Select Committee on Trade and Industry Seventh Report


  VIII LAW ENFORCEMENT

80. The Government has stated that "a number of recent investigations into a variety of serious criminal offences in the UK have been hampered by the discovery that material which might otherwise assist the investigation, or be used in evidence, has been encrypted".[252] The National Criminal Intelligence Service (NCIS) cited the recent Operation Cathedral, an investigation into a global paedophile ring, as an example of the difficulties caused to law enforcement agencies by criminals' use of the internet and encryption.[253] Several witnesses contended that such examples were few and far between, had generally not prevented prosecutions being successfully pursued and were, therefore, not sufficient to require legislative remedy.[254] NCIS warned us that "this generation of criminals is not as computer literate as we anticipate the next generation to be"; that, in future, encryption facilities would increasingly be standard components of computer hardware rather than sophisticated software packages; and that, consequently, encryption would gradually undermine law enforcement agencies' abilities to deal with serious crime.[255] We are persuaded that encryption will increasingly be a source of advantage to criminals with which law enforcement agencies are, at present, inadequately prepared to deal.

81. During their oral evidence before the Committee we pressed NCIS not just for anecdotal evidence of individual cases in which encryption had posed law enforcement agencies with problems, but for statistics about the incidence of encryption on stored material seized by law enforcement agencies and in relation to intercepted data traffic in the UK. NCIS told us that, because of the fragmentary nature of law enforcement in the UK, "it is difficult to get an overall picture of where individual [forces] are encountering different aspects of encryption".[256] We suggest that those organisations involved in electronic commerce will be much more willing to help the law enforcement agencies if there are reliable means to assess the extent of the problems posed by encryption, and that there would be advantage in Parliament having a fuller picture of the perceived threat.

82. The Government has put forward a number of proposals aimed at extending law enforcement agencies' capabilities to deal with encryption. These are:[257]

  • encouraging the deployment of key escrow and key recovery technologies
  • updating existing statutory powers to take account of the widespread use of encryption
  • working with industry and others to find ways of mitigating the effects of the use of encryption by criminals.

Key Escrow and Key Recovery

  83. The previous Administration's policy on cryptographic services proposed a licensing criterion on TSPs that they retain a copy of users' private encryption keys which could be made available in a timely fashion to law enforcement agencies when appropriate authorisation was provided. The mandatory nature of the licensing regime thus made key escrow a condition of the various attractive services TSPs could offer, particularly the certification of electronic signatures.[258] Customers could have evaded this policy by choosing to use foreign TSPs. The previous Government anticipated this by suggesting the development of an international key escrow regime, based on existing arrangements for cooperation between law enforcement agencies or new bilateral agreements.[259]

84. The previous Government's policy was thus conditional upon other countries, particularly major trading partners in Europe and the US, implementing key escrow policies in step with the UK. The 1997 consultation document reported that key escrow policies were in place in the US and France, that a European Commission initiative was likely in the near future, and that various international fora, not least the OECD, were examining cryptographic policy.[260] Over the last two years, however, there has been a worldwide retreat from support for key escrow. The Clinton administration has abandoned its proposals for mandatory key escrow (the Clipper Chip initiative) and focussed instead on incentives to promote the development of key escrow and key recovery products by industry, primarily through changes to export controls.[261] The French Government announced on 19 January 1999 a "fundamental change of direction" on cryptography policy which included an end to mandatory key escrow.[262] Several other states have examined key escrow and decided against implementing it.[263] The European Commission has run a European Trusted Services programme,[264] one aim of which was to examine the practicalities of key escrow and key recovery, but has not yet sought to bring forward a draft directive in this area.[265] The OECD Guidelines on Cryptography Policy, drawn up in 1997, state that "national cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data" but that users should be free to use any cryptographic product they wish and that the development of cryptography should be market led.[266]

85. Key escrow and key recovery have been almost universally opposed by businesses, cryptographic experts and academics and civil liberties groups both in evidence to us and in their representations to the Government.[267] The technical practicalities of key escrow systems and the cost of developing and operating such facilities have been questioned. Mr. Thomas of APACS, drawing on his experience of a French key recovery system, warned of the difficulties of testing such systems and of the costs associated with the trained personnel needed to operate them. He told us that "the additional cost of building key recovery into...one small system was about £40,000" with further costs anticipated for setting up the key recovery service and operating it thereafter.[268] Dr. Gladman of Cyber-Rights and Cyber-Liberties (UK) thought that individual key escrow facilities would cost "hundreds of millions of pounds" to build.[269] The cost of implementing key escrow or key recovery throughout the US has been estimated at $10 billion.[270] DTI's 1997 and 1998 key escrow proposals appear to have been based on an assumption that industry would bear costs arising from the implementation of this policy.[271]

86. Critics of key escrow have also focussed on the civil liberties and privacy aspects of the policy. There has been a perception that key escrow, especially if compulsory, would give law enforcement agencies the ability to intercept and monitor citizens' and firms' communications to an unacceptable degree.[272] Several witnesses called for key escrow and key recovery only to be allowed under judicial warrant, rather than by application to the executive.[273] Cyber-Rights and Cyber-Liberties (UK) commented that "privacy was not one of [DTI's] prime concerns" and warned that key escrow might contravene the provisions of the Human Rights Act 1998.[274] The Data Protection Registrar expressed concern at the possibility that covert key escrow would lead to a private key being compromised without the owner ever realising. She has suggested that law enforcement agencies receive plain text rather than a private key in that situation.[275] A connected issue concerns liability for instances where a private key is compromised, including in connection with law enforcement access, which DTI considered at length in its 1997 consultation document.[276]

