Dutch government puts Trusted Third Parties under pressure
Intelligence agencies and police want to get access to encrypted messages
Dutch law enforcement authorities are forcing Trusted Third Parties (TTP's) to use key escrow or key recovery techniques, which make it possible for law enforcement to decrypt encrypted messages. The law enforcement authorities want to get access to encrypted Internet messages, according to secret documents revealed by the Dutch digital rights movement Bits of Freedom.
Trusted Third Parties (TTP's) are independent organisations, which offer services to enhance the security and reliability of electronic communication. TTP's, for instance banks, accountants, telecommunication companies or public notaries, use cryptography to prove the authenticity of communication and secure the confidentiality of communication.
The Dutch Ministries of Traffic and Waterways and Economical Affairs started in 1998 the national TTP project to regulate in co-operation with industry the founding of TTP's. In a policy paper of March 1999 the Ministries pointed at the need of 'lawful access' and announced that, if voluntary agreements on this subject were not possible, the government would introduce legislation that would force them to do so.
"If industry does not want to cooperate in an active way in the development of the possibility of lawful access, the government will consider legislative initiatives to fulfil the need of lawful access." (From a document obtained by BOF)
In a secret policy paper (January 2001) of the 'Technical Working Group Lawful Access', which is part of the National TTP Project, an analysis is made of the needs of intelligence services and law enforcement and the different forms of TTP's. According to the document, law enforcement and intelligence services want to get access to the communication in 'clear language'. They don't want to get hold of the encryption keys, unless 'it is the only way to get access to encrypted communication'. The agencies also want to listen in to encrypted communication in real-time. Access has to be possible without the co-operation or knowledge of the user.
The Technical Working Party then analyses different forms of TTP architectures and concludes that only two types will make lawful access possible: when a TTP has a copy of the encryption key, or when the TTP is technically able to use key recovery. This is, according to the working party, a problem: 'The question that has to be answered is if it is desirable that forms of TTP's will exist that cannot fulfil the demands of the intelligence services and law enforcement.' In the minutes of the co-ordinating committee of the National TTP Project of March 2001, the question is formulated more strongly:
'According to the law, TTP's which do not posses encryption keys, are not obliged to co-operate. But the aim is to prevent TTP's from claiming this position, by making it an obligation to organise their services in a way that makes lawful access possible.'
The coordinating committee recognises that TTP's have problems with providing lawful access. It is doubtful if TTP's are willing to give lawful access, as companies and consumers will have little faith in their services if they know the TTP is able to read their communications and deliver it to government. Companies have already indicated that the founding of a good TTP infrastructure in the Netherlands is not possible if Dutch TTP's are forced to give lawful access, while other TTP's don't have this obligation. Clients will take a foreign TTP.
But the Technical Working Party decided to recommend nevertheless that TTP's must choose architecture, which make lawful access possible. It is called 'obligatory self regulation'. They also recommend making a study on the economic impact of this solution. If the study makes clear the obligation to give lawful access is economically not feasible, it may change the decision.
The companies, which are involved in the National TTP Project, were not amused. 'What is the use of this exercise, if the technical working group has already decided that lawful access is one of the criteria TTP's have to fullfilll to get their certification,' a member of the telco KPN asked according to the minutes.
But a representative of the Ministry of Economic Affairs assured that it is still possible to change the recommendations. 'If the study shows that Dutch consumers will choose foreign TTP's as a result of this, the proposed recommendation is no longer effective.' He adds that there is a huge clash of interest between the different ministries involved.
Dutch government tried for several years to regulate the use of cryptography. Proposals to forbid cryptography, regulate the use of cryptography or force suspects to decrypt their encrypted data all were withdrawn after huge protest. This seems to be another attempt of the intelligence services and law enforcement to get grip on the use of encryption.
After publishing the secret documents, Bits of Freedom was treathened by the National TTP Project with a lawsuit. Reason: Bits of Freedom infringed the copyright of the documents and the minutes. The TTP Project also threatened to close down the website of Bits of Freedom. Bits of Freedom wasn't impressed by the threats and told the National TTP Project they were more than happy to meet in court. After that, the threats were withdrawn.