Examination of Witnesses (Questions 500 - 520)
TUESDAY 9 MARCH 1999
MR YAMAN AKDENIZ, PROFESSOR CLIVE WALKER, DR BRIAN GLADMAN AND MR NICHOLAS BOHM
500 What they are saying to us of course is that
criminals will use whatever is available to them. One of the reasons
they have been successful is that criminals have not been terribly
clever in the use of some of these things and they think that
in the future they will become naturally more sophisticated. Obviously
you have some concern about areas of national security and terrorism,
and international terrorism sadly in this world seems to be a
growing activity. Do you think it has a proper place in the prevention
of terrorism?
(Dr Gladman) I absolutely think that
if the police forces of this country and the police forces of
the world do not actually develop better expertise so that they
are better in cyber-space than the criminals, then we are dead
and it is desperately important that they do that. The problem
with this debate is that it is deflecting the police and the Government
on to solutions that will not work and that dependence on solutions
that will not work is detracting from their investment in the
expertise they need to actually develop solutions that will work.
501 How can they do that if they do not have
control over encryption?
(Dr Gladman) But the argument is actually
that you need control, if I can go back to the analogy of gloves,
but that is not the issue. The issue is actually that there are
all sorts of other ways that criminals could train themselves.
The best encryption in the world, 90 per cent of people actually
do not use it very well and it is quite feasible and quite easy
to actually get round. You cannot break the encryption any longer,
but 95 per cent of people will actually leave their keys in silly
places, they will actually leave them where you can get at them,
and if the police have expertise, encryption is not going to be
a significant problem, in my view, but the issue is expertise.
If they actually depend on these solutions which are not going
to work, then they will not develop the expertise they need to
solve this and if we try and control encryption in this country,
I can tell you for sure that the criminals will get it elsewhere.
(Mr Bohm) The reason why the NCIS expectation is misguided
is because they compare it with things like the use of the telephone.
I am quite sure they are right in saying that criminals say things
on the telephone that they should know better than to say if they
applied their mind to the risk of interception, but they are careless,
as Mr Abbott, NCIS is reported as saying, greedy and lazy, and
I am sure one can accept that evidence. The problem with encryption
is that it is not like the telephone because with the telephone,
there is scarcely any choice. With encryption, there is a choice.
The choice is between getting it free off the World Wide Web and
generating your own encryption keys and keeping them to yourself
at no cost and, on the other hand, using the imaginary key ESCROW
system, which is the proposed alternative, which will not be cheap.
I think Dr Gladman can probably tell you from a background of
his own experience in the field that it is extremely expensive
and difficult to construct a system of this kind and it is inconceivable
that it will not be expensive for its users to use. Mr Abbott
is asking us to imagine greedy, lazy criminals going out of their
way to use expensive systems for the purpose of giving law enforcement
a benefit when they have a cheap, easy system available to them
everywhere. It is simply not a plausible expectation. It is conceivable
that somebody somewhere will make a mistake with it, but that
is really very marginal. You have to look at the price of that
theoretical low probability. The price, as the Government is at
the moment bent on extracting it, is to skew the whole of electronic
commerce by building a key ESCROW and certification system designed
to promote key ESCROW because they cannot see any other way to
do it, and the more their system promotes key ESCROW, the less
trust they can possibly expect to build in it, so they are frustrating
the possible benefits for a remote and implausible advantage and
I could not agree more with Dr Gladman's view that they should
be diverted from this pot of gold at the end of the rainbow into
pursuing serious useful objectives which we all want them to be
able to pursue and there is no issue on that at all.
Chairman
502 Perhaps, Dr Gladman, you could put a price
on what you would think would be the cost of the pot of gold or
the journey towards it. I am talking in financial terms here,
not just civil liberties or things like that.
