BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £5, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
United Kingdom Journals |
||
You are here: BAILII >> Databases >> United Kingdom Journals >> Akendiz Y, 'No Chance for Key Recovery: Encryption and International Principles of Human and Political Rights' URL: http://www.bailii.org/uk/other/journals/WebJCLI/1998/issue1/akdeniz1.html Cite as: Akendiz Y, 'No Chance for Key Recovery: Encryption and International Principles of Human and Political Rights' |
[New search] [Help]
Ph.D. Student at the Centre for Criminal Justice Studies, Law Faculty,
University of Leeds.
<[email protected]>
Copyright © 1998 Yaman Akendiz.
First Published in Web Journal of Current Legal Issues in association with
Blackstone Press Ltd.
New technologies always raise many privacy issues, and this is true of the Internet. This article will describe the current UK and EU debates on the use of cryptography to secure private and/or anonymous communications over the Internet. Recently, there have been important developments related to cryptography policy at both national and international level. This article both traces these developments and then focuses on one very important issue - human rights and the importance of using strong encryption tools.
`There are no borders in cyberspace. Actions by individual governments and international organizations can have a profound effect on the rights of citizens around the world. Users of the Internet must work together to protect freedom of speech and the right of privacy.'
New technologies always raise many privacy issues, and this is true of the Internet. This article follows from a 1997 article entitled `UK Government Encryption Policy' (see Akdeniz, 1997) and will describe the current UK and EU debates on the use of cryptography to secure private and/or anonymous communications over the Internet. There have been important developments and changes related to cryptography policy at both national and international level since the 1997 article was published. Therefore, this article not only updates last year's piece but also concentrates on an important issue - human rights and the importance of using strong encryption tools.
Top | Contents | Bibliography
Encryption is the science of concealing information and/or proving its authenticity and encryption can help keeping data and communication confidential. It has influenced the outcome of wars and diplomacy for thousands of years. Banks for example, use encryption for financial privacy; and every ATM machine uses encryption technology. Satellite TV systems use encryption to prevent theft of their intellectual property. The ever-increasing cheapness of computer encryption, combined with ever-increasing automated communication, makes encryption vital to the protection of individual privacy, free speech, freedom to assemble, anonymity, and intellectual property in the UK and elsewhere.
The Internet does not provide new privacy issues but makes the existing ones - e.g. confidentiality, authentication and integrity of the information circulated - difficult to control. Any new media historically face suspicion and are liable to excessive regulation.(2) Therefore, the implication is that the Internet may be at a similar stage when the natural reaction of the state is try to regulate, but the desirability or effectiveness of doing so is debatable. In reality, while the Internet tends to produce extreme versions of problems, it rarely produces genuinely new ones.
Encryption has a long tradition in the military defence field. However, encryption technologies are increasingly integrated into commercial systems and applications and the exclusive character of encryption belongs to the past. Therefore, the debate about the prohibition or limitation of the use of encryption directly affects the right to privacy. It should be remembered that individual privacy cannot be considered in isolation. It must be weighed alongside freedom of speech and expression (see Calcutt Committee on Privacy and Related Matters, 1990).
`Freedom of speech and privacy are frequently conceived as rights or interests of the individual, and as rights or interests of the community as a whole.' (see Wacks, 1997, p 103)
Britain's first law protecting personal privacy on a more general basis was included in Queen's Speech in May 1997. It is a part of the new Labour Government policy `Bringing Rights Home to Britain,' (Rights Brought Home: The Human Rights Bill, 1997) and the new privacy legislation will arise through legislation which incorporates the European Convention on Human Rights into UK law. If it is incorporated, it would mean that `a right to respect for a private life' will be part of the British law for the first time. This is now expected following the introduction of the Human Rights Bill, in the House of Lords in October 1997.
A right to privacy will be the subject matter of another piece of forthcoming legislation within the UK - the Data Protection Bill 1998. This follows from a recent EU Directive. The Council of Ministers of the European Union, in February 1995, adopted a Common Position on the European Union Directive on Data Protection which was published by the European Commission in October 1992. The Directive was adopted in October 1995. The Directive mainly dealt with the extension of data protection to manual files though it included some important points on the recognition of a right to privacy in general. The Common Position emphasised in Article 1(1) that its subject matter is the protection of:
`...the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data.'
Cryptography may be an important tool to safeguard individual on-line privacy from others but its use and regulation has created many privacy- and speech-related issues. This article will now discuss the recent UK trusted third party proposals in the light of new European Union initiatives before moving into the section on the importance of the use of cryptography for human rights. (For a discussion of US `Clipper Chip' proposals see Akdeniz, 1997, and Akdeniz et al, 1997).
