From prunesquallor@proproco.co.uk Mon, 1 Nov 1999 07:55:42 -0000 Date: Mon, 1 Nov 1999 07:55:42 -0000 From: John R T Brazier prunesquallor@proproco.co.uk Subject: FIPR Consultation Library Submissions This is a multi-part message in MIME format. ------=_NextPart_000_0001_01BF243E.878250A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Gus, Please find attached my submission (sorry for the delay, one damn thing after another!). It's in HTML format, but generated by MS Office so it will be horrible if you look at the code. By the way, how are things? Saw you at SFS3.5, but I had to flee early and couldn't stay. Hope things are going well. All the best, John B -----Original Message----- From: owner-ukcrypto@maillist.ox.ac.uk [mailto:owner-ukcrypto@maillist.ox.ac.uk] On Behalf Of Gus Hosein Sent: 09 October 1999 11:49 To: ukcrypto@maillist.ox.ac.uk Subject: FIPR Consultation Library Submissions Call for Submissions to the Draft Electronic Commerce Bill 1999 Library by the Foundation for Information Policy Research (http://www.fipr.org) In line with previous consultation initiatives, the Foundation for Information Policy Research is offering its web site as a library of submissions to the UK Draft Electronic Commerce Bill 1999. Previous archiving has resulted in 11 responses to the IOCA review consultation paper (library can be reviewed at http://www.fipr.org/ioca/library.html); and 40 responses to the April "Building Confidence in Electronic Commerce" consultation report (available at http://www.fipr.org/library/library.html). In continuing its efforts to promote openness and discourse in developing policies that may affect the landscape for electronic commerce, and technology policy in general, FIPR welcomes the opportunity to publish the contributions of individuals, organisations, and companies to the government consultation process. If you are interested in submitting your own response, we request that the submitted document is in ascii text or html format (but we can also accept Postscript, PDF, and MS-Word), and sent to Gus Hosein, at ecomm99@fipr.org. If you would prefer us to link to a document on your own site, just send us the URL. Relevant Links: FIPR Draft E-Commerce Bill Call for Submissions (this message): http://www.fipr.org/ecomm99/call.html FIPR Draft E-Commerce Bill Library: http://www.fipr.org/ecomm99/library.html Analysis of the (draft) Electronic Communications Bill 1999 -- A summary of opinions from UKCrypto and elsewhere, by Richard Clayton: http://www.fipr.org/ecomm99/index.html gus. ~~~~~~~~~~~~~~~~~~~~~~~~~~~ PGP ElGamal 2048/1024-bit key ID: 0x35502083 PGP RSA 2048-bit key ID: 0x6019F689 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Gus Hosein Tutorial Fellow Department of Information Systems The London School of Economics and Political Science Houghton Street, London WC2A 2AE ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: PGP Personal Edition 6.0.2 iQA/AwUBOB1HfTYZ46XY1JH9EQKH+wCgiu8vUNEjv8FXRyRGxJ6J1byQwwsAoLCP FrZGzZz37hYC2oCG2Px0k69c =SROJ -----END PGP SIGNATURE----- ------=_NextPart_000_0001_01BF243E.878250A0 Content-Type: text/html; name="Electronic Communications Bill.htm" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="Electronic Communications Bill.htm" TITLE

RESPONSE TO THE = DRAFT LEGISLATION

=91ELECTRONIC = COMMUNICATIONS BILL=92

 

Date:=A0=A0=A0=A0=A0=A0=A0=A0 7 October = 1999

Version:=A0=A0 1.0

 

John R T = Brazier

Professional = Projects Co Ltd

19 Barttelot = Rd

Horsham

West = Sussex

RH12 = 1DQ

 

Table of = Contents

 

Summary.................................................................= .........................................................................= ................................ 3

Introduction.................................................................= .........................................................................= ..................... 4

Acknowledgements.................................................................= .........................................................................= ...... 4

1.=A0=A0=A0=A0=A0=A0=A0=A0=A0 Process = Overview.................................................................= ...................................................................... = 5

2.=A0=A0=A0=A0=A0=A0=A0=A0=A0 The = Registration of Approved Suppliers and Their Regulation................................ 5

a)=A0=A0=A0=A0=A0=A0 = There is not a need for this legislation (at present).......................................................... = 5

b)=A0=A0=A0=A0=A0=A0 = The voluntary scheme will not be used.................................................................= ..................... 5

c)=A0=A0=A0=A0=A0=A0 = The powers taken are too extensive and ill-defined......................................................... = 5

d)=A0=A0=A0=A0=A0=A0 = Recommendations.................................................................= ..................................................................... = 5

3.=A0=A0=A0=A0=A0=A0=A0=A0=A0 = Facilitation of Electronic Commerce.................................................................= ........................ 5

a)=A0=A0=A0=A0=A0=A0 = Electronic signatures should be identical to normal written

=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 signatures in law.................................................................= ...................................................................... = 6

b)=A0=A0=A0=A0=A0=A0 = The facilitation of electronic documents should be more radical...................... 6

c)=A0=A0=A0=A0=A0=A0 = Recommendations.................................................................= ..................................................................... = 6

4.=A0=A0=A0=A0=A0=A0=A0=A0=A0 The = Investigation of Protected Electronic Data................................................................ = 6

a)=A0=A0=A0=A0=A0=A0 = Part III is inappropriate for the Bill.................................................................= ............................. 6

b)=A0=A0=A0=A0=A0=A0 = There is an attack on civil liberties within the Bill.......................................................... = 7

c)=A0=A0=A0=A0=A0=A0 = Recommendations.................................................................= ..................................................................... = 8

5.=A0=A0=A0=A0=A0=A0=A0=A0=A0 The = Miscellaneous and Supplemental Provisions............................................................... = 8

6.=A0=A0=A0=A0=A0=A0=A0=A0=A0 The Effects = of Technology.................................................................= .................................................. 8

a)=A0=A0=A0=A0=A0=A0 = The development of concealment.................................................................= .................................. 8

b)=A0=A0=A0=A0=A0=A0 = The enhancement of key management.................................................................= ........................ 8

c)=A0=A0=A0=A0=A0=A0 = Perfect systems.................................................................= .........................................................................= . 9

d)=A0=A0=A0=A0=A0=A0 = Conclusions.................................................................= .........................................................................= .......... 9

7.=A0=A0=A0=A0=A0=A0=A0=A0=A0 Other = Ideas.................................................................= .........................................................................= ............. 9

a)=A0=A0=A0=A0=A0=A0 = Tax reduction incentives.................................................................= ..................................................... 9

b)=A0=A0=A0=A0=A0=A0 = Government use of electronic commerce.................................................................= ................. 9

c)=A0=A0=A0=A0=A0=A0 = Review.................................................................= .........................................................................= ....................... 9

d)=A0=A0=A0=A0=A0=A0 = Recommendations.................................................................= ................................................................... = 10

8.=A0=A0=A0=A0=A0=A0=A0=A0=A0 = Conclusions.................................................................= .........................................................................= ....... 10

 

Summary

 

This document is a response to a request for = comments to the Electronic Communications = Bill, a piece of draft legislation that is expected to appear before Parliament = in the near future. This is the latest in a series of responses that aim to = support the DTI and the Government in meeting their target to make the UK the = best place for electronic commerce in the world while meeting the needs of = law enforcement.