(Dr Gladman) First, let me point out
that the more people you share a secret with, the less secure
that secret is and if these things are going to be profitable,
they are going to have to store the keys of probably thousands
of clients. Now, you know what happens when half a dozen people
share a secret and what the chances of it remaining secret are,
and the same principle applies, so I think there is a very big
question mark over whether these things can be built. My personal
view is that they cannot and that they will be insecure, but certainly
after 30 years of trying to build these things for MoD, we are
talking about facilities that are going to be costing in the hundreds
of millions of pounds per single facility to do this for one of
the TTP suppliers, they are not going to be small figures, so
they are going to be very large, and I agree very much with what
Nicholas has said, that we are talking about very, very significant
numbers, and I personally do not think that they will come into
use because of that cost. People will actually say, "Well,
we have got better ways of actually matching our security",
and if you have a secret with someone else and you do not need
a third party, anyone who is logical is not going to introduce
a third party into that process, and there are perfectly adequate
two-party solutions to secrecy.
Mr Morgan
503 Now we can take the gloves off! You say in
your submission that "not providing an encryption key may
result in judges commenting on the accused's behaviour and juries
drawing inferences under the Criminal Justice and Public Order
Act 1994". Do you think it is reasonable that inferences
about guilt should be drawn if the suspect will not decrypt or
will not provide a password to allow decryption?
(Professor Walker) There have not been
any cases of this kind yet, so our point there is admittedly one
of supposition. What is reasonable in the circumstances and what
juries actually draw as an inference in the circumstances is always
going to be rather difficult to predict. What I think we were
saying in our paper is that, as a matter of law, the question
could conceivably arise either in a police station or in the court
that a person is asked about the evidence found in their possession
and fails to answer and the failure to answer could then be taken,
I think, as a matter which becomes an adverse inference against
any defence they may later put forward. There are circumstances
also, as was mentioned earlier, under terrorism legislation where
under the Prevention of Terrorism Act actually has wider provisions
that in effect manufacture evidence from the failure to answer
or failure to give information per se without it simply
being a matter of adversity to the believability of the defence.
I understand that provision has indeed been used and is currently
also the subject of a complaint under the European Convention
under Article 6 because it is felt to infringe the right to silence
and the fairness of the trial.
504 But leaving aside that point, are you praying
these provisions in aid of your own argument and saying the fact
that these provisions exist helps your argument?
(Professor Walker) I think it goes to
the totality of the investigation which was mentioned before,
in other words, to see the key as the only key is a mistake. The
investigation should rely on various pieces of evidence and it
could indeed rely on various pieces of evidence without the key
to unlock the encrypted message or whatever it might be. In reality,
as has been mentioned, in virtually all of the cases which we
have seen cited, in fact encryption has been unlocked in some
sense or other, but if not, then what we are saying is that there
are other forms of evidence that can arise. One such piece of
evidence, inter alia, will be the silence of the accused,
and this arises from legislation which has been passed very recently
and is frequently used. As these methods, it is alleged, increase,
that is the reliance upon encryption and the failure to answer
questions about the encryption techniques which are being used,
then no doubt the Criminal Justice and Public Order Act 1994 can
come more into play and the Prevention of Terrorism Act 1989,
Schedule 7 as well.
505 You also say that "third parties are
of course normally willing to assist law enforcement authorities",
but obviously this does not happen in every case. What conditions
do you think should apply to the authorities getting secret access
to stored, encrypted data? There is also one comment you make
about the application to the Home Secretary rather than a judge
and I was not quite clear on reading that whether that is a criticism
of that particular suggestion and, if so, can you explain what
your criticism is?
(Mr Bohm) I think this was a point which
may have originated from me in the draft. I think what the courts
do is in principle public and accessible to review and based on
evidence that is accessible to review and there was a reported
case fairly recently where warrants granted to the Serious Fraud
Office were, subsequent to their execution, challenged and found
to have been granted on a completely unjustified basis. There
was serious criticism of the Serious Fraud Office in that case
and remedies were afforded. Now, that is a virtue of the judicial
process, firstly, that you can take that kind of action under
it and, secondly, that it generates a record from which others
can learn and other judges can learn to be good in their scrutiny.
It is much more difficult with applications to Secretaries of
State where they do not leave the same kind of trail, but they
leave only very vague and surreptitious evidence of their passing.