Top | Contents | Bibliography
Since the publication of `UK Government Encryption Policy' (see Akdeniz,
1997), the UK Government launched a consultation document on the `Licensing
of Trusted Third Parties for the Provision of Encryption Services,' in March
1997 through the Department of Trade and Industry (`DTI'). The relatively
short consultation period of two months, which was to terminate on 30 May
1997, largely overlapped with the General Elections within the UK and the
change of Government. The new Labour government policy on encryption looks
also controversial and a sea change from non regulation before the elections
to heavy handed legislation after the elections has been signalled in early
1998 (BBC News, 1998). These issues will be discussed throughout the article
together with the new OECD Guidelines on cryptography which were issued in
April 1997 and the new EU Policy which was launched as a communication paper
from the European Commission in October 1997. The emphasis here will be on
human rights rather than on electronic commerce.
The DTI published a White Paper `On Regulatory Intent Concerning Use Of Encryption On Public Networks' in June 1996 to meet the growing demands to safeguard the integrity and confidentiality of information sent electronically over the Internet. (see Akdeniz, 1997 for details) This was followed by the Public Consultation Paper, `Licensing of Trusted Third Parties for the Provision of Encryption Services,' in March 1997. The DTI consultation paper addressed many issues which may have an impact on the use of encryption tools on the Internet but the issue of whether blanket escrow of encryption keys presents unique civil liberties dangers is not addressed. In addition to its refusal to examine controversy, the DTI paper is provincial and ahistorical. There is no mention of the four years of continual proposals for key recovery products by the US Government, even though their proposals have much in common with the DTI proposal and clearer inspired the latter (see Akdeniz et al, 1997 for details).
The European Commission, in October 1997 published a communication paper, `Towards A European Framework for Digital Signatures And Encryption,' (October 1997), which in contrast to the UK initiatives and despite years of US attempts to push the `government access to keys' idea overseas, finds key escrow and key recovery systems to be inefficient and ineffective.
`Key escrow' and `key recovery' are not exactly the same but they are used for same purposes and the difference is a technical point. Key escrow was the idea behind the initial US Clipper Chip proposals and it was a hardware solution while key recovery, as introduced by the likes of the UK government is a software solution. The basic idea behind both systems is that the governments could get access to the encryption keys.
The EU communication stated that `the European Union simply cannot afford a divided regulatory landscape in a field so vital for the economy and society.' The Communication paper further stated that:
`Problems caused by encryption to crime investigation and the finding of evidence are currently limited, but they may increase in the future. As with any new technology, there will be abuse of encryption and criminal investigations will be hindered because data was encrypted. However, widespread availability of encryption can also prevent crime. Already today, the damage caused by electronic crime is estimated in the order of billions of ECUs (industrial espionage, credit card fraud, toll fraud on cellular telephones, piracy on pay TV encryption). Therefore, there are considerable economic and legal benefits associated with encryption.'
The EU communication paper points out that:
`International treaties, constitutions and laws guarantee the fundamental right to privacy including secrecy of communications (Art. 12 Universal Declaration of Human Rights, Art. 17 International Covenant on Civil and Political Rights, Art. 8 European Convention on Human Rights, Art. F(2) Treaty on EU, EU Data Protection Directive)... Therefore, the debate about the prohibition or limitation of the use of encryption directly affects the right to privacy, its effective exercise and the harmonisation of data protection laws in the Internal Market.'
Top | Contents | Bibliography
The Organisation for Economic Co-operation and Development (`OECD') issued guidelines on Control of Encryption in March 1997. To the surprise of many (especially the US government), the OECD guidelines did not include any direct references to the concepts of `key escrow' or `key recovery' (OECD Guidelines, 1997). The guidelines were of a more general nature. They included the following important principles:
PRINCIPLE 2: Users should have a right to choose any cryptographic method, subject to applicable lawPRINCIPLE 5: The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
The fifth principle is an unexpected but very important principle taken together with the use of word `may' rather than `should' in the 6th principle which states that `national cryptography policies may allow access to cryptographic keys or encrypted data.' The 6th OECD principle concludes that `these policies must respect the other principles contained in the guidelines to the greatest extent possible'.
A further comment on principle 2 states that `this principle should not be interpreted as implying that governments should initiate legislation which limits users choice.'
`The OECD Guidelines endorse action by Governments to protect their national security and economic well-being, but these guidelines fall far short of endorsing what the UK and US governments are currently proposing. It is very possible that many governments are afraid of the situation that would obtain if `key escrow' systems are implemented, particularly any variation of the Clipper proposals.' (See Akdeniz et al, 1997)
Any OECD resolution would need to be implemented by appropriate legislation or regulation as they are not binding on Member States.
