VIII LAW ENFORCEMENT
80. The Government has stated that "a number
of recent investigations into a variety of serious criminal offences
in the UK have been hampered by the discovery that material which
might otherwise assist the investigation, or be used in evidence,
has been encrypted".
The National Criminal Intelligence Service (NCIS) cited the recent
Operation Cathedral, an investigation into a global paedophile
ring, as an example of the difficulties caused to law enforcement
agencies by criminals' use of the internet and encryption.
Several witnesses contended that such examples were few and far
between, had generally not prevented prosecutions being successfully
pursued and were, therefore, not sufficient to require legislative
NCIS warned us that "this generation of criminals is not
as computer literate as we anticipate the next generation to be";
that, in future, encryption facilities would increasingly be standard
components of computer hardware rather than sophisticated software
packages; and that, consequently, encryption would gradually undermine
law enforcement agencies' abilities to deal with serious crime.
We are persuaded that encryption will increasingly be a source
of advantage to criminals with which law enforcement agencies
are, at present, inadequately prepared to deal.
81. During their oral evidence before the Committee
we pressed NCIS not just for anecdotal evidence of individual
cases in which encryption had posed law enforcement agencies with
problems, but for statistics about the incidence of encryption
on stored material seized by law enforcement agencies and in relation
to intercepted data traffic in the UK. NCIS told us that, because
of the fragmentary nature of law enforcement in the UK, "it
is difficult to get an overall picture of where individual [forces]
are encountering different aspects of encryption".
We suggest that those organisations involved in electronic
commerce will be much more willing to help the law enforcement
agencies if there are reliable means to assess the extent of the
problems posed by encryption, and that there would be advantage
in Parliament having a fuller picture of the perceived threat.
82. The Government has put forward a number of proposals
aimed at extending law enforcement agencies' capabilities to deal
with encryption. These are:
- encouraging the deployment of key escrow and
key recovery technologies
- updating existing statutory powers to take account
of the widespread use of encryption
- working with industry and others to find ways
of mitigating the effects of the use of encryption by criminals.
Key Escrow and Key Recovery
83. The previous Administration's policy on
cryptographic services proposed a licensing criterion on TSPs
that they retain a copy of users' private encryption keys which
could be made available in a timely fashion to law enforcement
agencies when appropriate authorisation was provided. The mandatory
nature of the licensing regime thus made key escrow a condition
of the various attractive services TSPs could offer, particularly
the certification of electronic signatures.
Customers could have evaded this policy by choosing to use foreign
TSPs. The previous Government anticipated this by suggesting the
development of an international key escrow regime, based on existing
arrangements for cooperation between law enforcement agencies
or new bilateral agreements.
84. The previous Government's policy was thus conditional
upon other countries, particularly major trading partners in Europe
and the US, implementing key escrow policies in step with the
UK. The 1997 consultation document reported that key escrow policies
were in place in the US and France, that a European Commission
initiative was likely in the near future, and that various international
fora, not least the OECD, were examining cryptographic policy.
Over the last two years, however, there has been a worldwide retreat
from support for key escrow. The Clinton administration has abandoned
its proposals for mandatory key escrow (the Clipper Chip initiative)
and focussed instead on incentives to promote the development
of key escrow and key recovery products by industry, primarily
through changes to export controls.
The French Government announced on 19 January 1999 a "fundamental
change of direction" on cryptography policy which included
an end to mandatory key escrow.
Several other states have examined key escrow and decided against
The European Commission has ran a European Trusted Services programme,
one aim of which was to examine the practicalities of key escrow
and key recovery, but has not yet sought to bring forward a draft
directive in this area.
The OECD Guidelines on Cryptography Policy, drawn up in 1997,
state that "national cryptography policies may allow lawful
access to plaintext, or cryptographic keys, of encrypted data"
but that users should be free to use any cryptographic product
they wish and that the development of cryptography should be market
85. Key escrow and key recovery have been almost
universally opposed by businesses, cryptographic experts and academics
and civil liberties groups both in evidence to us and in their
representations to the Government.
The technical practicalities of key escrow systems and
the cost of developing and operating such facilities have
been questioned. Mr. Thomas of APACS, drawing on his experience
of a French key recovery system, warned of the difficulties of
testing such systems and of the costs associated with the trained
personnel needed to operate them. He told us that "the additional
cost of building key recovery into...one small system was about
£40,000" with further costs anticipated for setting
up the key recovery service and operating it thereafter.
Dr. Gladman of Cyber-Rights and Cyber-Liberties (UK) thought that
individual key escrow facilities would cost "hundreds of
millions of pounds" to build.
The cost of implementing key escrow or key recovery throughout
the US has been estimated at $10 billion.
DTI's 1997 and 1998 key escrow proposals appear to have been based
on an assumption that industry would bear costs arising from the
implementation of this policy.
86. Critics of key escrow have also focussed on the
civil liberties and privacy aspects of the policy.
There has been a perception that key escrow, especially if compulsory,
would give law enforcement agencies the ability to intercept and
monitor citizens' and firms' communications to an unacceptable
Several witnesses called for key escrow and key recovery only
to be allowed under judicial warrant, rather than by application
to the executive.