 

The document proposes the following:

=B7           = ;     That Part I of the Bill should be dropped as the Government has no current intention of using it. Its powers are also = currently too wide.

=B7           = ;     Part II should be simplified and strengthened, = making electronic signatures and documents identical in law as rapidly as = possible.

=B7           = ;     Part III should also be removed, as it does not = belong in the Bill. After a number of issues have been dealt with the redraft = should be placed within the appropriate parts of the Police and Criminal = Evidence Act (PACE) and the Interception of Communications Act (IOCA).

=B7           = ;     It is believed that developments in technology = will undermine the aims of Part III in the Bill, so reinforcing the = suggestion that it should be removed.

=B7           = ;     It is suggested that Part IV may belong within = the Telecommunications Act, rather than this Bill.

=B7           = ;     It is proposed that electronic commerce could be further facilitated by adjustment in the taxation regime, by leadership = of the Government in its own use of electronic commerce, and by a review in = three years of the Bill=92s function.

 

We would like to thank the DTI for the opportunity = of responding to the Bill.

 

Introduction

 

This document is a response to the Electronic Communications Bill. It aims to assist the = Government in its aims of making the UK the world's best place to trade = electronically.

 

Acknowledgements

 

This document would not = have been possible without the help from a large number of people, especially at = FIPR and on the UKCRYPTO mail list, and we would like to take the opportunity of thanking them.

 

1.    = Process Overview

 

Before going into the detailed responses to the = Bill, of which there are a number, we would like to make the comment that the = process of development of the Bill has been a model of open democracy. This will = now be the third set of comments from this party going into the Bill=92s = formulation, and it is clear that the combined comments from all parties have had a significant effect on the contents of the Bill. Thus a true conversation = has been held with all interested groups, and such openness can only speak = well of our democratic systems. We earnestly hope that such openness will = continue.

 

2.    = The Registration of Approved Suppliers and Their Regulation

 

These comments refer to = Part I of the Bill, Clauses 1 to 5.

 

a)     = There is not a need for this legislation (at present)

The Government itself has stated that it is looking = to industry to provide self-regulation; thus powers are being taken which = are not intended to be used. It would seem better to leave such powers out of = the Bill, and legislate for them if and when they are needed =96 when it will also = be clearer what sort of powers will be required.

 

b)     = The voluntary scheme will not be used

The scheme will be voluntary. We believe that it is = unlikely that most service providers will register, because (i) they do not need = it, (ii) it will cost money for registration and (iii) many service = providers may feel that such a license will carry a stigma, and deter customers. This = is because of the history of this Bill; some customers may believe that = Government accreditation will in practical terms be a license to leak customer data = to assorted Governmental agencies (no doubt a misapprehension, but this = view may well exist).

 

These reasons will reduce the likelihood of uptake = of a voluntary licensing scheme. However, this is not a call for a mandatory = scheme: the Government should support all the steps taken to allow industry self-regulation.

 

c)      = The powers taken are too extensive and ill-defined

Because Part I is trying to cover all possible = future eventualities, the power it takes are far too wide. Thus Clause 5 = generally seems to give the Secretary of State powers to do almost anything under = this Bill for licensing purposes. (It should also be noted that Clauses 8, = 9.5 and 9.6 also seem to give Ministers generally considerable freedom of scope = under this Bill, extending the powers further.) For example, it would appear = that the Secretary of State could impose mandatory key escrow at any time under = this Bill =96 something that has been shown to be not workable by many past submissions from many groups.

 

This also has an effect of reducing the likelihood = of the voluntary scheme being used: how can anybody, as a service provider = seeking licensing, sign up to Clauses 2.3.b and 2.3.c, which require him or her = to meet any and all possible requirements that may come into existence in the = future?

 

d)     = Recommendations

It is recommended that Part I be removed from the = Bill, and appropriate powers taken if they are shown to be needed at some point in = the future.

 

3.    = Facilitation of Electronic Commerce

 

These comments refer to Part II of the Bill, = Clauses 7 to 9. This Part is =96 or should be =96 the core of the Bill, in that it = intends to facilitate Electronic Commerce.

 

a)     = Electronic signatures should be identical to normal written signatures in = law

Clause 7 discusses electronic signatures in terms = of their use for =91authentication=92 and confirmation of =91integrity=92. Whilst = electronic signatures do have such uses (which are extremely valuable), there is no mention of their use as =91signatures=92.

 

In general, a signature is used for many things, = such as giving approval, agreement or permission by the act of signing. Or = indicating the truth of some statement, such as in the signing of a witness = declaration. Clause 7 does not actually ascribe any of these uses to electronic = signatures.

 

In this case, it would appear that the simplest way = to deal with the issue is to redraft Clause 7 to state that anything that = purports to be an electronic signature is, at least, identical in law to anything = that purports to be a written signature. An electronic signature may then = have extra capabilities in terms of authentication and integrity, and these could = be covered by a slight modification of Clause 7.1, to indicate that these = are an extra property of electronic signatures.

 

This would clarify the definition and usage of = electronic signatures in law, although we believe that the Courts already have a = very good practical idea of what an electronic signature is, and how it should = function.

 

b)     = The facilitation of electronic documents should be more radical

Clauses 8 and 9 seem to be a method by which = Ministers will be allowed to move to electronic rather than paper documents by = statutory instrument, where those documents currently must exist and be dealt with = in paper form. The comment here is that whilst it does not have a = time-table (which although beneficial, might not have a place in legislation), = there does not seem to be any indication as to when the move will take place, if = ever.

 

Perhaps the Bill would have a more far-reaching = effect if it were to announce that all electronic documents were the same as paper = ones in law. It might say that the Ministers must define a format for an = electronic document where a format for a paper one exists, and might have to = provide rules for handling and recording of electronic documents where they exist for = paper ones. However, the date of enactment of this provision could be fixed in = the Bill (giving perhaps 12 months=92 grace). The onus would then be on the Ministries to drive through the required instruments as rapidly as = possible.

 

c)      = Recommendations

It is recommended that Clause 7 be clarified to = make electronic signatures identical to written ones, and the rest of this = part simplified to state that all electronic documents will be regarded in = law as equivalent to written ones within a twelve month period. The onus must = be placed on Ministries to bring in any required provisions for formatting = and handling in that time.

 

4.    = The Investigation of Protected Electronic Data

 

These comments cover Part III of the Bill, Clauses = 10 to 19. There are a large number of concerns about this section.

 

a)     = Part III is inappropriate for the Bill

This Part is dealing with matters that are not = appropriate for a Bill that is meant to be about the enhancement of electronic = commerce. In fact, given some of the somewhat Draconian provisions outlined below, it = is likely to hinder the development of such commerce.

 

This Part should be redrafted and placed into PACE = and IOCA (which is currently under review). This is because it deals with how = evidence is obtained (either by interception or entry =96 Clause 10.1), what = evidence may be obtained (Clauses 10 and 11), what offences exist in relation to such = evidence-gathering (Clauses 12 to 14) and what safeguards there are (Clauses 15 to 18, with = Clause 19 being definitions).