Top | Contents | Bibliography
There may be different needs and uses for cryptography and these needs are normally confused especially by the law enforcement agencies. Current US and UK proposals, for example, try to balance the need for encryption services for the development of online commerce with crime prevention, without fully recognising all the issues which arise with respect to the privacy of online users. This article recognise that strong cryptography is vital to the development of online commerce and that key recovery techniques may also be needed together with the services of Trusted Third Parties (`TTPS'). TTPs are supposed to be trustworthy commercial organisations that can provide various information security related services to enable transactions to be conducted securely. But in the form specified in the DTI paper, the author would argue that TTPs are parties trusted by the UK Government but not necessarily by the online users.
`Any involvement of a third party in confidential communication increases its vulnerability. The main reason for involving a third party in the management of keys for confidentiality is to allow that party to make the keys available to other than the two communicating parties, for example, to law enforcement.' (EU Communication paper)
It also needs to be recognised that key recovery, key escrow and the TTPs are not needed to establish simple private communications between users as is explained below. The distinction is very important and in the case of the use of cryptographic software by human rights organisations and dissident groups it is vital. While A may need a TTP to buy a book online, B may not need this kind of service to establish a private communication with C.
In a statement which emphasises the need for increased protection of international commercial transactions on the Internet and the need to offer all Internet users an adequate degree of privacy, leading Internet standards organisations including the Internet Architecture Board (`IAB') and the Internet Engineering Steering Group (`IESG') stated that governmental restrictive policies `are against the interests of consumers and the business community' and `are largely irrelevant to issues of military or benefits to law enforcement agencies.' (see Internet Engineering Task Force statement, 1996).
The following headings will explore in more detail the different uses for cryptographic software.
Top | Contents | Bibliography
The ability to protect and secure information is vital to the growth of electronic commerce and to the growth of the Internet itself. Many people need to use communications and data security in a broad variety of areas. Banks use encryption methods all around the world to process financial transactions. The customers over the Internet would like to feel secure about sending their credit card information and other financial details related to them over a multi-national environment. Commerce will take advantage of electronic networks only by the use of strong and unbreakable encryption methods.
As the economy continues to move away from cash transactions towards the likes of `digital cash' there will be need for strong encryption tools. This kind of activity will benefit from the introduction of TTP and, perhaps, key recovery techniques. The essential impetus behind TTP is the need for users to know whom they are communicating with. Suppose, for instance, that a user wishes to exchange a political message with the opponent of another country's government, or to buy a product over the Internet from a company with which he has never had dealings before. The user must first know the encryption key that he can use to secure communications. Unless the correspondent uses another (and possibly unreliable) way to give the user the key, such as postal mail or the telephone, the user must rely on a trusted third party to give him the key.
The Internet is being used for more and more communications, including ones of a contractual nature. No business can be transacted if people find out that others are impersonating them and making promises in their name. Digital signatures are the solution to that problem. Digital signatures ensure the identity of the sender of the message in the same way that a normal signature at the bottom of a letter usually verifies that a letter is from a known corespondent. Signatures are useful when an electronic message is sent to ensure that it was not modified or falsely created by someone else. Also anyone possessing the public key of the sender of the message can verify that it was he who sent the message encrypted with his private key. Digital signatures are already used by many people and they will probably become everyday accompaniments to e-mail as Internet commerce grows. For most public purposes - including commerce - it is important that strangers can verify each other's public keys, which calls for a TTP structure. However, the fear that someone could steal a private key and sign a binding contract or legal document will hold back all these beneficial uses of digital signatures. The use of key escrow or key recovery approaches for private keys raises just this fear.
`There has been no time that human rights concerns have been more visible than recent years as networks of local and international activists bring abuses to light. Global integration of telephone and fax lines are a direct cause.' (PoKempner, 1997)
By providing quick and cheap communications and access to any kind of information, the Internet is the first truly interactive mass medium. It is not only used for fun and commercial purposes by the `consumers' but also used by those campaigning against human rights abuses. There are many organisations dealing with human rights abuses all around the world and these organisations do use the Internet to communicate with their members or with dissident groups. Before the governments can suppress the dissemination of critical writings, and reports, the authors can distribute their work through the Internet outside repressive regimes. It is well known that the Burmese dissidents(3) or the Mexican Zapatistas use the Internet to communicate with the rest of the world (see e.g. Cleaver). It is critical and vital for human rights activists, political dissidents, and whistle blowers throughout the world to facilitate confidential communications free from government or any other intrusion. Strong encryption is the only answer for this problem (see e.g. Banisar, 1995).
