27 March 1998
From: "Yaman Akdeniz" <lawya@lucs-01.novell.leeds.ac.uk> To: ukcrypto@maillist.ox.ac.uk Date: Fri, 27 Mar 1998 10:24:49 GMT0BST Subject: Police Access to Encrypted Messages - BNA Electronic Commerce an Dear All, The following piece is very interesting and mentions a secret policy paper which at least we were aware of when we released the initial warning with a Cyber-Rights & Cyber-Liberties (UK) press release which was followed by a Global Internet Liberty Campaign Statement on what has been reported in the media. Now the following BNA report mentions an anonymous UK officialtalking about this internal paper. Comments by David Hendon of DTI is also included in the coverage. Maybe David would like to explain us all about this internal policy paper which was issued to the EU ministers during the Birmingham summit. Of course we will never be able to see that internal policy paper as there are no laws on Freedom of Information in this country but soon that will change as well! All the best. Yaman --------------------------------------------------------------------- BNA Electronic Commerce and Law Report March 25, 1998. ----- Cryptography U.K. President of EU Kicks Off Debate on Police Access to Encrypted Messages BRUSSELS-The United Kingdom, in its capacity as the current holder of the European Union presidency, has prepared a policy paper calling for law enforcement authorities to have access to encrypted electronic communications under certain circumstances. The document, submitted to an EU police working group at the end of February, states that "where an encryption key is used for confidentiality purposes, it may be necessary for law enforcement agencies to have lawful access in certain circumstances. This access may need to be either overt or covert," a U.K. official told BNA, speaking on the condition of anonymity. Exactly which circumstances would require access have not been determined, said the U.K. official. The paper was drawn up after an informal meeting of EU justice and home affairs ministers at the end of January when the ministers concluded that there was a "need for possibilities of interception by law enforcement authorities." The U.K. paper is further evidence that, as in the United States, there is a split between law enforcement agencies and industryrelated government departments and industry itself over the encryption issue. The British government also argued in the policy paper that under what it calls a "backdoor key" approach, law enforcement agencies must be allowed fast access to encrypted messages in order to combat the increasingly sophisticated communications methods used by criminal organizations and terrorists, the U.K. official said. But another official, David Hendon of the U.K.'s Department of Trade and Industry, said it would be wrong to surmise that the United Kingdom is about to pursue a mandatory key escrow policy. "Of course to be 100 percent sure of getting keys, you would need to have mandatory escrow. But we don't think this is realistic or in any way attainable and so it would be wrong to make a connection that the U.K. is about to announce such a thing-which, to be clear, we are not," said Hendon. Hendon explained that the paper's reference to "overt" and "covert" does not imply a call for "back door keys." By overt, he said, "we were referring to a search warrant that is served on the owner of a PC," for example. "By covert, we were referring to encryption related to interception of realtime communications. Obviously in this case, if the suspect knows his communications are being bugged, he won't say anything that helps the investigators." This, said Hendon, is a significant point because U.K. law does not permit interceptions to be used as evidence. Rather, an interception enables evidence gathering. Covert access is also necessary in terrorism investigations because the goal there is to step the terrorist act before it occurs, he said. Rift With E Commerce Boosters. "There seems to be widespread support among the member states for the report," added the anonymous U.K. official. She also stated that some European Commission officials would like to think that the U.K. "was out on a limb with this approach," but they were wrong. Indeed, both Telecommunications Commissioner Martin Bangemann and Internal Market Commissioner Mario Monti have argued over the course of the past year that there is no need for a system where law enforcement agencies must be given a key to encryption codes. "If the current trend continues there will likely be a showdown in the EU with those in favor of promoting a single market for electronic commerce against access to encryption codes versus those who believe law enforcement agencies need to have access to encryption," said the U.K. official. As part of research compiled before presenting the report, the Netherlands conducted a survey on the status of encryption legislation and the socalled "trusted third party" concept where the keys are deposited with a neutral body. Twelve of the 15 EU member states responded and some of the results, which the U.K. presidency used in its report, were as follows: * One member state (France) has a law requiring the public or companies to surrender encryption keys to crime detection or state security services while the United Kingdom and the Netherlands require this only under certain circumstances. * In five member states (Spain, the United Kingdom Sweden, the Netherlands, and France) there is either new or revised legislation under discussion. * In four member states (the United Kingdom, Denmark, the Netherlands, and Greece) trusted third parties (TTPs) are in use. *No experience in any member state has been gained from the TTPs by crime detection and state security services. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Yaman Akdeniz <lawya@leeds.ac.uk> Cyber-Rights & Cyber-Liberties (UK) at: http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm Read CR&CL (UK) Report, 'Who Watches the Watchmen' http://www.leeds.ac.uk/law/pgs/yaman/watchmen.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~