Re: RE: GTAC to cost £25m - Home Office 27/3/2000

Brian Gladman brian.gladman at btinternet.com
Thu, 30 Mar 2000 11:33:33 +0100


From: "Roland Perry" <roland@linx.net>
To: <ukcrypto@maillist.ox.ac.uk>
Sent: Thursday, March 30, 2000 8:40 AM
Subject: Re: RE: GTAC to cost £25m - Home Office 27/3/2000


> In article <002401bf9a09$27a28a10$0100a8c0@DIRECTOR>, Caspar Bowden
> <cb@fipr.org> writes
> >"PUBLIC SECTOR FINANCIAL COST AND PUBLIC SECTOR MANPOWER EFFECTS
>
> [....]
>
> >Overall extra costs are estimated at £750,000."
>
> I've mentioned this before (see our handout at SfS for example)
>
> "Paragraph 354 of the Explanatory Notes estimates the overall Public
> Sector Financial costs arising from the Bill to be £750,000. The costs
> to Public Sector CSPs in implementing the Bill do not appear to have
> been considered."
>
> Of course, those Public Sector CSPs won't have any costs, if the SoS
> coughs up (but presumably only to the tune of £20M for all CSPs as per
> the RIA). It's cost the Americans an order of magnitude more, but they
> do have more of this kind of industry over there.
>
> No doubt there is some understanding that the financial costs of Bills
> do *not* include the money spent by Law Enforcement agencies, CPS,
> Courts, and so on. GTAC escapes by a whisker ?
> --
>             Roland Perry | tel: +44 1733 705000 | roland@linx.org
>       Regulation Officer | fax: +44 1733 353929 | http://www.linx.net/
> London Internet Exchange | mbl: +44 7050 604080 |
>

An interesting feature of the Standing Committee transcripts is the rapidity
with which several MPs have taken up the 'industry viewpoint' by saying that
'if government wants it government should pay' when the real issue is
actually 'if taxpayers want it taxpayers should pay'. I hope that people on
this list who happen to live in constituencies whose MPs are on the Standing
Committee will take a careful look at the way their MPs are prepared to
spend taxpayers' money without first asking whether the measures proposed
justify the expenditure involved.

I find the use of the term 'government' in this context objectionable
because those using the term are doing so in the knowledge that (a) they
really mean taxpayers and (b) if they said 'taxpayers' they would find it a
lot more difficult to justify what they were saying.

What we need is not a passing of the buck from industry onto taxpayers but a
recognition that neither government nor industry will pay - it is UK
citizens that will pay either in taxes or in higher access charges. What we
hence need is an alliance between industry and citizens that says 'we want
to be confident that these measures are justified before we pay for them'.

We have just seen the £25 million for GTAC and a parallel statement by Mr
Clarke that keys will 'almost never' be required.  Looking at the number of
interceptions conducted (10,000 per year?), guessing the proportion of these
where encryption is encountered (10%?) and guessing the small number where
keys will be sought (< 1%?) we get 10 keys per year. Assuming that 10% of
the initial GTAC spend is an ongoing cost of GTAC key protection and that
50% of the 'up front' GTAC costs should be spread over, say, 5 years
(equipment and infrastructure amortisation) we get a figure of £5 million for
10 keys or £500,000 per key seized. Of course this estimate may be way out
but we can see the cost per key seized seems likely to be in the £100,000 to
£1,000,000 range.

So, Simon, in your next set of answers could you please explain the sort of
keys you expect to seize where decryption notices without GAK are
insufficient and for which you believe it will be worthwhile to spend
between £100,000 and £1,000,000 of taxpayers' money to obtain the keys in
question.  I hope you will accept that taxpayers have a right to know that
their money is being spent in a sensible and fully justified way.  Please
also remember Nicholas Bohm's question - if you value the keys this much, so
will their owners and they will hence be revoked as soon as you seize them.
Any justification cannot therefore be based on the use of the key to decrypt
any future communications.

If you consider the figures I have used above to be incorrect, could
you please provide and justify some figures of your own.   Could you please
also give an indication of when we will see the GTAC proposals for key
protection published in sufficient detail to allow independent scrutiny of
their effectiveness and their cost?

Again I hope you will agree that, since it is our keys that are being
protected, we have a right to know how this is to be achieved.

In your previous statements (SFS2000 and here) you gave one example of the
sort of keys you envisage seizing:  those which are split into several
components.  I responded by pointing out that such measures are very rare
and only applied to keys of truly extreme sensitivity and significance.  The
consequences of the seizure of the components of such a split key for its
owner(s) would be very serious and could easily put them out of business
entirely.  Could you please confirm, for the benefit of the industry people
present on this list, that you do envisage the possibility of seizing such
split keys.

   Brian Gladman