BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £5, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
United Kingdom Journals |
||
You are here: BAILII >> Databases >> United Kingdom Journals >> UK Government Policy on Encryption URL: http://www.bailii.org/uk/other/journals/WebJCLI/1997/issue1/akdeniz1.html Cite as: UK Government Policy on Encryption |
[New search] [Help]
Ph.D. Researcher at the Centre for Criminal Justice Studies
Faculty of Law
University of Leeds
Copyright © 1997 Yaman Akdeniz.
First Published in Web Journal of Current Legal Issues in association
with Blackstone Press Ltd.
The impact of Internet technology has raised many privacy issues and it will be one of the greatest civil liberty issues of the next century. Millions of people use electronic mail (email) on the Internet and, at present, there is little security involved in sending an email. Cryptography may be an important tool to safeguard individual on-line privacy from others but its use and regulation has created many privacy and speech related issues especially in the USA. This article will discuss the recent UK proposals with regards to encryption in Britain and the European Union.
Cryptography and Anonymity on the Internet
Other Web Sites and Documents of Interest
".... at the heart of our concern to protect 'privacy' lies a desire, perhaps even a need, to prevent information about us being known to others without our consent." (Wacks 1996)
The impact of Internet technology has raised many privacy issues and it will be one of the greatest civil liberty issues of the next century. Millions of people use electronic mail (email) on the Internet and, at present, there is little security involved in sending an email. It is very easy to intercept emails or other type of information on the Internet. For example Internet service providers can intercept the user's emails, copy them and even delete them if they think it is appropriate to do so. In the US, one of the Internet service provider - America On-line - monitored its subscribers activities (mainly emails and electronic chats) over a two year period. This was done to supply the FBI names and addresses of users suspected of "being involved in child pornography and / or arranging sex with children". As a result of America Online's actions FBI made dozens of arrests and searched 120 homes nation-wide in early September 1995 (Johnston 1995).
By using the Internet, we are vulnerable to our personal information being easily picked, stored and copied for various reasons. The important point on privacy and the Internet is what to do about it. New media historically face suspicion and are liable to excessive regulation.(1) The implication is that the Internet may be at a similar stage when the natural reaction of the State is to try to regulate, but the possibility of successfully doing so is debatable.
"The real danger is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable." (US Privacy Protection Study Commission 1977)
The Internet does not create new privacy issues but makes the existing ones - like confidentiality, authentication and integrity of the information circulated - difficult to control. Many of the privacy issues on the Internet are related to the use of the email. Cryptography and encryption issues are all related to the use of email. Intercepting and reading other people's communications can be seen as an intrusion into personal privacy.
Cryptography may be an important tool to safeguard individual
on-line privacy from others but its use and regulation has created
many privacy and speech related issues especially in the USA.
This article will discuss the recent UK proposals with regards
to encryption in Britain and the European Union.
Unlike other subjects, not much has been written about cryptography, and this part of the article will first explain what cryptography and encryption are by giving some technical details. It is essential to do so in this context because it will help to clarify the legal debate about the rights of the on-line users.
Over the Internet, various communications such as the use of electronic
mail or World Wide Web browsers, are not secure ways of sending
and receiving information. Information sent by those means can
include sensitive personal data which may be intercepted. There
is commercial activity being conducted on the Internet and many
Web sites require the users to fill in forms and include sensitive
personal information such as telephone numbers, and addresses.
Clearly, users would like to have secure, private communications
with the other party. On-line users may need private and secure
communications for other reasons as well. They may simply not
want third parties to browse their Internet activities or they
may simply wish to remain anonymous.
Top | Contents | Bibliography
The word cryptography comes from Greek and kryptos means "hidden"
while graphia stands for "writing". Cryptography defined
as 'the science and study of secret writing', concerns the ways
in which communications and data can be encoded to prevent disclosure
of their contents through eavesdropping or message interception,
using codes,(2) ciphers,(3) and other methods, so that only certain
people can see the real message. Although the science of cryptography
is very old, the desktop computer revolution has made it possible
for cryptographic techniques to become widely used and accessible
to non experts. David Kahn traces the history of cryptography
from Ancient Egypt into the computer age (Kahn 1972). According
to Kahn's research from Julius Caesar via Mary, Queen of Scots(4)
to Abraham Lincoln's Civil War ciphers, cryptography has been
a part of history. Over the centuries complex computer-based codes,
algorithms and machines were created. During World War I, the
Germans developed the Enigma machine to have secure communications
(Kahn 1991). Enigma codes were decrypted under the secret Ultra
project during World War II by the British.
