PIU report and human rights

Duncan Campbell duncan at gn.apc.org
Tue, 15 Jun 1999 17:14:32 +0100


15 June 1999

The caped crypto-liberty crusaders, Yaman (Akdeniz), Brian (Gladman) and 
Nick (Bohm) have written a pretty fine letter to 
Blair  http://www.cyber-rights.org/reports/blair-letter.htm  which I assume 
will arrive on this list shortly.

A central point they make relates to the PIU (Performance and Innovation 
Unit) report
http://www.cabinet-office.gov.uk/Innovation/1999/encryption/index.htm on 
"Encryption and UK Law Enforcement".   In endorsing the DTI suggestion for 
a power to demand encryption keys, the PIU add the suggestion that the 
burden of proof be reversed such that the recipient of a key disclosure 
order has to prove that they do not possess the keys sought.

It is trite to point out that this is logically absurd and rather more 
significant to point out that it is legally untenable.  Article 6 of the 
European Convention outlaws any requirement for the defendant to a criminal 
action to prove their innocence.    It is always for the prosecution to 
show that the defendant does possess the keys and will not hand them over.

Lawyers among us may care to note and find out about an Article 6 case that 
is going through the Appeal Courts as we speak.  This is happening AFAIK 
because UK judges are already treating the Human Rights Act as though it 
were in force, for the very sensible reason that it will have retrospective 
effect once it is in force.  The case in issue is R v Kebilene and others, 
where the defendants do not dispute possession of material relevant to bomb 
construction which may have been passed to others fighting for civil rights 
in Algeria.   Under recent amendments to the Prevention of Terrorism Acts, 
they have to prove that their intention was not to bring about terrorist 
offences.   This law appears clearly to breach Article 6, and if this 
contention is upheld on appeal, the charges will be dismissed.

Re crypto : my own view is that that flaw in the PIU notion that breaches 
Article 6 will be spotted on day one and would never actually have to be 
taken out of the Bill in Parliament.   But it is another indication of how 
completely flustered HMG are over this entire issue.   After the drubbing 
from the T&I Select Committee and given the confusion that PIU has shown up 
over the proposed crypto key disclosure law, surely the right thing to do 
is ditch the e-commerce bill entirely and put the crypto issue into the 
IOCA review, which is where it belongs all along.    Any takers?

Blair should take a hint from the Germans, and just watch what happens with 
liberalised crypto over a couple of years.  No-one disputes that law 
enforcement will start to face real problems, but how bad will they really 
be?  And what solutions will work best?     The last three years have shown 
the catastrophic effects of running a secret agenda and thinking that 
authoritarian solutions are the answer to everything.    Society will not 
collapse between now and 2002 if a few crimes are committed with 
crypto.   Why not wait and see?

