"Critical letter on the UK Encryption policy sent to the Prime M
Yaman Akdeniz
lawya at lucs-01.novell.leeds.ac.uk
Tue, 15 Jun 1999 13:47:41 +0000
Cyber-Rights & Cyber-Liberties (UK) Press Release
"Critical letter on the UK Encryption policy sent to the Prime
Minister"
15 June, 1999
LEEDS - In a letter sent to the Prime Minister, the Board Members of
Cyber-Rights & Cyber-Liberties (UK) criticised the recently published
Cabinet Office Report entitled Encryption and Law Enforcement. The
letter states that "while we welcome this report as an initial step,
we are concerned to find that it places too much emphasis on the value
of encryption in support of business interests whilst giving
insufficient attention to the interests and concerns of consumers and
private citizens."
The letter (which is available through
http://www.cyber-rights.org/reports/blair-letter.htm) also stated that
the board members of Cyber-Rights & Cyber-Liberties (UK) are surprised
and concerned about the legislative proposals that the Cabinet Office
report contains, which seem to propose steps that could remove
important civil rights and protections.
Dr. Brian Gladman, Technology Policy Adviser for Cyber-Rights &
Cyber-Liberties (UK) stated that:
"The absence of any coverage of cryptography export controls and their
detrimental impact on electronic commerce is a surprising and serious
omission. This appears to be an attempt on the part of Government to
divert attention from an area where their ongoing actions are totally
inconsistent with their stated aim of promoting electronic commerce."
Mr. Nicholas Bohm,E-Commerce Policy Adviser for Cyber-Rights &
Cyber-Liberties (UK) added that:
"It would be a grave embarrassment, both for the Government and for
Britain's position in the world of electronic commerce, for the
Government's E-Commerce Bill to be found inconsistent with the Human
Rights Act."
Mr. Yaman Akdeniz, Director of Cyber-Rights & Cyber-Liberties (UK)
concluded that:
"The joint government industry forum is a step in the right direction.
However, it will only succeed if representation is widened to include
representatives from consumer, civil liberties and public interest
bodies in order to ensure that the interests of UK citizens are fully
recognised, represented, and protected. Public accountability,
openness and transparency will also be essential if such a forum is to
command the trust and confidence of the UK public."
Notes for the Editors
The Cyber Rights & Cyber-Liberties (UK) letter has been sent to The
Right Honourable Tony Blair, PC, MP, The Prime Minister on Monday,
June 14, 1999.
The Cyber-Rights & Cyber-Liberties (UK) letter is available at
http://www.cyber-rights.org/reports/blair-letter.htm
A PDF version of this letter is available at
http://www.cyber-rights.org/reports/blair-letter.pdf
The Cabinet Office report entitled Encryption and Law Enforcement is
at:
http://www.cabinet-office.gov.uk/Innovation/1999/encryption/index.htm
This press release will be available at
http://www.cyber-rights.org/crypto
For a list of Cyber Rights & Cyber-Liberties (UK) reports and papers
see http://www.cyber-rights.org/reports.
Contact Information
Dr Brian Gladman, Technology Policy Adviser,
Cyber Rights & Cyber-Liberties (UK)
Telephone: 01905 748990, dial +44 1905 748990 if you are abroad.
E-mail: brg@cyber-rights.org
Mr Nicholas Bohm, E-Commerce Policy Adviser,
Cyber Rights & Cyber-Liberties (UK)
Telephone: 01279 871272, dial +44 1279 871272 if you are abroad.
E-mail: nbohm@cyber-rights.org
Mr Yaman Akdeniz, Director of Cyber-Rights & Cyber-Liberties (UK)
Telephone: 0498-865116, dial +44 498 865116 if you are abroad. E-mail:
lawya@cyber-rights.org
This is a copy of the letter sent to the PM but the more detailed
version of this letter with the annexe is available through the web
pages:
Open Letter to:
The Right Honourable Tony Blair, PC, MP, The Prime Minister
10 Downing Street
London SW1
The Cabinet Office PIU Paper on Encryption and Law Enforcement
Dear Prime Minister,
1. This is a response from the Board Members of Cyber-Rights &
Cyber-Liberties (UK) to the Cabinet Office Paper entitled "Encryption
and Law Enforcement" published in May 1999 by the Performance and
Innovation Unit.
