/intl_orgs/coe/info_tech_1995.html>.
(59) See OECD Cryptography Policy Guidelines: Recommendation of the Council Concerning Guidelines for Cryptography Policy, at <http://www.oecd.org/dsti/iccp/crypto_e.html>, 27 March 1997.
(60) See Yaman Akdeniz & Caspar Bowden - 'Cryptography and Democracy : Dilemmas of Freedom,' in a forthcoming book 'Civil Liberties and the Internet' by Liberty (Pluto Press - 1997).
Copyright © May 1997 Yaman Akdeniz
HTML Version by Oliver Clarke. Last revised 29th May 1997