24 July 1999


Thanks to CB.

FOUNDATION FOR INFORMATION POLICY RESEARCH
==========================================
News Release - Friday 23rd July 1999
Published Bill available at http://www.dti.gov.uk/cii/elec/ecbill.html

Contact: 	Caspar Bowden - Director of FIPR
		0171 354 2333
		cb@fipr.org

ELECTRONIC COMMUNICATIONS BILL WILL HARM UK INDUSTRY,
HOLD BACK GROWTH OF ECOMMERCE, UNDERMINE CONSUMER PROTECTION,
AND VIOLATE EUROPEAN CONVENTION ON HUMAN RIGHTS

Since the early 1990s, civil service policy advice to Conservative and
Labour Ministers has advocated draconian legislation restricting the use of
encryption on the Internet. The Conservatives proposed compulsory licensing
of encryption in Government, but recanted in opposition. Labour opposed
controls in Opposition, but now propose "decryption notices" which overturn
basic principles of human rights and civil liberties.

Today the Government published an Electronic Communications Bill that will
give ministers broad powers to control the use of encryption in electronic
commerce. Although some of the more objectionable aspects of previous
proposals have been dropped from primary legislation, the bill gives
ministers the power to introduce them later as regulations.

Caspar Bowden (Director of FIPR) said:
	"Electronic businesses can trade from anywhere in the world. Threatening a
mountain of red tape will cause e-business to move to places with a more
supportive climate such as Ireland or Canada."
	"The Home Office argues that being asked to produce a decryption key is
like being asked to provide a DNA sample. But innocent people might lose a
key to stored data, or never know the key to data that is e-mailed to them -
and unless the court is convinced, it means jail"

Overwhelmed by resistance from industry and users, the government has been
forced to abandon a succession of elaborate but futile frameworks for
regulation, wasting three years in which UK e-commerce could have
established a world lead.

Big Bureaucracy
---------------
Compulsory licensing with mandatory key escrow subsequently became
"voluntary" licensing linked to key escrow, and now the terminology has
metamorphosed again into a "register of approved providers". Despite a
fiercely critical Trade and Industry Select Committee report, the DTI has
ignored the spirit of their findings and appears still to want to keep open
options for strict regulation. Six pages of impenetrably worded legislation
could see the return of key escrow through secondary powers which would
allow the Secretary of State to make escrow a condition of approval.

Businesses, already deterred by vacillation and delay, will have little idea
of what to expect until the regulations are eventually published. Different
regulations can be published by different departments, no timescales are set
out, and businesses will face constant debilitating uncertainty about
whether electronic products and services may in future face much stricter
regulation.

FIPR wishes to see cast-iron curbs on secondary powers which could require
(or coerce) without further primary legislation: (a) operation of key escrow
by approved providers, (b) linkage of weight or validity of signatures to
being an approved provider, (c) use of approved provider of certificates or
encryption for dealings with Government.

Big Brother
-----------
There are also serious civil liberties concerns. The bill will give police
the power to demand decryption keys from anyone they suspect of possessing
them, and failure to hand keys over can lead to a two year jail sentence.
The defence will be presumed guilty of withholding a key unless they can
prove otherwise (a likely contravention of the European Convention on Human
Rights), and decryption notices will be secret, so it will be impossible to
complain effectively if they are used in an oppressive way.

Handing over a decryption key used for years on end would give the police
access to very much more information than they need. Decryption notices can
also be served on innocent correspondents of a suspected person, with an
indefinite obligation not to change keys and maintain secrecy.

FIPR believes that criminals should not be able to hide behind encryption, but
the way in which the government intends to deal with this is completely
unsatisfactory and infringes basic human rights.

To obtain power to serve a decryption notice FIPR suggests that the
authorities should establish to a judge with reliable evidence that the:
- data in question contains a hidden or encrypted message
- person on whom the notice is served possesses a key
- data contains evidence of, or would assist in pursuit or detection of, a
serious criminal offence

Decryption Notices and Human Rights
===================================

- penalty of two years imprisonment for non-compliance
- can be served on a person who "appears" to have a key - there is no
requirement for any evidence to support this
- discretion to demand either keys or decrypted data - access to keys
destroys privacy of all past messages
- can be used to obtain private keys from innocent associates or
professional legal advisers of suspected persons
- do not even have to specify what encrypted data has to be decrypted - can
ask for any and all keys
- apply not just to data seized or intercepted under warrant, but also to
anything lawfully obtained without a warrant (including published or public
domain material)
- allow methods of incriminating innocent persons in ways against which it
will be impossible to defend reliably
- will deter Cryptography Service Providers who might operate key recovery
(which could assist law enforcement) from doing so, by exposing them to strict
criminal penalties if (for some reason) they are unable to comply.

*) No presumption of innocence : burden of proof on defence to show they DO
NOT have a key
- how is it logically possible to PROVE non-possession of key?
- asking for a decryption key is not like asking for a DNA sample - innocent
people lose keys, or might never know the key to data that is e-mailed to
them

*) "Tipping-off" condition - actually an indefinite obligation of secrecy of
excessive width
- can impose an indefinite obligation of secrecy on suspects, associates or
legitimate third-parties
- prevents innocent associates from complaining publicly, with a penalty of
five years imprisonment
- could actually be used against suspects themselves (prevent from
"tipping-off" themselves!)
- with a penalty of five years imprisonment.