Top | Contents | Bibliography
"Encryption is basically an indication of users' distrust of the security of the system, the owner or operator of the system, or law enforcement authorities." (Rose 1995, p 182)
Encryption transforms original information, called plaintext or cleartext, into transformed information, called ciphertext, codetext or simply cipher, which usually has the appearance of random, unintelligible data. The transformed information, in its encrypted form, is called the cryptogram (Russell and Gangemi 1991, pp 165-179).
The encryption algorithm determines how simple or how complex
the process of transformation will be. Encryption provides confidentiality,
integrity and authenticity of the information transferred from
A to B. It will be a secret transmission ensuring that its integrity
has not been tampered with and also it authenticates that the
information was sent by A. All these three points may be important
for different reasons for the transmission of data over the Internet.
While military and secret services will require a confidential
transmission, it will be important for banks to have accurate
information of their transactions by electronic means. Authentication
techniques provide digital signatures which are unique for every
transaction and cannot be forged.
Top | Contents | Bibliography
Complex ciphers use a secret key to control a long sequence of complicated substitutions and transpositions. Substitution ciphers replace the actual bits, characters, or blocks of characters with substitutes, e.g. one letter replaces another letter. Julius Caesar's military use of such a cipher was the first clearly documented case. In Caesar's cipher each letter of an original message is replaced with the letter three places beyond it in the alphabet. Transposition ciphers rearrange the order of the bits, characters, or blocks of characters that are being encrypted and decrypted. There are two general categories of cryptographic keys: Private key and public key systems.
Private key systems use a single key. The single key is used both to encrypt and decrypt the information. Both sides of the transmission need a separate key and the key must be kept secret. The security of the transmission will depend on how well the key is protected. The US Government developed the Data Encryption Standard ("DES") which operates on this basis and it is the actual US standard. DES keys are 56 bits long and this means that there are 72 quadrillion different possible keys. The length of the key was criticised and it was suggested that the short key was designed to be long enough to frustrate corporate eavesdroppers, but short enough to be broken by the National Security Agency ("NSA") (Bamford 1982).
Export of DES is controlled by the State Department. DES system is becoming insecure because of its key length. The US government offered to replace the DES with a new algorithm called Skipjack which involves escrowed encryption. The technology is based on a tamper-resistant hardware chip (the Clipper Chip) that implements an NSA designed encryption algorithm called Skipjack, together with a method that allows all communications encrypted with the chip, regardless of what session key is used or how it is selected, to be decrypted through a special chip unique key and a special Law Enforcement Access Field transmitted with the encrypted communications.
In the public key system there are two keys: a public and a private
key. Each user has both keys, and while the private key must be
kept secret the public key is publicly known. Both keys are mathematically
related. If A encrypts a message with his private key, then B,
the recipient of the message, can decrypt it with A's public key.
Similarly anyone who knows A's public key can send him a message
by encrypting it with his public key. A will then decrypt it with
his private key. Public key cryptography was developed in 1977
by Rivest, Shamir and Adleman ("RSA") in the US. This
kind of cryptography is more efficient than the private key cryptography
because each user has only one key to encrypt and decrypt all
the messages that he or she sends or receives. Pretty Good Privacy
('PGP'), an encryption software for electronic communications
written by Philip R. Zimmerman is an example of public key cryptography.
Top | Contents | Bibliography
The ability to protect and secure information is vital to the
growth of electronic commerce and to the growth of the Internet
itself. Many people need or want to use communications and data
security in different areas. Banks use encryption methods all
around the world to process financial transactions. For example,
the US Treasury Department requires encryption of all US electronic
funds transfer messages (Murphy 1992). Banks also use encryption
methods to protect their customers ID numbers at bank automated
teller machines.
"As the economy continues to move away from cash transactions towards "digital cash", both customers and merchants will need the authentication provided by unforgeable digital signatures in order to prevent forgery and transact with confidence." (Froomkin 1995, p 720)
This is an important issue for Internet users. There are many companies and even electronic 'shopping malls' selling anything from flowers to bottles of wine over the Internet, and these transactions are made by communicating credit card details via secure Internet browsers incorporating encryption techniques. The customers over the Internet want to feel secure about transmitting their credit card information and other financial details in a multinational environment. Such security can only be provided by the use of strong and unbreakable encryption methods.
The use of cryptography is also very important for some political
and special subject interest groups, such as users of the Critical
Path AIDS Project's Web site, or users of Stop Prisoner Rape (SPR)
in the USA and the Samaritans in the UK. Many members of SPR's
mailing list have asked to remain anonymous due to the stigma
of prisoner rape. It is important for this kind of user who seeks
to access sensitive information to remain anonymous, and it should
be their right to do so in this context. On-line users need or
desire electronic security from surveillance(5) and intrusions
into their activities on the Internet whether by government or
by third parties.
Top | Contents | Bibliography
The Clipper Chip is an escrowed encryption project proposed by the Clinton Administration in April 1993. This Escrowed Encryption Standard ("EES") uses a classified symmetrical algorithm developed by the National Security Agency ("NSA"). Escrowed encryption means that two government agencies, the National Institute of Standards and Technology ("NIST") and the Department of Treasury, each hold half of the encryption key. The Clipper Chip is available on hardware and not on software and the US Government's initial idea was to install the chip in every telephone, fax machine and modem and make it a national standard. By creating a national standard on this basis the US law enforcement agencies would be able to decrypt any messages encrypted by using the Clipper Chip upon due authorisation. The Clipper Chip was opposed by many civil liberties groups on the ground that it would infringe the privacy of users by the fact that the government has access to the keys. The image and fear of being watched by an Orwellian 'Big Brother' emerged.
According to the FBI, wiretapping is crucial to effective law enforcement:
"If the FBI and local police were to loose the ability to tap telephones because of the widespread use of strong-cryptography, the country would be unable to protect itself against terrorism, violent crime, foreign threats, drug trafficking, espionage, kidnapping, and other crimes." (Freeh 1994)
The US Government in December 1995 presented a revised version of their Clipper Chip proposal which keeps in place the current export ban on strong encryption tools but allows for the export of moderately strong, 64-bit key systems with key escrow systems. This new proposal known as Clipper II, does not go far away from the initial proposals.
In May 1996, the US Government published a new proposal, Achieving
Privacy, Commerce, Security and Public Safety in the Global Information
Infrastructure which would establish a new public key infrastructure
for encryption. Such a public key infrastructure proposed by the
new proposal already dubbed as Clipper III, would enable users
of encryption to clearly identify the people they are communicating
with, and is widely viewed as an important prerequisite for the
widespread use of secure electronic communications. However, as
the Center for Democracy and Technology argues, Clipper III will
not meet the privacy and security needs of Internet users because
all users of the new system would have to ensure government access
to their encryption keys through an approved key escrow agent.(6)
Top | Contents | Bibliography
The US National Research Council Report(7) which came out in May 1996, highlights the need for strong, reliable encryption to protect individual privacy, to provide security for businesses, and maintain national security.
The study explicitly states that:
"Current national cryptography policy is not adequate to support the information security requirements of an information society.... Current policy discourages the use of cryptography, whether intentionally or not, and in so doing impedes the ability of the nation to use cryptographic tools that would help to remediate certain important vulnerabilities." (CRISIS Report)
The report states that:
"widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. The committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography." (CRISIS Report)
The report finds that the current administration policy of limiting the export of strong encryption is impacting the domestic market and harming US business. The Committee recommends that export controls should be "progressively relaxed but not eliminated" at all.(8) The report also recognises that "cryptography is a two-edged sword" for law enforcement, providing both a tool to help prevent crime such as economic espionage, fraud, or destruction of the information infrastructure, and a potential impediment to law enforcement investigations and signals intelligence. The study is without doubt the most comprehensive and balanced analysis of the complex encryption policy debate yet published. Although it does not directly support the recent proposals(9) for reform it will be very important for the future US policy on encryption.
It will be difficult to find a foreign market and foreign users
for US products with the key escrow system, whatever their length
is, because an approved US agent will be watching abroad as well.(10)
The Clipper Chip proposal might, for instance, limit the survival
of some dissident movements where anonymity is an essential feature
(Froomkin 1995, p 817).
Top | Contents | Bibliography
Cryptography allows unprecedented anonymity both to groups who communicate in complete secrecy and to individuals who use anonymous remailers over the Internet to hide all traces of their identity when they communicate by email (Froomkin 1995, p 818). According to Raymond Wacks, 'it facilitates participation in the political process which an individual may otherwise wish to spurn' (Wacks 1996).
An anonymous remailer is simply a computer service that forwards emails or files to other addresses over the Internet. But the remailer also strips off the "header" part of the messages, which shows where they came from and who sent them. All the receiver can tell about a message's origin is that it passed through the anonymous mailer. There are instances where people may wish to or need to communicate anonymously. There are various recovery discussion groups and self lists such as the alt.sexual.abuse.recovery and soc.aids.