87. A further range of issues was raised in connection with the likely reaction of criminals to the implementation of a key escrow policy. Witnesses were sceptical about the chances of criminals entrusting their private encryption keys to organisations with a statutory duty to hand keys over to the law enforcement agencies on demand, particularly if TTPs which were not required to cooperate with law enforcement agencies existed in the UK or abroad.[277] NCIS argued that even a voluntary licensing scheme with key escrow would be used by some criminals, many of whom are "lazy, greedy and make mistakes", and drew an analogy with criminals' use of the telephone network, even though it is common knowledge that telephones can be tapped.[278] Mr. Bohm of Cyber-Rights and Cyber-Liberties (UK) argued that it was conceivable that some criminals might mistakenly use a TTP involved with key escrow, but such instances would be "very marginal". He disputed the possibility of "greedy, lazy criminals going out of their way to use expensive systems for the purpose of giving law enforcement a benefit when they have a cheap, easy system available to them everywhere".[279] Rather than be used by criminals, Dr. Anderson warned that TTPs would be attractive targets for criminal activity. He told us that "if you force all TTPs to have a common mechanism for access to private keys then that is of course the mechanism that criminals will attack...insofar as you centralise all the keys and the access to the keys in one place you create a horrendous vulnerability".[280]

88. Finally, witnesses warned of the impact a mandatory or voluntary key escrow system could have on the competitiveness of the UK economy. Some questioned whether a market for TTPs existed and argued that, if Government provided incentives to use TTPs, then firms would be faced with cost burdens which would have a detrimental impact on their economic performance.[281] Dr. Gladman argued that "there are perfectly adequate two-party solutions to secrecy" which firms might prefer to implement, if left to themselves to decide, without turning to a third party.[282] ICL cautioned that key escrow might deter investment by firms in the UK.[283] It was suggested that, if key escrow was introduced in the UK, then firms would turn to foreign TSPs for their cryptographic requirements.[284] Several witnesses mentioned the positive benefits that encryption might bring to firms, including countering crime such as fraud and suggested that the Government should promote the use of strong encryption by firms, and the development of UK encryption products, rather than continually emphasise the potential negative effects of widespread use of encryption.[285]

89. In the light of these developments, the Government announced in March 1999 that it would consult "on the basis that the licensing scheme will not impose the requirement that TSPs providing confidentiality services should have to provide for law enforcement access to keys" by key escrow or key recovery.[286] Despite this statement, the Government also declared that it "remains keen to promote key escrow and third party key recovery technologies".[287] We asked the Government to clarify how they proposed to promote key escrow and key recovery technologies and were told that "some form of key back-up/key recovery...can offer definite benefits to both businesses and members of the public...the Department will therefore highlight these benefits during the passage of the Bill and as part of its ongoing work to spread awareness of best practice in information security".[288] The law enforcement community proposed other means by which key escrow and key recovery could be promoted by Government. Sussex Police suggested that the licensing criteria for TSPs could be helpful in the promotion of key escrow and key recovery.[289] NCIS thought that one way to encourage the take-up of key recovery technologies would be to "highlight the requirements on directors of companies for their liability for the actions of their employees. This could be done through the regulations governing financial services, consumer legislation, data protection etc".[290]

90. The previous Government's key escrow proposals would have mandated a costly and untested technology onto an emerging market, harming the UK's prospects of being at the forefront of the electronic commerce revolution, adversely affecting UK competitiveness and disadvantaging UK firms and consumers, in order to achieve what we judge to be rather limited law enforcement benefits. The present Government's 1998 policy was little better. Voluntary key escrow would have affected criminals even less than a mandatory scheme, while still hindering firms and consumers intending to engage in electronic commerce. By dropping key escrow as a licensing condition for TSPs, the DTI's third attempt to formulate an acceptable cryptography policy is a marked improvement on its predecessors. We are disappointed, however, that the Government should still hold a candle for key escrow and key recovery. If these technologies are likely to be of benefit to firms and consumers, perhaps because of the need to store vital private keys or to facilitate law enforcement access to decrypted data, then the market will provide for them.[291] We can foresee no benefits arising from Government promotion of key escrow or key recovery technologies.

Changes to Legislation

  91. The Government has proposed legislative changes to take account of the exploitation of encryption by criminals. These are:

  • "a power to require any person, upon service of a written notice, to produce specified material in a comprehensible form or to disclose relevant material necessary for that purpose".[292] This power is intended to update the Police and Criminal Evidence Act 1984 which facilitates the seizure by the police of material held in computerised form.[293] The Government is considering related changes to the law in Scotland and Northern Ireland[294]
  • two new offences relating to the new power. An "offence of failure to comply with the terms of a written notice without reasonable excuse" and an "offence of 'tipping off' an individual about the existence of an authorisation by the Secretary of State allowing lawful access to an encryption key".[295] NCIS argued that the former offence should be arrestable, primarily to allow for a power to search to result from it[296]
  • a review of the Interception of Communications Act 1985, including to take account of "profound changes in the technology of electronic communications" since the measure was passed[297].

