UK: Electronic Communications Act Creates Legal Perils

"Decryption warrants": the replacement for key escrow.

After three years of unsuccessful attempts to introduce key escrow, the British government has written an "Electronic Communications Act" to force users of electronic privacy to hand over their keys, passwords or plaintext on demand to the police. Part 3 of the proposed Act grants police powers to seek two year jail sentences for anyone unable to provide them on demand with keys to encrypted files and communications. Both encryption users and service providers will be covered. Another new offence is aimed mainly at service providers. Called the "tipping off" offence, this provision would impose jail sentences on anyone who revealed that they had been served with a decryption warrant. It could be used to prevent the recipient, or even the user of the privacy keys concerned, from telling anyone else that their messages were no longer private or secure.

Ironically, progress of the new plan has been halted because the opposition Conservative party - who originally backed the US key escrow scheme - say that the new law is a unwelcome "dogs breakfast".

The Conservatives say that they will block attempts to rush the controversial Electronic Communications Bill into Parliament. Alan Duncan MP, Conservative Party spokesman on IT, said this week that his party would not agree to the government introducing the legislation in its current form.

Its "too long and too heavy for its purpose", he said. "What industry needs is a quick short bill". With 30 pages of dense, complex text when there should be 3, said Duncan, the Bill ought to be "shorter, simpler and lighter". He criticised the government for trying to bring the Bill before parliament at the last minute, when years had been wasted pursuing blind alleys.

The Conservatives' view was that the IT marketplace was already adequately providing most of what industry needed to facilitate commerce. Business did not need complex regulations or wide ranging ministerial powers to intervene, just recognition of structures already in place.

Under UK Parliamentary rules, the government must seek consent from the opposition to "carry over" a Bill from one session to another. The current session ends in about two weeks. If the Bill is not introduced now, it faces a further delay of six to nine months.

This would mean that for the fourth year running, British plans to legislate for E-commerce will have been halted because of government attempts to build in law enforcement and intelligence agencies access to private encrypted information.

It was originally devised in 1996 as a means to impose key escrow in the UK, in line with US policy. Certification authorities or trusted third parties in digital commerce would have been required to seek licenses and to escrow confidentiality as well as signature keys. In 1997, the government proposed that it would be compulsory for anyone providing cryptography services to copy private security keys to a government run "Central Repository ". New Labour was elected on a firm pledge to abandon the scheme. Electors were told:

But Labour then produced a further consultation paper, maintaining the key escrow policy. They met intense opposition, chiefly from the IT industry.

Four months ago, Prime Minister Tony Blair announced that escrow had finally been abandoned. He produced a third paper, describing draft legislation. He told top executives industry at a Downing Street breakfast that, in return for dropping key escrow, he expected industry to deliver a solution for law enforcement problems with crypto three weeks later.

Blair's March proposals encountered the most devastating criticism of all. The Parliamentary Select Committee on Trade and Industry reported two months ago that "the rationale for an electronic commerce bill is open to question". It is "not fit to be written into law" The government was told to drop "measures discarded from the previous key escrow policy which are concerned with controlling, not facilitating, electronic commerce".

This advice was ignored. Instead, the Electronic Communications Bill places "the onus on the recipient of a disclosure notice to prove to the authorities that the requested keys or plain text are not in his possession, and to state to the best of his knowledge and belief where they are". In other words, anyone in possession of information that they cannot decrypt has to prove that they do not have the key.

The requirement for users of encryption to prove their innocence has been dismissed by legal specialists as "logically absurd" and contrary to the new Human Rights Act. According to the specialist adviser to the Select Committee, Peter Sommer, "the requirement to prove innocence is only used in the most exceptional circumstances in English law".

The proposed decryption law ignores the new legal perils it creates.

The proposed decryption law ignores the new legal perils it creates. For example, anyone wanting to set up someone else as a victim of the new law need only mail them an encrypted file, apparently encrypted with a key registered to them. It also ignores the fact that when someone encodes an e-mail message with the addressee's public key, they are no longer able to read the message they wrote.

Critics from both sides of the political spectrum have repeatedly pointed out that law enforcement powers do not belong in an electronic commerce bill. According to Sommer, the Select Committee was concerned that the government had no evidence of a real problem with encryption. "Nobody has been collecting any data on the extent to which encryption is actually a problem for law enforcement", he said. It doesn't make sense to put it into a bill intended to deal with commerce. Both the all-party committee and the opposition say that decryption powers belong in a different new law, the Interception of Communications Act (IOCA). Decryption "should be dealt with in IOCA, not here", according to the Tory MP Alan Duncan.