One of the best-known anonymous remailers on the Internet, anon.penet.fi, ran for more than three years by Johann Helsingius. Among the users of Helsingius's service were Amnesty International, the Samaritans and the West Mercia Police who used it as the basis of their "Crimestoppers" scheme (Private Eye 1996). However, the remailing service was closed in August 1996 partly because of allegations by the UK Observer newspaper that anon.penet.fi contributed to the distribution of child pornography.(11) Helsingius claims that the allegations against him by the Observer were false and is, at present, considering the issue of libel proceedings against the newspaper.
There may also be instances where postings may lead to persecution if the identity of the individual is known.(12) The Supreme Court in NAACP v Alabama ex rel. Patterson 357 US 449 (1958) stated that:
"inviolability of privacy in group association may in many circumstances be indispensable to preservation of freedom of association" (at p 462)
In McIntyre v Ohio Elections Commission 115 S.Ct. 1511, (1995), the Supreme Court stated that:
"an author's decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment" and "the anonymity of an author is not ordinarily a sufficient reason to exclude her work product from the protections of the First Amendment."
This decision in McIntyre is related to elections and so benefited from the premium on political speech. Michael Froomkin argues that:
"Despite these ringing words, whether there is a right to be anonymous in the US remains unclear as a general matter, since difficult cases are precisely those in which exceptions are made to fit facts that sit uncomfortably within the rules that apply 'ordinarily'."(13)
Anonymity is important both to free speech and privacy on the Internet.(14) Key escrow and the Clipper Chip threatens this kind of anonymity on the Internet. The government agents will be able to identify the content of emails and the destination of the messages.
Recently, the UK Government has issued proposals on the regulation
of encryption tools which have similarities to the US approach.
The next section will examine these proposals.
Top | Contents | Bibliography
The UK Government's Department of Trade and Industry published a White Paper in June 1996 called 'On Regulatory Intent Concerning Use Of Encryption On Public Networks' and designed to address the growing demand to safeguard the integrity and confidentiality of information sent electronically over the Internet.
The services concerned cover the digital signature of electronic documents and the protection of the accuracy and the privacy of their contents. The UK Government proposed the introduction of the licensing of Trusted Third Parties ("TTPs") to hold the encryption keys. TTPs are trustworthy commercial organisations that can provide various information security-related services to enable transactions to be conducted securely. Typical services are management of cryptographic keys, time stamping of electronic documents and arbitration of repudiation claims regarding the origin, receipt, delivery and submission of electronic documents. The White Paper states that:
"It is not the intention of the Government to regulate the private use of encryption. It will, however, ensure that organisations and bodies wishing to provide encryption services to the public will be appropriately licensed." (White Paper 1996, para 8)
The UK Government does not intend to introduce its own hardware solution:
"The type of algorithm used for message encryption, and whether it is implemented in hardware or software, will be a matter of business choice." (White Paper 1996, para 12)
Nevertheless, there is to be control over the usage of encryption in a way which is otherwise similar to that of the US Clipper Chip. Science and Technology Minister Ian Taylor stated that:
"There is a growing demand for encryption services to safeguard the integrity and confidentiality of electronic information transmitted on public telecommunications networks. The Government therefore proposes to make arrangements for licensing Trusted Third Parties ('TTPs') who would provide such services. The licensing policy will aim to protect consumers as well as to preserve the ability of the intelligence and law enforcement agencies to fight serious crime and terrorism by establishing procedures for disclosure to them of the encryption keys, under safeguards similar to those which already exist for warranted interception under the Interception of Communications Act." (DTI Press Release 1996)
Basically, the UK government wants access to the electronic information of a similar sort to that of the US government. The UK government has taken into account the recent developments within the European Commission (A European Commission draft proposal includes the promotion of the TTPs) and the OECD (White Paper 1996, para 6). According to the White Paper, the European Commission has an important role in facilitating the establishment of an environment where developments in the use of TTPs can be fostered (White Paper 1996, para 13).
The proposals are far from complete and still unclear. The Data Protection Registrar's Twelfth Annual Report states that there are several problems to be resolved before setting up a TTP system:
"Who would supervise it; who would the TTPs be; what products would be used; how could you stop users from bypassing the system ......... would a TTP be able to offer services on a European or even a global basis ?" (DPR 1996, p 52)
These questions are unanswered at the time of writing and the
introduction of a key escrow system which would allow the interception
of communications over the Internet by law enforcement agencies
would be such a significant issue that it should only take place
after due consideration by the UK Parliament.
