Subject: IP: UK Decryption powers raise human rights concerns
>From: "Caspar Bowden" <cb@fipr.org>
>To: "Dave Farber (E-mail)" <farber@cis.upenn.edu>
>
>http://www.sunday-times.co.uk/news/pages/sti/99/08/01/stiinnnws01005.html?999
>E-commerce - Is the government doing enough for e-commerce?
>No, writes Caspar Bowden. Plans for a tough encryption law are raising human rights concerns
>
>THE government's electronic communications bill is the latest step in the long-running row over control of cryptography. It will give ministers broad powers to control the use of encryption in electronic commerce and has met with a mixed reception from industry.
>
>David Svendsen, managing director of Microsoft, welcomed the bill as a "golden opportunity" for Britain to become an e-commerce hub in Europe. But Richard Sullivan of the Computer Software and Services Association (CSSA) said closer co-operation with industry would be preferable to "introducing strict penalties and a raft of secondary legislation provisions".
>
>The bill was announced in the Queen's Speech last November, but was delayed as it became clear industry would not wear regulation designed to foist "key escrow" on users - the holding of spare keys by third parties in case needed by the police.
>
>The government expected the opposition to agree to the bill's introduction this session of parliament. Instead, the Tories described it as a "dog's breakfast" and blocked it.
>
>Vestiges of the "trusted third party" idea remain, a statutory but voluntary scheme for licensing bodies that provide encryption services. The Department of Trade and Industry (DTI) says there may be no need to invoke the law and is working with industry on self-regulation, but is keeping its options open. If the climate in America changes, the key escrow powers with minimal parliamentary scrutiny are still there.
>
>New law-enforcement powers to demand unscrambling of intercepted e-mails and coded data could wreck business and consumer confidence. The authorities would be able to demand decryption keys from anyone; those withholding keys would be presumed guilty unless they could show otherwise.
>
>The Home Office argues that being asked to provide a decryption key is just like requiring a DNA sample - but even a person not suspected of any crime who has lost or forgotten their key would have to convince the court or go to jail for two years.
>
>Decryption notices could be served on associates, legitimate third parties and legal advisers, with an obligation not to change keys if this would tip off the suspect. The most chilling provision is that notices can contain a total obligation of secrecy - this would prevent anyone complaining publicly, with a penalty of five years imprisonment.
>
>The Home Office fear is that if catch-22 safeguards unravel they face a policy meltdown.
>
>Ingeniously crafted for minimal compliance with a 1984 Commission on Human Rights ruling, the 1985 Interception of Communications Act (Ioca) created a tribunal that can only uphold a complaint if it is "manifestly unreasonable" to issue a warrant. Otherwise the tribunal does not tell complainants whether or not they were intercepted, on the ground that interception is most effective when it receives least publicity. For the same reason interception can only be used for intelligence, not evidence in court.
>
>In the bill, a complainant's only recourse is to a secretive Ioca-style tribunal, which can hold proceedings in their absence. The tribunal need not disclose reasons for decisions, and operates special rules on burden of proof and admissibility of evidence. Authorities with access to keys only need maintain such safeguards "as considered necessary", and even flagrant breaches of the code of practice would not "of itself" be a criminal offence.
>
>These issues are being dealt with in a DTI bill instead of the Ioca review because the Home Office's position is that decryption is about maintaining the effectiveness of existing legislation, but the Ioca review is about eavesdropping methods for internet service providers.
>
>Scientific reality does not conform to this legal framework. An encrypted message can actually be camouflaged by steganography - hiding it in digitised sound or pictures.
>
>Decryption notices would apply not just to data that can already be seized or intercepted under warrant, but also to published or public domain material. In this case, nobody knows whether there is a safe, let alone a key.
>
>The Foundation for Information Policy Research believes that criminals should not be able to hide behind encryption, but these proposals infringe rights to privacy and a fair trial.
>
>To prevent injustice and legal absurdities, a judge should issue a decryption notice only when there is reliable evidence that the data contains a hidden or encrypted message, the person on whom the notice is served possesses a key and the data pertains to a serious crime.
>
>To help the prosecution prove its case, Ioca may need to be changed to provide courts with circumstantial evidence from intercepts.
>
>The bill has been published for consultation and comments are due by October 8. Home Office ministers have so far not faced questions from the public or parliament, but as minister in charge of the bill, Stephen Byers has made a declaration of compliance with the European Convention of Human Rights.
>
>He may wish to examine decryption powers again before putting his name to the final bill this autumn.
>
>Caspar Bowden is director of the Foundation for Information Policy Research (http://www.fipr.org)