Cyber-Rights and Cyber-Liberties (UK) commented that "privacy
was not one of [DTI's] prime concerns" and warned that key
escrow might contravene the provisions of the Human Rights Act
The Data Protection Registrar expressed concern at the possibility
that covert key escrow would lead to a private key being compromised
without the owner ever realising. She has suggested that law enforcement
agencies receive plain text rather than a private key in that
A connected issue concerns liability for instances where a private
key is compromised, including in connection with law enforcement
access, which DTI considered at length in its 1997 consultation
87. A further range of issues was raised in connection
with the likely reaction of criminals to the implementation
of a key escrow policy. Witnesses were sceptical about the chances
of criminals entrusting their private encryption keys to organisations
with a statutory duty to hand keys over to the law enforcement
agencies on demand, particularly if TTPs which were not required
to cooperate with law enforcement agencies existed in the UK or
NCIS argued that even a voluntary licensing scheme with key escrow
would be used by some criminals, many of whom are "lazy,
greedy and make mistakes", and drew an analogy with criminals'
use of the telephone network, even though it is common knowledge
that telephones can be tapped.
Mr. Bohm of Cyber-Rights and Cyber-Liberties (UK) argued that
it was conceivable that some criminals might mistakenly use a
TTP involved with key escrow, but such instances would be "very
marginal". He disputed the possibility of "greedy, lazy
criminals going out of their way to use expensive systems for
the purpose of giving law enforcement a benefit when they have
a cheap, easy system available to them everywhere".
Rather than be used by criminals, Dr. Anderson warned that TTPs
would be attractive targets for criminal activity. He told us
that "if you force all TTPs to have a common mechanism for
access to private keys then that is of course the mechanism that
criminals will attack...insofar as you centralise all the keys
and the access to the keys in one place you create a horrendous
88. Finally, witnesses warned of the impact a mandatory
or voluntary key escrow system could have on the competitiveness
of the UK economy. Some questioned whether a market for TTPs existed
and argued that, if Government provided incentives to use TTPs,
then firms would be faced with cost burdens which would have a
detrimental impact on their economic performance.
Dr. Gladman argued that "there are perfectly adequate two-party
solutions to secrecy" which firms might prefer to implement,
if left to themselves to decide, without turning to a third party.
ICL cautioned that key escrow might deter investment by firms
in the UK.
It was suggested that, if key escrow was introduced in the UK,
then firms would turn to foreign TSPs for their cryptographic
Several witnesses mentioned the positive benefits that encryption
might bring to firms, including countering crime such as fraud
and suggested that the Government should promote the use of strong
encryption by firms, and the development of UK encryption products,
rather than continually emphasise the potential negative effects
of widespread use of encryption.
89. In the light of these developments, the Government
announced in March1999 that it would consult "on the basis
that the licensing scheme will not impose the requirement that
TSPs providing confidentiality services should have to provide
for law enforcement access to keys" by key escrow or key
Despite this statement, the Government also declared that it "remains
keen to promote key escrow and third party key recovery technologies".
We asked the Government to clarify how they proposed to promote
key escrow and key recovery technologies and were told that "some
form of key back-up/key recovery...can offer definite benefits
to both businesses and members of the public...the Department
will therefore highlight these benefits during the passage of
the Bill and as part of its ongoing work to spread awareness of
best practice in information security".
The law enforcement community proposed other means by which key
escrow and key recovery could be promoted by Government. Sussex
Police suggested that the licensing criteria for TSPs could be
helpful in the promotion of key escrow and key recovery.
NCIS thought that one way to encourage the take-up of key recovery
technologies would be to "highlight the requirements on directors
of companies for their liability for the actions of their employees.
This could be done through the regulations governing financial
services, consumer legislation, data protection etc".
90. The previous Government's key escrow proposals
would have mandated a costly and untested technology onto an emerging
market, harming the UK's prospects of being at the forefront of
the electronic commerce revolution, adversely affecting UK competitiveness
and disadvantaging UK firms and consumers, in order to achieve
what we judge to be rather limited law enforcement benefits. The
present Government's 1998 policy was little better. Voluntary
key escrow would have affected criminals even less than a mandatory
scheme, while still hindering firms and consumers intending to
engage in electronic commerce. By dropping key escrow as a
licensing condition for TSPs, the DTI's third attempt to formulate
an acceptable cryptography policy is a marked improvement on its
predecessors. We are disappointed, however, that the Government
should still hold a candle for key escrow and key recovery.
If these technologies are likely to be of benefit to firms and
consumers, perhaps because of the need to store vital private
keys or to facilitate law enforcement access to decrypted data,
then the market will provide for them.
We can foresee no benefits arising from Government promotion
of key escrow or key recovery technologies.
Changes to Legislation
91. The Government has proposed legislative
changes to take account of the exploitation of encryption by criminals.
- "a power to require any person, upon service
of a written notice, to produce specified material in a comprehensible
form or to disclose relevant material necessary for that purpose".
This power is intended to update the Police and Criminal Evidence
Act 1984 which facilitates the seizure by the police of material
held in computerised form.