Top | Contents | Bibliography
The use of cryptographic software transmitted internationally may be restricted by export regulations in the UK as in the US. The Export of Goods (Control) Order 1994 as amended by The Dual-Use and Related Goods (Export Control) Regulations 1995 (Customs and Excise, No. 271, 1995) apply to the exportation of cryptographic software from the UK. The definition of cryptographic software is included in the Schedule 2, 5D2 of the Dual-Use and Related Goods (Export Control) Regulations 1995 and the export of this kind of regulated information requires an export licence from the Department of Trade and Industry (section 9). Failure to comply with the licence conditions may result in a maximum of two years of imprisonment (Section 8).
The DTI White Paper states that export controls will remain in place for encryption products and for digital encryption algorithms (White Paper 1996, para 15). The Government however states that it will take steps to simplify export controls within the European Union with respect to encryption products which are of use with licensed TTPs (Baker 1996).
Although this sounds like a good initiative, it only includes products which are of use with licensed TTPs. This means that other encryption tools which are not approved by the TTPs will still be subject to stricter export regulations.
While the UK Government intends to bring forward proposals for legislation following consultation by the Department of Trade and Industry on detailed policy proposals (White Paper 1996, para 3), the Labour Party thinks otherwise and states in their Year of Labour Party document that:
"We do not accept the "clipper chip" argument developed in the United States for the authorities to be able to swoop down on any encrypted message at will and unscramble it. The only power we would wish to give to the authorities, in order to pursue a defined legitimate anti-criminal purpose, would be to enable decryption to be demanded under judicial warrant."
It seems that Labour Party intends to penalise a refusal to comply with a demand to decrypt under judicial warrant.(15) Even if this proposal is never enacted, the courts may draw inferences under the new sections 34-37 of the Criminal Justice and Public Order Act 1994 because of the silence of the defendants. Lord Slynn in Murray v DPP 97 Cr. App. R. 151 stated that:
"If aspects of the evidence taken alone or in combination with other facts clearly call for an explanation which the accused ought to be in a position to give, if an explanation exists, then a failure to give any explanation may as a matter of common sense allow the drawing of an inference that there is no explanation and that the accused is guilty." (at 160)
Not providing an encryption key, which is like a long password, in the witness box may be similar to not providing a secret code to a safe and may result in judges commenting on the accused's behaviour and juries drawing inferences under the new controversial 1994 Act.(16)
The Labour Party further argues that attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long-term economic value of the information networks (Labour Party Policy on Information Superhighway).
"It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers."
In formulating its own policy on encryption, the UK government
is likely to co-operate with the European Union in establishing
a regulatory framework.
Top | Contents | Bibliography
The European Commission has proposed a project to establish a European network of trusted third parties under the control of member nations which is parallel to the UK proposals (Crypto Law Survey and Cryptography in Europe). The EC scheme according to Dorothy Denning does not suggest that the key escrow should be mandatory (Denning 1996).
In 1995 the Council of Europe resolved that EU members' criminal procedure laws:
"should be reviewed with a view to making possible the interception of telecommunications and the collection of traffic data in the investigation of serious offences against the confidentiality, integrity and availability of telecommunications or computer systems." (Council of Europe Recommendation 1995, Appendix para 8)
The same resolution also advised that:
"Measures should be considered to minimise the negative effects of the use of cryptography on the investigation of criminal offences, without affecting its legitimate use more than is strictly necessary." (Council of Europe Recommendation 1995, Appendix para 14)
The Bangemann Report to the European Commission deals with the use of encryption tools and states that a solution at a national level will inevitably prove to be insufficient because communications reach beyond national frontiers and because the principles of the internal market prohibit measures such as import bans on decoding equipment.
"Therefore, a solution at the European level is needed which provides a global answer to the problem of protection of encrypted signals and security. Based on the principles of the internal market it would create parity of conditions for the protection of encrypted services as well as the legal framework for the development of these new services." (Bangemann Report 1994)
Top | Contents | Bibliography
OECD deliberations are not open to the public, and there appears to be no public information about the likely shape of the guidelines. Some recent OECD meeting reports however suggest that they are considering an escrow-based system.(17)
"Whatever it decides, the OECD resolution is likely to be influential. If the OECD member nations were to unite in favour of escrow, it would greatly aid the U.S. government's attempt to make key escrow the norm." (Froomkin 1996)
The OECD has no legislative power of its own. Any OECD resolution would need to be implemented by appropriate legislation or regulation.(18) But an international decision to use the key escrow encryption technique as a standard may have serious privacy implications. It will certainly facilitate the current US and UK government policies on encryption but will create disapproval from the online users and civil liberties groups fighting against the key escrow systems (See the Golden Key Campaign organised by Internet Privacy Coalition).
