US Plans for Decryption Orders

Brian Gladman gladman at seven77.demon.co.uk
Mon, 2 Aug 1999 14:52:42 +0100 

From: Peter Mitchell <pete@dmed.demon.co.uk>
To: <ukcrypto@maillist.ox.ac.uk>
Sent: 02 August 1999 9:59 AM
Subject: Re: US Plans for Decryption Orders


[snip]
>
> Brian: I have been puzzled by the correspondence on UK-crypto about the
> decryption order provisions of the draft UK bill. Some people seem to be
> objecting to *any* police access to encrypted documents.
>
> Could you, just very briefly and when you have time, explain how you
> think they represent GAK? Do you just mean that the bill would give the
> police the right to demand that a suspect decrypts any relevant
> documents in his possession? That power (limited by due process etc etc)
> seems essential to me, pace the burden-of-proof issue which is clearly
> unacceptable as it stands.

Lets have a go, first the acronyms:

GAK = Government Access to Keys
LEAK = Law Enforcement Access to Keys

The Bill as drafted will give the government the right to obtain my
decryption keys.  Although it says I ***might*** be allowed to provide plain
text instead, this is not possible if an order specifies that keys are
required.  The government would hence acquire the power to force me to
reveal keys which might well protect my entire privacy, safety and security
(i.e. not just the information being targetted).

Although there is a tendency to associate GAK with key-escrow, the latter is
just one of many ways in which the Government can legislate to gain forced
access to decryption keys.  And we now have the somewhat bizarre situation
where we have got rid of key-escrow only to find that it has been replaced
by GAK in another form.

I see a sharp distinction between GAK and a 'requirement to decrypt'. In the
former case I am forced to give up control of my safety, privacy and
security whereas in the latter case I remain in control.  In a 'requirement
to decrypt' situation the Government has to supply what is to be decrypted
and I can decide if I don't want them to see particular messages that they
wish to see.  I might have to go to jail to stop them seeing something but
at least I have this choice - if I feel strongly enough that they should not
see something I can make this decision and take the consequences.

But if I am forced to give up my long term personal keys then the Government
is in control not only of my privacy and security and also that of all the
other people with whom I exchange (or have exchanged) email using the keys
concerned.  IMHO this tips the balance too far towards the State.

We will all 'draw the line' at different places - some will not want to see
even a an 'obligation to decrypt' but I feel that this is something that
will benefit law enforcement without placing an unreasonable obligation on
individuals.  Giving up keys, however, is too great an infringement of the
rights of individuals for my liking.

I hope this helps - if not get back to me.

         Brian