God Save the Keys

Putrefied Cow waste at zor.hut.fi
Fri, 4 Jun 1999 17:34:47 +0300 (EEST) 

   God Save the Keys
   June 03, 1999
   
   The United States may have been the first country to guarantee its
   citizens freedom of speech, but when it comes to guaranteeing private
   speech in the digital age, jolly old England may be one step ahead.
   
   Unlike its U.S. Justice Department counterpart, the United Kingdom's
   Home Office recently softened its position on requiring companies that
   use strong encryption to deposit a copy of their "keys" with an agency
   of the government or a "trusted" third party.
   
   Last week, while in London, I was briefed by a Home Office
   representative about the agency's change of heart in this classic battle
   between law enforcement's desire to catch bad guys and British subjects'
   right to communicate in privacy.
   
   Just as in the United States, British law-enforcement officials and
   businesses have locked horns over the issue of encryption. Companies
   that do business over the Internet insist they must be able to use the
   strongest encryption available and that they--not any government--should
   decide who keeps the keys to unlock that data. The Clinton
   administration and its counterparts in the United Kingdom have long
   argued that the government needs the ability to access a "key" to
   privately encrypted messages. They argue that this allows
   warrant-wielding law-enforcement officials to fight crime by breaking
   the encrypted code of terrorists, pedophiles and other criminals.
   
   The FBI remains steadfast in its pursuit of the right to peer into your
   data, regardless of whether you're suspected of breaking the law. But
   the U.K.'s Home Office is expected to announce later this week that it
   has given up in its efforts to require British subjects--even suspected
   criminals--to turn over their encryption keys to the government, third
   parties or law-enforcement officials.
   
   The new proposal is an amendment to a March proposal disseminated by the
   Department of Trade and Industry. Under the March proposal, users
   weren't required to deposit keys into escrow, but they would be forced
   to turn over keys when so ordered by a court. Even that somewhat more
   liberal procedure, however, could jeopardize a company's security,
   because it could reveal codes that could be used to decipher other
   encrypted data that wasn't the subject of the court order.
   
   The new proposal, which has not yet been presented to Parliament,
   wouldn't require any disclosure of encryption keys, just a legible copy
   of encrypted material. Rather than ask for the combination to a
   suspected criminal's safe, the government would require the criminal to
   open the safe and turn over a copy of whatever the government wanted to
   see. Failure to comply with a lawful order could result in a two-year
   prison sentence. It will call for penalties to individuals who refuse to
   turn over legible copies of suspected data when presented with a warrant
   or court order.

   Cyberlibertarians 
   
   Although the proposal falls short for cyberlibertarians on both sides of
   the Atlantic, it's a move in the right direction from British officials'
   previous demands and the tactics promulgated by the Clinton
   administration.
   
   Shari Steele, Staff Counsel for the Electronic Frontier Foundation
   agrees that the British proposal is a "step in the right direction" but
   feels that it falls short of what is needed to assure secure
   communications in the digital age. "We don't like the idea of making
   encryption a greater crime," she says. Today, even if you're handed a
   search warrant in the United States or Britain, "you're not required to
   open the safe." If the police want to break it open, that's one thing,
   but with encryption, "they want their job to be easier."
   
   Steele's arguments are consistent with the EFF's strong support of civil
   liberties in cyberspace, yet I can understand where law enforcement is
   coming from in its desire to have tools that can break down the digital
   safes of suspected criminals. Cops (and bobbies) are afraid criminals
   will gain the upper hand if they are able to use encryption to make it
   virtually impossible for law enforcement to gather the evidence needed
   to prosecute crimes.
   
   Yet, one of the greatest crimes I can imagine is one that would
   undermine freedom of speech. True, the First Amendment is a U.S.
   ordinance, but the British adopted many of the same concepts once they
   became a constitutional monarchy.
   
   I've always felt that if one is to err, it's better to err on the side
   of freedom. Nevertheless, the Brits may be onto something. By focusing
   on the data of suspected criminals rather than the keys of legitimate
   businesses, they are at least putting the onus where it belongs. While
   it may not be enough, it's a significant step in the right direction.