The Government is considering related changes to the law in Scotland
and Northern Ireland
- two new offences relating to the new power. An
"offence of failure to comply with the terms of a written
notice without reasonable excuse" and an "offence of
'tipping off' an individual about the existence of an authorisation
by the Secretary of State allowing lawful access to an encryption
NCIS argued that the former offence should be arrestable, primarily
to allow for a power to search to result from it
- a review of the Interception of Communications
Act 1985, including to take account of "profound changes
in the technology of electronic communications" since the
measure was passed.
92. The new power to produce material in a comprehensible
form is intended to apply to data found both during a police search
and seize operation and by the interception of communications.
Notice to decrypt is intended only to be served when the material
has been collected lawfully and only by the authority which decreed
the initial collection. Notice to decrypt data collected by the
interception of a communication can only be served by the Home
Secretary, therefore, while the decryption of data found during
a police search can be authorised by judicial warrant, or, in
some cases, a senior police officer.
Written notice can be served on a TSP, whether licensed or not,
a suspect, or any other party holding relevant keys. The notice
can specify whether a private key is required to be disclosed,
or simply the decrypted text of a document or communication. The
Government has stated that the new power "will not impose
any requirement on anyone to retain copies of private encryption
93. The proposed legislation will "contain strong
safeguards protecting the security and privacy of encryption keys
obtained under written notice", similar to section 6 of the
Interception of Communications Act 1985, as well as a Code of
Practice on the exercise of the new power.
The destruction of decrypted material obtained under written notice
after its retention is no longer necessary will be a statutory
requirement. The current interceptions' regime will also provide
the role model for a Commissioner and Tribunal to oversee the
issuance of written notices by the Home Secretary, to investigate
complaints and award compensation.
Current procedures in relation to search warrants and production
orders will be extended in the case of written notices served
on authorities other than the Home Secretary.
94. Witnesses and respondents to the Government's
consultation exercise raised a number of practical questions about
the effectiveness of the proposed new power to combat criminal
use of encryption. Mr. Bohm of Cyber-Rights and Cyber-Liberties
(UK) thought it "perfectly reasonable to have the power"
but described it as "not a very effective solution"
because it could prove simple for the organisation or individual
to whom written notice to decrypt data was served to claim that
the relevant private key had not been stored, or that a password
had been forgotten.
In cases where a request to decrypt material was ignored without
a good excuse being provided, the penalty associated with this
offence would be unlikely to be commensurate with the crime under
investigation - paedophilic abuse, for instance.
Numerous means by which criminals could adapt their use of encryption
to evade the proposed power were cited, including use of steganography,
the use of hidden or encrypted partitions on a disk drive or posting
encrypted or coded messages on newsgroups, thus obscuring from
whom the communication originated.
95. Other aspects of the implications of the proposed
power and the procedures by which it would be exercised were queried.
The Government's statement that requesting a private key or decrypted
data from a suspect would not constitute self-incrimination was
disputed by several respondents.
It was argued by some that the Home Secretary should always approve
the request to decrypt material and by others that the request
should always be made by judicial warrant.
The British Medical Association warned that the power might provide
"access to information far in excess of that which is necessary
to perform their functions" and the Government heard from
other organisations concerned that some privileged material should
be exempted from being decrypted by law enforcement agencies.
A number of witnesses and respondents to the Government, including
NCIS, emphasised the importance that it be a requirement for plain
text or decryption keys to be destroyed once an investigation
There was also support for a requirement that the subjects of
covert investigation be informed that the plain text of their
communications or their private keys had been intercepted by law
enforcement agencies, otherwise safeguards such as the Tribunal
would be irrelevant.
Concerns were expressed about the effect use of the new power
might have on firms whose operations were international.
Finally, it was hoped that the Government would make clear in
law that it did not wish to facilitate access to private keys
used solely for authentication purposes.
96. A point made frequently to the Government about
the proposed new power was that it allowed either plain text or
decryption keys to be requested by law enforcement agencies. Many
respondents insisted that, because the ultimate aim of the law
enforcement agencies was to see the plain text of encrypted communications,
the power should require the production of plain text but not
decryption keys or the production of decryption keys only as a
One difficulty with this approach in relation to stored data is
that, if plain text is to be admitted as evidence in court, then
it must be clearly linked with the encrypted communication and
only the decryption key may provide a conclusive link.
Some respondent suggested that the right to demand a decryption
key should be solely linked to the need for such verification.
This difficulty does not yet apply to intercepted traffic, which
can not be admitted in evidence, but the law enforcement agencies
reminded us of their need for timely access to decrypted data.
97. Some witnesses and respondents questioned whether
the police needed a new power to deal with encryption.
Skygate Technology told the Government that a police search would
often turn up a private key along with encrypted data, permitting
access to the relevant decrypted data. They also argued that,
during court proceedings, private keys or decrypted data could
be ordered before the court by means of a subpoena.
Cyber-Rights and Cyber-Liberties (UK) thought that a refusal to
decrypt material could lead a judge to draw adverse inferences,
under sections 34-7 of the Criminal Justice and Public Order Act
1994 or even the Prevention of Terrorism (Temporary Provisions)
ICL recommended that the Government review and amend existing
laws to take account of the growth of encryption rather than create
a new power.
