22 September 1997: Link to related exchange

19 September 1997
Source: Mail list ukcrypto@maillist.ox.ac.uk

To: ukcrypto@maillist.ox.ac.uk
Subject: Latest words from DTI
Date: Fri, 19 Sep 1997 14:25:29 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Yesterday I shared a platform with Nigel Hickson at Cambridge's annual 
white collar crime conference, whose theme this year was `The Globalisation 
of Crime - The Electronic Dimension' (for a copy of the programme, see


This conference typically attracts about 1,000 people from round the world
- mostly cops of some kind or another; in addition to `proper' policemen,
there are lots of prosecutors and interior ministry types. There are also
some criminal lawyers and a few technologists: there is an exhibition of
police systems, typically databases into which you can drop a country's
itemised phone bills and get out a pretty colour picture of all the
networks of contacts in which your target of investigation is involved.

Anyway, as in previous years, the escrow sessions attracted only about
60 people, and the only real policeman I spotted there was Mike Dixon, a 
local detective constable who is one of the organisers. This all goes to 
show the priority that real working policemen place on wiretapping!

I kicked off and described the bad effects that crypto policy has had 
over the years on a number of products from Sesame through alarm systems 
to DVD; I revealed that the UK patent office has been ordered by GCHQ to
use only 256 bit RSA in securing its communications with the European
patent office im Munich and with other national offices in Europe, and
pointed out that this would enable the NSA to get details of British
patents for its economic intelligence clients at the time they were filed
rather than three years later when they were published. 

I also pointed out that police communications intelligence relies on
traffic analysis rather than access to content - which would be clear to
anyone looking at the systems being demonstrated in the foyer and which
I have been pointing out for years (see `Crypto in Europe - Markets, Law
and Policy' on my web page). I quoted DI John Austen from Scotland Yard
who at a seminar in Cambridge in 1993 said that in the 12 years he had
been responsible for warrants at the Yard, communications intercepts (as
opposed to data on who had called whom) had made a difference to only
one conviction.

Jack Lang of ESI then summarised the likely business impact of the DTI 
policy (expensive and ineffectual).

Then it was Nigel's turn to speak for the UK government. The points that 
he made were:

* he denied that there had been government influence over the designers
  of car and burglar alarms (but hey - the burglar alarm supplier I had
  referred to is also a GCHQ crypto supplier)

* he didn't accept that there was little law enforcement requirement for
  access to content. He expressed surprise that a police officer would have
  said what John Austen did and claimed that statistics collected by
  Dorothy Denning showed a growing number of cases in which encryption had
  been encountered

* the outcome of the DTI consultation exercise is that business wants trust,
  and that there was not much opposition to the idea of licensing: indeed
  `most thought licensing a good thing'. The goals of licensing were trust,
  common standards and liability; the focus was on small to medium sized
  enterprises; and the vision was that a small firm on Cornwall could do
  business with a small firm in a Russian village

* the hope was to separate out digital signatures from encryption, with its
  law enforcement interest, with UK and EU legislation

* while the licensing aspects of digital signatures were easy, the law
  enforcement aspects were hard

* the responses to the DTI proposals on this `clearly stated difficulties with
  people's perception'

* he predicted a public backlash when it became known that some notorious
  crime might have been prevented had it not been for decryption

* we had better accept that `key recovery is going to be a reality whether we
  like it or not, and probably in the very near future'.

John Leach then spoke for TIS, and Alastair Kelman ended up; he remarked
inter alia that in 20 years practice at the criminal bar, doing largely
computer crime cases, he had yet to come across a case in which wiretaps
made, or could have made, a difference.

What struck me with particular force was the lack of qualification in 
Nigel's comments. At the `Scrambling for Safety' conference on May 19th 
(http://elj.warwick.ac.uk/jilt/confs/97_2cryp/), both he and his boss 
David Hendon took pains to say that the policy they were describing was 
one laid down by the previous government, and that it was open to change 
once ministers got round to considering the matter. That qualification was 
conspicuously absent this time.

So what's going on? Maybe ministers have indeed considered the matter,
and we are being softened up for a pro-spook U-turn that's already been
decided in secret. Maybe on the other hand the civil servants reckon
that they have ministers in the bag, and so the risk of Labour actually
adhering to its pre-election commitments against key escrow is now so
low that it can be safely ignored. 


Date: Fri, 19 Sep 1997 18:54:00 +0100 From: Hendon David <David.Hendon@CIID.dti.gov.uk> (Tel 0171 2151779) To: UKcrypto-outgoing@maillist.ox.ac.uk (Receipt Notification Requested) (Non Receipt Notification Requested) Subject: Re: latest words from the DTI To save a lot of speculation, I thought I would let you know what is happening at the DTI. At the moment, officials are working through what recommendations to put to Ministers in the light of the comments we received on our consultative document. The fact it is taking a long time might give a hint to you that it is not just a question of dusting off the last Government's policy and re-presenting it. We are trying to find a new policy that respects what people have told us and still meets the law enforcement policy objective. This is a challenge! And it takes time. To pick up one comment of Nigel's at Cambridge that was quoted in one of the UKcrypto postings in the thread, when Nigel said words to the effect that "Key recovery systems were coming to the UK whether we liked it or not", the "we" was "DTI", not any other readers of this group and "Key Recovery" meant products emerging in the US from the Key Recovery Alliance, not TTPs and key escrow. Or to put it another way, the remark was us recognising reality rather than a dark hint of some wicked intention. Nigel was making the point that in putting forward a UK policy, the Government had to recognise that there would be all manner of stuff in the UK market, including in particular, key recovery products. I hope this helps. David Hendon DTI
Date: Fri, 19 Sep 1997 14:48:48 -0400 From: Nigel Hickson <100633.3176@compuserve.com> Subject: Re: Latest words from DTI To: <ukcrypto@maillist.ox.ac.uk> Ross (and others) I return (from abroad) on a Friday night to these greetings! No time at present to go through all Ross's comments on what I said (many of which appear correct) but I must correct an impression he may have given with one of the quotes. When I said "key recovery is coming.........." I was simply refering to the US Administration licesning of key recovery products for use in the UK. I have, for some time, been trying to indicate the consequencies of the use of these products outside of the US. In my talk I mentioned this as the next speaker was John Leach from TIS, a leading manufacturer of such products. I was not at all referring to future UK policy, which, as I indicated, is for Ministers to decide upon. Regards Nigel PS I agree with Ross about the importance of this Conference.