U.K. seeks voluntary key recovery

[Yaman Akdeniz]

http://www.news.com/News/Item/Textonly/0,25,21538,00.html?pfv

U.K. seeks voluntary key recovery
By Courtney Macavinta
Staff Writer, CNET NEWS.COM
April 27, 1998, 4:40 p.m. PT

New encryption legislation coming down the pike in the United
Kingdom calls for the voluntary licensing of entities that supply data
security products and carves out room for law enforcement to get the
keys that unscramble private communication.

The United Kingdom's Department of Trade & Industry proposal
released today aims to foster e-commerce by promoting the use of
encryption, which is expected to bolster consumer confidence in
the security of their online transactions.

But similar to a policy being developed in the United States, the
British plan would institute a voluntary encryption key-recovery
system in which licensed authorities could help retrieve lost keys for
corporations and citizens or for law enforcement officials during an
investigation.

But the tradeoff for voluntarily including key recovery is not
clear. It appears that the governments that favor these plans are
dangling the hope that they will relax--or remove--export controls on
strong encryption if a critical mass of companies support voluntary
key recovery. As reported earlier, the Americans for Computer Privacy
is working on draft legislation that would encourage voluntary key
recovery but would overturn a federal mandate for such systems in
exported products.

But it also is unclear what specific incentives the British
government will give for instituting the key recovery.

"Licensed service providers that provide encryption services will,
therefore, be required to make recovery of keys or other information
protecting the secrecy of the information possible through suitable
storage arrangements," Barbara Roche, undersecretary of state at the
Department of Trade and Industry, stated in a letter to Parliament.

"The government intends to introduce legislation to enable law
enforcement agencies to obtain a warrant for lawful access to
information necessary to decrypt the content of communications
or stored data, in effect the encryption key," she added. "They
will be exercisable only when appropriate authority has been
obtained--for example, a judicial warrant for the purpose of a
criminal investigation or, in the case of interception of
communications, a warrant issued by a Secretary of State--and
will be subject to strict controls and safeguards."

Although some U.S. companies favor voluntary key recovery
systems, on the whole the crypto industry here objects to
government mandates--which now are tied to export rules--on
grounds that it hinders the ability to compete with global
manufacturers that face no export controls.

Along with privacy advocates, the private sector is hankering to
overturn the Clinton administration's current policy, which
requires the licensing of strong encryption export products and
mandates that companies submit proof of their plans to build
key-recovery features into their products after next year. Even
high officials within the administration are now admitting that the
policy isn't working.

White House advisers now are overseeing heated negotiations to
balance the requests of law enforcement with industry. Some
observers say the final proposal will look a lot like the British
proposal submitted today.

The move in the United Kingdom alarmed some civil liberties
watchdogs here in the United States, who charge that consumers
won't trust products that give law enforcement the ability to break
the strong crypto codes that protect private digital discourse.

"The United States is influencing the U.K. [Department of
Trade]," said Dave Banisar, legal counsel for the Electronic
Privacy Information Center (EPIC). "They seem to be ignoring
the problems and more than 260 public comments submitted on
this issue."

In February, the Global Internet Liberty Campaign (GILC)--of
which EPIC is a member--warned the British government that
key storage systems are not secure.

"Inevitably, key recovery or 'trusted third party' schemes
introduce vulnerabilities into cryptographic systems, creating
opportunities for insider abuse and criminal attack," stated the
letter to U.K. Home Secretary Jack Straw, who reportedly
endorsed broad access to crypto keys for law enforcement.

"Key recovery agents will hold in centralized databases the keys
to the information and communications their individual and
corporate customers most value; and this key recovery
infrastructure will become a highly attractive target for criminals,"
the GILC added. "Leading computer security experts have warned that
building the secure computer communication infrastructures necessary
to support government-specified key recovery is far beyond the
experience and current competency of the field."

The effectiveness of key-recovery also was taken to task by a
U.S. National Security Agency report that was leaked this month
to various high-tech trade associations and civil liberties groups.

"The rogue user is interested in circumventing the [key-recovery]
system so that his messages cannot be read by law enforcement or any
other authority which has been granted that privilege by the
key-recovery system," the report states. "Note that if the sender and
receiver both collaborate to defeat key recovery, there is no
technical method from preventing this. So the design threshold for a
key-recovery system should take this fact into account."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yaman Akdeniz <lawya@leeds.ac.uk>
Cyber-Rights & Cyber-Liberties (UK) at:
http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm

Read CR&CL (UK) Report, 'Who Watches the Watchmen'
http://www.leeds.ac.uk/law/pgs/yaman/watchmen.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~