Spy agencies' "key escrow" plan is dead, buried and reviled

British government and parliamentary experts have condemned the campaign for key escrow and found planned e-commerce bill of little value.

The long campaign by British and American intelligence agencies to force their own and other countries' citizens to accept "key escrow" systems for cryptographic privacy has been scathingly condemned as a disaster which has "severely damaged" the reputation of British industry.

In the last month, separate reports by British government and parliamentary experts have condemned the campaign for key escrow as a "blind alley" which would, if it had been pursued further, have isolated British business from Europe and the rest of the world. A planned new law on electronic commerce which had originally been devised in order to disguise the intelligence agencies' plans to control cryptography should be abandoned, the government has been warned.

Under the "key escrow" or "key recovery" systems still being pushed by the US government, keys to confidentiality codes have to be copied to a so-called "trusted third party". This system enables the electronic listening agencies NSA and GCHQ to access the secret codes through the third parties, and would thus let them continue their extensive surveillance of private and business communications around the world (see STOA Report).

The British reports coincide with decisions this year by the French and German governments to abandon restrictions on cryptography and with the European Commission's intention to drop all restrictions on cryptographic products sold within the EU. Taken together, the decisions mean that the campaign for compulsory key escrow systems pushed by the US government for more than seven years is now dead and buried.

According to the British Parliament's Select Committee on Trade and Industry, the result of the key escrow campaign was that "UK electronic commerce policy was for so long entrapped in the blind alley of key escrow that ... the UK's reputation...for electronic commerce is now severely damaged".

The proposals would have mandated a costly and untested technology onto an emerging market, harming the UK's prospects of being at the forefront of the electronic commerce revolution, adversely affecting UK competitiveness and disadvantaging UK firms and consumers.

British Parliament's Select Committee on Trade and Industry

The Committee reported that three successive plans from two different British governments had, in effect, been trojan horse legislation whose real purpose was "to control cryptography rather than to encourage the development of electronic commerce". The report was published last month.

Not fit to be written into law

In February, British Prime Minister Tony Blair admitted to internet businessmen that the government would have to drop key escrow. According to the MPs, this meant that what was left of the proposed new e-commerce law was of little or no value.

"Now that key escrow has been dropped by the Government, the rationale for an electronic commerce bill is open to question. We recommend that the Government think twice about the content of its forthcoming Electronic Commerce Bill", the Committee warned. If the government was to continue, they should "include in the Bill measures which will promote electronic commerce, rather than measures discarded from the previous key escrow policy which are concerned with controlling, not facilitating, electronic commerce".

The committee told the government that what was left in the Bill was so badly written and illogical that it was "not fit to be written into law. Unless [it is] improved, then the licensing system will be a damaging and embarrassing failure. We invite the Government to inform Parliament how it intends to work with electronic commerce providers and users to design more suitable criteria".

Reinforcing their view, the MPs added:

A specious argument

The main purpose of the so-called "Electronic Commerce Bill" now appears to be to introduce a law requiring anyone whose home or business is searched by the police or security officials to hand over the keys used to encrypt their stored data. Under the new law, someone who is searched by the police and found to have stored encrypted data would face imprisonment if they did not decrypt it on demand.

This new power had been requested by Britain's National Criminal Intelligence Service (NCIS) who claimed that uncontrolled encryption was a menace to public safety and to law enforcement. But when MPs asked for details of the problems the police had been facing, NCIS said that they had no statistics. It was "difficult to get an overall picture of where individual [forces] are encountering different aspects of encryption", the police intelligence agency said.

The committee told them that they would be "much more willing to help" law enforcement if they could prove that they were facing a real problem.

The government had claimed that the proposed new power to demand decryption was necessary "to protect the effectiveness of the existing interception regime". The MPs told them that this was a "specious argument". It was suspected that the new decryption law was simply a sop given to the intelligence agencies after key escrow was abandoned.

Unaccountable policy failures

According to Caspar Bowden of the Foundation for Information Policy Research (FIPR), the Parliamentary report was "a relentless castigation of squandered opportunities, loss of political control, and unaccountable policy failures in the face of near unanimous public and industry opposition."

The committtee also investigated and highlighted its concern with the ENFOPOL and ILETS interception proposals, first exposed by Telepolis six months ago (see Enfopol Papers). Britain's Internet Service Providers' Association (ISPA) told the MPs that the ENFOPOL plan "will be opposed by the ISP industry". They called for a "full public debate on the issue".

The committee told the government that it should "give authoritative clarification of the status of the Enfopol proposals and their potential implications for relevant UK service providers". According to the committee chairman Martin O'Neill MP, the ENFOPOL plans were not a "realistic proposition". The government has yet to reply.

Unworkable and damaging

As IF these criticisms were not enough, two weeks later another team of government and business experts buried key escrow plans even deeper. The second report, called "Encryption and UK Law Enforcement" was prepared by the Performance and Innovation United (PIU), a top level organisation answering directly to the Prime Minister. (Encryption and UK Law Enforcement (PDF)).

PIU also concluded that key escrow was unworkable and damaging. "Licensed providers should not be required to retain 'decryption keys' or to deposit them with third parties (i.e. no mandatory 'key escrow')", they said. To do otherwise "would significantly impair the ability of the UK to become the leading environment in the world in which to trade electronically", they said:

Nor would it do law enforcement any good. "Key escrow as a condition of licensing would not deliver to law enforcement agencies even a reasonable amount of assured access to decrypted communications".

The PIU called for co-operation between law enforcement agencies and industry bodies, "to ensure that the needs of law enforcement agencies are taken into account by the market". In particular, there should be a new "Technical Assistance Centre" to help law enforcement agencies "derive intelligence from lawfully intercepted encrypted communications and lawfully retrieved stored data".

The proposed Technical Assistance Centre would also be responsible for gaining access to decryption keys, and deciphering stored or intercepted messages. This proposal was also supported by the MPs who said that the government should set up a " law enforcement resource unit for dealing with computer crime, including encryption" (sic).

More controversially, the government report suggested that suspects who did not produce decryption keys when they were ordered to do so should have to "prove to the authorities" that the requested keys or plain text were not in this possession. The proposal was immediately criticised as being contrary to the Charter of Human Rights, which prohibits laws requiring suspects to prove their innocence instead of the state having to prove their guilt.

The critizisers are being critizised

But the PIU report also came under attack. Industry experts and academics criticised the report for claiming that there had been "remarkably little [international] co-ordination of policy on encryption matters".

According to former British government cryptographer Brian Gladman, this statement was one of a series of "deliberate and shameful lies in a document with a preface signed by the Prime Minister".

I have been so taken aback by this that I have been at a loss about how best to react to it - it is hard to know where UK citizens can turn when there is such deliberate dishonesty and lack of ethics right at the heart of government.

Brian Gladman

Gladman and his colleagues cited seven organisations through which the British government had systematically subverted the use of encryption by other governments and their companies and citizens. These were the OECD; the Wassenaar agreements; an informal G5 organisation consisting of Britain, France, Germany, Sweden and the Netherlands; multilateral negotiations led by the US "Ambassador for cryptography"David Aaron; the European industry group ETSI; the EU Senior Officers Group on Information Security; and the EU Cryptography Working Group.

Gladman's concerns about the infiltration of the two EU groups were confirmed by sources in Brussels. It was believed that a senior GCHQ official who had been attached to the Commission for five years was a "British spy" whose job had been to impede the development of effective cryptographic security in Europe as much as possible.

The British government claim that international policy on cryptography was unco-ordinated was "barefaced lies", said Mr Gladman. "There is no other word [for it]."