  92. The new power to produce material in a comprehensible form is intended to apply to data found both during a police search and seize operation and by the interception of communications. Notice to decrypt is intended only to be served when the material has been collected lawfully and only by the authority which decreed the initial collection. Notice to decrypt data collected by the interception of a communication can only be served by the Home Secretary, therefore, while the decryption of data found during a police search can be authorised by judicial warrant, or, in some cases, a senior police officer.[298] Written notice can be served on a TSP, whether licensed or not, a suspect, or any other party holding relevant keys. The notice can specify whether a private key is required to be disclosed, or simply the decrypted text of a document or communication. The Government has stated that the new power "will not impose any requirement on anyone to retain copies of private encryption keys".[299]

93. The proposed legislation will "contain strong safeguards protecting the security and privacy of encryption keys obtained under written notice", similar to section 6 of the Interception of Communications Act 1985, as well as a Code of Practice on the exercise of the new power.[300] The destruction of decrypted material obtained under written notice after its retention is no longer necessary will be a statutory requirement. The current interceptions' regime will also provide the role model for a Commissioner and Tribunal to oversee the issuance of written notices by the Home Secretary, to investigate complaints and award compensation.[301] Current procedures in relation to search warrants and production orders will be extended in the case of written notices served on authorities other than the Home Secretary.[302]

94. Witnesses and respondents to the Government's consultation exercise raised a number of practical questions about the effectiveness of the proposed new power to combat criminal use of encryption. Mr. Bohm of Cyber-Rights and Cyber-Liberties (UK) thought it "perfectly reasonable to have the power" but described it as "not a very effective solution" because it could prove simple for the organisation or individual to whom written notice to decrypt data was served to claim that the relevant private key had not been stored, or that a password had been forgotten.[303] In cases where a request to decrypt material was ignored without a good excuse being provided, the penalty associated with this offence would be unlikely to be commensurate with the crime under investigation - paedophilic abuse, for instance.[304] Numerous means by which criminals could adapt their use of encryption to evade the proposed power were cited, including use of steganography,[305] the use of hidden or encrypted partitions on a disk drive or posting encrypted or coded messages on newsgroups, thus obscuring from whom the communication originated.[306]

95. Other aspects of the implications of the proposed power and the procedures by which it would be exercised were queried. The Government's statement that requesting a private key or decrypted data from a suspect would not constitute self-incrimination was disputed by several respondents.[307] It was argued by some that the Home Secretary should always approve the request to decrypt material and by others that the request should always be made by judicial warrant.[308] The British Medical Association warned that the power might provide "access to information far in excess of that which is necessary to perform their functions" and the Government heard from other organisations concerned that some privileged material should be exempted from being decrypted by law enforcement agencies.[309] A number of witnesses and respondents to the Government, including NCIS, emphasised the importance that it be a requirement for plain text or decryption keys to be destroyed once an investigation was completed.[310] There was also support for a requirement that the subjects of covert investigation be informed that the plain text of their communications or their private keys had been intercepted by law enforcement agencies, otherwise safeguards such as the Tribunal would be irrelevant.[311] Concerns were expressed about the effect use of the new power might have on firms whose operations were international.[312] Finally, it was hoped that the Government would make clear in law that it did not wish to facilitate access to private keys used solely for authentication purposes.[313]

96. A point made frequently to the Government about the proposed new power was that it allowed either plain text or decryption keys to be requested by law enforcement agencies. Many respondents insisted that, because the ultimate aim of the law enforcement agencies was to see the plain text of encrypted communications, the power should require the production of plain text but not decryption keys or the production of decryption keys only as a last resort.[314] One difficulty with this approach in relation to stored data is that, if plain text is to be admitted as evidence in court, then it must be clearly linked with the encrypted communication and only the decryption key may provide a conclusive link.[315] Some respondents suggested that the right to demand a decryption key should be solely linked to the need for such verification.[316] This difficulty does not yet apply to intercepted traffic, which cannot be admitted in evidence, but the law enforcement agencies reminded us of their need for timely access to decrypted data.[317]

97. Some witnesses and respondents questioned whether the police needed a new power to deal with encryption.[318] Skygate Technology told the Government that a police search would often turn up a private key along with encrypted data, permitting access to the relevant decrypted data. They also argued that, during court proceedings, private keys or decrypted data could be ordered before the court by means of a subpoena.[319] Cyber-Rights and Cyber-Liberties (UK) thought that a refusal to decrypt material could lead a judge to draw adverse inferences, under sections 34-7 of the Criminal Justice and Public Order Act 1994 or even the Prevention of Terrorism (Temporary Provisions) Act 1989.[320] ICL recommended that the Government review and amend existing laws to take account of the growth of encryption rather than create a new power.[321] The Law Society told the Government that "access to material in a comprehensible form is already required in existing legislation...there is therefore no need for the Consultation Document to cover this issue".[322] Skygate were not alone in observing that, although encryption might provide law enforcement agencies with difficulties, other recent technological developments, such as the increasing use of closed circuit television, had assisted law enforcement and, thus, "there is probably an approximate balance".[323]