The debate into cryptography shows that there is legitimate state
interest in national security for stopping crime which can outweigh
the citizen's right to privacy (Froomkin 1995, p 883), and that
is the main reason why all the legal proposals for its regulation
involve the key escrow technology. However, state strategy seems
naive as it assumes that criminals will use encryption tools which
can be decrypted by the law enforcement bodies. More likely, the
key escrow technology will have a chilling effect on the online
users who seek to remain either secure or anonymous when communicating
through the Internet, whether for fear of retribution or other
reasons (Froomkin 1995, p 813).
Top | Contents | Bibliography
In the case of the Internet, we use the same technology at one point to achieve greater publicity and at other points to achieve greater privacy.(19) The fear of being monitored or being traced by the system operators, hackers or government agencies will not help the development of the Internet. So too, the fear of not knowing what information is available on the Internet about each of us, how it is being processed and in what ways it might be used will inhibit its growth. That is the reason why the privacy of the users should be respected and protected. On-line users must be safe from these possible intrusions. Powerful encryption tools are an important way to respect the privacy of such users and this technology should be free from control by governments and supranational bodies. Because of the various governmental attempts to control the use of encryption, technology has not been developed to be used easily and effectively. For this reason, there are not many people on the Internet using it. Encryption is essential both for anonymity and for the development of on-line commerce using, for example, digital cash. Without unbreakable encryption technology, nobody can rely on the security of the Internet.
Although it looks unlikely that there will be a general right of privacy in the English law in the near future,(20) the policy of the Government suggests that it will legislate on this individual area of the law,(21) and that the design will follow the US Clipper Chip proposals. The UK Government approved the Internet Watch Foundation proposal (formerly known as Safety-Net) recently(22) and the proposal sees anonymity on the Internet as a danger, by stating:
"... [A]nonymous servers that operate in the UK [should] record details of identity and make this available to the Police, when needed, under Section 28 (3) of the Data Protection Act (which deals with the disclosure of information for the purpose of prevention of crime)." (Safety-Net proposal 1996, para 30).
It is a key aspect of the Safety-Net approach that users take responsibility for material they post on the Internet (Safety-Net proposal 1996, para 29) and it is important to be able to trace the originators of child pornography and other illegal material. But the UK Government should think again in view of the difficulties encountered by the US Government to approve key escrow systems. It is absolutely vital that the right balance be struck between the protection of privacy of on-line users on the one hand, and the need for effective law enforcement on the other.
Baker, Stewart, "UK Plans for Trusted Third Party Encryption" at Steptoe & Johnson LLP - Attorney at: http://www.us.net/~steptoe/ukcrypto.htm
Baker, Stewart A., "Summary Report on the OECD Ad Hoc Meeting of Experts on Cryptography" at: http://www.us.net./~steptoe/276908.htm
Bamford, James, The Puzzle Palace: A Report on America's Most Secret Agency, 1982.
Data Protection Registrar, Twelfth Annual Report, HC 574 (HMSO, London: 1996).
Denning, Dorothy E., Comments on the NRC Cryptography Report (11 June 1996) at: http://guru.cosc.georgetown.edu/~denning/crypto/NRC.txt
DTI Press Release, "Government sets out proposals for encryption on public telecommunications networks" (10 June 1996) at: http://www.coi.gov.uk/coi/depts/GTI/coi9303b.ok
Freeh, Louis, FBI Director, Address at the Executives' Club of Chicago (17 February 1994).
Froomkin, A. Michael, "The Metaphor is the Key: Cryptography, the Clipper Chip and the Constitution" [1995] University of Pennsylvania. Law Review 143, 709-897.
Froomkin, A. Michael, "It Came From Planet Clipper: The Battle Over Cryptographic Key Escrow" DRAFT ver. 0.7b, 29 July 1996, at http://www.viper.law.miami.edu/~froomkin
Johnston, David, "Use of Computer Network for Child Sex Sets off Raids" New York Times, 14 September 1995.
Kahn, David, The Codebreakers (Macmillan, New York: 1972).
Kahn, David, Seizing the Enigma (Houghton Mifflin, Boston: 1991).
Murphy, Gerald, U.S. Dep't of Treasury, Directive: Electronic Funds and Securities Transfer Policy - Message Authentication and Enhanced Security, No. 16-02, section 3 (21 December 1992).
"Dirty Anoraks 2", 20 September 1996, Private Eye, No. 907 p6.
Rose, Lance, Netlaw: Your Rights in the Online World (Osborne McGraw-Hill: 1995).
Russell, Deborah and Gangemi, GT, Sr., "Encryption" from Computer Security Basics (O'Reilly & Associates, California: 1991), pp 165-179 taken from Hoffman, Lance J., Building in Big Brother: The Cryptography Policy Debate (Springer-Verlag, New York: 1995).