The rest of us do not learn anything about it and I do not know
whether Home Secretaries learn very much about the effectiveness
of the use of their powers and the adequacy of the justification
after the event. We would lean, as I think you heard the Data
Protection Registrar lean, towards judicial control because of
those virtues.
Mr Cunningham
506 On the question of interception, what outcome
would you like to see from the review of the Interception of Communications
Act 1985? I know what your views were earlier on adopting that,
but what about for the purposes of this discussion?
(Mr Bohm) I think that it follows from
my last remarks that we would like to see judicial rather than
political control. As regards powers to demand the decryption
of intercepts, I think we would pick a particular quarrel with
the suggestion that because an intercept has been obtained under
a Home Secretary's warrant, that by itself should justify an obligation
to decrypt. We regard that as unsatisfactory because it does not
provide the special procedure material safeguards that the Police
and Criminal Evidence Act provides where you are dealing with
special procedure material, for example, legally privileged material,
journalistic sources, medical information. Now, it is very difficult
of course to provide that protection for instantaneous interception
because you do not know who your target is going to ring up next,
so it is understandable that you cannot satisfactorily apply that
protection to real-time interception, but if what you intercept
is encrypted and you are compelled to go to somebody else and
obtain the keys, by then you do know who it was a communication
with and those safeguards ought to slot in in any event even if
the original intercept was not subject to those safeguards. One
of the results of the review of the whole system is preferably
make the whole thing judicial and, secondly, do not treat the
existing regime quite as neutral as it is portrayed and, lastly,
one of the things that is most seriously lacking in the existing
regime is that when somebody has been subject to an interception,
they may never know anything about it and in a good many regimes
in other Continental countries, the regime provides that the authorities
must within some period of the closure of the investigation inform
people that they have been subject to it. That is widely regarded
on the Continent as a requirement of civil liberty and it is one
that I think we should emulate here.
507 How do you think it could be regulated then?
(Mr Bohm) If there is a right of a person
to have information after the event and if the warrant has been
granted in the judicial system, then there is an adequate record
upon which a check can be made as to whether there has been a
subsequent disclosure. Indeed, I would expect the disclosure to
be automatic within a time period from issue of the warrant unless
those who have obtained it have applied for extensions and obtained
judicial authority for them, so I would say an automatic system
with power to obtain extensions.
508 What response have you had from ISPs to your
"privacy letter" initiative?
(Mr Akdeniz) We have been dealing with
this issue since November 1998 and we developed a privacy letter
from the users' perspective and I would like to bring to the attention
of the Committee a document recently issued by the Council of
Europe. It is recommendation number 99/05 and I would like to
leave a copy with you. This is very much along the lines of what
we said in our privacy letter and it encourages the issue of privacy
for both users and it explains the duties and responsibilities
of Internet service providers and it also encourages governments
to distribute this document and, therefore, we would like you
to add this short document as an appendix to our submission and
publish it for wider circulation. There has been a major development
on that issue with the Internet service providers and we have
been approached by LINX, the London Internet Exchange, only last
Friday and there will be a new forum which includes public interest
groups to develop an Internet privacy code which will eventually
be taken into account by the Internet service providers in this
country. This is in response to our claims that the recently established
ACPO/ISPs government forum was not including public interest groups
and they were having what we call "secret", what they
call "private" meetings about these issues. We said
in various statements that such issues should be discussed openly
and that the regulatory environment should be transparent and
accountable as required by the Nolan Committee principles in public
life, so we believe in an open discussion.
509 So what response did you get from the ISPs?
(Mr Akdeniz) The Forum said that we should
cease our campaign even though we never advocated a campaign.
We developed this privacy letter for the use of individual Internet
users and they did not properly address the legitimate questions
that we asked. One of them was, for example, whether the Internet
service provider in question is registered under the Data Protection
Act and this is a simple yes or no situation and we have not received
any comments on that. Quite a few users contacted us, complaining
that ISPs are not willing to respond to such legitimate questions
and, therefore, a dialogue up until last Friday has not been established.
We believe that this is now a good step in the right direction
and we hope that this will eventually lead into a privacy code
which will be taken into account by the Internet service providers.
