What has really changed ...

Thu, 12 Aug 1999 12:00:13 +0100

At 05:05 PM 8/11/1999 +0100, Alistair Kelman wrote:

>I think we must really distinguish between electronic commerce type 
>activities and other activities. When a person uses encryption in 
>electronic commerce he/she is engaged in activities which are implicitly 
>or explicitly making use of an economic and legal framework (contracts, 
>binding representations, financial transactions, intellectual property 
>rights etc). The implicit or explicit use of this infrastructure requires 
>these transactions to be accessable by society.

No.  Not in general, only in particular cases for particular purposes.  

The mere fact that I make a contract does not oblige me to keep its
contents accessible to society, even though to enforce it I would have to
use mechanisms provided by society.  If there were any such obligation,
agreements made in private by word of mouth would not be legally binding.
There is simply no basis in fact for this bit of vague social philosophy.

When you come down to particular cases it can be different.  If my contract
is relevant to tax liability, or eligibility for social secirity benefits,
I may be obliged to provide information about it, for example.  But the
fact that the State has precisely delimited rights of access in particular
cases is enough to negative any general social right.

>Conversely when citizens are using encryption for social or political 
>purposes (such an Amnesty International) there is not need for these 
>transactions to be accessable to society.
>
>The third area is where citizens use encryption to hide criminality - 
>plotting a murder or a terrorist attack. 
>
>In my view Key Recovery is an essential component in the proper use of 
>encryption in Electronic Commerce. But it is totally unacceptable when 
>citizens are using encryption for social or political purposes. Also it is 
>pointless when encryption is used to hide criminality - since criminals 
>are not going to escrow their private encryption keys.

Of course, if I conceal information for the purposes of tax or social
security fraud, I become a criminal and fall out of the "Key Recovery
Essential" class into the "Key Recovery Pointless" class instead.  If I
don't conceal it, I presumably inhabit the "Key Recovery Unnecessary" class.

This all seems absurd to me at the level of theory.  When you go on to
consider the practicality of establishing systems that distinguish between
different categories of data in their use of encryption systems (especially
for those who do some work from home), the argument proceeds from the
absurd to the ridiculous.

All this entertaining disagreement, however, may overshadow Alistair's
important conclusion, which is that the Bill remains a potent vehicle for
the promotion of key escrow.  The NCIS campaign seems to have some life in
it (although it could be a timelag problem:  it took a very long time for
the NCIS clockwork to be wound up far enough to show visible action, and we
may just be watching the spring running slowly down again).

I do not feel there is much to be done with Part I of the Bill, other than
lament its pointlessness and observe that it is odd for a set of allegedly
reserve powers to begin "It shall be the *duty* of the Secretary of State
..." (my asterisks for emphasis) instead of "The Secretary of State may ..."

When it comes to clause 8, however, we need to look at limiting the powers
so as to prevent discrimination designed to promote key escrow, and indeed
to prevent unnecessary requirements for third party signature certification.

Regards,

Nicholas Bohm

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone		01279 871272	(+44 1279 871272)
Fax		01279 870215	(+44 1279 870215)
Mobile   	0860 636749  	(+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF