GCHQ and the Patent Office

Dr Brian Gladman gladman@seven77.demon.co.uk
Fri, 24 Oct 1997 12:11:28 +0100 

>Ross Anderson wrote:
>
>However as GCHQ have now told the patent office that they can use strong
crypto
>if they want, and as it was GCHQ that ordered them to lie to this list, the
>patent office is clearly more sinned against than sinning. So as a
concession
>to the new mood of `glasnost' I have simply copied some of the evidence to
>Brian Gladman. I won't post it here unless officials push the issue.
>

Several people on the list have asked me to comment on the situation in
respect of the GCHQ advice to the Patent Office. What follows is ***my***
interpretation of events - neither Ross nor the Patent Office (nor anyone
else other than me) should be blamed for anything you read here!.

First of all it is important to understand how GCHQ works.

In order to preserve its intelligence collection capabilities GCHQ has a
vigorous policy of trying to undermine ***ANY*** R&D, implementation or use
of cryptography that is either outside its control or not of strategic
importance to its interests (and those of its larger cousin NSA).  It sees
its own interests here as identical to those of the UK as a whole but, as we
shall see, it does not want to have this identity of interests tested in any
open or democratic way.

This policy of preventing the spread of cryptography is closely co-ordinated
with NSA, it is comprehensive in scope and is very assiduously pursued.  It
includes, for example:

*divide and conquer: create fear, uncertainty and doubt about the meaning,
scope and application of all controls on cryptography; do not ever clarify
any particular interpretation of the rules; do not create precedents; press
all decisions on a detailed 'case by case' basis.

*use backdoor influence: suggest that companies who sell strong crypto
domestically that this will not find favour in government even though it is
perfectly legal.

*attempt to gain control or influence over any organisations that are seen
to be working on cryptography or closely related topics; ensure that R&D is
weakened in respect of cryptography wherever possible by suggesting or
imposing silly limits on it (e.g. zero strength algorithms in EC projects
imposed by SOGIS - not the fault of the EC folks);

GCHQ believe that if such a policy were published and openly operated its
validity would be questioned and its impact would be much reduced. They
point to the problems that NSA has in the US as evidence of this and argue
that the way things are done in the UK is much better.  Moreover, by
operating this policy as an unpublished one, it is not subject to the
careful scrutiny and rigorous analysis that the Treasury rightly insists
that all UK Government Departments conduct to show that their policies are
cost effective, affordable and of clear overall benefit to the UK citizens
who pay the bills.

My view on this is that this GCHQ policy may or may not be justified (I
suspect not) but what I consider totally unjustifiable and unethical is the
expenditure of ***huge*** sums of UK taxpayer's money to sustain a hidden
policy that is not subject to any effective scrutiny or accountability to
Parliament.

Now back to the Patent Office.

In my view, early on, the 'juniors' were sent in to see what could be
achieved in reducing the strength of what would be deployed by the Patent
Office.  None of this will have been written down because if it were the
advice would then be subject to scrutiny and the process of justifying it
would inevitably involve revelations about the underlying and hidden policy
set out above.

What Ross correctly reported were the results of these early 'behind the
scenes' interactions between the Patent Office and GCHQ.

When a piece of advice, given in the above fashion, is in danger of being
openly scrutinised it becomes very important to GCHQ that it is quickly
disowned and 'smoothed over' so that there is no publicity.  It is far
better to lose a minor battle rather than risk losing the whole war.

What the Patent Office reported to the list was this subsequent 'on the
record' GCHQ advice.

So both Ross and the Patent Office come out of the process with their honour
intact.  Moreover the UK public has benefited because one more small nail
has been hammered into the coffin of an outdated and questionable GCHQ
policy.  In my view both Ross and the Patent Office should be congratulated
for bringing this particular activity into the open and I hope that whenever
GCHQ gives questionable 'backdoor' advice on protective information security
those involved will have the courage to tell others about it.

As I know from direct personal experience from my time in MOD, going up
against GCHQ can be career threatening. This means that people often know
that what goes on is wrong but they are intimidated into staying silent
because GCHQ are known to be unscrupulous when under threat.

The only reason that I was not in this position was that I ran an
independent software business and hence had a substantial independent
income. I was thus able to do what was right without the need to fear what
GCHQ might do.   In such circumstances it is not difficult to have a
conscience - the people I admire most are those who have the courage to
exercise their conscience without the comfort that I had in doing so.

Finally a check list for those who are required to seek advice from GCHQ on
protective information security:

*make it clear that they are ***advisors*** - do not allow them to undermine
your accountability in your area of responsibility;

*ignore all advice unless GCHQ are prepared to confirm it in a written form
in which it can be properly scrutinised; bear in mind that this is vital for
your interests - if you are accountable and act on flawed advice, which you
could reasonably be expected to detect as such, then it will be your head on
the block, not theirs;  if they insist that you do something that you
believe conflicts with your accountability then insist that this is set out
in writing in such a way that they, not you, become accountable for the
consequences;

*where your department is committed to open government make it clear that,
where you take decisions on protective information security matters that
impact on UK citizens, these decisions and the rationale for them will be
subject to disclosure under your department's policy on open government.

*where possible follow the NHS example of employing an outside organisation
to act as your direct advisor (and to interface with GCHQ); commit to
publishing any resulting reports (I congratulate the NHS on this strategy).

  best regards, Brian

-----Original Message-----
From: John Young <jya@pipeline.com>
To: ukcrypto@maillist.ox.ac.uk <ukcrypto@maillist.ox.ac.uk>
Date: Friday, October 24, 1997 02:04
Subject: Re: DTI Report



>That evidence would be of public benefit would it not, and thus deserving
of
>publication?
>
>NSA at the moment is refusing to provide an ex-USG cryptographer personally
>exculpatory information and related cryptographic algorithms on the grounds
>that if the information is released only to him it will not receive
>sufficiently
>public distribution to warrant release as "an aid to the public's
>understanding of
>how government works."
>
>That is, because he is not a journalist or scholar or other well-linked
>personage,
>he does not qualify for receipt of data on himself and his cryptographic
>work at
>Sandia National Labs.
>
>See NSA's letters of refusal along with "neither confirm nor deny"
prevarication
>on electronic intercepts:
>
>   http://jya.com/nsasuit7.htm
>