'The criticism of tyranny is the most profound form of democratic speech. It is also the most dangerous.' (Ball, 1997)
The use of cryptography is an essential and powerful tool for human rights work. Examples of such use by political and some special subject interest groups include the Critical Path AIDS Project's Web site, Stop Prisoner Rape (`SPR') in the USA, and the Samaritans in the UK. For example, readers of notices from groups which send out electronic alerts, such as Amnesty International, American Civil Liberties Union and the Tibetan Government-in-Exile, can ensure that the alerts have not been altered by people wishing to disrupt the group's activities. On the other hand, many members of SPR's mailing list have asked to remain anonymous due to the stigma of prisoner rape. It is important for this kind of user seeking to access sensitive information to remain anonymous, and it should be their right to do so in this context. Online users need or desire electronic security from government intrusions (and/or from other third parties) or surveillance into their activities on the Internet. Key escrow, key recovery, and the DTI's conception of TTP create dangers for the existence of this kind of communication on the Internet.
Here, it is suggested that there should be a complete freedom of choice to use whatever encryption tools the online users wish to use without restriction. Although the DTI proposals suggested that the use of licensed TTPs is voluntary and that those wishing to do otherwise are at liberty to do so, (see the DTI paper, Section V - Trusted Third Parties, paragraph 42) the users will be forced to use the services of TTPs. The current proposals are pushing the market into a standard rather like that witnessed in the `VHS/Betamax' convergence of video tapes. Once a de facto commercial standard crystallises, it will be beyond the power of governments or even international regulators to change and few people will use non-TTP services and/or strong encryption tools like Pretty Good Security (`PGP') (see further Akdeniz & Bowden, 1998).
Anonymity is socially useful. As one commentator states,
`I may have a good idea you will not consider if you know my name. Or I may individually fear retaliation if my identity is revealed. Anonymity is therefore good, because it encourages greater diversity of speech.' (Wallace, 1997)
Internet privacy activists have developed experimental anonymous re-mailer programs that address these concerns in respect of free speech and personal liberty. An anonymous re-mailer is simply a computer service that forwards e-mails or files to other addresses over the Internet. But the re-mailer also strips off the `header' part of the messages, which shows where they came from and who sent them. The most untraceable re-mailers (e.g. MixMaster - see Cottrel) use public key cryptography which allows unprecedented anonymity both to groups who wish to communicate in complete privacy and to `whistle-blowers' who have reason to fear persecution if their identity became known. According to Wacks, `it facilitates participation in the political process which an individual may otherwise wish to spurn.' (Wacks, 1996.)
One of the best-known anonymous remailers on the Internet, anon.penet.fi, was offered for more than three years by Johann Helsingius. Among its users were Amnesty International, the Samaritans, and the West Mercia Police who used it as the basis of their `Crimestoppers' scheme.
Anonymity is important both to free speech and privacy just as anonymity and anonymous speech have been used for thousands of years in the wider society. It is important for people's participation in online equivalents of `Alcoholics Anonymous' and similar groups, and individuals have a right to this kind of privacy. This right should not be abridged for the pursuit of vaguely defined infractions. The ACLU challenged a Georgia law restricting free speech on the Internet. ACLU and others stated that the Georgia law was unconstitutionally vague and over-broad because it barred online users from using pseudonyms or communicating anonymously over the Internet in September 1996. (ACLU, 1996) Key escrow and the clipper chip technologies threaten this kind of anonymity on the Internet because government agents will be able to identify the content of e-mails and the destination of the messages. But on the other side, anonymity is important both to free speech and privacy on the Internet.
The DTI Consultation Paper devoted no space to the importance of privacy and anonymity on the Internet. Anonymous speech is very important, but because it is not a commercial issue, it has been excluded from the content of the consultation paper (see paragraph 16, and 36). This is a sad reflection on the previous UK government's sense of priorities.
Top | Contents | Bibliography
Crime prevention is the most cited excuse for the development of strong encryption tools and the major reason behind the idea of access to encryption keys by the law enforcement agencies. Most people would accept the need for democratic governments to intercept communications on a limited scale, for the detection and investigation of crime, and for the `defence of the realm'. The ex Science and Technology Minister Ian Taylor stated that:
`The licensing policy will aim to protect consumers as well as to preserve the ability of the intelligence and law enforcement agencies to fight serious crime and terrorism by establishing procedures for disclosure to them of the encryption keys, under safeguards similar to those which already exist for warranted interception under the Interception of Communications Act.' (DTI Press Release, 1996)
So, basically, the UK government wants access to the electronic information
just as the US government does in its key escrow and key recovery proposals.