 

These points would seem better dealt with in PACE = and IOCA, both from general principles and because they can be better integrated = into the legislation that way.

 

b)     = There is an attack on civil liberties within the Bill

We believe that the Bill does form an attack on = civil liberties, in that it contravenes the European Convention on Human = Rights. Thus arrests and prosecutions carried out under Part III will lead to cases = coming before the European court: not something that is likely to enhance the = use of electronic commerce within the UK. The following are a number of = concerns (some of which are more clearly against the ECHR than others):

 

=B7           = ;     Clauses 10 and 12 may well be = self-incriminatory. Under Clauses 10.1.c and 10.1.d, encrypted material may well come into police possession. Divulgence of the key by operation of a Clause 10 notice may = lead to material being decrypted that is the sole basis of a case against the = person who owned the key; this may have nothing to do with the reason the = police came into possession of the encrypted material. The operation of Clause 12 = removes the protection against self-incrimination. There is no such provision as = in the case of fraud investigations, where a person may be compelled to give = evidence but gains immunity from the use of that evidence against him or her in = court.

=B7           = ;     Clauses 10 and 12 have the effect of reversing = the onus of proof, and so are against the presumption of innocence of the = accused. Under Clause 10.2 an appropriate person only needs a belief that one has a key = to serve a notice on that person. Under Clause 12 the person must prove = they do not have a key - a logical impossibility. All the prosecution has to = show in court is that a Clause 10 notice has been served, which is a mere matter = of form. Under clause 12, the simple serving of the notice criminalizes = someone who does not have a key. It would appear that Clause 13.8 is similar: a = third party needs to prove they do not know something; again impossible, and = reverses the burden of proof.

=B7           = ;     Clause 13 would appear to provide scope for a = large number of future problems. The =91tipping off=92 offence as defined has = no latitude in it at all. We can easily envisage the following four problems (representative of many possible cases), all of which will generate long drawn-out appeals that will not promote the cause of electronic = commerce:

=A7         As written, it would appear that the Clause = could force a person to commit perjury in court if evidence about information = leakage (as in the divulgence of a key) was pertinent to another case.

=A7         The Clause does not even allow a person to query = or challenge a Clause 10 notice, as the challenge would have to go to a = third party (and involve =91tipping off=92). This is likely to have unforeseen consequences, especially where a Clause 10 notice was, in fact, either fraudulent or served wrongfully.

=A7         When allied with Clauses 10 and 12, Clause 13 = could force Companies to dishonour commercial contracts involving = confidentiality, without even being able to warn their contractual partners about = information breaches.

=A7         The three Clauses could even directly contradict = other Government legislation: it is easy to envisage a situation where a Civil = Servant who had signed the Official Secrets Act being required to give up a key = under Clause 10 (and thus would breach one of the two laws). Under Clause 13, = this Civil Servant could not even go to his or her manager =96 or even = Minister =96 for help and advice.

Clause 13 needs to be rewritten, and = properly formed in relation to Clauses 10 and 12.

=B7           = ;     The safeguards are too weak. In fact, if the = Clause 10 notice has not been signed by the Secretary of State (Clause 18.1.a) = then there would appear to be no safeguards at all. The tribunal provisions do not = seem to be in force for Clause 10 notices served under 10.1.c and 10.1.d, and it = is unclear how a complaint could be made against a notice signed by a judge = (given the provisions in Clause 13). In addition, Clause 16 appears to remove = many of the safeguards, in that the Secretary of State may do anything he or she = wishes with the code of practice, and Clause 16.10 seems to undermine any = redress even against a flagrant contravention of any such code of practice.

=B7           = ;     Clause 11 should have much higher prominence. It = states that decrypted text may be provided instead of a key, where a Clause 10 = notice provides for this. In the real world, we believe that Clause 10 notices = will never provide for this, and will always insist on the key. This will = mean that innocent parties (see below) are likely to be placed in a position of considerable expense, once the notice has expired, in replacing all = their compromised keys. Section 11 should always allow for the provision of = text rather than the key.

=B7           = ;     It seems to have been missed that most of the = Clause 10 notices will be served on the innocent (especially if the operation of = public key cryptography is considered). Yet the whole thrust of Part III is to = deal with all recipients of Clause 10 notices effectively as criminals. This = does not seem a way to enhance the use of electronic commerce within the = UK.

 

c)      = Recommendations

It is recommended that this entire part be dropped = from the Bill. After a considerable piece of redrafting, it should be used to = make any required modifications to PACE and IOCA.

 

5.    = The Miscellaneous and Supplemental Provisions

 

We are not telecommunications providers, so have = little to say on this section except to observe that (1) the powers given to the = Director General seem to be quite extensive, and (2) perhaps this Part would be = more suitable as a modification to the Telecommunications Act.

 

One minor point is that the Bill may be helped by = having one location for definitions (i.e. there is no need for Clauses 19 and 23 to = be separate). Of course, this is subject to the considerable modifications proposed to the Bill elsewhere in this document.

 

6.    = The Effects of Technology

 

An extra comment should be made on the effects of technology. A number of the provisions in the Bill (especially Part III) = are liable to fail because of the considerable and continuing technological developments. The provisions are likely to foment this rapid = technological development to ensure that users of electronic commerce will not be open = to the severe provisions of Clause 14.

 

a)     = The development of concealment

Part III of the Bill will give considerable impetus = to concealment technologies such as steganography (for both storage and transmission). This technology effectively hides the encrypted = information so that it is not obvious; in fact, with the correct technologies it can be = hidden to be effectively undetectable. One cannot serve a Clause 10 notice if = one cannot detect the protected information.

 

b)     = The enhancement of key management

Improved Key management technologies are likely to = be incorporated into software and hardware products:

=A7         All systems will move to the use of session = keys, which are immediately destroyed on message reception. This means that the = session key will not be recoverable.

=A7         In public-key infrastructures, systems will = appear that immediately and automatically make public alerts on the compromise of = the person=92s private key (as envisaged in Clause 13.3.a).

=A7         In real-time systems, the use of key negotiation = (as in Diffie-Hellman) of the temporary key will come into greater use. Again, = this will mean that no key is ever recoverable.

=A7         Important keys will be part of threshold schemes = (where perhaps three out of five people must come together for the key to be divulged). This will undermine the point of the Clause 13 notice, as = people will be =91tipped off=92 to get the key. It should also be noted that a = person might cheat under such a scheme (deliver the wrong information so the = key is not, in fact, recovered), yet it would be impossible to show who cheated = or be able to prove conspiracy.

 

c)      = Perfect systems

Lastly, the use of one time pads may well become = more common, as they have two strengths: (1) they are theoretically = unbreakable, and (2) any text may be demonstrated as being produced by the ciphertext = (unless one can prove what was the original one time pad). In a legal sense, = they allow doubt to be thrown on any given decryption of any piece of =91protected information=92. Whilst their use will always be limited (even with the development of technologies like quantum cryptography, which allows for = one time pad generation without the parties meeting), they are the ultimate = defence against recovery and decryption.