98. The proposed new power may not prove a powerful means of acquiring decrypted material from criminal suspects. It would seem possible for a suspect to evade decryption lawfully simply by claiming that a private key was lost; the penalty for a wilful refusal to decrypt would be likely to be modest.[324] Nevertheless, we can envisage situations in which the new power will be of benefit to law enforcement. Written notice to provide encryption keys or plain text could be served profitably on telecommunications operators, internet service providers and TSPs, particularly to assist covert surveillance.[325] The power would let industry develop the best means of helping law enforcement agencies, without mandating specific technological solutions. The Minister told us that the question of how data carriers could respond to requests to provide private keys or clear data, when requested, was "one of the things the Cabinet Office task force is looking at".[326] We think that the proposed new power to require decrypted data or private encryption keys to be provided when appropriately authorised will be a useful addition to the armoury of the law enforcement agencies. We recommend that the Government quickly clarify the situations in which it thinks this power will be likely to prove most helpful. In particular, Parliament should be given an indication of the criteria which will be used to decide against whom written notices for the provision of information will be served and whether it is proposed that the request should be for a private key or decrypted data.

99. The CBI expressed concern to us about the tipping-off offence proposed by the Government.[327] They told us that several encryption products automatically change keys if a stored private key is released, to a law enforcement agency for instance. The change of keys might itself constitute an offence under the new legislation, even though it would occur without the specific instruction (or even knowledge) of the user.[328] DTI told us that this was another example of the "kind of technology that is creating difficulties for the law enforcement authorities" but that "we certainly would not want it to be the case that someone got into trouble because this automatic software tipping-off had taken place".[329] It is important that the new tipping-off offence is worded in such a way as to avoid the sorts of instances described by the CBI becoming illegal.

100. A number of other legislative changes which could be made to deal with criminals' use of encryption include:[330]

  • amendment of part III of the Police Act 1997 to permit the deployment of a listening device to overhear telephone conversations in cases where this would be the only means available for law enforcement agencies to understand an encrypted communication[331]
  • making it an offence to use encryption to facilitate commission of a criminal offence. Legislation has been proposed in the US to achieve this aim.[332] Such measures do not help law enforcement agencies deal with encrypted material when they come across it, but instead can add to the sentences criminals may receive once convicted of having committed an offence
  • a new power to enable law enforcement agencies, under warrant, to hack into criminals' computer systems, as proposed by Australia's recent Walsh Report into policy relating to encryption technologies.[333] There would clearly be significant civil liberties implications associated with such a power.

101. Another set of legislative changes is associated with up-dating the law enforcement agencies' interception capabilities. The Interception of Communications Act 1985 was passed prior to the commercial development of the internet and electronic mail, the emergence of internet service providers, and changes in the telecommunications market, including a considerable increase in the number of telecommunications firms and the deployment of new technologies such as mobile telephony and ISDN. A number of changes could be envisaged to the 1985 Act to reflect these developments, which could be made in conjunction with the implementation of the new power to request decryption of material, including intercepted communications.[334] Although the Home Secretary announced that the review of the 1985 Act had commenced in September 1998, neither details of the terms of reference of the review nor the options for change under consideration were known at the time of the Government's consultation exercise on "Building Confidence in Electronic Commerce".[335] The Government told us that its proposed new power to demand decryption was necessary "to protect the effectiveness of the existing interception regime", but we consider this a specious argument considering that a major review of that regime is "imperative" and "underway".[336] It is entirely unacceptable that the Government should announce a major review of the Interception of Communications Act 1985 and then fail to publish any further details of the review for over eight months, especially when the consultation exercise on building confidence in electronic commerce explicitly refers to the Act and the review. We recommend that the Government set out the options for change to the interceptions regime, and how they relate to the forthcoming Electronic Commerce Bill, before the Bill is debated by Parliament.

102. The EU Council of Ministers passed a resolution on 17 January 1995 setting out requirements of law enforcement agencies relating to the lawful interception of communications.[337] These requirements relate to the information and assistance law enforcement agencies would wish to have in relation to interceptions and primarily relate to telecommunications service providers. The 1995 Council resolution does not take account of the development of new technologies, such as satellite and internet communications. A draft Council resolution, known as Enfopol 98, extending the requirements set out in the 1995 resolution to these technologies, was made public during 1998 and was the subject of some adverse press comment.[338] We asked a number of witnesses about the Enfopol proposals and discovered some confusion about their status and potential implications.[339] The Internet Service Providers' Association, referring to reports about the Enfopol proposals, raised significant concerns about the cost and privacy implications of extending the interception requirements of the law enforcement agencies to internet service providers. They said such measures "will be opposed by the ISP industry" and that there was a need for a "full public debate on the issue".[340] The Government's explanatory memorandum on the Enfopol proposals noted that Council resolutions are not legally binding; that the 1995 resolution had not been incorporated into UK law; and that, although "the Government is sympathetic to the main purpose of the [Enfopol] resolution...there is no statutory basis in the UK for the Government (if it wished to do so) to apply these requirements to Internet Service Providers or to providers of satellite telecommunications services".[341] We recommend that the Government give authoritative clarification of the status of the Enfopol proposals and their potential implications for relevant UK service providers.