According to the FBI, wiretapping is crucial to effective law enforcement:
`If the FBI and local police were to loose the ability to tap telephones
because of the widespread use of strong-cryptography, the country would be
unable to protect itself against terrorism, violent crime, foreign threats,
drug trafficking, espionage, kidnapping, and other crimes.' (Freeh, 1994)
FBI director Louis Freeh recently told the US Senate Subcommittee on Technology that:
`[L]aw enforcement is in unanimous agreement that the widespread use of robust unbreakable encryption ultimately will devastate our ability to fight crime and prevent terrorism. Unbreakable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity. We will lose one of the few remaining vulnerabilities of the worst criminals and terrorists upon which law enforcement depends to successfully investigate and often prevent the worst crimes.' (see Freeh, 1997, and Freeh, 1998)
Freeh offered key recovery as the balanced solution to this so-called law enforcement problem in his speech. According to Freeh, criminals were using strong encryption tools such as Phil Zimmermann's 128 bit PGP software and he demanded laws that `would require all such encryption products and services to contain features that would allow for the immediate access by law enforcement to the "plaintext" of encrypted criminal-related communications or electronically stored data pursuant to a court order.'
At her Web site, Denning states that encryption is used by organised crime and for espionage. She cites seven cases of terrorism which involved encrypted files within computers but in all of these cases the law enforcement agents managed to decrypt the files during their investigation. (Denning &. Baugh, 1997). Even without a key escrow or key recovery system, the law enforcement agents managed to decrypt the encrypted files in these cases and even with a key escrow or key recovery system, criminals cannot be entirely prevented from using strong encryption.
Without this capability, it may be suggested that the governments would be less able to protect the safety of the public, and this in itself would constitute an infringement of civil liberties. Internet Privacy Coalition states that:
`We do not object to the right of government to conduct lawful investigation. We recognise that the enforcement of law is a central concern in every democratic society. But no government has the right to restrict the ability of its citizens to make use of tools to protect their own privacy. Nor should any government put crime investigation before crime prevention.' (Internet Privacy Coalition, 1997)
For the purposes of legal access, the UK government proposes a `central repository' to be established that would `act as a single point of contact for interfacing between a licensed TTP and the security, intelligence and law enforcement agencies who have obtained a warrant requiring access to a client's private encryption keys.' It is also stated in a footnote that the `central repository' would be an existing government department or an agency set up specifically, by the government for the above purpose (see the DTI Consultation paper). This proposal poses precisely the danger which the report `The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption' warned against in May 1997: the concentration of keys in highly visible, centralised repositories like the one proposed by the DTI consultation paper. These will present an irresistible target for intruders, and such intruders cannot be kept out indefinitely. A history of many break-ins to networks owned by the military and by large corporations proves this.
There are also practical issues here which are worthy of consideration. Surely we must accept that we cannot be in favour of terrorists and drug dealers using cryptography to plan or facilitate their crimes. But what if they do? The sending of messages in this way may still create evidence which is obtainable during the course of an investigation or trial. It is suspect users who should be targeted, not the whole world at large.
We should also remember that government access to encryption keys, as in the case of the use of Closed Circuit Television systems (`CCTVs') will not necessarily prevent premeditated brutal terrorist attacks such as the bombings of Lockerbie Pan AM 103, Docklands (near the Canary Wharf) and Manchester's Arndale shopping centre. It is wrong to assume that terrorists will put a bomb in a place watched by the CCTVs or that they will plan the bombing using encryption tools which may be accessed by the law enforcement bodies. CCTVs did not stop bombings in, for example, Manchester or recently at the Leeds City Station. It takes an extraordinarily high level of constant surveillance and oversight to provide an effective deterrent through these means. More likely is that the terrorists will use encryption without detection or detection will come later through other means, by which time the refusal to provide the key will be incriminating evidence. Terrorists and organised criminals are detected through a variety of techniques involving mainly informers and surveillance. The interception of messages is important, but it should be remembered that there is no shortage of powers to build up useful evidence.
Following the crash of the TWA Flight 800 and the pipe bomb that exploded at the Olympics in Atlanta, the US took the opportunity to pressure the G-7 meeting in France to address restrictions on the use of cryptography. The G-7 adopted a final statement which urged the need to `accelerate consultation on encryption that allows, when necessary, lawful government access to data and communications in order to prevent or investigate acts of terrorism, while protecting the privacy of legitimate communications.' In response, the Global Internet Liberty Campaign (`GILC') was established comprising a number of international human rights, privacy and computer user groups. GILC then announced that they would oppose the G-7 initiatives to restrict free speech and privacy on the Internet (Schneier, & Banisar, 1997, p 322, and the GILC Resolution in Support of the Freedom to Use Cryptography, 1996).
The other point to bear in mind is that if encryption is no longer secure, terrorists will no longer use licensed systems. `As a result, restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not however prevent totally criminals from using these technologies.' (see the EU Communication paper, 1997).
Top | Contents | Bibliography
According to a recent BBC report, the UK Home Secretary, Jack Straw, is using Britain's six-month EU presidency to raise awareness of the task facing law enforcement agencies on the Internet. The EU ministers agreed in Birmingham that such agencies must have access to the encryption keys used to scrambled information. They warned that unbreakable encryption systems would mean organised crime could pursue its activities unhindered (Orlowski, 1998).
