Interesting People mailing list archives
IP: UK government policy announcement re cryptography
From: Dave Farber <farber () cis upenn edu>
Date: Mon, 27 Apr 1998 12:37:10 -0400
Date: Mon, 27 Apr 1998 17:35:21 +0100
To: farber () cis upenn edu
From: Brian Randell <Brian.Randell () newcastle ac uk>

Dave:

Here FYI are the sections of the text of a (long-awaited) UK government policy statement released today that relate to cryptography. The full document is entitled "Secure Electronic Commerce Statement", and was submitted to parliament by Barbara Roche MP as a written answer to House of Commons Parliamentary Question Q150.

Cheers

Brian

======

Cryptography

6. There are, however, a number of different characteristics of cryptography, which make it a complex issue. These range from its benefit to electronic commerce and privacy, as noted above, to the concerns strong encryption raises for law enforcement. Thus cryptography policy must take account of the needs of the user (whether an individual or a business), the government and the international community. For the former, issues of trust and confidence are paramount. Whether the requirement is for the integrity of data (vital in many forms of electronic commerce) or its confidentiality (important for business and the citizen) the cryptography mechanism needs to be robust and reliable. Encryption keys protecting the information must be strong enough to deter industrial espionage and hacking. For the Government there are also good reasons why cryptographic services should be robust; they help to protect economic and intellectual assets and enable new services to be delivered to the public (such as electronic tax returns); as well as reducing IT fraud and hacking.

7. The measures the Government plan to introduce take account of these differing aspects of cryptography and also the responses to the consultation process on the licensing of Trusted Third Parties initiated by the previous Administration. In respect of the latter, the Government has responded to business concerns and criticisms of the previous "mandatory" approach to licensing. Thus, as will be explained below, the new proposals will neither oblige service providers to obtain licences nor to use any particular encryption products or technologies. In addition there is now a clear policy differentiation between digital signatures and encryption; another concern of industry during the consultation process. The Department in conjunction with this Statement is publishing an independent summary of the responses from the consultation exercise.

International Aspects

8. In recognising the international nature of electronic commerce the Government has, of course, been concerned that policies on encryption should, where appropriate, be consistent with the emerging international consensus. The measures announced today are, therefore, fully compatible with the OECD Guidelines on Cryptography Policy which were agreed in March last year; and, as far as possible, consistent with the developments taking place in UNCITRAL on electronic signatures.

9. The Government has also been working closely with the European Commission, especially in respect of our current tenure of the EU Presidency, to ensure that our policy development is compatible with that outlined in the Commission's Communication on Encryption and Electronic Signatures released last October. We look forward to working with the Commission and member States on the proposed Electronic Signature Directive which will, we believe, foster the development of a pan-European framework for cryptography services. In respecting these developments the Government recognises the clear differences in approach that need to be afforded to the development of electronic and digital signature services (for integrity) on the one hand, and to encryption (or confidentiality) services on the other.

10. In our efforts to promote the use of electronic signature and encryption services we are also working with our international colleagues to update and streamline the export controls on encryption products. Such controls, we believe, need to reflect the commercial requirements for robust and trusted encryption products whilst also taking account of national security.

Legislation

11. We therefore intend to introduce legislation to license those bodies providing, or facilitating the provision of cryptography services. Principally these will be Trusted Third Parties (the generic term for bodies that provide one, or a variety of cryptography services to their clients), Certification Authorities (bodies which mainly issue certificates for electronic signatures) and Key Recovery Agents (responsible for facilitating the "recovery" of encrypted data). Such licensing arrangements will be voluntary, as business has requested, although we would hope that organisations providing services to the public will see the benefit of adhering to a high standard, and the public confidence that this will bring. We intend that licensed Certification Authorities - conforming to the procedural and technical standards which such licensing will confer - would be in a position to offer certificates to support electronic signatures reliable enough to be recognised as equivalent to written signatures; an essential ingredient of secure electronic commerce. Licensed Certification Authorities offering secure electronic signature services will, we believe, make a significant contribution to electronic commerce. They will provide trust that the authentication process is reliable (ie an owner of an electronic or digital signature certificate is who they say they are) and consumer and business confidence that the signature mechanism employed is robust and secure.

12. Organisations facilitating encryption services (for example through offering key recovery or providing key management services for confidentiality) will also be encouraged to seek licences. Such bodies can offer sound business benefits to their clients. Increasingly organisations are recognising the necessity of being able to recover critical data, which their staff may have encrypted, or the text of the messages they have sent to clients. In such circumstances the permanent loss of an encryption key - perhaps because an employee has left - could be very damaging. Licensed service providers that provide encryption services will, therefore, be required to make recovery of keys (or other information protecting the secrecy of the information) possible through suitable storage arrangements.

13. In developing its policy on encryption, the Government has given serious consideration to the risk that criminals and terrorists will exploit strong encryption techniques to protect their activities from detection by law enforcement agencies. Encryption might be used to prevent law enforcement agencies from understanding electronic data seized as the result of a search warrant or communications intercepted under a warrant issued by a Secretary of State. This would have particularly serious implications for the fight against serious crime and terrorism. For example, during 1996 and 1997, lawful interception of communications played a part - often the crucial part - in operations by police and HM Customs which led to 1,200 arrests; the seizure of nearly 3 tonnes of Class A drugs, and 112 tonnes of other drugs, with a combined street value of over £600 million; the seizure of over £700 million in cash and property; and the seizure of over 450 firearms. During this period, around 2600 interception warrants were issued by the Home Secretary. (In line with the practice of the Interception Commissioner, this figure relates to all warrants issued by the Home Secretary, not just those for the Police and Customs.)

14. In response to these concerns, the Government intends to introduce legislation to enable law enforcement agencies to obtain a warrant for lawful access to information necessary to decrypt the content of communications or stored data (in effect, the encryption key). This does not include cryptographic keys used solely for digital signature purposes. The new powers will apply to those holding such information (whether licensed or not) and to users of encryption products. They will be exercisable only when appropriate authority has been obtained (for example, a judicial warrant for the purpose of a criminal investigation or, in the case of interception of communications, a warrant issued by a Secretary of State) and will be subject to strict controls and safeguards.

15. The purpose of the proposed powers is solely to maintain the effectiveness of existing legislation in response to new technological developments. The powers apply only to information which itself has been, or is being, obtained under lawful authority. The Home Office will bring forward detailed proposals in due course.

Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK
EMAIL = Brian.Randell () newcastle ac uk
PHONE = +44 191 222 7923
FAX = +44 191 222 8232
URL = http://www.cs.ncl.ac.uk/~brian.randell/