Wacks, Raymond, "Privacy in Cyberspace" presented at the Society of Public Teachers of Law (SPTL) Seminars for 1996 - Pressing Problems in the Law: Privacy (29 June 1996).
'Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure' at: http://www.epic.org/crypto/key_escrow/white_paper.html
The Bangemann Report, "Europe and the Global Information Society" (July 1994) at: http://www.earn.net/EC/bangemann.html
Council of Europe Recommendation, "Concerning Problems of Criminal Procedure Law Connected with Information Technology", No. R (95) (13 September 1995) at: http://www.privacy.org/pi/intl_orgs/coe/info_tech_1995.html
Crypto Law Survey at: http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
Cryptography in Europe home page at: http://www.modeemi.cs.tut.fi/~avs/eu-crypto.html
Cryptography's Role in Securing the Information Society (CRISIS) Report at: http://www2.nas.edu/cstbweb/2646.html
Cyber-Rights & Cyber-Liberties (UK) web page monitors the UK Government's encryption policy at: http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm
Golden Key Campaign organised by Internet Privacy Coalition at: http://www.privacy.org/ipc
The Joint Australian / OECD Conference on "Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure" (Canberra, 7-8 February, 1996) at: http://www.nla.gov.au/gii/oecdconf.html
The Labour Party Policy on Information Superhighway at: http://www.poptel.org.uk/labour-party/policy/info-highway/content.html
OECD policy on "Security, Privacy, Cryptography and Intellectual Property Rights" at: http://www.oecd.org/dsti/iccp/legal/top-page.html
Paper On Regulatory Intent Concerning Use Of Encryption On Public Networks, DTI (10 June 1996) at: http://dtiinfo1.dti.gov.uk/cii/encrypt/
U.S. Privacy Protection Study Commission, 1977 taken from Privacy
Rights Clearinghouse at: http://www.manymedia.com/prc
(1)See e.g. Official Secrets Act 1920, section 4 - power to intercept foreign telegrams despatched to or from any private cable company in the UK and section 5 which compels a person in the business of receiving postal packets, to register his business. See Rosamund Thomas, Espionage and Secrecy, Routledge, 1991, page 17. Back to text.
(2)A code is a system of communication that relies on a pre-arranged mapping of meanings such as those found in a codebook. Back to text.
(3)A cipher is different from a code and it is a method of encrypting any text regardless of its content. Back to text.
(4)Mary, Queen of Scots, lost her life in the 16th century because an encrypted message that she sent from prison was intercepted and deciphered. Back to text.
(5)E.g. the FBI during 1970s wiretapped and bugged the communications of Black Panthers and other dissident groups. See Sanford J. Ungar, FBI 137, (1975). Also between 1953 and 1973, the CIA opened and photographed almost 250000 first class letters within the US from which it compiled a database of almost 1.5 million names. See Church Committee Report, S. Rep. No. 755, 94th Cong., 2d Sess., pt. 2, 1976, at 6. Back to text.
(6)See the CDT Preliminary Analysis of "Clipper III" Encryption Proposal, May 21, 1996 at http://www.cdt.org. See also Senator Conrad Burn's Response to the proposal, "Burns: Clipper III Strikes Out" at: http://www.epic.org/crypto/key_escrow/burns_on_white_paper.html Back to text.
(7)Committee to study National Cryptography Policy by Computer Science and Telecommunications Board, National Research Council, National Academy of Sciences and National Academy of Engineering. The Committee was founded at the request of the US Congress in November 1993 by the National Research Council's Computer Science and Telecommunications Board (CSTB). See http://www2.nas.edu/cstbweb/ Back to text.
(8)See Overview of the NRC Report's Policy Recommendations by the Center for Democracy and Technology at http://www.cdt.org Back to text.
(8)See The Promotion of Commerce Online in the Digital Era (Pro-CODE) Act of 1996 (Section 1726) introduced by Senators Conrad Burns (R-MT) in the US Senate to promote electronic commerce by facilitating the use of strong encryption, and for other purposes in May 1996. It has not been enacted into legislation by November 1996. Back to text.
(9)Leonard Doyle, "Spooks All Set to Hack it on the Superhighway" Independent (2 May 1994) reports that: "The US plan for a Clipper Chip has raised fears among European businesses that sensitive information would no longer be secret if it were vetted by the CIA or the FBI." Back to text.
(10)Another reason was a Finnish court's recent decision in favour of the Scientologists that Helsingius had to provide some of the users' names. For more information and the full press release, see http://www.penet.fi/ Back to text.
