CR&CL(UK) Response to the Secure Electronic Commerce Statement

Yaman Akdeniz lawya at lucs-01.novell.leeds.ac.uk
Tue, 28 Apr 1998 13:33:23 GMT0BST


Cyber-Rights & Cyber-Liberties (UK)
<http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm>

For Immediate Release, April 28, 1998

The Cyber-Rights & Cyber-Liberties (UK) Response to the Secure
Electronic Commerce Statement

Press Release

LEEDS - "Privacy is still not an issue with the newly announced UK
government policy on the use of encryption systems within Britain,"
said Yaman Akdeniz, head of the Leeds based Cyber-Rights &
Cyber-Liberties (UK) organisation in a statement issued this morning.

Cyber-Rights & Cyber-Liberties (UK)'s immediate response to the newly
announced government policy concentrates on the use of encryption for
private communications. Although the government's commitment to
develop online commerce and to follow international developments is
welcome, Cyber-Rights & Cyber-Liberties (UK) is not happy with the
fact that some of the more important issues, such as a right to
private communications and some important issues related to the
judicial warrants, are neither clearly explained nor justified.

The Cyber-Rights & Cyber-Liberties (UK) Response to the Secure
Electronic Commerce Statement

Introduction

The new policy, entitled "Secure Electronic Commerce Statement", was
announced in the form of a written reply to a Parliamentary question.
It follows from the previous government's Trusted Third Party
initiatives, and the idea of the TTPs still remains, but this time on
a "voluntary basis".

The Government statement now has a clear policy differentiation
between digital signatures and the use of encryption. This statement
concentrates more on the use of digital signatures and therefore the
emphasis is on the Government's commitment to a safe and secure basis
for the development of electronic commerce. Although this is welcome,
it should be noted that these follow mainly from the OECD Guidelines
on Cryptography Policy (with which the paper claims to be fully
compatible) and from the European Commission's Communication on
Encryption and Electronic Signatures (COM (97)503). These were rather
expected, as in any other case the UK position would have serious
conflicts with, especially, European Union policy.

Privacy is not mentioned

While the government will contribute to the development of a
Europe-wide Electronic Signature Directive, the policy on the use of
encryption still remains unclear and muddy. Cyber-Rights &
Cyber-Liberties (UK), a non-profit organisation concerned with the
privacy of online communications, notes that although the new
government proposals claim that the policy is fully compatible with
the OECD Guidelines, the issue of privacy is carefully left out again
and there is no mention of the word privacy anywhere in the new
statement. A right to privacy will soon be created within Britain
under the Human Rights Bill and "a right to respect for a private
life" will be part of British law for the first time. (Note that a
right to privacy will be the subject matter of another forthcoming
piece of legislation within the UK under the Data Protection Bill
1998.) Therefore these other national developments, which have
significant importance for the use of strong encryption, should be
respected and considered in any forthcoming policy.

OECD Guidelines and the EU Communication paper do refer to privacy

It should also be noted that principle 5 of the OECD Guidelines on
Cryptography Policy stated that "the fundamental rights of individuals
to privacy, including secrecy of communications and protection of
personal data, should be respected in national cryptography policies
and in the implementation and use of cryptographic methods." In
addition to the OECD Guidelines, the European Commission's
Communication on Encryption and Electronic Signatures (COM (97)503),
which is mentioned by the government's new policy, points out that:

"International treaties, constitutions and laws guarantee the
fundamental right to privacy including secrecy of communications (Art.
12 Universal Declaration of Human Rights, Art. 17 International
Covenant on Civil and Political Rights, Art. 8 European Convention on
Human Rights, Art. F(2) Treaty on EU, EU Data Protection
Directive)... Therefore, the debate about the prohibition or
limitation of the use of encryption directly affects the right to
privacy, its effective exercise and the harmonisation of data
protection laws in the Internal Market."

Judicial Warrants and crime prevention

In developing its policy on encryption, the new Government policy
states that it has given serious consideration to the risk that
criminals and terrorists will exploit strong encryption techniques to
protect their activities from detection by law enforcement agencies.
Therefore the government favours judicial warrants and legal
interception of communications on a case by case basis. The policy
paper states that "the new powers will apply to those holding such
information (whether licensed or not) and to users of encryption
products." This is justified by the fact that judicial warrants are
regularly used (see paragraph 13) for the interception of
communications within Britain, although among the 2600 interception
warrants issued during 1996-97 by the Home Secretary there is no
direct reference to the interception of encrypted messages through the
use of the Internet. Another important issue to be noted is that the
number of such warrants has gone considerably higher in the last two
years (910 warrants issued in 1995 compared to 473 in 1990 - see below
for the full figures). Therefore these figures do not justify the
government's worries.

Right to silence and self-incrimination

The interception of messages is important, but it should be remembered
that terrorists and organised criminals are detected through a variety
of techniques involving mainly informers and surveillance. It also
remains to be seen how the Home Office will tackle the issue of a
"right to silence", sometimes termed a privilege against
self-incrimination, with the judicial warrants being served for the
decryption of messages. The right embraces the idea that the accused
is under no legal obligation to assist police with their inquiries,
although the courts may draw inferences under sections 34-37 of
the Criminal Justice and Public Order Act 1994.