 

d)     = Conclusions

All these technologies will have the effect of = reducing the value of the Part III provisions, and underline the fact that this Part = needs to be reconsidered (as a part of other Acts). In addition, it shows that = the law enforcement agencies need to rethink their strategies and accept = that the =91magic bullet=92 of covert interception may not be as readily = available any more, whatever legislation is passed. They need to tackle the problem of sophisticated criminals in depth, using multiple techniques and new ways = of approach.

 

7.    = Other Ideas

 

The purpose of this Bill is to enhance electronic = commerce, as stated by the Government. Aside from the suggestions already made, = there are offered here a couple of suggestions that we believe would help to = develop such commerce:

 

a)     = Tax reduction incentives

If the Government were to allow, for a start-up = period of perhaps five years, complete tax relief on the profits from all new = electronic transactions, there would be an extraordinarily large uptake in = electronic commerce usage. The deflationary effect of such a policy would also be beneficial to the economy as a whole.

 

This would be a distortion on the economy, but all = tax regimes distort their economies to a greater or lesser extent. Tax = adjustment is perhaps the most effective way Governments can provide incentives to corporations; such a liberal policy would bring electronic = commerce-based businesses to the UK in droves, and would probably pay for itself in the expansion of the economy and the derived increase in other taxes.

 

b)     = Government use of electronic commerce

The Government has now an =91E-Minister=92 and = there is also an =91E-Envoy=92 becoming active next year (although the delay in the = appointment and uptake of this post is disappointing). However, the Government should be = much more proactive in this area, and actually take leadership in everything = it can do itself.

 

It should be seen to be exploiting electronic = commerce. Government departments should preferentially use electronic commerce in purchasing. All government business should be moved to electronic = systems within a period of twelve months. In 1998 the Government had a gross = disposable income of almost exactly =A3146 billion (www.statist= ics.gov/stats/ukinfigs/natac.htm): how it uses this income can have huge effects on the uptake of = electronic commerce in the UK.

 

c)      = Review

If this Bill were to be pruned of the inappropriate = sections (and perhaps effectively become just Part II, in an improved form), then = it would be worthwhile for a provision to be added to the Bill for a review = after three years. This would see if further incentives could be provided for = the development of electronic commerce in the UK and would also allow = Parliament to gauge what the effects of the Bill had been.

 

d)     = Recommendations

The recommendations may be stated that the = Government should allow tax incentives for all electronic commerce transactions, use = electronic commerce to the maximum effect itself and allow for a review of the Bill = in Parliament.

 

8.    = Conclusions

 

A number of recommendations have been made with = regard to the Bill. In essence, they attempt to remove inappropriate sections, and clarify and strengthen those provisions that will support electronic = commerce. Some other ideas have also been presented on how to support electronic commerce, and we look forward to the development of the legislation with interest.

 

 