2. We should say at the outset that we are pleased to see that the
Cabinet Office is now considering the Government's policy on
encryption. It has been clear for several years that such a change
was needed in order to reconcile the different interests of the many
departments that are involved.
3. The objectives of the study and the report as set out in your
introduction are most welcome. The promotion of electronic commerce
promises to bring significant benefits for UK citizens and encryption
services, used effectively, can provide the safety, security and
privacy that citizens need if they are to have trust in the
information handling that is involved. We warmly welcome the
Government's commitment to these aims and hope that the outline
approach set out in this report can be further developed to provide
encryption policies that meet Government aims whilst also commanding
the support of industry and private citizens.
4. However, while we welcome this report as an initial step, we are
concerned to find that it places too much emphasis on the value of
encryption in support of business interests whilst giving insufficient
attention to the interests and concerns of consumers and private
citizens.
Privacy
5. A significant failing of the report is that it does not adequately
recognise the value of encryption for maintaining and improving the
privacy of UK citizens by ensuring that their communications and
stored personal data are protected from access by others. Although
the use of information technology in electronic commerce will offer
major new services for consumers, it will also create many new avenues
through which the privacy and personal safety of UK citizens could be
undermined. If citizens are to have confidence in electronic commerce
and in the electronic information handling that this involves it is
vital that their privacy is adequately ensured. The use of encryption
is now universally seen as a primary way in which this can be
achieved.
6. We are concerned that privacy issues are not sufficiently covered
in the PIU report and feel that this is the result of an unbalanced
view of the value of encryption. In large measure the report is
written from a perspective which sees encryption use as a threat to
law enforcement rather than a way of improving the safety, security
and privacy of law abiding citizens.
7. In an ideal world it would be possible to provide encryption for
lawful use whilst denying its benefits to criminals and others with
malign intent. In the real world, however, effective encryption of
the kind needed to protect the interests of law abiding citizens
cannot be provided in a form that prevents criminals also deriving
advantages from its use. In this situation Government policy cannot
prevent criminal use and should instead aim to ensure that encryption
provides net overall benefits for society. The requirement set out
at the end of part four of the report that "the development of
electronic communications, which promises many benefits to businesses
and individuals, should not also give assistance to those who are
engaged in serious crime" is hence an ideal but unrealistic policy
objective. If such a requirement had been applied to other ex-isting
technologies, none could ever have been used for the benefit of
society, since they have all provided benefits for criminals as well.
(The private car is just one of innumerable examples.) We therefore
urge the Government to give an assurance that its encryption policy
objectives are designed to ensure a net benefit for society and not to
deny encryption use by law abiding citizens simply be-cause it can
also be used by criminals.
Involvement and Consultation
8. In many areas it is possible to have a dialogue between
Government and industry without giving separate consideration to the
interests of the UK public. This will be true, for example, where
either the Government or industry has a clear alignment with public
interests to an extent that ensures that these are adequately
protected in the processes of policy development.
9. Sadly in the field of encryption policy such an approach is
certain to fail since neither the Government nor industry commands the
full trust of the public in this area.
10. Successive UK Governments have maintained a long-standing but
largely covert policy of protecting the ability of intelligence
agencies to freely collect information with scant regard for the
impact of such a policy on the safety, security or privacy of UK
citizens. This emphasis may have been justified during the Cold War
period, but the reaction of informed public opinion to the growing
volume of published information about that policy now suggests that it
no longer commands widespread public sup-port.
11. A serious consequence of this lack of balance in the formulation
of UK Government encryption policy is that many UK citizens do not see
the Government as truly acting in their interests - in short they no
longer trust the Government in this respect. And in the case of your
own Government this lack of trust was greatly reinforced by the sudden
and unexplained change of policy on encryption that occurred soon
after the last election.
