LEEDS - "Privacy is still not an issue with the newly announced UK government policy on the use of encryption systems within Britain," said Yaman Akdeniz, head of the Leeds based Cyber-Rights & Cyber-Liberties (UK) organisation in a statement issued this morning.
Cyber-Rights & Cyber-Liberties (UK)'s immediate response to the newly announced government policy concentrates on the use of encryption for private communications. Although the government's commitment to develop online commerce and to follow international developments is welcome, Cyber-Rights & Cyber-Liberties (UK) is not satisfied with the fact that some of the more important issues, such as a right to private communications and some important issues related to the system of judicial warrants, are not clearly explained or justified.
The Cyber-Rights & Cyber-Liberties (UK) Response to the Secure Electronic Commerce Statement
Introduction
The new policy was announced in the form of a written reply to a Parliamentary question. The newly announced policy is entitled "Secure Electronic Commerce Statement". This follows from the previous government's Trusted Third Party initiatives, and the idea of the TTPs still remains, but this time on a "voluntary basis".
The Government statement now has a clear policy differentiation between digital signatures and the use of encryption. This statement concentrates more on the use of digital signatures and therefore the emphasis is on the Government's commitment to a safe and secure basis for the development of electronic commerce. Although this is welcome, it should be noted that these follow mainly from the OECD Guidelines on Cryptography Policy (with which the paper claims to be fully compatible) and from the European Commission's Communication on Encryption and Electronic Signatures (COM (97)503). These were rather expected, as in any other case the UK position would have serious conflicts, especially with European Union policy.
Privacy is not mentioned
While the government will contribute to the development of a European-wide Electronic Signature Directive, the policy on the use of encryption for wider purposes (whether private or political) still remains unclear and muddy. Cyber-Rights & Cyber-Liberties (UK), a non-profit organisation, is concerned with the privacy of online communications. It notes that although the new government proposals claim that the policy is fully compatible with the OECD Guidelines, the issue of privacy is carefully left out again, and there is not even a mention of the word "privacy" anywhere in the new statement. A right to privacy will soon be created within the United Kingdom under the Human Rights Bill and "a right to respect for a private life" will be part of British law for the first time. (Note that specific and extensive rights to privacy will be the subject matter of another forthcoming piece of legislation within the UK under the Data Protection Bill 1998.) Therefore these other national developments, which have significant importance for the use of strong encryption, should be respected and considered in any forthcoming policy. In conclusion, the DTI paper should be criticised as being fixated on the value of commerce and ignoring wider political and social uses of information technology which might legitimately require the use of encryption.
OECD Guidelines and the EU Communication paper do refer to privacy
It should also be noted that principle 5 of the OECD Guidelines on Cryptography Policy stated that "the fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods." In addition to the OECD Guidelines, the European Commission's Communication on Encryption and Electronic Signatures (COM (97)503), which is mentioned by the government's new policy, points out that:
"International treaties, constitutions and laws guarantee the fundamental right to privacy including secrecy of communications (Art. 12 Universal Declaration of Human Rights, Art. 17 International Covenant on Civil and Political Rights, Art. 8 European Convention on Human Rights, Art. F(2) Treaty on EU, EU Data Protection Directive) .. Therefore, the debate about the prohibition or limitation of the use of encryption directly affects the right to privacy, its effective exercise and the harmonisation of data protection laws in the Internal Market."
Warrants and crime prevention
In developing its policy on encryption, the new Government policy states that it has given serious consideration to the risk that criminals and terrorists will exploit strong encryption techniques to protect their activities from detection by law enforcement agencies. Therefore the government favours judicial warrants and legal interception of communications on a case-by-case basis. The policy paper states that "the new powers will apply to those holding such information (whether licensed or not) and to users of encryption products." This is justified by the fact that warrants are regularly used (see paragraph 13) for the interception of communications within Britain, although, out of the 2600 interception warrants issued during 1996-97 by the Home Secretary, there is no direct reference to the interception of encrypted messages through the use of the Internet. Another important issue to be noted is that the number of such warrants has risen considerably in the last two years (910 warrants issued in 1995 compared to 473 in 1990 - see below for the full figures). This suggests both that the current powers are more than adequate and even that they are not being properly regulated.
A further point to note is that the government is not wholly committed to searches purely under the authority of a judge (contrary to earlier promises). In the paper, a distinction is made between judicial involvement in "criminal investigations" and other "interceptions" which will be by order of the Secretary of State (paragraph 14). To some extent, it must be admitted that this follows the lax pattern of earlier legislation (such as the Interception of Communications Act 1985) but the replication of this absence of proper oversight should hardly be welcome. In any event, the access to a key should be treated as a different exercise to the original interception of a message.
Right to silence and self-incrimination
The interception of messages is important, but it should be remembered that terrorists and organised criminals are detected through a variety of techniques involving mainly informers and surveillance. In addition, those who choose to exercise their "right to silence" by not disclosing information to unlock encrypted files will risk adverse inferences being drawn from their silence under sections 34-37 of the Criminal Justice and Public Order Act 1994.