Although the OECD Guidelines stated that "national cryptography
policies may allow lawful access to plaintext, or cryptographic keys,
of encrypted data," it immediately reiterated that "these policies
must respect the other principles contained in the guidelines to the
greatest extent possible" and this would include respect for privacy
under the fifth principle (see above).

Conclusion

The EU communication paper on encryption stated that "most of the
(few) criminal cases involving encryption that are quoted as examples
for the need of regulation concern `professional' use of encryption.
It seems unlikely that in such cases the use of encryption could be
effectively controlled by regulation." Criminals cannot be entirely
prevented from having access to strong encryption and from bypassing
escrowed encryption. Benefits of regulation for crime fighting are
therefore not easy to assess and are often expressed in fairly general
language, as happens with the new government policy.

It remains to be seen what the Home Office will suggest and how they
will tackle the issue but certainly the encryption wars and the
debates about access to keys will continue and Cyber-Rights &
Cyber-Liberties (UK) will continue to address these fundamental
issues.


Written and signed by:

Mr Yaman Akdeniz,
Cyber-Rights & Cyber-Liberties (UK)


Notes for the Media

Department of Trade and Industry, "Proposals For Secure Electronic
Commerce Bill Published," PN/98/320, 27 April, 1998 at
http://www.coi.gov.uk/coi/depts/GTI/coi0803e.ok

Cyber-Rights & Cyber-Liberties (UK), "First Report on UK Encryption
Policy" is available at
<http://www.leeds.ac.uk/law/pgs/yaman/ukdtirep.htm>.

Cyber-Rights & Cyber-Liberties (UK) advises Jack Straw, the UK Home
Secretary, on the issue of encryption, press release, 02 February,
1998, at <http://www.leeds.ac.uk/law/pgs/yaman/crclukpr-3.html>.

British and Foreign Civil Rights Organisations Oppose Encryption
Paper, 9 April 1997. See
<http://www.leeds.ac.uk/law/pgs/yaman/crypto_b.htm>.

Akdeniz, Y et al, "Cryptography and Liberty: Can the Trusted Third
Parties be Trusted? A Critique of the Recent UK Proposals," 1997 (2)
The Journal of Information, Law and Technology (JILT).
<http://elj.warwick.ac.uk/jilt/cryptog/97_2akdz/>.

Total figures for warrants issued in England and Wales 1989-1995:
1989 - 458, 1990 - 515, 1991 - 732, 1992 - 874, 1993 - 998, 1994 - 947,
1995 - 997. See `UK: Phone-tapping doubles in 5 years', Statewatch
Bulletin, Vol 6 no 3, May-June 1996, and also the Report of the
Commissioner for 1995, Interception of Communications Act 1985. Cm
3254, HMSO, Report of the Commissioner for 1994, Security Service Act
1989, for 1995. Cm 3253, HMSO, Intelligence Services Act 1994, for
1995. Cm 3288, HMSO, MI5 The Security Service, 2nd edition, HMSO.

Akdeniz, Yaman and Bowden, Caspar, "Cryptography and Democracy:
Dilemmas of Freedom," in Jonathan Cooper ed., Liberating Cyberspace:
Civil Liberties, Human Rights, and the Internet, London: Pluto Press,
April 1998. See http://www.leeds.ac.uk/law/pgs/yaman/cryptdem.htm

Akdeniz, Y., "No Chance for Key Recovery: Encryption and International
Principles of Human and Political Rights," (1998) Web Journal of
Current Legal Issues 1. See
http://webjcli.ncl.ac.uk/1998/issue1/akdeniz1.html

Abelson, Anderson, et al., "The Risks of Key Recovery, Key Escrow, and
Trusted Third Party Encryption," 1997, at
<http://www.crypto.com/key_study/>.

Global Internet Liberty Campaign Member Statement: New UK Encryption
Policy criticised, February 1998, is available at
http://www.leeds.ac.uk/law/pgs/yaman/crypto-uk.html. The press release
for this statement is available at:
http://www.leeds.ac.uk/law/pgs/yaman/crypto-ukpress.html

GILC, Cryptography and Liberty: An International Survey of Encryption
Policy, February 1998, at
<http://www.gilc.org/crypto/crypto-survey.html>. A world survey of
crypto policies released in February has found that most countries do
not restrict the use of encryption.

The Labour Party Policy on Information Superhighway before the May
1997 elections, "Communicating Britain's Future,"
<http://www.labour.org.uk/views/info%2Dhighway/content.html>.

European Commission Communication, "Towards A European Framework for
Digital Signatures And Encryption," Communication from the Commission
to the European Parliament, the Council, the Economic and Social
Committee and the Committee of the Regions ensuring Security and Trust
in Electronic Communication, COM (97) 503, October 1997, at
<http://www.ispo.cec.be/eif/policy/97503toc.html>.

OECD Cryptography Policy Guidelines: Recommendation of the Council
Concerning Guidelines for Cryptography Policy, 27 March 1997, at
<http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm>.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yaman Akdeniz <lawya@leeds.ac.uk>
Cyber-Rights & Cyber-Liberties (UK) at:
http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm

Read CR&CL (UK) Report, 'Who Watches the Watchmen'
http://www.leeds.ac.uk/law/pgs/yaman/watchmen.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~