------=_NextPart_000_0001_01BF243E.878250A0-- From Q.G.Campbell@newcastle.ac.uk Mon, 1 Nov 1999 08:00:08 +0000 (GMT) Date: Mon, 1 Nov 1999 08:00:08 +0000 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: The Evils of MLS (Was: Another online service misleads) On Sat, 30 Oct 1999, David Hansen wrote: [snip] > > If someone involved in say social security was to ask for details of > security systems protecting a relatively minor military figure then > they may well have an appropriate security clearance to obtain the > information, but they would not do so without providing a very > convincing explanation. > The problem is that this does not operate with the same rigour in both directions. A "minor military figure" in MI5 can obtain information from Social Security but not vice-versa. This situation is even more serious if the access is illegal and in breach of normal security practices. Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own." From Postmaster@scientia.com Mon, 01 Nov 1999 11:37:42 +0000 Date: Mon, 01 Nov 1999 11:37:42 +0000 From: System Administrator Postmaster@scientia.com Subject: The Evils of MLS (Was: Another online service misleads) At 15:26 30/10/99 +0100, David Hansen wrote: >On 30 Oct 99, at 10:05, Ross Anderson wrote: > >> Classifying information the way the civil service does - top secret, >> secret, confidential and so on - is usually a grievous error. > >It is if it is implemented in a rigid way. If common sense is used in >the implementation then it works reasonably well. The problem is that if it is an automatic retrieval system then implementing "common sense" in software is way beyond current AI technology. Security in automated system is more or less by definition "rigid". Ian From roger.hird@argonet.co.uk Mon, 01 Nov 1999 10:30:52 +0000 (GMT) Date: Mon, 01 Nov 1999 10:30:52 +0000 (GMT) From: Roger Hird roger.hird@argonet.co.uk Subject: The Evils of MLS (Was: Another online service misleads) On 01 Nov, Quentin Campbell wrote: > The problem is that this does not operate with the same rigour in both > directions. A "minor military figure" in MI5 can obtain information from > Social Security but not vice-versa. Oh dear - do they really think, up there at Newcastle University, that MI5 is a military organisation ? RogerH -- Roger Hird roger.hird@argonet.co.uk Running Voyager 2.01 and RISCOS 3.70 on an Acorn StrongARM RiscPC From Q.G.Campbell@newcastle.ac.uk Mon, 1 Nov 1999 17:41:33 +0000 (GMT) Date: Mon, 1 Nov 1999 17:41:33 +0000 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: The Evils of MLS (Was: Another online service misleads) On Mon, 1 Nov 1999, Roger Hird wrote: > On 01 Nov, Quentin Campbell wrote: > > > The problem is that this does not operate with the same rigour in both > > directions. A "minor military figure" in MI5 can obtain information from > > Social Security but not vice-versa. > > Oh dear - do they really think, up there at Newcastle University, that MI5 > is a military organisation ? > > RogerH > > -- > Roger Hird Roger I am sorry that you do not understand irony and figures of speech. Read the original message and you will see where the quoted text came from and why it was used. Cheers Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own." From cb@fipr.org Mon, 1 Nov 1999 19:43:31 -0000 Date: Mon, 1 Nov 1999 19:43:31 -0000 From: Caspar Bowden cb@fipr.org Subject: FT 27/10/99: "Government U-turn on e-commerce bill" Financial Times, 27-Oct-1999 ] NATIONAL NEWS: Government U-turn on e-commerce bill The government is set to strip from the electronic communications bill controversial clauses giving the police powers to unscramble encoded e-mail. Instead, the measures are expected be tagged on to a Home Office bill updating existing law regulating phone tapping by the police and security services. Stephen Byers, the trade and industry secretary, is concerned that the contentious measures would overshadow the more positive elements of the bill designed to promote the development of e-commerce. Industry and the Conservatives have lobbied strongly for the latest move. Leading human rights lawyers this week argued that the powers given to law enforcement agencies could breach the European Convention on Human Rights. Alan Duncan, the Conservatives' e-commerce spokesman, said the proposed powers of intrusion were "obscene" and should not be in the electronic communications bill. "I have been demanding that this sort of provision should be totally excised from the bill and stuck into a new Interception of Communications Act if that is what they really want to do." The government has already been forced to water down the bill after lobbying from business. It dropped a proposal requiring users of encryption technology to lodge decryption keys with third parties after the industry demonstrated it was unworkable. The government had been proposing a licensing scheme for companies providing encryption services. Instead, it agreed to support an industry accreditation scheme, but reserved the right to introduce a statutory regime if this proved inadequate. The changes mean the bill is limited largely to measures giving legal status to electronic signatures. The government's e-commerce strategy also came under attack in a critical report by the Commons trade and industry select committee in August. In its response to the committee yesterday, the government agreed UK internet charges, including telephone call rates, had to fall further if e-commerce was to take off. Editorial Comment, Page 22 Procurement on web 'must rise' UK companies are lagging behind their overseas rivals in exploiting an expected Dollars 360bn (216.8bn) global boom in internet procurement, according to a survey by A T Kearney, the management consultancy, writes Carlos Grande. The report estimates that by 2001, 20 per cent of all external business supplies worldwide - some Dollars 400bn in orders - will be bought via the internet, compared with less than 2 per cent now. But it warns that over the next two years the top 100 UK businesses are planning to increase internet procurement by only 400 per cent - well below its estimated global average rise of 1,100 per cent From cb@fipr.org Mon, 1 Nov 1999 19:44:20 -0000 Date: Mon, 1 Nov 1999 19:44:20 -0000 From: Caspar Bowden cb@fipr.org Subject: FT 27/10/99: "LEADER: Cybercops" LEADER: Cybercops Financial Times, 27-Oct-1999 Big Brother is watching your e-mails. At least, he wants to be able to read them if he suspects you are up to no good. The obvious defence against intrusion is to encrypt internet transactions. The authorities want to make complete privacy impossible. It is true that the US and other western governments have abandoned proposals to restrict the sale of encryption software and to require keys to the code to be lodged in an official escrow file. Quite apart from the libertarian objections, new technologies could quickly outflank such measures. Serious criminals would refuse to co-operate or avoid the internet. But governments are still looking for ways to give the police the right to access encrypted material where crimes are suspected. Such powers must be strictly controlled. Under the UK's draft electronic communications bill, it would be an offence to refuse a police demand for an encryption key. Anyone who resisted in order to protect material that was confidential for personal, political or commercial reasons could become a criminal even if they were otherwise innocent. If the police were all-wise and incorruptible, the danger might not be great. But in an imperfect world, citizens need to be armed against the intrusions of the state. That is why the objections of human rights lawyers must be taken seriously. They believe the UK draft bill may conflict with the European Declaration of Human Rights. The government must ensure that there is no question of such a conflict. And the police powers must be more narrowly defined. The proposed restrictions on decoding follow broadly those on phone tapping and searching properties. In addition, the police must be required to get court authority for decryption of material obtained by other means, such as internet searches. Excessive police snooping could undermine legitimate use of the internet. But it will catch few crooks: they will sell their modems and buy more runners. From cb@fipr.org Mon, 1 Nov 1999 19:47:22 -0000 Date: Mon, 1 Nov 1999 19:47:22 -0000 From: Caspar Bowden cb@fipr.org Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99) Financial Times 30-Oct-1999 NATIONAL NEWS: Internet minister sets example: E-COMMERCE GOVERNMENT COLLEAGUES URGED TO USE NEW ONLINE CHAT ROOM: Patricia Hewitt talks to Rosemary Bennett and David Wighton on her first 'year' in office "Patricia Hewitt, promoted to minister for e-commerce in July, has just finished her first "internet year" in the job. .... (snip) Regarding the electronic communications bill, Ms Hewitt confirmed she was in discussions about removing controversial clauses giving the police powers to unscramble encoded e-mail. These measures would be tagged on to a Home Office bill updating existing law regulating phone tapping." From roger.hird@argonet.co.uk Mon, 01 Nov 1999 20:05:37 +0000 (GMT) Date: Mon, 01 Nov 1999 20:05:37 +0000 (GMT) From: Roger Hird roger.hird@argonet.co.uk Subject: The Evils of MLS (Was: Another online service misleads) On 01 Nov, Quentin Campbell wrote: > I am sorry that you do not understand irony and figures of speech. I think I did. > Read the original message and you will see where the quoted text came > from and why it was used. I had - but I guess I must just