Straw's new initiatives are at odds with what the Labour party stated in their Manifesto before the May 1997 elections.
`We do not accept the `clipper chip' argument developed in the United States for the authorities to be able to swoop down on any encrypted message at will and unscramble it. The only power we would wish to give to the authorities, in order to pursue a defined legitimate anti-criminal purpose, would be to enable decryption to be demanded under judicial warrant.' (Labour Party Policy on Information Superhighway, 1995)
The Labour Party Manifesto further stated that:
`It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers.'
According to Straw, this change in policy is necessary to crack down on organised
crime. This policy change may lead with new powers being given to the UK
police to intercept e-mail messages and also to access encryption keys in
the near future without the need for judicial warrants (BBC News, 1998).
This would undoubtedly lead to a systematic invasion of privacy of online
communications. Therefore, the UK version of the `Big Brother' would
emerge.
It looks like politicians change their minds without warning or simply bow
to pressure. Therefore, we cannot trust them. The current views of Jack Straw
and the DTI proposals which were launched in March 1997 are also in clear
contrast with the EU communication paper mentioned throughout this article.
The EU communication paper on encryption stated that:
`...most of the (few) criminal cases involving encryption that are quoted as examples for the need of regulation concern "professional" use of encryption. It seems unlikely that in such cases the use of encryption could be effectively controlled by regulation.'
Criminals cannot be entirely prevented from having access to strong encryption and from bypassing escrowed encryption. Benefits of regulation for crime fighting are therefore not easy to assess and often expressed in a fairly general language. However control measures could make use of encryption for criminal activities more difficult and cumbersome (EU Communication paper).
The Global Internet Liberty Campaign, criticised the change of policy in Britain with a member statement which was signed by 22 organisations world-wide in February 1998. The GILC member statement concluded that `mandatory key recovery policies would make Britain a second-class nation in the Information Age.' (see GILC Member Statement, 1998)
Top | Contents | Bibliography
` ... and it will fall out as in a complication of diseases, that by applying a remedy to one sore, you will provoke another; and that which removes the one ill symptom produces others....' (More, 1516, see also Lerch, & Gray, 1997)
Cryptography can be essential to secure private communications and anonymity on the Internet. All the debate about its use and regulation is related to free speech theories. The protection of anonymous speech and freedom of expression can be achieved only by the use of strong encryption without government intrusion and access to the encryption keys. While the TTP initiatives and the key recovery techniques may to some extent be helpful to the development of online commerce, there is no need for these systems to secure private communications between online users.
Yet the TTP issue is a Trojan horse, into which governments are sneaking their plans for universal surveillance - surveillance of non-commercial messages. No government intervention is really needed to develop a set of third parties in respect to commercial transactions. Growing demand for electronic commerce will cause them to spring up naturally. After all, most of us use credit cards, and the governments did not have to pass special laws licensing the finance companies that issue credit cards (Oram, 1997). The true goal of governments remains the control of global information networks.
The needs for the use of encryption tools are various in nature and should not be confused and mixed as happens in the UK's DTI consultation paper. The DTI consultation paper simply tries to balance the need for encryption services for the development of online commerce with crime prevention, without fully recognising all the issues which arise with respect to the privacy of online users. Neither human rights organisation nor anybody in danger would communicate sensitive material through the Internet knowing that the encryption key on the receiving point may be decrypted.
We cannot also trust the TTPs or the law enforcement agencies who hold the copies of the encryption keys as they may pass the information to the law enforcement agencies of the more repressive governments either directly or indirectly. For example, the FBI, during the 1970s wiretapped and bugged the communications of Black Panthers and other dissident groups (Ungar, 1975). Also between 1953 and 1973, the CIA opened and photographed almost 250,000 first class letters within the US from which it compiled a database of almost 1.5 million names (Church Committee Report, 1976). In many countries in the world, human rights organisations, journalists and political dissidents are the most common targets of surveillance by government intelligence and law enforcement agencies and other non-governmental groups. The U.S. Department of State, in its 1996 Country Reports on Human Rights Practices, indicated widespread illegal or uncontrolled use of wiretaps by both government and private groups in over 90 countries (GILC, Cryptography and Liberty: An International Survey of Encryption Policy, 1998).
Strong encryption technology without key escrow or key recovery offers the
fundamental protection to those who seek to bring official abuses of power
to light. Any restrictions on use of encryption would create opportunities
for the violation of free expression for individuals in countries where dissent
is punished. Dissidents and human rights organisations under repressive regimes
use encryption technologies to share their concerns and transmit often sensitive
information. Encryption has the power to authenticate the identity of these
authors to their partners abroad, and protect their identity from despots
at home. Any key escrow mechanism will result in loss of confidence among
groups and individuals, mostly based in repressive regimes. This would mean
a tremendous blow to international efforts to support the cause of human
rights.
