Interesting People mailing list archives
IP: Stewart Baker's thoughts on British encryption policy
From: Dave Farber <farber () central cis upenn edu>
Date: Sat, 18 May 1996 18:07:08 -0400
Date: Sat, 18 May 96 15:58:27 EST From: "Stewart Baker" <sbaker () mail steptoe com> To: farber () central cis upenn edu I enclose a shortened version of my (somewhat personal) take on British encryption plans. I would welcome corrections and elaborations from more knowledgeable sources. A longer version of the piece is posted on the Steptoe "Law and the Net" page: www.us.net/~steptoe/pubtoc.htm#net According to sources within the British government, plans to implement "trusted third party" encryption services are fairly far along, although it is unlikely that any legislation would be introduced prior to the election that will occur within the next nine months. Since the polls suggest that the election will bring Labour to power for the first time in a decade and a half, it is uncertain what the Labour Government will do about the encryption issue. But, in the absence of firm policy guidance from political leaders, the permanent UK government seems to be reaching consensus on a plan to encourage but not mandate use of trusted third party encryption services. In examining their options, it appears that British policymakers have ruled out either a flat ban on the use of encryption, or an effort to license encryption products, hardware, and software, sold to the public. Similarly, the government seems uninterested in efforts to control the length of encryption keys. British authorities appear to be contemplating a trusted third party encryption system that would be given a jumpstart by tying it to a wide variety of government services and programs, such as the National Health Service. There is no plan to regulate encryption products. Mass-market software producers would be free (as at present) to offer strong over-the-counter encryption. Makers of personal computers and PC cards could apparently do the same. The British government would apparently prefer to encourage escrowed encryption by "bundling" a variety of trusted third party services together. Like other European governments, the British have seized on the observation that digital commerce requires an infrastructure of digital signatures, certification authorities, and assorted other services such as time-stamping. They evidently hope to limit this role to companies that are also prepared to offer encryption and key management services and that are prepared to provide keys to the government when presented with a warrant. Although billed as a trusted third party approach, it seems that the British government is not planning to insist that all parties escrow their keys with a third party. The plan will allow a significant amount of "self escrow," at least on the part of large companies that are willing to establish special escrow units that can be walled off from the rest of the company in the event of a criminal investigation of corporate higher-ups. I talked to British government sources about the plan and raised questions about its details. Some simply have not been worked out. The effort to create trusted third party services without regulating products is understandable. Regulating products would mean picking a fight with the large and aggressive retail software industry, as well as directly affecting purchases by individuals. It would also expose regulators to the criticism that they are regulating software sold in stores but are unable to prevent downloading of free and unescrowed encryption software from anonymous sites in Finland and the like. Nonetheless, free competition between unescrowed products and escrow services may raise problems for the government plan. The UK government will likely have to bear some of the costs of maintaining a trusted third party infrastructure, or encryption users and providers will have an incentive to avoid escrowed encryption and instead use encryption products in order to minimize costs. It is not clear how the government plans to deal with that possibility other than to note that products cannot provide up-to-date certification and other services. Even with respect to third-party services, it is not clear how the government will deal with "unbundling." Certification services probably have fewer infrastructure costs than trusted third party encryption. There may be a temptation, therefore, on the part of consumers (and service suppliers) to use (and provide) only certification rather than encryption services. It is not clear whether the British government intends to prohibit unbundling, discourage it through regulatory action, or simply hope that it doesn't happen.
Current thread:
- IP: Stewart Baker's thoughts on British encryption policy Dave Farber (May 18)