12. UK citizens have even more to fear from an alignment between
Government and industry in which their own interests are not
independently represented. Historically, telecommunications
companies have co-operated `behind the scenes' with Governments to
ensure that agencies of Government can access the private
communications of their customers without their consent. Such abuses
have been commonplace in telecommunications generally and have even
been pursued through international standards bodies, where governments
have obtained the support of industry for seriously weakening the
encryption provided for telecommunications in order to ensure that it
is possible to infringe the privacy of users.
13. For these reasons we are deeply dismayed to find that the study
team has, in the main, consulted precisely those organisations that
are implicated in such activities. As far as can be seen, no attempt
was made to consult or involve civil liberties or public interest
organisations. Moreover, the study team has quite consciously
excluded such interests during its work, an action that does much to
undermine public confidence in its conclusions and recommendations.
14. In our view this major weakness in the policy formulation
process must be remedied if the Government is to restore full public
confidence in its encryption policies and the way in which they are
formed.
A New Approach
15. We welcome, with two major reservations, the proposal for a `new
approach' based on co-operation between Government and industry.
16. Our first reservation is that the activities of the proposed
forum and its subordinate bodies will need to be subject to clear
lines of public accountability if they are to command the support and
confidence of the UK public.
17. Our second reservation is that the forum must be extended to
include representation from consumer organisations, civil liberties
and public policy review bodies and from lay members of the public.
Without such wider involvement, the forum and its supporting bodies
could easily develop into a conspiracy between Government and industry
to undermine the interests of private citizens as has occurred in the
past (this has happened, for example, in the European
Telecommunications Standards Institute, where encryption standards
have been deliberately weakened so that the privacy of users could be
infringed without their consent).
18. We hence emphasise that our support for the approach now being
advocated is conditional on changes being introduced to meet these
concerns. In the form currently advocated we could never have
confidence in the operation of the bodies envisaged in these
proposals.
Legislative Issues
19. We are surprised and concerned about the legislative proposals
that the report contains, which seem to us to propose steps that could
remove important civil rights and protections.
20. With public key cryptography only message recipients have
decryption keys and this means that a guilty party can compromise an
innocent party's key by sending them an encrypted message that causes
law enforcement authorities to seek access. The key needed for this
belongs to the recipient and is almost certain to protect not only the
targeted message but many other messages as well. In such
circumstances it is surely unjust to impose a requirement to reveal
keys on an entirely innocent party who is not involved in any
wrongdoing. It should be sufficient for this party to offer a
decrypted copy of the targeted message if they are able to do so. The
creation of a situation in which a guilty party can put an entirely
innocent party at risk in this way is surely not a step that any
democratic Government would consciously take.
21. Worse even than this, a guilty party can use a random key to
send a message to an innocent party for which the latter has never
possessed any decryption key. If faced with a requirement to decrypt
this message, or to provide the decryption key, this innocent party
would have to prove that they do not possess such a key. For all
practical purposes such a proof would never be possible.
22. To impose such an impossible burden of proof on an accused must
amount to an infringement of the presumption of innocence embodied
under article 6 of the European Convention on Human Rights. This
would be contrary to the recently enacted Human Rights Act 1998 and
would create a miscarriage of justice by seriously infringing the
right to a fair trial because the accused may not be in a position to
provide evidence at all.
23. We cannot support such proposals, which we believe would be a
serious curtailment of important and well-established civil rights.
Other Concerns
24. In addition to these concerns we also have a number of more
detailed observations on these and other points that are set out in
the Annex to this letter.
25. We remain ready to work constructively with the Government to seek
further evolution of the proposals set out in the PIU report to meet
the reservations expressed here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr. Yaman Akdeniz,
Director, Cyber-Rights & Cyber-Liberties (UK)
URL: http://www.cyber-rights.org
E-mail: lawya@cyber-rights.org
Read the CR&CL (UK) Reports at:
http://www.cyber-rights.org/reports/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~