Interesting People mailing list archives

IP: UK government policy announcement re cryptography


From: Dave Farber <farber () cis upenn edu>
Date: Mon, 27 Apr 1998 12:37:10 -0400

Date: Mon, 27 Apr 1998 17:35:21 +0100
To: farber () cis upenn edu
From: Brian Randell <Brian.Randell () newcastle ac uk>




Dave:


Here FYI are the sections of the text of a (long-awaited) UK government
policy statement released today that relate to cryptography. The full
document is entitled "Secure Electronic Commerce Statement", and was
submitted to parliament by Barbara Roche MP as a written answer to House of
Commons Parliamentary Question Q150.


Cheers


Brian


======


Cryptography


6.  There are, however, a number of different characteristics of
cryptography, which make it a complex issue.  These range from its benefit
to electronic commerce and privacy, as noted above, to the concerns strong
encryption raises for law enforcement.  Thus cryptography policy must take
account of the needs of the user (whether an individual or a business),
the government and the international community.   For the former, issues of
trust and confidence are paramount.  Whether the requirement is for the
integrity of data (vital in many forms of electronic commerce) or its
confidentiality (important for business and the citizen) the cryptography
mechanism needs to be robust and reliable.  Encryption keys protecting the
information must be strong enough to deter industrial espionage and
hacking.  For the Government there are also good reasons why cryptographic
services should be robust; they help to protect economic and intellectual
assets and enable new services to be delivered to the public (such as
electronic tax returns); as well as reducing IT fraud and hacking.


7.  The measures the Government plan to introduce take account of these
differing aspects of cryptography and also the responses to the
consultation process on the licensing of Trusted Third Parties initiated by
the previous Administration.  In respect of the latter, the Government has
responded to business concerns and criticisms of the previous "mandatory"
approach to licensing.   Thus, as will be explained below, the new
proposals will neither oblige service providers to obtain licences nor to
use any particular encryption products or technologies.  In addition there
is now a clear policy differentiation between digital signatures and
encryption;  another concern of industry during the consultation process.
The Department in conjunction with this Statement is publishing an
independent summary of the responses from the consultation exercise.




International Aspects


8.  In recognising the international nature of electronic commerce the
Government has, of course, been concerned that policies on encryption
should, where appropriate, be consistent with the emerging international
consensus.  The measures announced today are, therefore, fully compatible
with the OECD Guidelines on Cryptography Policy which were agreed in March
last year; and, as far as possible, consistent with the developments taking
place in UNCITRAL on electronic signatures.


9.  The Government has also been working closely with the European
Commission, especially in respect of our current tenure of the EU
Presidency, to ensure that our policy development is compatible with that
outlined in the Commission's Communication on Encryption and Electronic
Signatures released last October.   We look forward to working with the
Commission and member States on the proposed Electronic Signature Directive
which will, we believe, foster the development of a pan-European framework
for cryptography services.  In respecting these developments the Government
recognises the clear differences in approach that need to be afforded to
the development of electronic and digital signature services (for
integrity) on the one hand, and to encryption (or confidentiality)
services on the other.


10.  In our efforts to promote the use of electronic signature and
encryption services we are also working with our international colleagues
to update and streamline the export controls on encryption products.   Such
controls, we believe, need to reflect the commercial requirements for
robust and trusted encryption products whilst also taking account of
national security.






Legislation


11.  We therefore intend to introduce legislation to license those bodies
providing, or facilitating the provision of cryptography services.
Principally these will be Trusted Third Parties (the generic term for
bodies that provide one, or a variety of cryptography services to their
clients), Certification Authorities (bodies which mainly issue certificates
for electronic signatures) and Key Recovery Agents (responsible for
facilitating the "recovery" of encrypted data).  Such licensing
arrangements will be voluntary, as business has requested, although we
would hope that organisations providing services to the public will see the
benefit of adhering to a high standard, and the public confidence that this
will bring.   We intend that licensed Certification Authorities -
conforming to the procedural and technical standards which such licensing
will confer - would be in a position to offer certificates to support
electronic signatures reliable enough to be recognised as equivalent to
written signatures; an essential ingredient of secure electronic commerce.
Licensed Certification Authorities offering secure electronic signature
services will, we believe, make a significant contribution to electronic
commerce.  They will provide trust that the authentication process is
reliable (ie an owner of an electronic or digital signature certificate is
who they say they are) and consumer and business confidence that the
signature mechanism employed is robust and secure.


12.  Organisations facilitating encryption services (for example through
offering key recovery or providing key management services for
confidentiality) will also be encouraged to seek licences.  Such bodies can
offer sound business benefits to their clients.  Increasingly organisations
are recognising the necessity of being able to recover critical data, which
their staff may have encrypted, or the text of the messages they have sent
to clients.  In such circumstances the permanent loss of an encryption key
- perhaps because an employee has left - could be very damaging.  Licensed
service providers that provide encryption services will, therefore, be
required to make recovery of keys (or other information protecting the
secrecy of the information) possible through suitable storage arrangements.




13.  In developing its policy on encryption, the Government has given
serious consideration to the risk that criminals and terrorists will
exploit strong encryption techniques to protect their activities from
detection by law enforcement agencies. Encryption might be used to prevent
law enforcement agencies from understanding electronic data seized as the
result of a search warrant or communications intercepted under a warrant
issued by a Secretary of State.  This would have particularly serious
implications for the fight against serious crime and terrorism.  For
example, during 1996 and 1997, lawful interception of communications played
a part - often the crucial part - in operations by police and HM Customs
which led to 1,200 arrests; the seizure of nearly 3 tonnes of Class A
drugs, and 112 tonnes of other drugs, with a combined street value of over
£600 million; the seizure of over £700 million in cash and property; and
the seizure of over 450 firearms.  During this period, around 2600
interception warrants were issued by the Home Secretary. (In line with the
practice of the Interception Commissioner, this figure relates to all
warrants issued by the Home Secretary, not just those for the Police and
Customs.)


14.  In response to these concerns, the Government intends to introduce
legislation to enable law enforcement agencies to obtain a warrant for
lawful access to information necessary to decrypt the content of
communications or stored data (in effect, the encryption key). This does
not include cryptographic keys used solely for digital signature purposes.
The new powers will apply to those holding such information (whether
licensed or not) and to users of encryption products. They will be
exercisable only when appropriate authority has been obtained (for example,
a judicial warrant for the purpose of a criminal investigation or, in the
case of interception of communications, a warrant issued by a Secretary of
State) and will be subject to strict controls and safeguards.


15. The purpose of the proposed powers is solely to maintain the
effectiveness of existing legislation in response to new technological
developments. The powers apply only to information which itself has been,
or is being, obtained under lawful authority.  The Home Office will bring
forward detailed proposals in due course.






Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell () newcastle ac uk   PHONE = +44 191 222 7923
FAX = +44 191 222 8232  URL = http://www.cs.ncl.ac.uk/~brian.randell/
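The distinction the statement draws in paragraphs 7, 12 and 14 (key recovery applies to confidentiality keys, never to keys used solely for digital signatures) is easy to get wrong in an implementation that uses one key pair for both purposes. The following Go program is an added example, not part of Brian Randell's message or of the government statement, and the statement specifies no particular mechanism; the envelope format, the hypothetical Key Recovery Agent's own X25519 key, and the use of Ed25519 for signing and X25519 plus AES-256-GCM for confidentiality are all assumptions made here. It escrows only the confidentiality private key, shows that a recovery agent can decrypt the user's stored data after the user has left, and shows that the deposit contains nothing that would let the agent produce the user's signature.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UserKeys keeps the two key pairs the statement treats differently:
// an Ed25519 signing key (never escrowed) and an X25519 confidentiality key.
type UserKeys struct {
	SignPub  ed25519.PublicKey
	SignPriv ed25519.PrivateKey
	EncPriv  *ecdh.PrivateKey
}

// Sealed is an ECIES-style envelope (a format constructed for this example):
// ephemeral X25519 public key, then nonce || AES-256-GCM ciphertext.
type Sealed struct {
	EphemeralPub []byte
	Ciphertext   []byte
}

// GenerateUserKeys creates independent signing and confidentiality key pairs.
func GenerateUserKeys() (*UserKeys, error) {
	sp, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	ek, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &UserKeys{SignPub: sp, SignPriv: sk, EncPriv: ek}, nil
}

// GenerateAgentKey produces the (hypothetical) Key Recovery Agent's X25519 key pair.
func GenerateAgentKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives an AES-256-GCM instance from an X25519 shared secret.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext to recipient. The ephemeral public key is bound as
// associated data, so swapping it makes authentication fail on Open.
func Seal(recipient *ecdh.PublicKey, plaintext []byte) (*Sealed, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(recipient)
	if err != nil { return nil, err }
	aead, err := aeadFor(shared)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	return &Sealed{EphemeralPub: ephPub, Ciphertext: aead.Seal(nonce, nonce, plaintext, ephPub)}, nil
}

// Open reverses Seal with the recipient's private key; any tampering is rejected by GCM.
func Open(recipient *ecdh.PrivateKey, s *Sealed) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.EphemeralPub)
	if err != nil { return nil, err }
	shared, err := recipient.ECDH(ephPub)
	if err != nil { return nil, err }
	aead, err := aeadFor(shared)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(s.Ciphertext) < n { return nil, errors.New("envelope too short") }
	return aead.Open(nil, s.Ciphertext[:n], s.Ciphertext[n:], s.EphemeralPub)
}

// Escrow deposits only the 32-byte confidentiality private key, sealed to the
// agent. The signing key is deliberately never part of the deposit.
func Escrow(u *UserKeys, agentPub *ecdh.PublicKey) (*Sealed, error) {
	return Seal(agentPub, u.EncPriv.Bytes())
}

// Recover rebuilds the user's confidentiality key from an escrow deposit.
func Recover(agentPriv *ecdh.PrivateKey, deposit *Sealed) (*ecdh.PrivateKey, error) {
	raw, err := Open(agentPriv, deposit)
	if err != nil { return nil, err }
	return ecdh.X25519().NewPrivateKey(raw)
}

// Sign and Verify use the separate signing key, which recovery never touches.
func (u *UserKeys) Sign(msg []byte) []byte            { return ed25519.Sign(u.SignPriv, msg) }
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

func main() {
	agent, _ := GenerateAgentKey()
	user, _ := GenerateUserKeys()
	record := []byte("constructed sample: invoice 0042, net 30") // constructed input
	stored, _ := Seal(user.EncPriv.PublicKey(), record)          // user encrypts data at rest
	deposit, _ := Escrow(user, agent.PublicKey())                 // deposited with the agent
	recovered, _ := Recover(agent, deposit)                       // employee has left; agent recovers
	plain, err := Open(recovered, stored)
	fmt.Printf("recovered plaintext: %q (err=%v)\n", plain, err)
	fmt.Println("signature still verifies:", Verify(user.SignPub, record, user.Sign(record)))
	fmt.Println("deposit is", len(deposit.Ciphertext), "bytes: encryption scalar plus GCM overhead, no signing key")
}
```

The point of keeping two key pairs is that the recovery agent, or anyone who later obtains a warrant for the deposit under the proposed powers, gains the ability to read the user's encrypted data and nothing more: they cannot produce a signature in the user's name, because the Ed25519 private key exists only on the user's side. A single RSA key used for both signing and encryption would not give that separation.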