The Law Society told the Government that "access to material
in a comprehensible form is already required in existing legislation...there
is therefore no need for the Consultation Document to cover this
Skygate were not alone in observing that, although encryption
might provide law enforcement agencies with difficulties, other
recent technological developments, such as the increasing use
of closed circuit television, had assisted law enforcement and,
thus, "there is probably an approximate balance".
98. The proposed new power may not prove a powerful
means of acquiring decrypted material from criminal suspects.
It would seem possible for a suspect to evade decryption lawfully
simply by claiming that a private key was lost; the penalty for
a wilful refusal to decrypt would be likely to be modest.
Nevertheless, we can envisage situations in which the new power
will be of benefit to law enforcement. Written notice to provide
encryption keys or plain text could be served profitably on telecommunications
operators, internet service providers and TSPs, particularly to
assist covert surveillance.
The power would let industry develop the best means of helping
law enforcement agencies, without mandating specific technological
solutions. The Minister told us that the question of how data
carriers could respond to requests to provide private keys or
clear data, when requested, was "one of the things the Cabinet
Office task force is looking at".
We think that the proposed new power to require decrypted data
or private encryption keys to be provided when appropriately authorised
will be a useful addition to the armoury of the law enforcement
agencies. We recommend that the Government quickly clarify the
situations in which it thinks this power will be likely to prove
most helpful. In particular, Parliament should be given an indication
of the criteria which will be used to decide against whom written
notices for the provision of information will be served and whether
it is proposed that the request should be for a private key or
99. The CBI expressed concern to us about the tipping-off
offence proposed by the Government.
They told us that several encryption products automatically change
keys if a stored private key is released, to a law enforcement
agency for instance. The change of keys might itself constitute
an offence under the new legislation, even though it would occur
without the specific instruction (or even knowledge) of the user.
DTI told us that this was another example of the "kind of
technology that is creating difficulties for the law enforcement
authorities" but that "we certainly would not want it
to be the case that someone got into trouble because this automatic
software tipping-off had taken place".
It is important that the new tipping-off offence is worded in
such a way as to avoid the sorts of instances described by the
CBI becoming illegal.
100. A number of other legislative changes which
could be made to deal with criminals' use of encryption include:
- amendment of part III of the Police Act 1997
to permit the deployment of a listening device to overhear telephone
conversations in cases where this would be the only means available
for law enforcement agencies to understand an encrypted communication
- making it an offence to use encryption to facilitate
commission of a criminal offence. Legislation has been proposed
in the US to achieve this aim.
Such measures do not help law enforcement agencies deal with encrypted
material when they come across it, but instead can add to the
sentences criminals may receive once convicted of having committed
- a new power to enable law enforcement agencies,
under warrant, to hack into criminals' computer systems, as proposed
by Australia's recent Walsh Report into policy relating to encryption
There would clearly be significant civil liberties implications
associated with such a power.
101. Another set of legislative changes is associated
with up-dating the law enforcement agencies' interception capabilities.
The Interception of Communications Act 1985 was passed prior to
the commercial development of the internet and electronic mail,
the emergence of internet service providers, and changes in the
telecommunications market, including a considerable increase in
the number of telecommunications firms and the deployment of new
technologies such as mobile telephony and ISDN. A number of changes
could be envisaged to the 1985 Act to reflect these developments,
which could be made in conjunction with the implementation of
the new power to request decryption of material, including intercepted
Although the Home Secretary announced that the review of the 1985
Act had commenced in September 1998, neither details of the terms
of reference of the review nor the options for change under consideration
were known at the time of the Government's consultation exercise
on "Building Confidence in Electronic Commerce".
The Government told us that its proposed new power to demand decryption
was necessary "to protect the effectiveness of the existing
interception regime", but we consider this a specious argument
considering that a major review of that regime is "imperative"
It is entirely unacceptable that the Government should announce
a major review of the Interception of Communications Act 1985
and then fail to publish any further details of the review for
over eight months, especially when the consultation exercise on
building confidence in electronic commerce explicitly refers to
the Act and the review. We recommend that the Government set out
the options for change to the interceptions regime, and how they
relate to the forthcoming Electronic Commerce Bill, before the
Bill is debated by Parliament.
102. The EU Council of Ministers passed a resolution
on 17 January 1995 setting out requirements of law enforcement
agencies relating to the lawful interception of communications.
These requirements relate to the information and assistance law
enforcement agencies would wish to have in relation to interceptions
and primarily relate to telecommunications service providers.
The 1995 Council resolution does not take account of the development
of new technologies, such as satellite and internet communications.
A draft Council resolution, known as Enfopol 98, extending the
requirements set out in the1995 resolution to these technologies,
was made public during 1998 and was the subject of some adverse
We asked a number of witnesses about the Enfopol proposals and
discovered some confusion about their status and potential implications.
The Internet Service Providers' Association, referring to reports
about the Enfopol proposals, raised significant concerns about
the cost and privacy implications of extending the interception
requirements of the law enforcement agencies to internet service
providers. They said such measures "will be opposed by the
ISP industry" and that there was a need for a "full
public debate on the issue".
The Government's explanatory memorandum on the Enfopol proposals
noted that Council resolutions are not legally binding; that the
1995 resolution had not been incorporated into UK law; and that,
although "the Government is sympathetic to the main purpose
of the [Enfopol] resolution...there is no statutory basis in the
UK for the Government (if it wished to do so) to apply these requirements
to Internet Service Providers or to providers of satellite telecommunications
We recommend that the Government give authoritative clarification
of the status of the Enfopol proposals and their potential implications
for relevant UK service providers.
103. The third strand of the Government's proposals
to help law enforcement agencies deal with encryption is "a
partnership with industry to identify ways of meeting law enforcement
requirements while promoting the growth of electronic commerce".
Those requirements are primarily for timely access to information
about the communications between criminals and corporate organisations
- for instance, banks - as well as decryption of stored data "in
accordance with best practice on computer forensic evidence".
The new partnership approach reflects a growing awareness that
there is no one single answer (such as key escrow) to the problems
posed to law enforcement agencies by encryption and that a range
of partial solutions must be devised.
Following the publication of the Government's consultation document,
a Cabinet Office task force was set up, with private sector input,
to examine how firms could best meet the requirements of the law
104. DTI emphasised in their oral evidence to us
the extent to which they had been "very open indeed"
in consulting widely with the private sector on cryptographic
issues for many months.
Computer Weekly, however, in their submission to us, noted "a
serious lack of communication and effective dialogue between the
various parties: industry, law enforcement agencies, government
departments" which had delayed the development of policy
APACS told the Government that "little effort had been made
to utilise the security expertise available within the banking
The Federation of the Electronics Industry gave us details of
their recent contacts with Government, including several offers
to place the services of their member companies' experts at the
request of Government.
Several other organisations emphasised the extent to which they
would be willing to assist Government satisfy the needs of law
enforcement, including by providing lists of priority areas for
105. If, after three years of considering its
policy on cryptography, the Government should announce the need
for a partnership with industry, then that would suggest failure
in the past to create such a partnership. We consider that the
fault for failing to create such a partnership lies not with industry,
which would appear to have been ready and willing to help, but
with Government. Although DTI has been willing to listen to what
industry and others have had to say about cryptography, we have
gained the impression that they have not, until recently, taken
much notice of what has been said to them. From now on, we expect
the Government to work with all interested parties to devise a
cryptography policy which is best for the UK as a whole, rather
than one which is geared towards satisfying law enforcement concerns
at the expense of Britain's economic competitiveness.
106. The Cabinet Office task force, which embodies
the Government's new partnership approach, is expected to deal
with the operation of the new power to request decryption as well
as other issues, some of which may not be reflected in the forthcoming
Its membership and precise remit are unpublished. It is not yet
clear whether the task force will continue after the Bill has
been published, or whether a new standing body will replace it.
Parliament has a legitimate interest in the task force's remit,
membership and length of service. It would be helpful to know,
for instance, whether consumers are represented on it.
We recommend that the Government keep Parliament informed of
the remit and membership of the Cabinet Office task force dealing
with law enforcement aspects of electronic commerce and of any
body established in its place.
107. The new power proposed by Government and the
output of the new partnership approach between Government, industry
and law enforcement agencies might not prove sufficient to tackle
the problems caused to the law enforcement agencies by encryption
in future. Although the Minister told us that "key escrow
may well not be the right way forward" it has clearly not
been dismissed by the Government altogether.
NCIS recommend to the Government that the forthcoming Electronic
Commerce Bill "could also include provision to permit the
Secretary of State to introduce mandatory data recovery features
through secondary legislation if the promised cooperation does
not bear fruit".
If the Government consider it necessary in future to introduce
key escrow, key recovery or a related requirement on TSPs then
we recommend that they do so only after stating precisely the
reasons why such a change would be necessary as part of a full
public consultation exercise. Powers should not be taken in the
forthcoming Bill to permit the introduction of key escrow or related
requirements at a later date.
108. The law enforcement agencies established a working
group with the internet service providers (ISPs) in 1997 in order
to more effectively intercept communications carried across the
The working group was necessitated by the inadequacy of the Interception
of Communications Act 1985 to deal with communications other than
over public telephone networks, referred to above. Law enforcement
agencies can use sections 18 and 19 of the Police and Criminal
Evidence Act 1984 and section 28 of the Data Protection Act 1984
to request information from the ISPs, but neither piece of legislation
was intended for that purpose and neither offers the safeguards
against abuse of the 1985 Act.
NCIS assured us that every effort was made to ensure that the
police did not abuse their powers to request information from
ISPs but that reform might be appropriate.
There have been numerous press articles on the secretive nature
of the ISPs' cooperation with the law enforcement agencies, suggesting
that the civil liberties of e-mail users are at threat.
Nevertheless, we agree with the Internet Service Providers' Association
that the relationship established between ISPs and the police
represents a "mature and responsible" reaction by the
industry to the legitimate needs of the law enforcement agencies.
We suggest that the experience of the relationship between
ISPs and the law enforcement agencies underlines the need for
openness and transparency in the new partnership between industry
and Government on law enforcement aspects of encryption, so as
to avoid confidence in electronic commerce being undermined.
109. A frequent comment from witnesses, particularly
those who disputed the need for legislation to assist law enforcement
agencies deal with encryption, was that the police needed more
resources, including skilled personnel to tackle computer crime.
The Internet Service Providers' Association commented that they
had "experienced very variable levels of knowledge when discussing
crime, such as hacking, with local police forces" and would
"prefer that a central specialist and knowledgeable team
be set up".
Dr. Anderson commended a US proposal for a "network centre"
which would be "a body of 50 or 100 technical experts linked
with the FBI which would help the police break into computer systems
ICL recommend to Government the establishment of a new Forensic
110. We questioned NCIS and HM Customs and Excise
closely about the resources available to them at present to deal
with computer crime. They argued that the potential redundancy
of their interceptions capability was a more significant problem
at present than constraints created by a lack of resources.
Nevertheless, NCIS argued in their submission to Government that
more resources were required to deal with encryption, including
to establish a decryption facility separate from that provided
Their comments were endorsed by a number of police forces.
NCIS did admit to us that no mechanism exists for automatically
notifying a discovery of encryption by a local police force, or
other law enforcement agency, in the UK.
Mr. Abbott, Director General of NCIS, agreed with us that "it
is very important we have a single national focal point"
for the fight against computer crime.
We were disappointed at the extent to which law enforcement agencies
and different police forces appear to share relevant information.
We see merit in NCIS being notified whenever a local law enforcement
agency encounters encryption during the course of a criminal investigation.
We also recommend that the Government consider the establishment
of a law enforcement resource unit for dealing with computer crime,
252 Consultation 99 para 49; Q522; various police
forces reported specific examples in their responses to Government
- for instance, Cheshire Constabulary and Lincolnshire Police Back
Q315; Ev, pp183-4 paragraphs 11-12; Consultation 99 paragraph
50; "Encryption and Evolving Technologies as Tools of Organised
Crime", D. E. Denning and W. E. Baugh junior, US National
Strategy Information Center's Working Group on Organised Crime,
15 May 97, on the internet at www.cs.georgetown.edu/denning/crypto/oc-abs.html
; also responses to Government from British Computer Society p8,
Durham Constabulary, Avon and Somerset Constabulary and several
other police forces Back
instance, Qq264, 463, 498, 500-1; Ev, p165, p183 paragraph 11,
p251 paragraph 3.3; responses to Government from Liberty p2, Justice
paragraphs 11-14, Dr. B. Gladman pp5-6 Back
Qq 313, 320, 361; also responses to Government from various police
forces and from Vodafone paragraph 32 on embedded encryption;
ICL [first submission - alternatives to key escrow p1], in their
response to Government, warned of the dangers of overstating criminals'
computer expertise Back
Qq321, 324, 328, 330-5; and see paragraph 110 Back
Consultation 99, paragraph 51 Back
See paragraph 51 and footnote 136; see Consultation 97
paragraph 42 Back
See paragraphs 20, 27, 32 and Consultation 97, Annex B Back
Consultation 97, paragraph 27 Back
See Ev, p165; Bowden, C. and Akdeniz, Y., "Cryptography and
Democracy: Dilemmas of Freedom" in Liberty eds., Liberating
Cyberspace: Civil Liberties, Human Rights, and the Internet,
1999, pp81-125, on the internet at www.fipr.org/publications/cryptfree.pdf Back
See paragraph 24 Back
For instance Australia - Walsh Report paragraph 1.2.1;
Canada - see footnote 53; Denmark - Report by the Expert Committee
on Cryptography, Apr 97, Summary paragraph 4; Ireland - Department
of Public Enterprise Press Notice 24 Jun 98 Back
See internet site www.cordis.lu/infosec/src/ets.htm Back
Com(97)503 esp III 2.3, 3; IV 2, annex IV Back
Document OCDE/GD(97)204; on the internet at www.oecd.org/dsti/sti/it/secur/prod/GD97-204.htm Back
For a comprehensive assessment of the objections to key escrow
and related techniques se The Risks of Key Recovery, Key Escrow,
Trusted Third Party and Encryption, H. Abelson et al, 1998,
on the internet at www.cdt.org/crypto/risks98 Back
Qq29-5; also on cost Ev, p9 appendix 3 section 2, p81 paragraph
1.3, p109, p153 section 2, p216; and see response to Government
from Hewlett Packard (second submission) p2 Back
Q294; and see Qq26-7, 429; Ev, p81 paragraph 1.4; and response
to Government from ICL (first submission) Appendix A Back
Ev, p9 annex 3 section2, p216, pp231-2, p251 paragraph 4.6; and
see Bowden, C. and Akdeniz, Y., "Cryptography and Democracy:
Dilemmas of Freedom" in Liberty eds., Liberating Cyberspace:
Civil Liberties, Human Rights, and the Internet (1999), pp81-125,
on the internet at www.fipr.org/publications/cryptfree.pdf Back
See footnote 208 Back
Q496; Ev, p182 paragraph 5; and response to Government from Justice
paragraph 5 Back
Ev, p173 paragraph 19; response by the Data Protection Registrar
to Consultation 97, paragraph 3.6, on the internet at www.open.gov.uk/dpr/ttpfinal.htm;
and see paragraph 96 Back
Consultation 97, paragraphs 86-93; and see paragraph 96 Back
Ev, p9 annex 3 section 2, p216, pp231-2 and response to Government
from ICL (first submission - the alternative to key escrow p1) Back
Qq339, 363-5 Back
Q501; Ev, p236, p250 paragraph 3.1 Back
Qq456-7, 502; Ev, pp109, 229, 231-2, p241 paragraph 3.4.2, p250
paragraphs 2.4, 3.2 Back
Ev, p 220 paragraph 21, p251 paragraph 4.7 Back
Ev, p100 paragraph 2.2.1, p251 paragraph 4.4; also responses to
Government from ICL (1st submission) Appendix A, Hewlett Packard
(second submission) p2 Back
Ev, p153 section 2, p251 paragraph 4.5, p260 Back
Q499; Ev, p164, p239 paragraph 2.4; responses to Government from
IBM p1, British Telecommunications p4, London Stock Exchange p2,
Alliance for Electronic Business paragraph 4.6, Staffordshire
Police p1; for a practical example see Guardian, 21 Jan
99, Online section p5 Back
99 paragraph 82 Back
99 paragraphs 81-2; also
Q540; and see paragraph 107 Back
Ev, p327 question 1 Back
Response to Government from Sussex Police; and also from Cheshire
Response to Government from NCIS paragraph 25 Back
Some organisations in their responses to Government, for instance
APACS p14, doubted whether firms would see merit in storing private
keys with third parties; others, including Visa p6, thought such
storage might prove popular. Also see Ev, p240 paragraph 3.8,
p241 paragraph 3.2.3, p325 paragraph 4.3.4(b) Back
Consultation 99, paragraph 64 Back
Consultation 99, paragraphs 59-62; sections 19-20, Police
and Criminal Evidence Act 1984 - see Qq345, 355 Back
Consultation 99, paragraph 71; see response to Government
from Royal Ulster Constabulary on this point Back
Consultation 99, paragraph 77; also response to Government
from AOL Compuserve p5 which bemoaned the lack of debate on these
new offences Back
Response to Government from NCIS paragraph 10, Wiltshire Constabulary Back
Consultation 99, paragraph 57; and HC Deb 2 Sep 98 c749 Back
Consultation 99, paragraphs 65-67; response to Government
from NCIS paragraph 14 Back
Consultation 99, paragraph 68-9 Back
Responses to Government from Piers Buckley of BBC Online warned
that the Code of Practice may not be legally binding; Liberty,
pp2,4, commented on the lack of detail as to what constituted
the safeguards; also see responses from David Goodenough Associates,
CACIB p5, Reuters p4 Back
Response to Government from Justice paragraph 4 questioned these
Consultation 99, paragraphs 73-6 Back
Q510; "session" keys might not be routinely stored in
any circumstances anyway, see paragraph 16 Back
Consultation 99, paragraph 77; the responses to Government
from Royal Ulster Constabulary p3 and Greater Manchester Police
p1argued that the sentences available under the proposed new power
should be commensurate with the sentences applicable to the offences
under investigation Back
Steganography is an obsolete sixteenth-century term for "secret
writing", which is now used to refer to the art of writing
or inserting a secret message within an otherwise innocent communication Back
Response to Government from P. Johnson pp5-8 Back
Consultation 99, paragraph 70; responses to Government
from Herald Information Systems section 10.ii, Richard Hill, Demon
Internet and Scottish Power section 8, Dr. B. Gladman p6, de Montfort
Response to Government from C. Clack argued in favour of Home
Secretary approving all decryptions; Qq465, 482, 496, 505; Ev,
p172 paragraph 18, p252 paragraph 5.3; also see responses to Government
from PriceWaterhouseCoopers p9, CommerceNet UK p12, Law Society
section IV.2, Liberty pp3,4, QWMC paragraph 4.4, MacRoberts p24,
Society of Justices' Clerks p2, Burkhard Kloss, FIPR p6 Back
Responses to Government from British Medical Association, Barclays
p6, Law Society section IV.2, Liberty p3, Charles Waudby, Newspaper
Society, Magistrates' Association Back
Responses to Government from NCIS paragraph 16, David Vinograd;
and see response from Baltimore paragraph 3.1.3; the response
from Consumer Communications for England envisaged circumstances
where material would be required to be returned intact, paragraph
Ev, p252 paragraph 5.5; response to Government from Mr. Beckley
BBC Online, CACIB p6, CommerceNet UK p12, Liberty paragraph 4
and pp3, 5, Roger Haxby Back
Eg Response to Government from Merrill Lynch Mercury Asset Management Back
99, paragraph 68; response
to Government from C. Clack Back
Q482; Ev, p173 paragraph 19, p219 paragraph 20, p303; Responses
to Government from Barclays p6, BBA p4, LIBA p4, British Telecommunications
paragraph 34, NatWest p4, Vodafone paragraphs 3, 27, Dr. B. Gladman
p6, Alliance and Leicester p3, CACIB p4, Liberty paragraph 4,
Charles Lindsey paragraph 2.3, David Vinograd Back
Response to Government from Herald Information Systems section
10.iii; and see response from Vodafone paragraph 31 Back
Eg response to Government from Demon Internet and Scottish Power
section 8 Back
Qq314, 329, 346, 351 Back
Eg response to Government from Zeneca p5, de Montfort p5, Burkhard
Kloss p1, David Herson, Neil Barrett p5 Back
Response to Government from Skygate Technology p4 Back
Qq503-4; Ev, p185 paragraph 18; responses to Government from Skygate
Technology p5, British Medical Association; NCIS paragraph 12],
Wiltshire Constabulary and the Royal Ulster Constabulary pp3-4
argued that the possibility of an inference being drawn should
become law, perhaps by amendment to the Criminal Justice and Public
Order Act 1994 Back
Response to Government from ICL (1st submission - alternatives
to key escrow p3) Back
Response to Government from the Law Society section IV.2, referring
to paragraphs 5 (a) and (b) of the Police and Criminal Evidence
Act 1984 Back
Response to Government from Skygate Technology p5 Back
See footnote 304 Back
See response to Government from Post Office paragraph 7.3 Back
See paragraph 91 above Back
Qq63-4; Ev, p27 paragraph 7, p38 section C, p153 section 2, p158
annex 1 paragraphs 3.1-3.2; also response to Government from EEMA
p2, Post Office paragraph 7.12, Alliance for Electronic Business
paragraph 4.7, Hewlett Packard (main submission) p10; CACIB p5
argued against the offence being introduced Back
See also response to Government from SAP(UK)Ltd paragraph 3.5.6 Back
Response to Government from NCIS, paragraph 7 Back
Q511; on the US Safety and Freedom through Encryption Act, see
responses to Government from Justice paragraph 21, and also from
Hewlett Packard (full submission) p2 Back
Walsh Report paragraph 6.2.22, footnote 52 for reference Back
Qq480, 506-7, 517; Ev, pp81-2paragraph 2.1, p172 paragraph 18,
pp185-6; responses to Government from Justice paragraph 6, British
Telecommunications paragraph 39, Law Society section IV.2, CACIB
HC Deb, 2 Sep 98, c749 Back
Ev, p328 question 2; and see responses to Government from Liberty
paragraph 2, Justice paragraph 4, ABI paragraph 3.14; and also
from Demon Internet/Scottish Power section 8, Vodafone paragraph
EU Official Journal, No. C329, 04/11/1996
P. 0001-0006; also located on the internet at
Copies of Enfopol 98 and its first revision were deposited with
the House of Commons European Scrutiny Committee on 14 December
1998; a second revised version was deposited with the Committee
on 8 February 1999; for latest progress see European Scrutiny
Committee, Seventeenth Report, 1998-99, HC34-xvii ; press articles
include Observer, 6 Dec 98, p8, Computing, 10 Dec
98 and 17 Dec 98 Back
Qq206, 356, 450 Back
Q206; Ev, pp293-4 question3; and see responses to Government from
Justice paragraphs 7-8, AOL Compuserve pp4-5, UUNet p5 Back
Explanatory Memorandum on Justice and Home Affairs Matters,
"Interception of Telecommunications - draft Council resolution
on new technologies", submitted by the Home Office to the
House of Commons European Scrutiny Committee, 8 February 1999,
European Scrutiny Committee, Eleventh Report, Session 1998/99,
HC 34-xi Back
Consultation Document, paragraph 84 Back
Consultation Document, paragraphs 85-90 Back
Ev, pp37-8 section B; see responses to Government from ICL (first
submission) p2, IBM p1 Back
Q522, 525, 540, 543; see Q337 for NCIS' comments on partnership
with industry in this field; and also Home Office Press Notice
450/98, Cybercrime Crackdown, 12 Nov 98 Back
Ev, pp257-8 paragraphs 3.8, 5.3; and response to Government from
IMIS p7 Back
Response to Government from APACS; also see Qq65, 428 Back
Ev, p66 section 5, pp290-1; also Qq141, 149-52 Back
Ev, pp37-8 section B, p110, p258 paragraph 5.2, p260, p288; see
responses to Government from IMIS p7, APACS pp11-15, Barclays
p7, CBI p1, Alliance for Electronic Business paragraph 1.7, SAP
(UK) Ltd paragraph 3.5.4, Energis paragraph 2.6, Corporation of
London p3, Intel p4 Back
The response to Government from Computer Weekly stated that "we
remain disturbed by the lack of representation for users on the
Task Force", p1 Back
Responses to Government from NCIS, paragraph 22, and also from
various police forces, particularly Durham Constabulary; but see
comments to Government by Computer Weekly p2 Back
Qq202, 353; Ev, pp81-2 paragraph 2.1, pp186-7 paragraphs 24-5,
33; and see internet site www.cyber-rights.org/privacy/Watchman-iii.htm Back
Qq354, 355; 204; Ev, p186 paragraph 23 Back
Computing 30 Sep 98, 7 Oct 98, 19 Oct 98 Back
Qq207, 447-8, 498, 500 Back
Q207; Ev, p81 paragraph 1.4; response to Government from IMIS
Q451; also Q56, Ev, p165 Back
Response to Government from ICL (1st submission - alternative
to key escrow pp2-3) Back
Q329; and response to Government from Dr. Ross Anderson Back
Qq319, 371-2 Back
Including responses to Government from West Mercia, Powys and
Wiltshire constabularies and the Metropolitan Police, as well
as responses by Dr. B. Gladman p2 and Computer Weekly pp5-6; also
calls for better police training, including from Staffordshire
and Avon and Somerset Constabularies Back
See paragraph 81; and Q387 Back