New encryption legislation coming down the pike in the United Kingdom calls for the voluntary licensing of entities that supply data security products and carves out room for law enforcement to get the keys that unscramble private communication.
The United Kingdom's Department of Trade & Industry proposal released today aims to foster e-commerce by promoting the use of encryption, which is expected to bolster consumer confidence in the security of their online transactions.
But similar to a policy being developed in the United States, the British plan would institute a voluntary encryption key-recovery system in which licensed authorities could help retrieve lost keys for corporations and citizens or for law enforcement officials during an investigation.
However, it is unclear what specific incentives the British government will give for instituting key recovery. Governments pushing such plans seem to be dangling the hope that they will relax--or remove--export controls on strong encryption if a critical mass of companies support voluntary key recovery. As reported earlier, Americans for Computer Privacy is working on draft legislation that would encourage voluntary key recovery but would overturn a federal mandate for such systems in exported products.
"Licensed service providers that provide encryption services will, therefore, be required to make recovery of keys or other information protecting the secrecy of the information possible through suitable storage arrangements," Barbara Roche, undersecretary of state at the Department of Trade and Industry, stated in a letter to Parliament.
"The government intends to introduce legislation to enable law enforcement agencies to obtain a warrant for lawful access to information necessary to decrypt the content of communications or stored data, in effect the encryption key," she added. "They will be exercisable only when appropriate authority has been obtained--for example, a judicial warrant for the purpose of a criminal investigation or, in the case of interception of communications, a warrant issued by a Secretary of State--and will be subject to strict controls and safeguards."
Although some U.S. companies favor voluntary key recovery systems, on the whole the crypto industry here objects to government mandates--which now are tied to export rules--on the grounds that they hinder its ability to compete with global manufacturers that face no export controls.
Along with privacy advocates, the private sector is hankering to overturn the Clinton administration's current policy, which requires the licensing of strong encryption export products and mandates that companies submit proof of their plans to build key-recovery features into their products after next year. Even high officials within the administration are now admitting that the policy isn't working.
White House advisers are overseeing heated negotiations to balance the requests of law enforcement with industry. Some observers say the Americans for Computer Privacy's draft bill looks a lot like the British proposal submitted today.
The move in the United Kingdom alarmed some civil liberties watchdogs here in the United States, who charge that consumers won't trust products that give law enforcement the ability to break the strong crypto codes that protect private digital discourse.
"The United States is influencing the U.K. [Department of Trade]," said Dave Banisar, legal counsel for the Electronic Privacy Information Center (EPIC). "They seem to be ignoring the problems and more than 260 public comments submitted on this issue."
In February, the Global Internet Liberty Campaign (GILC)--of which EPIC is a member--warned the British government that key storage systems are not secure.
"Inevitably, key recovery or 'trusted third party' schemes introduce vulnerabilities into cryptographic systems, creating opportunities for insider abuse and criminal attack," stated the letter to U.K. Home Secretary Jack Straw, who reportedly endorsed broad access to crypto keys for law enforcement.
"Key recovery agents will hold in centralized databases the keys to the information and communications their individual and corporate customers most value; and this key recovery infrastructure will become a highly attractive target for criminals," the GILC added. "Leading computer security experts have warned that building the secure computer communication infrastructures necessary to support government-specified key recovery is far beyond the experience and current competency of the field."
The effectiveness of key recovery was also called into question by a U.S. National Security Agency report that was leaked this month to various high-tech trade associations and civil liberties groups.
"The rogue user is interested in circumventing the [key-recovery] system so that his messages cannot be read by law enforcement or any other authority which has been granted that privilege by the key-recovery system," the report states. "Note that if the sender and receiver both collaborate to defeat key recovery, there is no technical method from preventing this. So the design threshold for a key-recovery system should take this fact into account."