(11)See the written evidence submitted by the Christian Action Research and Education (CARE) to the House of Lords, Select Committee on Science and Technology, "Information Society: Agenda for Action in the UK", Session 1995-96, 5th Report (London:HMSO: 1996) page 187. Back to text.
(12)See Michael A. Froomkin, "Flood Control on the Information Ocean: Living With Anonymity, Digital Cash, and Distributed Databases" at http://viper.law.miami.edu/~froomkin/. For a contrary view that "McIntyre will prove to be dispositive" in providing First Amendment protections to anonymous political speech, see Richard K. Norton, Note, McIntyre v Ohio Elections Commission: Defining the Right to Engage in Anonymous Political Speech (1996) 74 N. Cal. L. Rev. 553. Back to text.
(13)See the ACLU challenge to Georgia law restricting free speech on the Internet. ACLU and others stated that the law is unconstitutionally vague and too broad because it bars online users from using pseudonyms or communicating anonymously over the Internet. The Act also unconstitutionally restricts the use of links on the World Wide Web, which allow users to connect to other sites. ACLU press release dated 24 September 1996 is available at http://www.aclu.org/news/n092496a.html Back to text.
(14)UK Police already have had difficulties with encrypted files in the course of criminal investigations related to child pornography. See "Paedophiles use encoding devices to make secret use of Internet" The Times 21 November 1995. Back to text.
(15)See Cowan, Gayle, Ricciardi [1996] 1 Cr App R 1. See also Anthony F. Jennings, "Resounding Silence", [1996] New Law Journal 146, 6744 pages 725, 726, and 730 Back to text.
(16)See Stewart A. Baker, "Summary Report on the OECD Ad Hoc Meeting of Experts on Cryptography" at http://www.us.net./~steptoe/276908.htm. See also the Joint Australian / OECD Conference on "Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure" at Canberra, 7-8 February, 1996 - http://www.nla.gov.au/gii/oecdconf.html. See further for the OECD policy on "Security, Privacy, Cryptography and Intellectual Property Rights" at http://www.oecd.org/dsti/iccp/legal/top-page.html Back to text.
(17)OECD Member countries moved ahead in drafting Cryptography Policy Guidelines that would provide internationally comparable criteria for encryption of computerised information in Paris on 1 October 1996. See "OECD Meeting Makes Progress On Cryptography Guidelines" at http://www.epic.org/events/crypto_paris/releaseE_OECD.html Back to text.
(18)E.g. to publicise my web page, Cyber-Rights & Cyber-Liberties (UK) I had to leave personal information such as my e-mail address, contact address, telephone number and other details with many web sites and search engines. Back to text.
(19)Sir Robert Megarry V-C held with regard to the interference with privacy in the Malone case that: "English law did not entertain actions for interference with privacy unless the interference amounted to one of the established causes of action in tort or equity." See Malone v. Metropolitan Police Commissioner (No.2) [1979] 2 All ER 620. Glidewell L.J. in Kaye v. Robertson stated that: Back to text.
(20)"It is well-known that in English law there is no right to privacy, and accordingly there is no right of action for breach of a person's privacy. The facts of the present case are a graphic illustration of the desirability of Parliament considering whether and in what circumstances statutory provision can be made to protect the privacy of individuals". (See Kaye v. Robertson [1991] FSR 62) Back to text.
(21)There has been some legislation in the UK dealing with computers and communications but none of them directly deal with privacy. See The Data Protection Act 1984 and Interception of Communications Act 1985. The Computer Misuse Act 1990 makes it an offence to gain unauthorised access into computers such as hacking into someone else's account and reading his e-mails. But the main idea behind the 1990 Act is the safeguarding of the integrity of computers rather than the protection of privacy or protection of information that computers contain. However some of the technological devices are still not regulated by any legislation. Computer eavesdropping and surveillance devices such as concealed transmitters or recorders or long range cameras are not regulated and it is not an offence to use such devices. See Nick Taylor and Clive Walker, "Bugs in the System" [1996] 1 Jo. Of Civ. Lib. 105. Back to text.
(22)Safety-Net, supported by the UK Government was announced on September 23, 1996. Safety-Net has an e-mail, telephone and fax hot-line from October 1, 1996 and online users will be able to report materials related to child pornography and other obscene materials. See the Safety-Net proposal, "Rating, Reporting, Responsibility, For Child Pornography & Illegal Material on the Internet" adopted and recommended by the Executive Committee of ISPA - Internet Services Providers Association, LINX - London Internet Exchange and The Safety-Net Foundation at http://dtiinfo1.dti.gov.uk/safety-net/r3.htm. Back to text.