be quite incredibly thick and stupid and quite incapable of using the English language. Sigh. Perhaps I should have gone to newcastle.ac. -- Roger Hird roger.hird@argonet.co.uk Running Voyager 2.01 and RISCOS 3.70 on an Acorn StrongARM RiscPC From Ross.Anderson@cl.cam.ac.uk Mon, 01 Nov 1999 20:46:23 +0000 Date: Mon, 01 Nov 1999 20:46:23 +0000 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: Serpent John Young asks: > Bruce Schneier says in a SlashDot interview yesterday: > > http://slashdot.org/interviews/99/10/29/0832246.shtml > > I like designs that have long and detailed documents > that discuss how the designers have attacked their > own design. You can see this in the submissions for > Twofish, and for Mars, RC6, and E2. I worry about a > cipher like Serpent that does not come with any > analysis. Either the designers didn't do any, which is > bad -- or they did it and are hiding it, which is worse. > > If the Serpent designers have answered this we'd appreciate > a pointer. Any comment here on Bruce's tough talk? Serpent was the first of the AES candidates to be published, at FSE 98; our paper there has a bit over four pages of cryptanalysis (proceedings pp 227-231; online version pp 7-11). This set the standard of cryptanalysis expected of the other candidates. The full specification which we submitted to NIST has got over five pages of cryptanalysis (pp 7-12). List members may check for themselves via the Serpent home page: http://www.cl.cam.ac.uk/~rja14/serpent.html One reason why our paper is not as long as some other submissions is that our design is simpler and more transparent, which makes analysis easier. Once we have shown that none of the currently known attacks work against Serpent, there is nothing more to add. In fact, after Eli and I came up with the first version of Serpent in September 1997, we asked Lars to join us specifically so that we would have a fresh mind to do nothing but attack it. I don't think any of the other teams did this. Lars's contributions have been significant - the most obvious being the improved S-boxes. He also did a lot of work on tying down the differential and linear bounds. So the comment attributed to Bruce is wierd. But I have been misquoted so often myself by journalists that I'm not going to assume that he actually said it. Ross From gladman@seven77.demon.co.uk Mon, 1 Nov 1999 22:32:04 -0000 Date: Mon, 1 Nov 1999 22:32:04 -0000 From: Brian Gladman gladman@seven77.demon.co.uk Subject: Serpent From: Ross Anderson To: Cc: John Young Sent: Monday, November 01, 1999 8:46 PM Subject: Serpent > John Young asks: > [snip] > > Twofish, and for Mars, RC6, and E2. I worry about a > > cipher like Serpent that does not come with any > > analysis. Either the designers didn't do any, which is > > bad -- or they did it and are hiding it, which is worse. > > > > If the Serpent designers have answered this we'd appreciate > > a pointer. Any comment here on Bruce's tough talk? It would be truly amazing if Bruce had said this since the Serpent AES paper itself contains several pages of analysis. If Bruce had said 'insufficient analysis' instead of 'any analysis' he might have had a point (although Ross's post answers this) but if he really did say the words as given above then I fear that he has let his bias show through in a major way. If these really are Bruce's words they can only mean that he has either not bothered to read the Serpent AES paper or, alternatively, that he is trying to cast Serpent in a bad light in public. Sadly, the latter seems more likely since it is very hard to believe that he is unaware of the content of the paper. But I share Ross's hope that this report will prove to be inaccurate. Brian From jya@pipeline.com Mon, 01 Nov 1999 20:03:31 -0500 Date: Mon, 01 Nov 1999 20:03:31 -0500 From: John Young jya@pipeline.com Subject: Serpent Bruce's remarks on Serpent are still at the slashdot URL provided: http://slashdot.org/interviews/99/10/29/0832246.shtml We've excerpted the particular Q&A in which Serpent is mentioned: http://cryptome.org/bruce-bite.htm And, yes, it's possible Bruce did not write what he there appears to have written: it was an online interview, with him answering e-mail questions by e-mail, I believe, along with other ruminations on the state of cryptography. It's quite possible he was speaking and someone was transcribing his comments for forwarding to slashdot. It was a combative statement, got my attention. And made me wonder why. Bruce is usually a level-headed gent toward his peers. As, to be sure, is Ross. Ross's response only mesmers the gentlemen's enigma. We've forwarded Ross's counterhex to Bruce. And dread getting savagely voodooed by both. From donald@ramsbottom.co.uk Tue, 02 Nov 1999 06:44:57 +0000 Date: Tue, 02 Nov 1999 06:44:57 +0000 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Snippets From, "Bytes n Briefs", for those that do not know the Bernstein case is to be re heard, in view of the "New regulations" ( to be published circa 15th Dec 1999). There is a URL for the pleadings for those that want a peek. >NINTH CIRCUIT WILL REHEAR BERNSTEIN ENCRYPTION CASE > >On September 30th, the Ninth Circuit Court of Appeals granted >the government's request to rehear the case of Bernstein v. >U.S. Department of Justice en banc. Previously, the case had >been decided in Professor Bernstein's favor by a three-judge >panel of the court. By granting the government's request, the >court has withdrawn the panel's earlier decision and has >agreed to have all 21 members of the court rehear the case. >The government filed a motion seeking to push forward any >rehearing of the case in light of the new federal regulations >loosening the encryption rules. The motion was granted on >October 28th and oral arguments were rescheduled for March 21, >2000. Both parties are to file supplemental briefs addressing >the impact of revised encryption export regulations 21 days >after they are issued. Currently, the revisions are expected >to be issued on December 15, 1999. The pleadings in the >Bernstein case may be found at http://www.eff.org/bernstein/ And some more from the same publication >U.S. SUGGESTS FOREIGN Y2K FIXES MAY COMPROMISE SECURITY > >Throughout October, reports have been circulating that Israel >and India may have used the Y2K crisis to make malicious >modifications in U.S. computer program codes. Officials in >both countries have denied the allegations. The FBI's number >one cybercop, Michael Vatis, reported to Reuters that >malicious code changes under the guise of Y2K modifications >had begun to surface in some U.S. work undertaken by foreign >contractors, representing possible economic and security threats. >Vatis heads the National Infrastructure Protection Center. >Indian firms have done more than $2 billion worth of Y2K >remediation coding work and Vadis expressed concern that >malicious coding could expose a company to denial of service >attacks or leave it vulnerable to the altering of data. Further >information may be found at: >http://www.herald.com:80/content/tue/news/national/digdocs/ >058182.htm and finally some privacy issues >FTC SUED FOR ACCESS TO PRIVACY COMPLAINTS > >On October 12th, the Electronic Privacy Information Center >(EPIC) filed suit against the FTC to force it to disclose >records of privacy complaints it has received. The suit was >filed in the U.S. District Court in Washington, and alleges >that the FTC has failed to act upon many privacy complaints >that it has received from consumers. EPIC filed an initial >information request under the Freedom of Information Act >(FOIA) on June 10,1999, requesting "copies of all records >concerning the FTC's investigation of privacy complaints." >EPIC said the FTC has responded only informally by telephone, >though the Freedom of Information Act requires government >agencies to respond to requests within 20 working days. EPIC >said it has been told by the FTC that it doesn't have a system >in place for tracking privacy complaints, making it difficult >to respond to the FOIA request. A copy of the complaint may be >found, in PDF format, at >http://www.epic.org/privacy/internet/ftc_foia_comp.pdf > Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From donald@ramsbottom.co.uk Tue, 02 Nov 1999 07:23:59 +0000 Date: Tue, 02 Nov 1999 07:23:59 +0000 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Regina V DPP ex Parte Kebilene I posted the first instance hearing (report) of this case some months ago. That decision has now been reversed. Read S:16A CJaPO Act (below) with S10-13 EC Bill Report from Times Law Reports >Regina v Director of Public Prosecutions, Ex parte > Kebilene and Others > > Before Lord Slynn of Hadley, Lord Steyn, Lord Cooke > of Thorndon, Lord Hope of Craighead and Lord > Hobhouse of Woodborough > > [Speeches October 28, 1999] > > A decision by the Director of Public Prosecutions to > consent to the prosecution of persons suspected of > involvement with terrorism was not, in the absence of > dishonesty, bad faith, or some exceptional circumstance, > amenable to judicial review. > > The House of Lords so held in allowing an appeal by the > DPP from the order of the Queen's Bench Divisional > Court (Lord Bingham of Cornhill, Lord Chief Justice, > Lord Justice Laws and Mr Justice Sullivan) (The Times > March 31, 1999; [1999] 3 WLR 175) to grant > declaratory relief on applications by Sofiane Kebilene, > Ferine Boukemiche and Sofiane Souidi that the continuing > decision of the DPP in each case under section 19(1)(aa) > of the Prevention of Terrorism (Temporary Provisions) > Act 1989, as amended