Duncan Campbell

At 15/06/99 14:30 , you wrote:
>Cyber-Rights & Cyber-Liberties (UK)  Press Release
>
>"Critical letter on the UK Encryption policy sent to the Prime
>Minister"
>
>15 June, 1999
>
>LEEDS - In a letter sent to the Prime Minister, the Board Members of
>Cyber-Rights & Cyber-Liberties (UK) criticised the recently published
>Cabinet Office Report entitled Encryption and Law Enforcement. The
>letter states that "while we welcome this report as an initial step,
>we are concerned to find that it places too much emphasis on the value
>of encryption in support of business interests whilst giving
>insufficient attention to the interests and concerns of consumers and
>private citizens."
>
>The letter (which is available through
>http://www.cyber-rights.org/reports/blair-letter.htm) also stated that
>the board members of Cyber-Rights & Cyber-Liberties (UK) are surprised
>and concerned about the legislative proposals that the Cabinet Office
>report contains, which seem to propose steps that could remove
>important civil rights and protections.
>
>Dr. Brian Gladman, Technology Policy Adviser for Cyber-Rights &
>Cyber-Liberties (UK) stated that:
>
>"The absence of any coverage of cryptography export controls and their
>detrimental impact on electronic commerce is a surprising and serious
>omission.  This appears to be an attempt on the part of Government to
>divert attention from an area where their ongoing actions are totally
>inconsistent with their stated aim of promoting electronic commerce."
>
>Mr. Nicholas Bohm, E-Commerce Policy Adviser for Cyber-Rights &
>Cyber-Liberties (UK) added that:
>
>"It would be a grave embarrassment, both for the Government and for
>Britain's position in the world of electronic commerce, for the
>Government's E-Commerce Bill to be found inconsistent with the Human
>Rights Act."
>
>Mr. Yaman Akdeniz, Director of Cyber-Rights & Cyber-Liberties (UK)
>concluded that:
>
>"The joint government industry forum is a step in the right direction.
>However, it will only succeed if representation is widened to include
>representatives from consumer, civil liberties and public interest
>bodies in order to ensure that the interests of UK citizens are fully
>recognised, represented, and protected. Public accountability,
>openness and transparency will also be essential if such a forum is to
>command the trust and confidence of the UK public."
>
>Notes for the Editors
>
>The Cyber Rights & Cyber-Liberties (UK) letter has been sent to The
>Right Honourable Tony Blair, PC, MP, The Prime Minister on Monday,
>June 14, 1999.
>
>The Cyber-Rights & Cyber-Liberties (UK) letter is available at
>http://www.cyber-rights.org/reports/blair-letter.htm
>
>A PDF version of this letter is available at
>http://www.cyber-rights.org/reports/blair-letter.pdf
>
>The Cabinet Office report entitled Encryption and Law Enforcement is
>at:
>
>
>This press release will be available at
>http://www.cyber-rights.org/crypto
>
>For a list of  Cyber Rights & Cyber-Liberties (UK) reports and papers
>see http://www.cyber-rights.org/reports.
>
>Contact Information
>
>Dr Brian Gladman, Technology Policy Adviser,
>Cyber Rights & Cyber-Liberties (UK)
>Telephone: 01905 748990, dial +44 1905 748990 if you are abroad.
>E-mail: brg@cyber-rights.org
>
>Mr Nicholas Bohm, E-Commerce Policy Adviser,
>Cyber Rights & Cyber-Liberties (UK)
>Telephone: 01279 871272, dial +44 1279 871272 if you are abroad.
>E-mail: nbohm@cyber-rights.org
>
>Mr Yaman Akdeniz, Director of Cyber-Rights & Cyber-Liberties (UK)
>Telephone: 0498-865116, dial +44 498 865116 if you are abroad.
>E-mail: lawya@cyber-rights.org
>
>===============================
>
>This is a copy of the letter sent to the PM but the more detailed
>version of this letter with the annexe is available through the web
>pages:
>
>Open Letter to:
>The Right Honourable Tony Blair, PC, MP, The Prime Minister
>10 Downing Street
>London SW1
>
>The Cabinet Office PIU Paper on Encryption and Law Enforcement
>
>Dear Prime Minister,
>
>1. This is a response from the Board Members of Cyber-Rights &
>Cyber-Liberties (UK) to the Cabinet Office Paper entitled "Encryption
>and Law Enforcement" published in May 1999 by the Performance and
>Innovation Unit.
>
>2. We should say at the outset that we are pleased to see that the
>Cabinet Office is now considering the Government's policy on
>encryption.  It has been clear for several years that such a change
>was needed in order to reconcile the different interests of the many
>departments that are involved.
>
>3. The objectives of the study and the report as set out in your
>introduction are most welcome.  The promotion of electronic commerce
>promises to bring significant benefits for UK citizens and encryption
>services, used effectively, can provide the safety, security and
>privacy that citizens need if they are to have trust in the
>information handling that is involved.  We warmly welcome the
>Government's commitment to these aims and hope that the outline