*) Safeguards?
- Complainant's only recourse is to a Tribunal, which can hold proceedings in
their absence
- Tribunal need not disclose reasons for decisions, and operates special
rules on burden of proof and admissibility of evidence - no "equality of
arms" between the prosecution and the defence.
- a Commissioner to "keep under review" exercise of powers
- abuse of powers breaching the Code of Practice would not "of itself"
create any criminal offence
- duty on authorities with access to keys to maintain only such safeguards
"as considered necessary"

Could key escrow return under secondary powers?
===============================================
The Trade and Industry Select Committee commented in their report:
(115): "A number of respondents ... advocated that statutory instruments should
be ratified by affirmative resolution ... we have been critical in the past of
Government's reliance on regulations which escape effective parliamentary
scrutiny."
(107): "Powers should not be taken in the forthcoming Bill to permit the
introduction of key escrow or related requirements at a later date".

Part I:  Register of Approved Cryptography Service Providers
------
Secondary powers
- could compel key-escrow/recovery as a condition for approval as a
Registered Cryptography Service Provider

Part II: Admissibility of E-Signatures and Powers to Amend Legislation
-------
Secondary powers
- could prescribe use of a Registered Provider for citizens or businesses to
deal electronically with Government.
- could be ratified by affirmative or negative resolution at the discretion of the
government

QUOTES:
=======
The Director of the Foundation, Caspar Bowden, said:

"Civil servants have tried for years to get industry to buy into their
proposals for regulating electronic commerce. It's time they realised that
this is not going to happen, and that the world has moved on. Things are
very different now from what they were in 1996 when these ideas were first
floated"

"A signature is valid at present if you intended to make it. The government
is taking powers which could discriminate in favour of signatures certified
by organisations joining their approvals scheme. So in future if you
complain to your bank and say `I never signed that!' they could be able to
say: `tough luck, it's an approved signature - you're liable'. When frauds
start happening, the customer will be blamed"

"Electronic commerce is being seriously harmed by the attempt to tie
electronic snooping provisions in with this Bill. The proper place for
snooping regulations is in the new Interception of Communications Act.
Making wiretapping a condition of the licensing of electronic commerce will
just undermine confidence and drive business away."

Notes for editors
-----------------
1. FIPR is an independent non-profit organisation that studies the
interaction between information technology and society, with special
reference to the Internet; we do not (directly or indirectly) represent the
interests of any trade-group. Our goal is to identify technical developments
with significant social impact, commission research into public policy
alternatives, and promote public understanding and dialogue between
technologists and policy-makers in the UK and Europe. The Board of Trustees
and Advisory Council (http://www.fipr.org/trac.html) comprise some of the
leading experts in the UK.

2.  Chronology
--------------
10 Jun 1996     DTI paper on "regulatory intent concerning use of encryption on
                open networks".

17 Mar 1997     DTI Consultation "Licensing of Trusted Third Parties for the
                Provision of Encryption Services"

27 Apr 1998     DTI "Secure Electronic Commerce Statement"

19 Oct 1998     DTI Consultation paper postponed

24 Nov 1998     Queen's Speech announces "Electronic Commerce Bill" this
                Parliamentary session

3 Dec 1998      Trade and Industry Select Committee announces inquiry into
                E-Commerce

19 Jan 1999     France abandons key escrow

4 Mar 1999      PIU study announced at No.10 meeting for industry leaders,
                key-escrow "not the answer"

5 Mar 1999      DTI Consultation "Building Confidence In Electronic Commerce"

23 Mar 1999     "Scrambling for Safety III" conference: first public discussion
                of encryption policy by Home Office

1 Apr 1999      26 day response period of DTI Consultation ends: FIPR
                accumulates submissions on website

19 May 1999     T&I Sel.Ctee Report "Building Confidence In Electronic Commerce:
                The Government's Proposals"

26 May 1999     Cabinet Office Performance and Innovation Unit Report,
                "Encryption and Law Enforcement"

22 Jun 1999     Home Office Consultation "Interception of Communications in the
                United Kingdom"

8 Jul 1999      Conservatives refuse to allow introduction of Bill under
                "carry-over" procedure this session

23 Jul 1999     Draft "Electronic Communications Bill" published

3. References
-------------
Cryptography and Democracy: Dilemmas of Freedom, a paper by Caspar Bowden,
and Yaman Akdeniz, in Liberty eds., Liberating Cyberspace: Civil Liberties,
Human Rights, and the Internet, London: Pluto Press, 1999, 81-125 -

http://www.fipr.org/publications/cryptfree.pdf

"Regulatory intent concerning use of encryption on open networks", DTI
Jun 1996 - http://www.dti.gov.uk/cii/ENCRYPT/regpap1.htm

"Building Confidence In Electronic Commerce: The Government's Proposals",
Trade and Industry Select Committee Report May 1999 -

http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind/187/18702.htm

"Encryption and Law Enforcement", Performance and Innovation Unit Report,
Cabinet Office, May 1999 -

http://www.cabinet-office.gov.uk/innovation/1999/encryption/index.htm

"Building Confidence In Electronic Commerce", DTI Consultation, March
1999 - http://www.dti.gov.uk/cii/elec/elec_com.html

"Interception of Communications in the United Kingdom", Home Office
Consultation June 1999 - http://www.homeoffice.gov.uk/oicd/ioca.pdf

"Licensing of Trusted Third Parties for the Provision of Encryption
Services",  DTI Consultation March 1997

"Secure Electronic Commerce", DTI Statement April 1998 -

http://www.dti.gov.uk/cii/c8/ana27p.htm

STAND Website http://www.stand.org.uk/

-- ends --

