Subject: IP: Stewart Baker's thoughts on British encryption policy
Date: Sat, 18 May 96 15:58:27 EST
From: "Stewart Baker" <sbaker@mail.steptoe.com>
To: farber@central.cis.upenn.edu

I enclose a shortened version of my (somewhat personal)
take on British encryption plans. I would welcome
corrections and elaborations from more knowledgeable
sources. A longer version of the piece is posted on the
Steptoe "Law and the Net" page:
www.us.net/~steptoe/pubtoc.htm#net

According to sources within the British
government, plans to implement "trusted third party"
encryption services are fairly far along, although it is
unlikely that any legislation would be introduced prior
to the election that will occur within the next nine
months. Since the polls suggest that the election will
bring Labour to power for the first time in a decade and
a half, it is uncertain what the Labour Government will
do about the encryption issue. But, in the absence of
firm policy guidance from political leaders, the
permanent UK government seems to be reaching consensus
on a plan to encourage but not mandate use of trusted
third party encryption services.

In examining their options, it appears that
British policymakers have ruled out either a flat ban on
the use of encryption, or an effort to license
encryption products, hardware, and software, sold to the
public. Similarly, the government seems uninterested in
efforts to control the length of encryption keys.

British authorities appear to be
contemplating a trusted third party encryption system
that would be given a jumpstart by tying it to a wide
variety of government services and programs, such as the
National Health Service. There is no plan to regulate
encryption products. Mass-market software producers
would be free (as at present) to offer strong
over-the-counter encryption. Makers of personal
computers and PC cards could apparently do the same.

The British government would apparently
prefer to encourage escrowed encryption by "bundling" a
variety of trusted third party services together. Like
other European governments, the British have seized on
the observation that digital commerce requires an
infrastructure of digital signatures, certification
authorities, and assorted other services such as
time-stamping. They evidently hope to limit this role
to companies that are also prepared to offer encryption
and key management services and that are prepared to
provide keys to the government when presented with a
warrant.

Although billed as a trusted third party
approach, it seems that the British government is not
planning to insist that all parties escrow their keys
with a third party. The plan will allow a significant
amount of "self escrow," at least on the part of large
companies that are willing to establish special escrow
units that can be walled off from the rest of the
company in the event of a criminal investigation of
corporate higher-ups.

I talked to British government sources about
the plan and raised questions about its details. Some
simply have not been worked out. The effort to create
trusted third party services without regulating products
is understandable. Regulating products would mean
picking a fight with the large and aggressive retail
software industry, as well as directly affecting
purchases by individuals. It would also expose
regulators to the criticism that they are regulating
software sold in stores but are unable to prevent
downloading of free and unescrowed encryption software
from anonymous sites in Finland and the like.

Nonetheless, free competition between
unescrowed products and escrow services may raise
problems for the government plan. The UK government
will likely have to bear some of the costs of
maintaining a trusted third party infrastructure, or
encryption users and providers will have an incentive to
avoid escrowed encryption and instead use encryption
products in order to minimize costs. It is not clear
how the government plans to deal with that possibility
other than to note that products cannot provide
up-to-date certification and other services.

Even with respect to third-party services, it
is not clear how the government will deal with
"unbundling." Certification services probably have
fewer infrastructure costs than trusted third party
encryption. There may be a temptation, therefore, on
the part of consumers (and service suppliers) to use
(and provide) only certification rather than encryption
services. It is not clear whether the British
government intends to prohibit unbundling, discourage it
through regulatory action, or simply hope that it
doesn't happen.