(Mr Bohm) I think it is a very welcome move. A number
of individual ISPs have responded to letters raising these questions
and, so far as I am aware, they have mostly responded favourably
and have mostly said that they would not provide information except
under lawful authority, but these have been rather few responses
and it has not been very willing. The individual service providers
have, I think, been somewhat put off by the Service Providers'
Association's reaction to the campaign. I am hoping that with
the convening of a public conference and the recognition that
these are serious issues that do deserve serious public discussion,
perhaps there will be slightly less negative views taken by Internet
service providers. I am sure the Data Protection Registrar's views
will push in the same direction and we would value that very much.
Chairman
510 The consultative paper proposes specific
legislation to impel decryption. How do you feel about that?
(Mr Bohm) It is a tricky question because
it is not very explicit what they think is the consequence of
declining, nor is it at all obvious what their answer is if you
say, "I practise forward secrecy. That message must have
been a month old and I destroyed the keys after a month and I
have not got one". I know of no very satisfactory technical
means by which they can prove that is not true. I ignore simple
excuses, like, "The cat ate my password", and even quite
good excuses will be very difficult to deal with, so I think this
echoes what we observed earlier: it is perfectly reasonable to
have the power, but it is not a very effective solution and not
likely to be.
511 What about the US situation where it is a
crime knowingly to encrypt information in pursuit of a crime?
(Mr Bohm) Well, there is nothing wrong
with it in theory. It suffers from the same defect that you have
to prove that it was in pursuit of a crime and you presumably
have to convict for the crime and you merely add a little to the
sentence on account of the use of encryption. Whether this will
really produce a material effect in aid of law enforcement, I
doubt. It is evading the issue that what are required are effective
skills and technology which legal means are going to trail behind.
512 On a slightly different tack here, perhaps
we could raise the question of intelligence agencies. How easy
is it for them to monitor suspects' use of the Internet, for example,
the sites they have visited, the news groups they subscribe to,
the words they input into search engines? What control do you
think there should be on Internet intelligence gathering?
(Mr Bohm) I think my own reaction to
it, and it is not an issue that we have focused on hugely, is
that it is not really very effectively regulatable because the
Internet is designed as an insecure network; it has redundant
paths, people can use it from huge numbers of different points.
It is both very difficult to monitor overall an individual's activity
on it if he moves around and, on the other hand, very difficult
to stop people getting at the contents of other people's computers
on it. How much regulation is useful against determined, surreptitious
information gathering is very much open to question. It is going
to happen. It will be successful to a degree. I think I certainly
see privacy-enhancing technologies and individuals' personal defence
against intrusion of information gathering as a much more fruitful
line to encourage than thinking that you can get at it top-down
and regulate what effectively has to be the whole world for the
protection of privacy. I am all for the development of different
standards and codes of practice and I like the feeling if I buy
a book from Amazon that they subscribe to a code of practice in
which I have got confidence. I am not against it, but I would
not put excessive faith and credit in it.
513 What about the other side of the coin, the
kit that you use? The Intel Pentium III computer chip, apparently
each one is going to be individually numbered. Now, there could
be back-tracking opportunities there or is this just another outburst
of paranoia? Admittedly most paranoia has an element of persecution
in it.
(Dr Gladman) The implementation of the
serial number on the chip obviously can be used either way. It
can be used to actually undermine anonymity, pseudonymity, on
the one hand, and, on the other hand, corporate players can actually
track their PCs and track their licences and actually in the corporate
environment this has got some very good potential uses. Our attitude
to this is that provided you are actually sure that it is under
the firm and definitive control of the PC owner, it is a jolly
good facility, but that is a big proviso because actually Intel
have not done it that way and it is not under the control of the
PC owner, but it is under the control of some vague industry out
there called the software industry. So our attitude to this is
that Intel have done it in the wrong way and the most important
part of our attitude is that this is the start of an investment
by these companies in security technology and if they are not
open about it before they do this, we are going to get into a
lot of trouble, and the fact is that although they have said to
people that they have reacted to this and they have changed their
plan, this is implemented at the chip level and the chip has been
going through their fabrication plant for months and they have
not made any changes at the chip level, they cannot change current
chips at the chip level, and actually this cannot be cured unless
changes are made at the chip level. Therefore, the real problem
here is that they have consulted about this when it is already
too late to do anything about the issues and that is the issue
that we have put to them. We have said, "You cannot invest
in security technology in private". The issue is that if
these big companies are going to invest in security technology,
it is you and I and everyone else, the public, that are going
to be impacted if that security technology fails and, therefore,
we have to have confidence in it and if we do not have confidence
in it, we have a problem and they have a problem. So what we have
said to them is, "You must learn from this. In future, you
must consult much more openly and widely before you invest in
security technology in your chips".