>approach set out in this report can be further developed to provide
>encryption policies that meet Government aims whilst also commanding
>the support of industry and private citizens.
>
>4. However, while we welcome this report as an initial step, we are
>concerned to find that it places too much emphasis on the value of
>encryption in support of business interests whilst giving
>insufficient attention to the interests and concerns of consumers and
>private citizens.
>
>Privacy
>
>5. A significant failing of the report is that it does not adequately
>recognise the value of encryption for maintaining and improving the
>privacy of UK citizens by ensuring that their communications and
>stored personal data are protected from access by others.   Although
>the use of information technology in electronic commerce will offer
>major new services for consumers, it will also create many new
>avenues through which the privacy and personal safety of UK citizens
>could be undermined.  If citizens are to have confidence in
>electronic commerce and in the electronic information handling that
>this involves it is vital that their privacy is adequately ensured.
>The use of encryption is now universally seen as a primary way in
>which this can be achieved.
>
>6. We are concerned that privacy issues are not sufficiently covered
>in the PIU report and feel that this is the result of an unbalanced
>view of the value of encryption. In large measure the report is
>written from a perspective which sees encryption use as a threat to
>law enforcement rather than a way of improving the safety, security
>and privacy of law abiding citizens.
>
>7. In an ideal world it would be possible to provide encryption for
>lawful use whilst denying its benefits to criminals and others with
>malign intent.  In the real world, however, effective encryption of
>the kind needed to protect the interests of law abiding citizens
>cannot be provided in a form that prevents criminals also deriving
>advantages from its use.  In this situation Government policy cannot
>prevent criminal use and should instead aim to ensure that encryption
>provides net overall benefits for society.   The requirement set out
>at the end of part four of the report that "the development of
>electronic communications, which promises many benefits to businesses
>and individuals, should not also give assistance to those who are
>engaged in serious crime" is hence an ideal but unrealistic policy
>objective. If such a requirement had been applied to other existing
>technologies, none could ever have been used for the benefit of
>society, since they have all provided benefits for criminals as
>well.  (The private car is just one of innumerable examples.)  We
>therefore urge the Government to give an assurance that its
>encryption policy objectives are designed to ensure a net benefit for
>society and not to deny encryption use by law abiding citizens simply
>because it can also be used by criminals.
>
>Involvement and Consultation
>
>8. In many areas it is possible to have a dialogue between
>Government and industry without giving separate consideration to the
>interests of the UK public.  This will be true, for example, where
>either the Government or industry has a clear alignment with public
>interests to an extent that ensures that these are adequately
>protected in the processes of policy development.
>
>9. Sadly in the field of encryption policy such an approach is
>certain to fail since neither the Government nor industry commands
>the full trust of the public in this area.
>
>10. Successive UK Governments have maintained a long-standing but
>largely covert policy of protecting the ability of intelligence
>agencies to freely collect information with scant regard for the
>impact of such a policy on the safety, security or privacy of UK
>citizens.  This emphasis may have been justified during the Cold War
>period, but the reaction of informed public opinion to the growing
>volume of published information about that policy now suggests that
>it no longer commands widespread public support.
>
>11. A serious consequence of this lack of balance in the formulation
>of UK Government encryption policy is that many UK citizens do not
>see the Government as truly acting in their interests - in short they
>no longer trust the Government in this respect.  And in the case of
>your own Government this lack of trust was greatly reinforced by the
>sudden and unexplained change of policy on encryption that occurred
>soon after the last election.
>
>12. UK citizens have even more to fear from an alignment between
>Government and industry in which their own interests are not
>independently represented.   Historically, telecommunications
>companies have co-operated `behind the scenes' with Governments to
>ensure that agencies of Government can access the private
>communications of their customers without their consent.  Such abuses
>have been commonplace in telecommunications generally and have even