Partnership Approach

  103. The third strand of the Government's proposals to help law enforcement agencies deal with encryption is "a partnership with industry to identify ways of meeting law enforcement requirements while promoting the growth of electronic commerce".[342] Those requirements are primarily for timely access to information about the communications between criminals and corporate organisations - for instance, banks - as well as decryption of stored data "in accordance with best practice on computer forensic evidence".[343] The new partnership approach reflects a growing awareness that there is no one single answer (such as key escrow) to the problems posed to law enforcement agencies by encryption and that a range of partial solutions must be devised.[344] Following the publication of the Government's consultation document, a Cabinet Office task force was set up, with private sector input, to examine how firms could best meet the requirements of the law enforcement agencies.[345]

104. DTI emphasised in their oral evidence to us the extent to which they had been "very open indeed" in consulting widely with the private sector on cryptographic issues for many months.[346] Computer Weekly, however, in their submission to us, noted "a serious lack of communication and effective dialogue between the various parties: industry, law enforcement agencies, government departments" which had delayed the development of policy on cryptography.[347] APACS told the Government that "little effort had been made to utilise the security expertise available within the banking industry".[348] The Federation of the Electronics Industry gave us details of their recent contacts with Government, including several offers to place the services of their member companies' experts at the request of Government.[349] Several other organisations emphasised the extent to which they would be willing to assist Government satisfy the needs of law enforcement, including by providing lists of priority areas for cooperation.[350]

105. If, after three years of considering its policy on cryptography, the Government should announce the need for a partnership with industry, then that would suggest failure in the past to create such a partnership. We consider that the fault for failing to create such a partnership lies not with industry, which would appear to have been ready and willing to help, but with Government. Although DTI has been willing to listen to what industry and others have had to say about cryptography, we have gained the impression that they have not, until recently, taken much notice of what has been said to them. From now on, we expect the Government to work with all interested parties to devise a cryptography policy which is best for the UK as a whole, rather than one which is geared towards satisfying law enforcement concerns at the expense of Britain's economic competitiveness.

106. The Cabinet Office task force, which embodies the Government's new partnership approach, is expected to deal with the operation of the new power to request decryption as well as other issues, some of which may not be reflected in the forthcoming Bill.[351] Its membership and precise remit are unpublished. It is not yet clear whether the task force will continue after the Bill has been published, or whether a new standing body will replace it. Parliament has a legitimate interest in the task force's remit, membership and length of service. It would be helpful to know, for instance, whether consumers are represented on it.[352] We recommend that the Government keep Parliament informed of the remit and membership of the Cabinet Office task force dealing with law enforcement aspects of electronic commerce and of any body established in its place.

107. The new power proposed by Government and the output of the new partnership approach between Government, industry and law enforcement agencies might not prove sufficient to tackle the problems caused to the law enforcement agencies by encryption in future. Although the Minister told us that "key escrow may well not be the right way forward" it has clearly not been dismissed by the Government altogether.[353] NCIS recommend to the Government that the forthcoming Electronic Commerce Bill "could also include provision to permit the Secretary of State to introduce mandatory data recovery features through secondary legislation if the promised cooperation does not bear fruit".[354] If the Government consider it necessary in future to introduce key escrow, key recovery or a related requirement on TSPs then we recommend that they do so only after stating precisely the reasons why such a change would be necessary as part of a full public consultation exercise. Powers should not be taken in the forthcoming Bill to permit the introduction of key escrow or related requirements at a later date.

108. The law enforcement agencies established a working group with the internet service providers (ISPs) in 1997 in order to more effectively intercept communications carried across the ISPs' networks.[355] The working group was necessitated by the inadequacy of the Interception of Communications Act 1985 to deal with communications other than over public telephone networks, referred to above. Law enforcement agencies can use sections 18 and 19 of the Police and Criminal Evidence Act 1984 and section 28 of the Data Protection Act 1984 to request information from the ISPs, but neither piece of legislation was intended for that purpose and neither offers the safeguards against abuse of the 1985 Act.[356] NCIS assured us that every effort was made to ensure that the police did not abuse their powers to request information from ISPs but that reform might be appropriate.[357] There have been numerous press articles on the secretive nature of the ISPs' cooperation with the law enforcement agencies, suggesting that the civil liberties of e-mail users are at threat.[358] Nevertheless, we agree with the Internet Service Providers' Association that the relationship established between ISPs and the police represents a "mature and responsible" reaction by the industry to the legitimate needs of the law enforcement agencies.[359] We suggest that the experience of the relationship between ISPs and the law enforcement agencies underlines the need for openness and transparency in the new partnership between industry and Government on law enforcement aspects of encryption, so as to avoid confidence in electronic commerce being undermined.