by the Criminal Justice and Public > Order Act 1994, to continue their prosecutions under > section 16A of the 1989 Act, as inserted by section 82 of > the Criminal Justice and Public Order Act 1994, was > unlawful > > Section 16A, as inserted, provides: "(1) A person is guilty > of an offence if he has any article in his possession in > circumstances giving rise to a reasonable suspicion that the > article is in his possession for a purpose connected with > the commission ... of acts of terrorism... > > "(3) It is a defence for a person charged with an offence > under this section to prove that ... the article in question > was not in his possession for such a purpose..." > > Mr John Morris, QC, Mr David Pannick, QC, Mr > Ronald Weatherup, QC of the Northern Ireland Bar, Mr > Philip Sales, Mr David Perry and Miss Jane Mulcahy for > the prosecution; Lord Lester of Herne Hill, QC, Mr Ben > Emmerson and Mr Gordon Nardell for the applicants. > > LORD STEYN said that in 1997 officers of the > anti-terrorist squad arrested the applicants, who were all > Algerian nationals, and charged them with offences under > section 16A. > > Section 16A was directed to the possession of articles > innocent in themselves but capable of forming part of the > paraphernalia or operational intelligence of the terrorist. > > The purpose of requiring the DPP's consent [under > section 19(1)(aa)] to prosecutions under section 16A was > to ensure that the decision to prosecute was taken at a > very senior level following a careful consideration of all > relevant matters including the public interest, and to > protect defendants from the risk of oppressive > prosecutions. > > At the applicants' trial, at the close of the case for the > prosecution, the defence sought a ruling from the judge > that section 16A reversed the burden legal of proof and > was therefore in breach of article 6(2) of the Convention > for the Protection of Human Rights and Fundamental > Freedoms (1953)(Cmd 8969): "Everyone charged with a > criminal offence shall be presumed innocent until proved > guilty according to law". > > The judge ruled that section 16A was in conflict with > article 6(2). The DPP, after taking legal advice, indicated > that it was his intention to proceed with the prosecution. > > The jury was subsequently discharged because the > prosecution had not fully complied with its disclosure > obligations. A new trial date had to be fixed. > > The applicants sought a declaration that "the decision of > the DPP to give his continued consent to the prosecution > ... involves an error of law, namely an erroneous > conclusion that the prosecution is compatible with article > 6(2)". > > The Divisional Court granted the declaration, taking the > view that section 16A undermined in a blatant and > obvious way the presumption of innocence. > > The Lord Chief Justice held that section 29(3) of the > Supreme Court Act 1981 did not preclude the granting of > relief. He accepted that it was not for the DPP to disapply > legislative provisions which Parliament had enacted but > held that it was appropriate for the court to review the > soundness of the legal advice on which the DPP had > acted. > > Parliamentary sovereignty > > The Human Rights Act 1998 would, when its substantive > provisions came into force on October 2, 2000, give > effect to Convention rights in domestic law. > > Section 3 provided: "(1) So far as it is possible to do so, > primary legislation ... must be read and given effect in a > way which is compatible with the Convention rights." > > It was crystal clear that the carefully and subtly drafted > 1998 Act preserved the principle of parliamentary > sovereignty. In a case of incompatibility, which could not > be avoided by interpretation under section 3(1), the courts > could not disapply the legislation but could merely issue a > declaration of incompatibility. > > It had been submitted that the effect of the Divisional > Court judgment was to invite the DPP to disapply primary > legislation. That failed to do justice to the reasoning of the > Divisional Court. > > The Lord Chief Justice had pointed out that in the present > case the DPP had wished to know where he stood on the > issue of compatibility of the legislation. He had sought and > relied on legal advice on that issue. > > The Lord Chief Justice said that if the advice was wrong, > the DPP should have the opportunity to reconsider the > confirmation of his advice on a sound legal basis. There > was no infringement of the principle of parliamentary > sovereignty. > > Legitimate expectation > > The applicants had submitted that they had a legitimate > expectation that pending the coming into force of the > central provisions of the 1998 Act, the DPP would not > give his consent to a prosecution which would violate > article 6. > > The Divisional Court had rejected that submission and > counsel for the applicants did not press it in oral argument. > > His Lordship said that there was a clear statutory intent to > postpone the coming into effect of central provisions of > the Act. A legitimate expectation which treated > inoperative statutory provisions as having immediate effect > was contradicted by the language of the statute. The > argument had to be rejected. > > Section 29(3) of the 1981 Act > > Section 29 provided: "(3) In relation to the jurisdiction of > the Crown Court, other than its jurisdiction in matters > relating to trial on indictment, the High Court shall have all > such jurisdiction to make orders of mandamus, prohibition > or certiorari as the High Court possesses in relation to the > jurisdiction of an inferior court." > > The purpose of section 29(3), as explained in In re > Smalley ([1985] AC 622, 642-643), was that to allow > "judicial review of any decision affecting the conduct of a > trial on indictment, whether given in the course of the trial > or by way of pre-trial directions ... might ... seriously > delay the trial..." > > His Lordship said that the plain language of the subsection > was only apt to exclude the High Court's jurisdiction in > respect of orders directed to and affecting the crown > court's exercise of its jurisdiction in matters relating to trial > on indictment. > > However, Mr Pannick had argued that if section 29(3) > was not applicable, the matter was covered by a common > law principle which limited the High Court's exercise of > discretion to entertain judicial review proceedings of a > decision to prosecute. > > The starting point had to be the analogical force of the > statute which excluded the High Court's power to review > decisions of the crown court. > > The policy underlying the statute would be severely > undermined if it could be outflanked by framing the case > as a challenge to the prosecutor's decision to enforce the > law rather than as a challenge to the decision of the crown > court judge to apply the law. > > Given that reverse legal burden provisions appeared in > other legislation, the entertaining of such challenges outside > the trial and appeal process might seriously disrupt the > criminal justice system. > > The applicants were free to submit when the trial was > continued that section 16A should not be interpreted as > reversing the legal burden, but as placing only an evidential > burden on a defendant. > > His Lordship expressed no view on the likely outcome of > any such arguments, but it was not right to say that the > applicants were entirely without remedy in the criminal > process. > > There was also an implausibility at the heart of the > applicants' case. They had sought judicial review on the > ground that the DPP's consent involved an error of law. > But the DPP might sometimes not have a concluded view > of any kind. > > He might nonetheless be persuaded that, despite some > uncertainty about the law, a prosecution was justified as > being in the public interest. There could then be no > question of reviewing his decision for error of law. > > His Lordship would rule that absent dishonesty or mala > fides or an exceptional circumstance, the decision of the > DPP to consent to the prosecution of the applicants was > not amenable to judicial review. The present case fell on > the wrong side of that line. > > While the passing of the 1998 Act marked a great > advance for our criminal justice system it was vitally > important that, so far as the courts were concerned, its > application in our law should take place in an orderly > manner which recognised the desirability of all challenges > taking place in the criminal trial or on appeal. > > The effect of the judgment of the Divisional Court was to > open the door too widely to delay in the conduct of > criminal proceedings. Such satellite litigation should rarely > be permitted in our criminal justice system. > > Interpretation and compatibility of section 16A with > article 6(2) > > Given the conclusion his Lordship had arrived at it would > be wrong to express concluded views on the question > whether, as a matter of interpretation, section 16A > created a reverse legal burden and, if so, whether the > reverse legal burden was incompatible with article 6(2). > > But he regarded the issues as arguable. The effect was > that those issues were undecided and entirely open at all > levels in the criminal proceedings. > > Lord Cooke and Lord Hope delivered opinions > concurring with Lord Steyn and Lord Slynn agreed. > > LORD HOBHOUSE said that the Divisional Court > should have held that section 29(3) was applicable, either > expressly or inferentially, that judicial review was not > available and