Global Internet Liberty Campaign which favours the unrestricted use of
cryptography to protect personal privacy recently stated in a paper on Human
Rights and the Internet that:
`[W]e believe that policies concerning cryptography should be based on the fundamental right to engage in private communication. We oppose efforts that would lead to the development of communications infrastructure designed for surveillance.' (GILC statement, 1998)
The group also urged the development of a public education campaign to inform various political, labour and social groups on the benefits of and techniques for using encryption (GILC, Cryptography and Liberty: An International Survey of Encryption Policy, 1998).
The question is not whether any such interception and access to encryption keys is wrong, but whether it is safe to entrust all future governments in perpetuity with an unprecedented technical capability for mass surveillance. The state strategy seems naive as it assumes that criminals will use encryption tools which can be decrypted by the law enforcement bodies. More likely, the key escrow technology will have a chilling effect on the online users who seek to remain either secure or anonymous when communicating through the Internet, whether for fear of retribution or other reasons.
Restrictions on the use of the Internet for secure communications would damage these values which are relevant to a new form of `digital democratic environment.' The encryption wars will continue in different forums. Last year the hope was the Labour Manifesto on encryption. This year it is the EU proposals. One thing that will never change is that there key recovery or key escrow systems are not suitable for human rights work.
ACLU press release dated 24 September 1996 at
http://www.aclu.org/news/n092496a.html
Akdeniz, Y. et al, `Cryptography and Liberty: Can the Trusted Third Parties
be Trusted? A Critique of the Recent UK Proposals,' 1997 (2) The Journal
of Information, Law and Technology (JILT).
<http://elj.warwick.ac.uk/jilt/cryptog/97_2akdz/default.htm>
Akdeniz, Y., `UK Government Encryption Policy,' [1997] Web Journal of
Current Legal Issues 1.
<http://webjcli.ncl.ac.uk/1997/issue1/akdeniz1.html>
Akdeniz, Y., & Bowden, C., `Cryptography and Democracy : Dilemmas of
Freedom,' in Jonathan Cooper eds., Liberating Cyberspace: Civil Liberties,
Human Rights, and the Internet, London: Pluto Press, April 1998.
Ball, P., `Security problems and cryptographic solutions for human rights
organisations working on the Internet,' US Congressional Briefing, August
1, 1997, at
<http://www.aaas.org/spp/dspp/cstc/briefings/crypto/hr/index.htm>.
See also Ball, P., `Security Problems and Cryptographic Solutions for Human
Rights Organisations,' Computers, Freedom, and Privacy, 19 February 1998,
at
<http://www.aaas.org/spp/crypto/cfp98/index.htm>.
Banisar, D., `Bug Off! A Primer on Electronic Surveillance for Human Rights
Organizations,' International Privacy Bulletin, October 1995,
<http://www.privacy.org/pi/reports/bug_off.html>
BBC News, `Labour reverses policy on Net encryption,' January 30, 1998, at
<http://news.bbc.co.uk/hi/english/sci/tech/newsid_52000/52117.stm>
Calcutt Committee on Privacy and Related Matters, Cmnd. 1102, London: HMSO,
1990, para. 3.12, page 7.
Church Committee Report, S. Rep. No. 755, 94th Cong., 2d Sess., pt. 2, 1976,
at 6.
Cleaver, H., `The Zapatistas and the Electronic Fabric of Struggle,' at
<http://www.eco.utexas.edu:80/Homepages/Faculty/Cleaver/zaps.html>.
Cottrel, L., Mixmaster FAQ,
<http://www.obscura.com/~loki/remailer/mixmaster-faq.html>
Council Directive on the Protection of Individuals with regard to the Processing
of Personal Data and on the Free Movement of Such Data, COM (92) 422 Final
- SYN 287, Brussels, 15 Oct. 1992.
Data Protection Bill 1998, is available at
<http://www.parliament.the-stationery-office.co.uk/pa/ld199798/ldbills/061/1998061.htm>
Denning, D. E. &. Baugh, Jr., W. E, `Cases Involving Encryption in Crime
and Terrorism,' October 1997,
<http://guru.cosc.georgetown.edu/~denning/crypto/cases.html>
Department of Trade and Industry, Consultation Paper, `Licensing of Trusted
Third Parties for the Provision of Encryption Services,' March 1997,
<http://www.dti.gov.uk/pubs/>
Department of Trade and Industry, `Paper On Regulatory Intent Concerning
Use Of Encryption On Public Networks,' June 10, 1996,
<http://dtiinfo1.dti.gov.uk/cii/encrypt/>
Directive 95/46/EC of the European Parliament and of the Council of 24 October
1995 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data.