Police Resources

109. A frequent comment from witnesses, particularly those who disputed the need for legislation to assist law enforcement agencies deal with encryption, was that the police needed more resources, including skilled personnel to tackle computer crime.[360] The Internet Service Providers' Association commented that they had "experienced very variable levels of knowledge when discussing crime, such as hacking, with local police forces" and would "prefer that a central specialist and knowledgeable team be set up".[361] Dr. Anderson commended a US proposal for a "network centre" which would be "a body of 50 or 100 technical experts linked with the FBI which would help the police break into computer systems when necessary".[362] ICL recommend to Government the establishment of a new Forensic Cryptography Unit.[363]

110. We questioned NCIS and HM Customs and Excise closely about the resources available to them at present to deal with computer crime. They argued that the potential redundancy of their interceptions capability was a more significant problem at present than constraints created by a lack of resources.[364] Nevertheless, NCIS argued in their submission to Government that more resources were required to deal with encryption, including to establish a decryption facility separate from that provided by GCHQ.[365] Their comments were endorsed by a number of police forces.[366] NCIS did admit to us that no mechanism exists for automatically notifying a discovery of encryption by a local police force, or other law enforcement agency, in the UK.[367] Mr. Abbott, Director General of NCIS, agreed with us that "it is very important we have a single national focal point" for the fight against computer crime.[368] We were disappointed at the extent to which law enforcement agencies and different police forces appear to share relevant information. We see merit in NCIS being notified whenever a local law enforcement agency encounters encryption during the course of a criminal investigation. We also recommend that the Government consider the establishment of a law enforcement resource unit for dealing with computer crime, including encryption.


252   Consultation 99 para 49; Q522; various police forces reported specific examples in their responses to Government - for instance, Cheshire Constabulary and Lincolnshire Police

253   Q315; Ev, pp183-4 paragraphs 11-12; Consultation 99 paragraph 50; "Encryption and Evolving Technologies as Tools of Organised Crime", D. E. Denning and W. E. Baugh junior, US National Strategy Information Center's Working Group on Organised Crime, 15 May 97, on the internet at www.cs.georgetown.edu/denning/crypto/oc-abs.html; also responses to Government from British Computer Society p8, Durham Constabulary, Avon and Somerset Constabulary and several other police forces

254   For instance, Qq264, 463, 498, 500-1; Ev, p165, p183 paragraph 11, p251 paragraph 3.3; responses to Government from Liberty p2, Justice paragraphs 11-14, Dr. B. Gladman pp5-6

255   Qq 313, 320, 361; also responses to Government from various police forces and from Vodafone paragraph 32 on embedded encryption; ICL [first submission - alternatives to key escrow p1], in their response to Government, warned of the dangers of overstating criminals' computer expertise

256   Qq321, 324, 328, 330-5; and see paragraph 110

257   Consultation 99, paragraph 51

258   See paragraph 51 and footnote 136; see Consultation 97 paragraph 42

259   See paragraphs 20, 27, 32 and Consultation 97, Annex B

260   Consultation 97, paragraph 27

261   See Ev, p165; Bowden, C. and Akdeniz, Y., "Cryptography and Democracy: Dilemmas of Freedom" in Liberty eds., Liberating Cyberspace: Civil Liberties, Human Rights, and the Internet, 1999, pp81-125, on the internet at www.fipr.org/publications/cryptfree.pdf

262   See paragraph 24

263   For instance Australia - Walsh Report paragraph 1.2.1; Canada - see footnote 53; Denmark - Report by the Expert Committee on Cryptography, Apr 97, Summary paragraph 4; Ireland - Department of Public Enterprise Press Notice 24 Jun 98

264   See internet site www.cordis.lu/infosec/src/ets.htm

265   Com(97)503 esp III 2.3, 3; IV 2, annex IV

266   Document OCDE/GD(97)204; on the internet at www.oecd.org/dsti/sti/it/secur/prod/GD97-204.htm

267   For a comprehensive assessment of the objections to key escrow and related techniques see The Risks of Key Recovery, Key Escrow, Trusted Third Party and Encryption, H. Abelson et al, 1998, on the internet at www.cdt.org/crypto/risks98

268   Qq29-5; also on cost Ev, p9 appendix 3 section 2, p81 paragraph 1.3, p109, p153 section 2, p216; and see response to Government from Hewlett Packard (second submission) p2

269   Q502

270   Q294; and see Qq26-7, 429; Ev, p81 paragraph 1.4; and response to Government from ICL (first submission) Appendix A

271   Qq343-4

272   Ev, p9 annex 3 section 2, p216, pp231-2, p251 paragraph 4.6; and see Bowden, C. and Akdeniz, Y., "Cryptography and Democracy: Dilemmas of Freedom" in Liberty eds., Liberating Cyberspace: Civil Liberties, Human Rights, and the Internet (1999), pp81-125, on the internet at www.fipr.org/publications/cryptfree.pdf

273   See footnote 208

274   Q496; Ev, p182 paragraph 5; and response to Government from Justice paragraph 5

275   Ev, p173 paragraph 19; response by the Data Protection Registrar to Consultation 97, paragraph 3.6, on the internet at www.open.gov.uk/dpr/ttpfinal.htm; and see paragraph 96

276   Consultation 97, paragraphs 86-93; and see paragraph 96

277   Ev, p9 annex 3 section 2, p216, pp231-2 and response to Government from ICL (first submission - the alternative to key escrow p1)