that the applicants should exercise the > remedies open to them within the criminal justice system. > > His Lordship stated that criminal statutes which in certain > circumstances partially reversed the burden of proof were > not uncommon, nor were they confined to the United > Kingdom. > > The judgments and decisions of the European Court of > Human Rights and the Commission showed that they were > not necessarily incompatible with the Convention. > > Similarly, there were clearly arguable questions as to the > breadth to be ascribed to the construction of statutes > which would be required of the courts by section 3(1). > > These were not matters which it was necessary or proper > to enter upon on the present appeal. But the position was > not as clear cut as the Divisional Court seem to have > thought. > > Solicitors: Treasury Solicitor; Birnberg & Co. > Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From Postmaster@scientia.com Mon, 01 Nov 1999 11:37:42 +0000 Date: Mon, 01 Nov 1999 11:37:42 +0000 From: System Administrator Postmaster@scientia.com Subject: The Evils of MLS (Was: Another online service misleads) At 15:26 30/10/99 +0100, David Hansen wrote: >On 30 Oct 99, at 10:05, Ross Anderson wrote: > >> Classifying information the way the civil service does - top secret, >> secret, confidential and so on - is usually a grievous error. > >It is if it is implemented in a rigid way. If common sense is used in >the implementation then it works reasonably well. The problem is that if it is an automatic retrieval system then implementing "common sense" in software is way beyond current AI technology. Security in automated system is more or less by definition "rigid". Ian From cb@fipr.org Mon, 1 Nov 1999 19:43:31 -0000 Date: Mon, 1 Nov 1999 19:43:31 -0000 From: Caspar Bowden cb@fipr.org Subject: FT 27/10/99: "Government U-turn on e-commerce bill" Financial Times, 27-Oct-1999 ] NATIONAL NEWS: Government U-turn on e-commerce bill The government is set to strip from the electronic communications bill controversial clauses giving the police powers to unscramble encoded e-mail. Instead, the measures are expected be tagged on to a Home Office bill updating existing law regulating phone tapping by the police and security services. Stephen Byers, the trade and industry secretary, is concerned that the contentious measures would overshadow the more positive elements of the bill designed to promote the development of e-commerce. Industry and the Conservatives have lobbied strongly for the latest move. Leading human rights lawyers this week argued that the powers given to law enforcement agencies could breach the European Convention on Human Rights. Alan Duncan, the Conservatives' e-commerce spokesman, said the proposed powers of intrusion were "obscene" and should not be in the electronic communications bill. "I have been demanding that this sort of provision should be totally excised from the bill and stuck into a new Interception of Communications Act if that is what they really want to do." The government has already been forced to water down the bill after lobbying from business. It dropped a proposal requiring users of encryption technology to lodge decryption keys with third parties after the industry demonstrated it was unworkable. The government had been proposing a licensing scheme for companies providing encryption services. Instead, it agreed to support an industry accreditation scheme, but reserved the right to introduce a statutory regime if this proved inadequate. The changes mean the bill is limited largely to measures giving legal status to electronic signatures. The government's e-commerce strategy also came under attack in a critical report by the Commons trade and industry select committee in August. In its response to the committee yesterday, the government agreed UK internet charges, including telephone call rates, had to fall further if e-commerce was to take off. Editorial Comment, Page 22 Procurement on web 'must rise' UK companies are lagging behind their overseas rivals in exploiting an expected Dollars 360bn (216.8bn) global boom in internet procurement, according to a survey by A T Kearney, the management consultancy, writes Carlos Grande. The report estimates that by 2001, 20 per cent of all external business supplies worldwide - some Dollars 400bn in orders - will be bought via the internet, compared with less than 2 per cent now. But it warns that over the next two years the top 100 UK businesses are planning to increase internet procurement by only 400 per cent - well below its estimated global average rise of 1,100 per cent From davidh@spidacom.co.uk Tue, 2 Nov 1999 15:34:56 -0000 Date: Tue, 2 Nov 1999 15:34:56 -0000 From: David Hansen davidh@spidacom.co.uk Subject: The Evils of MLS (Was: Another online service misleads) On 1 Nov 99, at 11:37, System Administrator wrote: > The problem is that if it is an automatic retrieval system then > implementing "common sense" in software is way beyond current AI > technology. Security in automated system is more or less by definition > "rigid". The difference between computerised and manual file retrieval is even more complex than that. For instance stealing information from somewhere else with a paper system involves walking in and taking the file, there are social protections and so on against that. With computers different means are needed to achieve the same result. Not easy; but then why should it be, that's what the implementors are being paid for:-) David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E From chl@clw.cs.man.ac.uk Tue, 2 Nov 1999 17:06:33 +0000 (GMT) Date: Tue, 2 Nov 1999 17:06:33 +0000 (GMT) From: Charles Lindsey chl@clw.cs.man.ac.uk Subject: Regina V DPP ex Parte Kebilene On Tue, 02 Nov 1999 07:23:59 +0000 Donald Ramsbottom said... > > Section 16A, as inserted, provides: "(1) A person is guilty > > of an offence if he has any article in his possession in > > circumstances giving rise to a reasonable suspicion that the ^^^^^^^^^^ > > article is in his possession for a purpose connected with > > the commission ... of acts of terrorism... > > > > "(3) It is a defence for a person charged with an offence > > under this section to prove that ... the article in question > > was not in his possession for such a purpose..." The operative word there is "reasonable". If that word had appeared in the corresponding place in the EC Bill, then we should have been arguing in a wholly different ballpark. Charles H. Lindsey ---------At Home, doing my own thing------------------------ Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From 101544.3054@compuserve.com Tue, 2 Nov 1999 12:29:12 -0500 Date: Tue, 2 Nov 1999 12:29:12 -0500 From: Rainer Fahs 101544.3054@compuserve.com Subject: The Evils and MLS Whoever has sent this message to the list, The part: is definately misleading and is judjing the book by its cover. Yes, Ross was at the conference, but he was not present when I presented my paper. What he does not seem to know, is the fact, that I have recommended to leave the Titanic (MLS) where it is and do more research to find solution= s that can be applied to contemporary environments - and the paper does in deed give some examples. B. t. w. I am the autor and it is not a DERA paper. Simon Wisman (though from DERA) is co-author. Rainer Fahs = From albert@achtung.com Tue, 2 Nov 1999 13:22:08 -0800 Date: Tue, 2 Nov 1999 13:22:08 -0800 From: Albert Yang albert@achtung.com Subject: Serpent in Feistel form My basic question was if Serpent in a Feistel form was considered. (Ross' reply to me below...) Now I ask you all, has anybody else considered Serpent in a Feistel form? I am particularly interested in the speed gain, and possible savings due to not having to invert everything as in SP-network.. Albert. "As for your question as to whether there isn't a Feistel version of Serpent, the answer is in the early (FSE98) version of our paper: we considered it, as a means of supporting 256 and 512 bit block sizes. However it didn't appear in the final submission, and the reason was that we just didn't have the time to devote to analysing it properly and providing all the reference implementations, test data and so on that would have been needed. So a Feistel Serpent is a definite possibility - some time in the future.." From schneier@counterpane.com Tue, 02 Nov 1999 08:00:43 -0600 Date: Tue, 02 Nov 1999 08:00:43 -0600 From: Bruce Schneier schneier@counterpane.com Subject: Serpent At 05:58 PM 11/1/99 -0600, you wrote: > > John Young asks: > > >[snip] > > > Twofish, and for Mars, RC6, and E2. I worry about a > > > cipher like Serpent that does not come with any > > > analysis. Either the designers didn't do any, which is > > > bad -- or they did it and are hiding it, which is worse. > > > > > > If the Serpent designers have answered this we'd appreciate > > > a pointer. Any comment here on Bruce's tough talk? > >It would be truly amazing if Bruce had said this since the Serpent AES paper >itself contains several pages of analysis. If Bruce had said 'insufficient >analysis' instead of 'any analysis' he might have had a point (although >Ross's post answers this) but if he really did say the words as given above >then I fear that he has let his bias show through in a major way. You pegged the problem exactly. And it was my fault. I wrote the words above, although you are definitely correct in what I meant to write. I didn't proofread as carefully as I should have. It's unfortunate, to make an understatement. Ross was right to be annoyed. >If these really are Bruce's words they can only mean th