Cyber-Rights & Cyber-Liberties (UK) response in relation to the DTI, Promoting Electronic Commerce: Consultation on Draft Legislation and the Governments Response to the Trade and Industry Committees Report, CM 4477, July 1999.
To the Attention of Mr. Stephen de Souza,
Communications and Information Industries Directorate
Department of Trade and Industry
Room 220, 151 Buckingham Palace Road
London SW1W 9SS
(1) Cyber-Rights & Cyber-Liberties (UK) (http://www.cyber-righs.org), is a non profit civil liberties organisation that was founded with the aim of promoting free speech and privacy with regard to the Internet. This statement contains the views of Cyber-Rights & Cyber-Liberties (UK) in relation to the draft Electronic Communications Bill.
(2) Cyber-Rights & Cyber-Liberties (UK) notes that "the Governments policy is to facilitate electronic commerce." (paragraph 3 of the explanatory notes). However, we regret that the Electronic Communications Bill deals with matters that have nothing to do with the promotion and development of electronic commerce.
(3) The law enforcement provisions of the Electronic Communications Bill (part III) will not help to "build confidence in electronic commerce" as stated in paragraph 7.
(4) It is also doubtful that the proposed law enforcement powers (part III) will maintain the effectiveness of existing law enforcement powers. Furthermore, the Government misses yet another opportunity to provide detailed information and statistics to back its claim that there is an "increasing criminal use of encryption". (paragraph 8).
(5) This response will concentrate on Part III, Investigation of Protected Electronic Data of the Electronic Communications Bill.
(6) The proposals made in Part III are a potentially very dangerous infringement of civil rights.
Clause 10 of part III deals with a "power to require disclosure of key" in relation to protected (encrypted) information. Clause 10(2)(b) gives power to any person with the appropriate permission under Schedule 1 to require the disclosure of the encryption key by a notice to the person appearing to him to have possession of the key.
(7) However, we stated in a letter sent to the Right Honourable Tony Blair, PC, MP, The Prime Minister on 14 June, 1999, that "when Public Key Cryptography is used it is possible that an innocent message recipient can be put in jeopardy by a third party simply by sending them an encrypted message. An innocent party might then be forced to compromise their privacy by handing over their secret decryption keys. In this circumstance it should be sufficient for the party to offer the decrypted text, not their keys."
(8) Furthermore, we stated that "it would also be easy for someone to send a message to another person using a random private key. The innocent party would then have to prove that they dont have a key to decrypt this message. How this could be done is impossible to imagine: no objective evidence could be capable of proving this negative."
(9) Under clause 10 (and Schedule 1) of the Electronic Communications Bill, the authority which authorised the search or seizure by which the encrypted material comes into the possession of the investigating authorities can also issue (either at the time of initial authorisation or later) the written notice to decrypt and can do so without any further proof as to degree of possession on the part of the suspect or the importance to the investigation. The forced disclosure of documentation may not be considered as serious as the demand for personal testimony (see Saunders v. the United Kingdom, 17 December 1996, Reports 1996-VI, p. 2064, § 68 and compare Funke v. France, 25 February 1993, Series A no. 256-A, p. 22, § 44), but it can be personally incriminating as implying the admission of the existence and possession of keys.
(10) Accordingly, it is very likely that such a requirement would breach Article 6(1) to (3) of the European Convention on Human Rights by being considered unfair in the circumstances and by reversing the burden of proof, especially since: it is not made clear what suspicion or belief in relation to what levels of offence should be established or what other evidence be possessed by the law enforcement authorities, or what other avenues of investigation be exhausted prior to the issuance of a notice; it is not certain that legal advice will be available; but it is certain that a failure to comply will itself automatically be an offence.
Clause 12(1) creates a new offence and states that "A person is guilty of an offence if he fails to comply, in accordance with any section 10 notice, with any requirement of that notice to disclose a key to protected information." Furthermore, clause 12(2)(a) states that "in proceedings against any person for an offence under this section, it shall be a defence for that person to show (a) that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it." Clause 12(3) states that "in proceedings against any person for an offence under this section it shall be a defence for that person to show (a) that it was not reasonably practicable for him to make a disclosure of the key before the time by which he was required to do so; (b) where the key was not in his possession at that time, that it was not reasonably practicable for him, before that time, to make such a disclosure as is mentioned in subsection (2)(b)."
(11) Clauses 12(2)(a) and 12(3)(a) switch the burden of proof onto the accused or onto the person who was served a clause 10 notice to provide the right private encryption key to decrypt the encrypted message (or messages) that are the subject of the the notice under clause 10. As already discussed, there are circumstances in which this will be an impossible task. . He/she may not be in a position to provide a key or an explanation on why there is no such a key. To impose an impossible burden of proof on an accused in this way will inevitably amount to an infringement of the presumption of innocence embodied in the European Convention on Human Rights, which would be a significant breach of one of the United Kingdoms most important international obligations with the introduction of Part III of the Electronic Communications Bill.
