U.K. Crypto Bill Could Make Crypto Users Criminals
A crypto bill proposed in the United Kingdom would require people with
encrypted data either to provide law enforcement with the key, or to prove that they never had it, or that they had it but
have since lost or forgotten it.
By Bruce Tober
February 21, 2000
U.K. users with encrypted data could be forced to provide law-enforcement
officials with the key, or else prove that they never had the key or, if they did, that they have since forgotten or
lost it, if a bill recently introduced in the United Kingdom becomes law.
The United Kingdom's Home Office (roughly comparable to the office of the U.S. Attorney General) recently
introduced the "Regulation of Investigatory Powers (RIP) Bill" in the House of Commons. The bill is intended to
regulate investigatory powers in three areas: interception of communications, intrusive investigative techniques,
and access to encrypted data.
Internet civil-rights activists and crypto experts immediately began a campaign opposing the
bill, especially its proposals in the third area of regulation, encryption. They had been following the government's
efforts to severely restrict the use of encryption and to implement some form of key-escrow scheme for several years.
Caspar Bowden, director of Internet policy think-tank FIPR (Foundation for Information Policy
Research)
A Home Office representative said the U.K. government "disputes the claim" by Bowden that the
bill "leaves unchanged the essential reverse-burden-of-proof for someone who has forgotten or irreplaceably
lost a key." The bill was introduced by Home Secretary Jack Straw (a post somewhat akin to that of the Attorney General in the United
States).
Clause 49 in Part III of the bill says that, to prove non-compliance with a legitimate notice to decrypt,
the prosecution must prove that a person "has or has had" possession of the key. This, FIPR says, "satisfies
the objection to the case where a person may never have had possession of the key, but leaves unchanged the essential
reverse-burden-of-proof for someone who has forgotten or irreplaceably lost a key. It is logically impossible for
the defense to show this reliably."
Asked whether this bill could be applied to non-U.K. citizens or companies who exchange encrypted data
with U.K. citizens or companies, Bowden said, "You bet. No question about it. And Britain is the only country
doing this as far as I know."
(Editor's Note: For a rundown on encryption laws throughout the world see The Crypto Law Survey.)
But, he said, it is unlikely the law would let non-U.K. organizations force U.K. users to provide
their keys. "I think it would have to be a U.K. organization, but the types of U.K. organizations that could
do it are very broad. Any public authority, all the way down to the local traffic warden, could make such a request."
The Home Office representative said, "What we're saying with this bill is when the hard
drive is obtained legitimately with a warrant, there's not much point having obtained the hard drive if we can't
read what's on it. So we'd require the key or plain text of what's there to be served up as part of the investigation."
Asked whether he realized that "possession of the key is one thing, but memory of the passphrase
to 'operate' the key is another," he reiterated that "there are statutory defenses that it's the burden on
the prosecution to prove that you haven't deliberately forgotten it." Reminded that changing keys and/or passphrases
every few months is something many people do for security purposes, he cut the interview short by asking, "Do
you have another question, because this is becoming circular."