Although the OECD Guidelines stated that "national cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data," they immediately reiterated that "these policies must respect the other principles contained in the guidelines to the greatest extent possible" and this would include respect for privacy under the fifth principle (see above).
Conclusion
The EU communication paper on encryption stated that "most of the (few) criminal cases involving encryption that are quoted as examples for the need of regulation concern professional use of encryption. It seems unlikely that in such cases the use of encryption could be effectively controlled by regulation." Criminals cannot be entirely prevented from having access to strong encryption and from bypassing escrowed encryption. The benefits of regulation for crime fighting are therefore not easy to assess and are often expressed in fairly general language, as happens with the new government policy. However, the chilling effect on Internet usage, especially for legitimate political purposes in opposition to states, is easier to see.
It remains to be seen what the Home Office will suggest and how it will tackle the issue, but certainly the encryption wars and the debates about access to keys will continue, and Cyber-Rights & Cyber-Liberties (UK) will continue to address these fundamental issues.
Written and signed by:
Mr Yaman Akdeniz, Cyber-Rights & Cyber-Liberties (UK)
(Professor Clive Walker also contributed to this statement)
Notes for the Media
Department of Trade and Industry, "Proposals For Secure Electronic Commerce Bill Published," PN/98/320, 27 April, 1998 at http://www.coi.gov.uk/coi/depts/GTI/coi0803e.ok
Department of Trade and Industry, Secure Electronic Commerce Statement is available at http://www.dti.gov.uk/CII/ana27p.html
Cyber-Rights & Cyber-Liberties (UK), "First Report on UK Encryption Policy" is available at http://www.leeds.ac.uk/law/pgs/yaman/ukdtirep.htm.
Cyber-Rights & Cyber-Liberties (UK) advises Jack Straw, the UK Home Secretary, on the issue of encryption, press release, 02 February, 1998, at http://www.leeds.ac.uk/law/pgs/yaman/crclukpr-3.html.
British and Foreign Civil Rights Organisations Oppose Encryption Paper, 9 April 1997. See http://www.leeds.ac.uk/law/pgs/yaman/crypto_b.htm.
Akdeniz, Y et al, "Cryptography and Liberty: Can the Trusted Third Parties be Trusted? A Critique of the Recent UK Proposals," 1997 (2) The Journal of Information, Law and Technology (JILT). http://elj.warwick.ac.uk/jilt/cryptog/97_2akdz/.
Total figures for warrants issued in England and Wales 1989-1995: 1989- 458, 1990 - 515, 1991 - 732, 1992 - 874, 1993 - 998, 1994 - 947, 1995 - 997. See UK: Phone-tapping doubles in 5 years, Statewatch Bulletin, Vol 6 no 3, May-June 1996, and also the Report of the Commissioner for 1995, Interception of Communications Act 1985. Cm 3254, HMSO, Report of the Commissioner for 1994, Security Service Act 1989, for 1995. Cm 3253, HMSO, Intelligence Services Act 1994, for 1995. Cm 3288, HMSO, MI5 The Security Service, 2nd edition, HMSO.
Akdeniz, Yaman and Bowden, Caspar, "Cryptography and Democracy: Dilemmas of Freedom," in Jonathan Cooper eds., Liberating Cyberspace: Civil Liberties, Human Rights, and the Internet, London: Pluto Press, April 1998. See http://www.leeds.ac.uk/law/pgs/yaman/cryptdem.htm
Akdeniz, Y., "No Chance for Key Recovery: Encryption and International Principles of Human and Political Rights," (1998) Web Journal of Current Legal Issues 1. See http://webjcli.ncl.ac.uk/1998/issue1/akdeniz1.html
Abelson, Anderson, et al., "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption," 1997, at http://www.crypto.com/key_study/.
Global Internet Liberty Campaign Member Statement: New UK Encryption Policy criticised, February 1998, is available at http://www.leeds.ac.uk/law/pgs/yaman/crypto-uk.html.
GILC, Cryptography and Liberty: An International Survey of Encryption Policy, February 1998, at http://www.gilc.org/crypto/crypto-survey.html. A world survey of crypto policies released in February has found that most countries do not restrict the use of encryption.
The Labour Party Policy on Information Superhighway before the May 1997 elections, "Communicating Britain's Future," http://www.labour.org.uk/views/info%2Dhighway/content.html.
European Commission Communication, "Towards A European Framework for Digital Signatures And Encryption," Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions ensuring Security and Trust in Electronic Communication, COM (97) 503, October 1997, at http://www.ispo.cec.be/eif/policy/97503toc.html.
OECD Cryptography Policy Guidelines: Recommendation of the Council Concerning Guidelines for Cryptography Policy, 27 March 1997, at http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm.