Examination of Witnesses (Questions 495 - 499)
TUESDAY 9 MARCH 1999
MR YAMAN AKDENIZ, PROFESSOR CLIVE WALKER, DR BRIAN GLADMAN AND MR NICHOLAS BOHM
Chairman
495 Good morning. May I welcome you to the Committee
this morning. Perhaps you would be kind enough to introduce your
colleagues to us, Mr Akdeniz?
(Mr Akdeniz) I am the Director of Cyber-Rights
and Cyber-Liberties (UK). It is a pleasure to introduce you to
Mr Nicholas Bohm, Electronic Commerce Policy Adviser for my organisation;
Professor Clive Walker, Deputy Director; and Dr Brian Gladman,
Technology Policy Adviser. We have been working on these issues
since early 1998.
496 I would like to talk this morning about a
number of the issues and will start with the privacy question.
How satisfied are you that the protection of privacy has a high
place or is central to the Government's
e-commerce agenda?
(Mr Akdeniz) We are not totally satisfied.
Since early June 1996 we have been following the encryption debate
and the DTI policy making process. We believe that the issue of
privacy has not been fully addressed by the Government policy.
(Professor Walker) With the advent of the Human Rights
Act I think there are perhaps a number of principles which have
come to the fore, or will at least have come to the fore once
the Act is in force. The Act, as mentioned by the previous witness,
incorporates a statutory duty for public authorities to observe
the individual rights in the European Convention, including the
right to privacy, and this expressly includes privacy in correspondence
including electronic correspondence. I think the incorporation
in this way of Article 8 of the European Convention will have
two principled effects. The first is that privacy becomes an explicit
of value which cannot be overridden by default - it can only
be overridden by law, and by the word "law", in a sense,
I am using that technically within the context of the European
Convention to mean law which is clear and open. This has been
canvassed and is being considered in a number of cases before
the European Court of Human Rights in connection with electronic
surveillance of various kinds - cases such as the Malone
case in 1984[43],
where the Court has said quite clearly that forms of intervention
based on things like circular and secretive procedures are not
sufficient to comply with European Convention standards. I think
that in itself gives a signal related broadly to the idea of the
rule of law that any regulations, which allow for access to communications,
must be clear and open. I think the second principle is one of
proportionality, that privacy interests must be considered as
an important value within a democratic society. The European Convention
talks about any infringement or curtailment being necessary in
a democratic society. I think some of the factors following from
that consideration are: that there must be clear evidence that
there is a need to curtail privacy interest; privacy is not absolute,
and may be curtailed for interests such as the prevention of crime,
but those other interests should be clear; and that the way in
which the curtailment is brought about is properly managed. I
think increasingly the European Court is looking for judicial
oversight and judicial authorisation as the way to properly manage
the curtailment of privacy. There have been a number of cases[44],
particularly against France, which have pointed in this direction,
and which I submit have implications for legislation such as the
Interception of Communications Act 1985, and also the Police Act
of 1997 Part III. I suggest that these are the principled approaches
which ought to be considered, and I do not see them reflected
in the various documents which have been issued by the DTI - including
the most recent DTI document, which I think relies too heavily
on the forms of executive intervention rather than judicial warrant.
497 What about the Human Rights Act; has that
had any impact on this?
(Professor Walker) I think the Human
Rights Act is the conduit by which these concerns under the European
Convention will have impact within the English courts; that it
will allow for individual complainants (who feel their privacy
within their communications has been infringed) not simply to
complain to the remote body in Strasbourg, but to complain within
any level of English court. So, I think it will produce the immediacy
for these concerns of privacy which has not hitherto been there.
Privacy has from time to time been said to be a right of English
law, not least by Lord Denning so it must have some authority;
but like a lot of Lord Denning's aphorisms it is not entirely
true. The case of Malone v. Metropolitan Police Commission
no. 2, 1979[45]
suggests very strongly that privacy cannot be a cause of action
in English law, and I think that particular decision has been
followed ever since. Privacy is recognised as a rather vague value
lurking somewhere behind the curtains, but is not out there in
front as a decisive factor in any case. The Human Rights Act can
make it decisive and can make it a cause of action.
Mr Butterfill
498 You say your own research has shown that
encryption has not really been a particular problem in detecting
criminal and terrorist activity. Can you tell us a bit about your
research and how you have arrived at those conclusions?
(Mr Akdeniz) We heavily rely on publicly
available data and research. We relied on a recent NCIS press
release of January 1999, and that outlined four cases where the
law enforcement claimed to have problems with the use of encryption.
However, when we examined those cases we realised that in those
four cases the law enforcement was successful to prosecute and
to detect crimes because of various reasons. In one particular
case the private encryption key was found in one of the computers[46].
We also looked at Professor Dorothy Denning within the United
States and her research into the criminal use of encryption[47].
Again, examples given in that paper were suggesting that encryption
was not a great problem for law enforcement. There is an assumption
that it will create problems. It is assumed if criminals have
access to these tools then they will use them; but many cases
show, in one way or another that law enforcement is capable of
dealing with these cases. If they are not capable of dealing with
these cases we advocate they should develop new techniques, and
they should be more computer-friendly and not afraid of the use
of these technologies.
499 NCIS are saying to us, quite clearly, that
they think encryption is a problem, an existing problem, and one
they are very fearful about for the future. They think we should
be putting into place now the necessary safeguards to prevent
it becoming a very widespread problem. Do you not agree we ought
to be shutting the stable door before the horse has bolted?
(Mr Akdeniz) I think it is one of the
tools, encryption is one of the tools which are available to criminals
and at that point I will pass to Dr Brian Gladman.
(Dr Gladman) Can I perhaps use an analogy because
I think it is quite important to get an analogy in here. Fingerprints
are actually very important for the police; there is no doubt
about that. They can do an awful lot of detection if we have fingerprints,
so an obvious thing for them to come to you to do is to ban gloves.
If you ban gloves, you can actually have jolly good fingerprints,
so why do you not ban gloves? The answer is you do not ban gloves
because they are actually useful for people. Now, encryption is
exactly the same. This is not an absolute argument, but it is
an argument about the balance between the good uses of encryption
and the bad uses of encryption and I am very committed to the
view that there will be much less crime if we actually deploy
cryptography than if we actually restrict it, and you are being
asked to actually achieve a balance of argument. Now, the second
major point is what would happen if you did ban gloves? The answer
is that the criminals would still have gloves, but the good people
would not and this is the same with encryption. There is not a
power on earth that is going to stop encryption getting into place
and the damaging position that we are now in is that the police
and the Government are relying on false hopes for controlling
this technology rather than developing the expertise to cope with
it. We really have to stop relying on these false hopes and actually
recognise that this is an issue of expertise of the criminal versus
expertise of the police and if the police do not develop the expertise,
the criminals will and what we have to have is a police force
in this country that is better in the cyber-world than the criminals
and if we do not have that, we are not going to solve this.
43 Application number 8691/79 SER. A. VOL. 82, (1984) 7 EHRR 14.
44 See paragraph 5 of the CRCL written submission.
45 See [1979] 2 All ER 620.
46 See paragraph 12 of CRCL written submission.
47 Ibid.