278   Qq339, 363-5

279   Q501; Ev, p236, p250 paragraph 3.1

280   Qq456-7, 502; Ev, pp109, 229, 231-2, p241 paragraph 3.4.2, p250 paragraphs 2.4, 3.2

281   Ev, p220 paragraph 21, p251 paragraph 4.7

282   Q502

283   Ev, p100 paragraph 2.2.1, p251 paragraph 4.4; also responses to Government from ICL (1st submission) Appendix A, Hewlett Packard (second submission) p2

284   Ev, p153 section 2, p251 paragraph 4.5, p260

285   Q499; Ev, p164, p239 paragraph 2.4; responses to Government from IBM p1, British Telecommunications p4, London Stock Exchange p2, Alliance for Electronic Business paragraph 4.6, Staffordshire Police p1; for a practical example see Guardian, 21 Jan 99, Online section p5

286   Consultation 99 paragraph 82

287   Consultation 99 paragraphs 81-2; also Q540; and see paragraph 107

288   Ev, p327 question 1

289   Response to Government from Sussex Police; and also from Cheshire Constabulary

290   Response to Government from NCIS paragraph 25

291   Some organisations in their responses to Government, for instance APACS p14, doubted whether firms would see merit in storing private keys with third parties; others, including Visa p6, thought such storage might prove popular. Also see Ev, p240 paragraph 3.8, p241 paragraph 3.2.3, p325 paragraph 4.3.4(b)

292   Consultation 99, paragraph 64

293   Consultation 99, paragraphs 59-62; sections 19-20, Police and Criminal Evidence Act 1984 - see Qq345, 355

294   Consultation 99, paragraph 71; see response to Government from Royal Ulster Constabulary on this point

295   Consultation 99, paragraph 77; also response to Government from AOL Compuserve p5 which bemoaned the lack of debate on these new offences

296   Response to Government from NCIS paragraph 10, Wiltshire Constabulary

297   Consultation 99, paragraph 57; and HC Deb 2 Sep 98 c749

298   Consultation 99, paragraphs 65-67; response to Government from NCIS paragraph 14

299   Consultation 99, paragraph 68-9

300   Responses to Government from Piers Buckley of BBC Online warned that the Code of Practice may not be legally binding; Liberty, pp2,4, commented on the lack of detail as to what constituted the safeguards; also see responses from David Goodenough Associates, CACIB p5, Reuters p4

301   Response to Government from Justice paragraph 4 questioned these proposals

302   Consultation 99, paragraphs 73-6

303   Q510; "session" keys might not be routinely stored in any circumstances anyway, see paragraph 16

304   Consultation 99, paragraph 77; the responses to Government from Royal Ulster Constabulary p3 and Greater Manchester Police p1 argued that the sentences available under the proposed new power should be commensurate with the sentences applicable to the offences under investigation

305   Steganography is an obsolete sixteenth-century term for "secret writing", which is now used to refer to the art of writing or inserting a secret message within an otherwise innocent communication

306   Response to Government from P. Johnson pp5-8

307   Consultation 99, paragraph 70; responses to Government from Herald Information Systems section 10.ii, Richard Hill, Demon Internet and Scottish Power section 8, Dr. B. Gladman p6, de Montfort p9

308   Response to Government from C. Clack argued in favour of Home Secretary approving all decryptions; Qq465, 482, 496, 505; Ev, p172 paragraph 18, p252 paragraph 5.3; also see responses to Government from PriceWaterhouseCoopers p9, CommerceNet UK p12, Law Society section IV.2, Liberty pp3,4, QWMC paragraph 4.4, MacRoberts p24, Society of Justices' Clerks p2, Burkhard Kloss, FIPR p6

309   Responses to Government from British Medical Association, Barclays p6, Law Society section IV.2, Liberty p3, Charles Waudby, Newspaper Society, Magistrates' Association

310   Responses to Government from NCIS paragraph 16, David Vinograd; and see response from Baltimore paragraph 3.1.3; the response from Consumer Communications for England envisaged circumstances where material would be required to be returned intact, paragraph 13

311   Ev, p252 paragraph 5.5; response to Government from Mr. Beckley BBC Online, CACIB p6, CommerceNet UK p12, Liberty paragraph 4 and pp3, 5, Roger Haxby

312   Eg Response to Government from Merrill Lynch Mercury Asset Management

313   Consultation 99, paragraph 68; response to Government from C. Clack

314   Q482; Ev, p173 paragraph 19, p219 paragraph 20, p303; Responses to Government from Barclays p6, BBA p4, LIBA p4, British Telecommunications paragraph 34, NatWest p4, Vodafone paragraphs 3, 27, Dr. B. Gladman p6, Alliance and Leicester p3, CACIB p4, Liberty paragraph 4, Charles Lindsey paragraph 2.3, David Vinograd

315   Response to Government from Herald Information Systems section 10.iii; and see response from Vodafone paragraph 31

316   Eg response to Government from Demon Internet and Scottish Power section 8

317   Eg Qq314, 329, 346, 351

318   Eg response to Government from Zeneca p5, de Montfort p5, Burkhard Kloss p1, David Herson, Neil Barrett p5

319   Response to Government from Skygate Technology p4

320   Qq503-4; Ev, p185 paragraph 18; responses to Government from Skygate Technology p5, British Medical Association; NCIS paragraph 12, Wiltshire Constabulary and the Royal Ulster Constabulary pp3-4 argued that the possibility of an inference being drawn should become law, perhaps by amendment to the Criminal Justice and Public Order Act 1994