(12) It should be noted that the right to a fair trial under article 6 of the European Convention of Human Rights incorporated by the Human Rights Act 1998 includes "the right of anyone charged with a criminal offence ... to remain silent and not to contribute to incriminating himself." (See Funke v. France (1993) 16 E.H.R.R. 297).
(13) Furthermore, the European Court of Human Rights reiterates that the right of any "person charged" to remain silent and the right not to incriminate himself are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6 of the European Convention on Human Rights. Their rationale lies, inter alia, in protecting the "person charged" against improper compulsion by the authorities and thereby contributing to the avoidance of miscarriages of justice and to the fulfilment of the aims of Article 6. (See the following judgments of the Court: Funke v. France, 25 February 1993, Series A no. 256-A, p. 22, § 44; John Murray v. the United Kingdom, 8 February 1996, Reports of Judgments and Decisions 1996-I, p. 49, § 45; and Saunders v. the United Kingdom, 17 December 1996, Reports 1996-VI, p. 2064, § 68; Serves v. France, 20 October, 1997, Reports 1997-VI). The burden of proof therefore, cannot be reversed for the suspect or for anybody served with a clause 10 notice to provide the requested evidence or prove his/her innocence.
(14) Article 6 of the European Convention of Human Rights, as incorporated by the Human Rights Act 1998, should have been more carefully analysed by the Government before part III of the Bill was drafted. In our view there remain serious compatibility problems with article 6 as far as the offences under Part III are concerned. We hence dispute the view of the Secretary of State for Trade and Industry that "the provisions of the Electronic Communications Bill are compatible with the Convention rights."
(15) In addition to these core issues, there are a number of other features which give rise to doubts under the Convention. For lawful seizures not pursuant to warrant (e.g., under the Police and Criminal Evidence Act 1984, sections 17, 18, 19, 32 or the Telecommunications Act 1984, section 45), the police and Customs (and soldiers) can be self-authorising in regard to the appropriate permission to issue a notice to decrypt (under Sched.1 para.2, 4). For data obtained without the exercise of statutory powers (such as the voluntary disclosure of material), the permission is granted either by the Secretary of State (to an intelligence agency) or by a circuit judge (to the police and Customs) (under Sched. 1 para.3, 4.). The forced disclosure under other powers, such as the Criminal Justice Act 1987 section 2, is also preserved: clause 10(7). It follows from the provenance of the original seizure of the material that the written notice to decrypt is not necessarily issued on the basis of judicial authority (it will be in the cases of search and seizure under the Police and Criminal Evidence Act 1984, sections 8 and 9), but can be authorised by the Home Secretary as a follow up to an authorisation to intercept public system telecommunications or by a chief police officer as a follow up to a bug under the Police Act 1997 (under Sched. 1 para.1). At least there is oversight in these cases by the Tribunal and Commissioner as in the 1985 Act (cl.17 and 18), though whether they suffice to satisfy the standards of the European Convention is open to question. The relevant authorities can also decide at their discretion whether it is sufficient to supply plaintext or whether a key must be disclosed (under clause 11) even though the disclosure of a key is much more intrusive than disclosure of plaintext and much more open to abuse. And there is also under clause 12 of the Bill a switch in the onus of proof onto the recipient of a notice to prove no knowledge. This seems contrary to the presumption of innocence: Salabiaku v France (1988) 13 EHRR 379) and not just a matter of evidence whose weight can be expressly weighed in the trial as a whole. The device may help in a few cases but can only be legitimate if the foregoing conditions are met. Even then, difficulties may arise because of the official embargo on the use of interception evidence in court under section 9 of the Interception of Communications Act 1985, which means that refusal to cooperate is probably the preferred option. (Section 9 of the IOCA 1985 legislation will be amended by clause 14(3) of the Electronic Communications Bill to provide the same provisions for the offences under clause 12 and 13).
(16) The Electronic Communications Bill should have been about electronic commerce and Part III of the draft Bill should have been dealt thoroughly elsewhere.
|Cyber-Rights & Cyber-Liberties (UK) Policy Issues and Special Sections:
|Crypto Policy and Privacy pages ¦ Regulation of Child Pornography on the Internet ¦ Interception of Communications ¦ Enfopol and Echelon ¦ Freedom of Information Files Section ¦ European Union Watch ¦ Official Secrecy and Cyber-Censorship ¦ Reports and Publications ¦ Broxtowe Case, 'The JET Report' and related materials ¦ UK Police Ban of Newsgroups ¦ CR&CL(UK) CensorWare pages ¦ Domain Name Policy Pages ¦ Documents, Case Reports and other publications of Interest Info on Hate Speech Related Material on the Internet ¦ American Civil Liberties Union v Reno case related materials ¦ ISPs and Privacy Concerns
|Home Page | Background Info | Press Enquiries| Reports | Policy Issues | News Items | Press Releases | Mailing Lists | Bookstore