514 Do you think that they invested in that technology
unbeknownst to the authorities or were they working hand in glove,
or am I being naive even asking that?
(Dr Gladman) I have not a shadow of a
doubt that there was very significant and substantial consultation
between Intel and the US Government, if that is what you are asking.
515 So it is unlikely that we will see nice Mr
Gates in court on this issue?
(Dr Gladman) I answered your question
very precisely and very accurately, but I do not wish you to take
from that that I consider there is a conspiracy here. I think
Intel are very genuine in wanting to improve security and I am
totally committed to the view that they are very genuine. I think
they did not understand the nature of what they were doing and
I personally think that they will do the next set of steps, which
are much more significant more carefully - the impact of this
on privacy and security is relatively small compared to what they
will do in the next step.
516 So it is cock-up one, conspiracy nil at the
moment?
(Dr Gladman) I think that is personally
my view and I think the next time round, or I hope they will do
it differently and do it better, but we have to be sure that they
do because actually they are putting everyone's security at risk
if they do not.
517 Lastly, we had the Customs & Excise here
last week and they said to us that they would be happy to have
a go on any offence that carried more than a three-year sentence.
Now, our understanding was that there were quite correct concerns
about terrorism, about drug trafficking, paedophilia and the like,
but it does seem that they are almost assuming to themselves a
blanket power which would take them over the three-year threshold
and not all of the crimes are of the gravity and seriousness of
the three I have mentioned. How do you feel about the granting
of powers of that character to the Customs & Excise?
(Professor Walker) I think the figure
of three years probably comes from the Interception of Communications
Act 1985 which defines very strangely serious crimes, being offences
for which the penalty is three years or more, and I know that
that is a different definition from that in the Police and Criminal
Evidence Act 1984 where a serious arrestable offence is five years
or more, so I think they are assuming that the exceptional model
in the 1985 Act should continue for the future. Therefore, it
would be one of our further calls for reform of the 1985 Act,
the Interception of Communications Act, that that definition of
serious crime be substantially narrowed and be at least made comparable
to that in the Police and Criminal Evidence Act which deals with
a far wider range of crimes, after all. So I think that is a substantial
problem and it relates to the starting point in 1985.
Mr Butterfill
518 Just one last question, if I may, just so
we know exactly where you are coming from. Who funds your organisation?
How do you get your resources?
(Mr Akdeniz) No one funds it. We are
a voluntary organisation and none of us works full-time on these
issues. We have all got different jobs and we communicate by using
the Internet.
(Professor Walker) Not always secretly!
(Mr Akdeniz) From time to time we use the encryption
technology, depending on the matter. We do not have an office,
but if you check our website, you will find out that we are up
to date with all the national and international issues. We produced
a report on the Intel issue following serious discussions with
Intel representatives in February, but we believe we were contacted
too late. However, Dr Brian Gladman produced a report which is
available through our website.
519 So you are just a group of interested persons
and you do not have any own resources?
(Mr Akdeniz) Yes, we are a pressure group
and we are taken quite seriously by the media, by the regulators
and we believe we are moving in the right direction. I think we
have had an impact on some of the issues like the Internet service
providers and the privacy issue and that is an excellent development
so far, and we deal with other matters, like the Internet Watch
Foundation and their accountability to the public as well.
Chairman
520 So you are a virtual pressure group, but
today you are in real-time?
(Professor Walker) Yes.
Chairman: Well, I think I have to say that your
time has now run out, but thank you very much for your help.