European Commission, `Towards A European Framework for Digital Signatures
And Encryption,' Communication from the Commission to the European Parliament,
the Council, the Economic and Social Committee and the Committee of the Regions
ensuring Security and Trust in Electronic Communication, October 1997, COM
(97) 503, at
<http://www.ispo.cec.be/eif/policy/97503toc.html>.
Freeh, L., (FBI Director), `Address at the Executives' Club of Chicago,'
Feb. 17, 1994.
Freeh, L., `The Impact of Encryption on Public Safety,' Director of Federal
Bureau of Investigation Before the Permanent Select Committee on Intelligence
United States House of Representatives Washington, D. C. September 9, 1997,
at
<http://www.fbi.gov/congress/encrypt4/encrypt4.htm>.
Freeh, L., `Threats to U.S. National Security Statement,' Director of Federal
Bureau of Investigation before the Senate Select Committee on Intelligence
Washington, D.C. January 28, 1998, at
<http://www.fbi.gov/congress/threats/threats.htm>.
GILC Resolution in Support of the Freedom to Use Cryptography, September
1996,
<http://www.gilc.org/crypto/oecd-resolution.html>
GILC statement, `Human Rights and the Internet,' January 1998,
<http://www.gilc.org/news/gilc-ep-statement-0198.html>.
GILC Campaign Member Statement: New UK Encryption Policy criticised, February
1998, at
<http://www.leeds.ac.uk/law/pgs/yaman/crypto-uk.html>.
GILC, Cryptography and Liberty: An International Survey of Encryption Policy,
February 1998, at
<http://www.gilc.org/crypto/crypto-survey.html>
Internet Engineering Task Force statement, `Internet groups critical of
government proposals to restrict encryption technology,' July 1996, at
<http://info.isoc.org:80/whatsnew/cryptog.html>.
Internet Privacy Coalition at
<http://www.privacy.org/ipc/>.
Labour Party Policy on Information Superhighway, 1995, `Communicating Britain's
Future,'
<http://www.labour.org.uk/views/info%2Dhighway/content.html>.
Lerch, I. and Gray, M., `Cryptography in America,' (1997) Science Magazine,
Volume 278 (5343), p. 1545.
More, Sir Thomas, Utopia, 1516, (Wordsworth: Classics of World Literature,
1997).
Oram, A., `British and Foreign Civil Rights Organizations Oppose Encryption,'
April 1997, at
<http://www.cpsr.org/cpsr/nii/cyber-rights/web/crypto_brit.html>.
OECD Cryptography Policy Guidelines: Recommendation of the Council Concerning
Guidelines for Cryptography Policy, 27 March 1997, at
<http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm>.
Orlowski, A., BBC News - The key debate on encryption, January 30, 1998,
at
<http://news.bbc.co.uk/hi/english/sci/tech/newsid_51000/51997.stm>.
PoKempner, D., `Briefing Paper: Encryption in the Service of Human Rights,'
paper presented at the Cryptography: Scientific Freedom and Human Rights
Issues, US Congressional Briefing August, 1997, at
<http://www.aaas.org/spp/dspp/cstc/briefings/crypto/dinah.htm>.
The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption
Report, May 1997,
<http://www.crypto.com/key_study/>
`Rights Brought Home: The Human Rights Bill,' CM 3782, London: HMSO, October
1997, at
<http://www.official-documents.co.uk/document/hoffice/rights/rights.htm>.
Schneier, B., & Banisar, D., The Electronic Privacy Papers: Documents
on the Battle for Privacy in the Age of Surveillance, New York: John
Wiley & Sons, 1997.
Sanford J. Ungar, FBI 137, 1975.
Wacks, R., `Privacy in Cyberspace,' presented at the Society of Public Teachers
of Law (SPTL) Seminars for 1996 - Pressing Problems in the Law: Privacy,
29 June 1996.
Wacks, R., `Privacy in Cyberspace: Personal Information, Free Speech, and
the Internet,' in eds Birks, P., Privacy and Loyalty, Oxford: Clarendon
Press, 1997.
Wallace, J., `Mrs. McIntyre in Cyberspace: Some thoughts on anonymity,' The
Ethical Spectacle, May 1997 at
<http://www.spectacle.org/597/mcintyre.html>
Footnotes
(1) This paper will be presented at the ETHICOMP98
Conference, Erasmus University, Rotterdam, The Netherlands, March 1998.
(2) For example, Official Secrets Act 1920,
section 4 gave power to intercept foreign telegrams dispatched
to or from any private cable company in the UK. Section 5 of the 1920 Act
also required a person in the
business of receiving postal packets to register his business.
(3) For example, in Burma, it is illegal to
own a computer with networking facility. See Free Burma Web
site at
<http://freeburma.org/>)