321   Response to Government from ICL (1st submission - alternatives to key escrow p3)

322   Response to Government from the Law Society section IV.2, referring to paragraphs 5 (a) and (b) of the Police and Criminal Evidence Act 1984

323   Response to Government from Skygate Technology p5

324   See footnote 304

325   See response to Government from Post Office paragraph 7.3

326   Q553

327   See paragraph 91 above

328   Qq63-4; Ev, p27 paragraph 7, p38 section C, p153 section 2, p158 annex 1 paragraphs 3.1-3.2; also response to Government from EEMA p2, Post Office paragraph 7.12, Alliance for Electronic Business paragraph 4.7, Hewlett Packard (main submission) p10; CACIB p5 argued against the offence being introduced

329   Q559

330   See also response to Government from SAP(UK)Ltd paragraph 3.5.6

331   Response to Government from NCIS, paragraph 7

332   Q511; on the US Safety and Freedom through Encryption Act, see responses to Government from Justice paragraph 21, and also from Hewlett Packard (full submission) p2

333   Walsh Report paragraph 6.2.22, footnote 52 for reference

334   Qq480, 506-7, 517; Ev, pp81-2 paragraph 2.1, p172 paragraph 18, pp185-6; responses to Government from Justice paragraph 6, British Telecommunications paragraph 39, Law Society section IV.2, CACIB p5

335   HC Deb, 2 Sep 98, c749

336   Ev, p328 question 2; and see responses to Government from Liberty paragraph 2, Justice paragraph 4, ABI paragraph 3.14; and also from Demon Internet/Scottish Power section 8, Vodafone paragraph 29

337   EU Official Journal, No. C329, 04/11/1996 P. 0001-0006; also located on the internet at www.europa.eu.int/eur-lex/en/lit/dat/1996/en_496Y1104_01.html

338   Copies of Enfopol 98 and its first revision were deposited with the House of Commons European Scrutiny Committee on 14 December 1998; a second revised version was deposited with the Committee on 8 February 1999; for latest progress see European Scrutiny Committee, Seventeenth Report, 1998-99, HC34-xvii; press articles include Observer, 6 Dec 98, p8, Computing, 10 Dec 98 and 17 Dec 98

339   Qq206, 356, 450

340   Q206; Ev, pp293-4 question 3; and see responses to Government from Justice paragraphs 7-8, AOL Compuserve pp4-5, UUNet p5

341   Explanatory Memorandum on Justice and Home Affairs Matters, "Interception of Telecommunications - draft Council resolution on new technologies", submitted by the Home Office to the House of Commons European Scrutiny Committee, 8 February 1999, European Scrutiny Committee, Eleventh Report, Session 1998/99, HC 34-xi

342   Consultation Document, paragraph 84

343   Consultation Document, paragraphs 85-90

344   Ev, pp37-8 section B; see responses to Government from ICL (first submission) p2, IBM p1

345   Q545

346   Q522, 525, 540, 543; see Q337 for NCIS' comments on partnership with industry in this field; and also Home Office Press Notice 450/98, Cybercrime Crackdown, 12 Nov 98

347   Ev, pp257-8 paragraphs 3.8, 5.3; and response to Government from IMIS p7

348   Response to Government from APACS; also see Qq65, 428

349   Ev, p66 section 5, pp290-1; also Qq141, 149-52

350   Ev, pp37-8 section B, p110, p258 paragraph 5.2, p260, p288; see responses to Government from IMIS p7, APACS pp11-15, Barclays p7, CBI p1, Alliance for Electronic Business paragraph 1.7, SAP (UK) Ltd paragraph 3.5.4, Energis paragraph 2.6, Corporation of London p3, Intel p4

351   Q545

352   The response to Government from Computer Weekly stated that "we remain disturbed by the lack of representation for users on the Task Force", p1

353   Q540

354   Responses to Government from NCIS, paragraph 22, and also from various police forces, particularly Durham Constabulary; but see comments to Government by Computer Weekly p2

355   Qq202, 353; Ev, pp81-2 paragraph 2.1, pp186-7 paragraphs 24-5, 33; and see internet site www.cyber-rights.org/privacy/Watchman-iii.htm

356   Q357

357   Qq354, 355; 204; Ev, p186 paragraph 23

358   Computing 30 Sep 98, 7 Oct 98, 19 Oct 98

359   Q202

360   Qq207, 447-8, 498, 500

361   Q207; Ev, p81 paragraph 1.4; response to Government from IMIS p7

362   Q451; also Q56, Ev, p165

363   Response to Government from ICL (1st submission - alternative to key escrow pp2-3)

364   Q329; and response to Government from Dr. Ross Anderson

365   Qq319, 371-2

366   Including responses to Government from West Mercia, Powys and Wiltshire constabularies and the Metropolitan Police, as well as responses by Dr. B. Gladman p2 and Computer Weekly pp5-6; also calls for better police training, including from Staffordshire and Avon and Somerset Constabularies

367   See paragraph 81; and Q387

368   Q335


 

© Parliamentary copyright 1999
Prepared 18 May 1999