>been pursued through international standards bodies, where
>governments have obtained the support of industry for seriously
>weakening the encryption provided for telecommunications in order to
>ensure that it is possible to infringe the privacy of users.
>
>13. For these reasons we are deeply dismayed to find that the study
>team has, in the main, consulted precisely those organisations that
>are implicated in such activities.  As far as can be seen, no attempt
>was made to consult or involve civil liberties or public interest
>organisations.  Moreover, the study team has quite consciously
>excluded such interests during its work, an action that does much to
>undermine public confidence in its conclusions and recommendations.
>
>14. In our view this major weakness in the policy formulation
>process must be remedied if the Government is to restore full public
>confidence in its encryption policies and the way in which they are
>formed.
>
>A New Approach
>
>15. We welcome, with two major reservations, the proposal for a `new
>approach' based on co-operation between Government and industry.
>
>16. Our first reservation is that the activities of the proposed
>forum and its subordinate bodies will need to be subject to clear
>lines of public accountability if they are to command the support and
>confidence of the UK public.
>
>17. Our second reservation is that the forum must be extended to
>include representation from consumer organisations, civil liberties
>and public policy review bodies and from lay members of the public.
>Without such wider involvement, the forum and its supporting bodies
>could easily develop into a conspiracy between Government and
>industry to undermine the interests of private citizens as has
>occurred in the past (this has happened, for example, in the
>European Telecommunications Standards Institute, where encryption
>standards have been deliberately weakened so that the privacy of
>users could be infringed without their consent).
>
>18. We hence emphasise that our support for the approach now being
>advocated is conditional on changes being introduced to meet these
>concerns.  In the form currently advocated we could never have
>confidence in the operation of the bodies envisaged in these
>proposals.
>
>Legislative Issues
>
>19. We are surprised and concerned about the legislative proposals
>that the report contains, which seem to us to propose steps that
>could remove important civil rights and protections.
>
>20. With public key cryptography only message recipients have
>decryption keys and this means that a guilty party can compromise an
>innocent party's key by sending them an encrypted message that
>causes law enforcement authorities to seek access.  The key needed
>for this belongs to the recipient and is almost certain to protect
>not only the targeted message but many other messages as well.  In
>such circumstances it is surely unjust to impose a requirement to
>reveal keys on an entirely innocent party who is not involved in any
>wrongdoing.  It should be sufficient for this party to offer a
>decrypted copy of the targeted message if they are able to do so.
>The creation of a situation in which a guilty party can put an
>entirely innocent party at risk in this way is surely not a step
>that any democratic Government would consciously take.
>
>21. Worse even than this, a guilty party can use a random key to
>send a message to an innocent party for which the latter has never
>possessed any decryption key.  If faced with a requirement to
>decrypt this message, or to provide the decryption key, this
>innocent party would have to prove that they do not possess such a
>key. For all practical purposes such a proof would never be
>possible.
>
>22. To impose such an impossible burden of proof on an accused must
>amount to an infringement of the presumption of innocence embodied
>under article 6 of the European Convention on Human Rights.  This
>would be contrary to the recently enacted Human Rights Act 1998 and
>would create a miscarriage of justice by seriously infringing the
>right to a fair trial because the accused may not be in a position
>to provide evidence at all.
>
>23. We cannot support such proposals, which we believe would be a
>serious curtailment of important and well-established civil rights.
>
>Other Concerns
>
>24. In addition to these concerns we also have a number of more
>detailed observations on these and other points that are set out in
>the Annex to this letter.
>
>25. We remain ready to work constructively with the Government to
>seek further evolution of the proposals set out in the PIU report to
>meet the reservations expressed here.
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Mr. Yaman Akdeniz,
>Director, Cyber-Rights & Cyber-Liberties (UK)
>URL: http://www.cyber-rights.org
>E-mail: lawya@cyber-rights.org
>
>Read the CR&CL (UK) Reports at:
>http://www.cyber-rights.org/reports/
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~