26 March 1998


Date: Thu, 26 Mar 1998 05:28:24 -0500
From: John R T Brazier <Prunesquallor@compuserve.com>
Subject: Computing Article: Banks & Keys Recovery
To: <ukcrypto@maillist.ox.ac.uk>

Dear All,

26th March Issue of Computing (computingnet.co.uk), lead article below. Also
on the front page the Post Office is starting up as a digital signature
certifier.

Cheers,

John B


-----------------------------------------
Banks slam snoops

Major users split over government's attempt to regulate cyberspace 

Europe's banks have rejected a controversial key recovery encryption scheme
on the eve of an expected government announcement imposing the policy on
the UK, writes Dan Sabbagh.

Computing has learned that the European Committee on Banking Standards
(ECBS) - a powerful consortium of financial institutions - has filed a
submission with the European Commission arguing against key recovery. The
committee's stance is backed by the UK's banks, which are represented by
industry body APACS.

It is understood that the submission, which will not be made public, says
that many European banks are 'fundamentally opposed' to the introduction of
statutory regulations for key recovery in Europe. Financiers, it maintains,
'cannot see any benefit for European banks and their customers'.

Key recovery schemes require individuals and companies that use encryption
to deposit a copy of their encryption keys with a 'trusted third party'.
These keys are then made available to law enforcement agencies, on
production of a warrant, allowing them access to encrypted private
transmissions.

The Department of Trade and Industry is thought to be close to unveiling a
key recovery scheme for UK encryption users in the face of opposition from
civil liberties campaigners and a growing number of corporates, including
Microsoft.

The ECBS' argument has been broadly endorsed by NatWest. Tim Jones,
managing director of retail banking services at NatWest, said: 'Key
recovery is a brutal and expensive way to achieve law enforcement.' 

Jones said that he believed there were simpler ways to allow access to
encrypted data. He added that, in his opinion, medium-strength encryption -
64-bit DES - should not necessitate key recovery because codes could be
cracked 'with a couple of Crays and a following wind'.

Steve Thomas, head of security at APACS, outlined the objections of
Europe's banks. 'If key recovery is so good for business, as its supporters
argue, then we don't need a statutory framework to introduce it. Giving up
any keys to a third party must reduce the security of any system,' he said.