Liberty’s Response to Building Confidence in Electronic Commerce (URN 99/642)
Contents
Introduction
1 Key Escrow
2 Safeguard Mechanisms
3 Presumption of Innocence
4 Implications following the release of keys
Specific comments are provided on the following paragraphs of the consultation paper:
49-50
52-53
55
55-58
63-65
73-74
75
78
A(II)
April 1999
Introduction
Liberty, The National Council for Civil Liberties, is one of the UK’s leading civil liberties and human rights organisations. Liberty works to promote human rights and protect civil liberties through a combination of test case litigation, lobbying, campaigning and research. It is the largest organisation of its kind in Europe and is democratically run.
Liberty has considerable interest in the issues arising from new technologies and has previously responded to the consultation paper on the Licensing of Trusted Third Parties for the Provision of Encryption Services in 1997.
Liberty welcomes the opportunity to comment on the Government’s proposals in relation to Electronic Commerce. We have limited our comments to those aspects of the consultation paper that relate to civil liberties and human rights. General comments are provided on key escrow; safeguard mechanisms; the presumption of innocence; and implications following the release of keys.
These are followed by specific comments which are set out according to the paragraph numbers in the consultation paper.
1 Key Escrow
Liberty welcomes the fact that the Government is consulting on the basis that key escrow by TSPs of private keys will not be mandated as part of the proposed voluntary licensing regime. Liberty has considerable concerns about the privacy implications of such a scheme and we welcome the Government's response to the concerns raised by civil liberties groups and industry prior to the release of the Consultation Paper. Concerns remain, however, that the Consultation Paper still contains proposals which we would expect to have been removed following the decision to abandon proposals for mandatory key escrow.
In addition, we are concerned that the Government appears to be looking to industry to provide technical solutions to concerns regarding effective law enforcement in the face of widespread use of encryption. It is not clear that there is a technical solution to this problem short of banning encryption. Such a solution would, amongst other things, effectively prevent the development of electronic commerce in the UK. We would seek assurance that any failure on the part of industry to provide a ‘satisfactory’ solution would not be used as a reason to reintroduce the discredited idea of escrow. In addition, any solutions put forward by industry should not be considered solely on the basis of their technical merits. Technical issues in this area often have privacy and other human rights implications, and any proposals emerging from this consultation process should be the subject of further and wider consultation.
2 Safeguard Mechanisms
Liberty is concerned that the consultation paper is proposing mechanisms based on the Interception of Communications Act 1985 (IOCA) to offer safeguards in respect of keys obtained to decrypt intercepted communications. Liberty believes that the safeguards set out in IOCA do not comply with the UK’s international human rights obligations under the European Convention on Human Rights and do not provide sufficient protection against abuse. It would be unfortunate to prejudge the results of the imminent review of interception of communications legislation by using the IOCA model. We would therefore urge that the law enforcement aspects of the proposed legislation be delayed until the review is carried out. This would have the obvious advantage of ensuring that the mechanisms put in place are consistent with the outcome of the review. The consultation paper recognises that there is not currently a problem with accessing keys for the purpose of decrypting intercepted communications. From the perspective of law enforcement there would seem, therefore, to be no urgency in changing the law at this stage.
3 Presumption of Innocence
Liberty is further concerned that it is unclear from the consultation paper whether the "rebuttable presumption that an electronic signature … correctly identifies the signatory it purports to identify" (para. 19) where there is a certificate, will only apply to aspects of the civil and commercial law. We believe that it should not extend to the criminal law or in any way undermine the fundamental principle of the presumption of innocence.
4 Implications following the release of keys
Although the consultation paper differentiates, rightly, between signature keys and confidentiality keys, it should be borne in mind that many encryption systems in current use allow the same key to be used for both purposes. This means that where a private key has been accessed by a third party, whether by the police or others, then the owner of that key must be able to revoke the key - a fundamental security provision relating to signature keys. In order to be able to revoke a key, the owner must know that it has been released. We therefore argue below (for this and other reasons) that where a key has been released by a TSP, then the owner of the key should be notified of the release as soon as such notification will no longer compromise any ongoing investigations.
In addition the release of keys - whether by the owner or by a TSP - should follow a minimalist model. In particular, where there is an option, a warrant should require that plaintext or a session key is released instead of the private key. An example of this is where a message is sent by a suspect to a third party company and the police wish to decrypt a copy of the message at a later date. Unless the suspect has kept a plaintext version, the police will have to require the recipient company either to provide its private key or provide a plaintext version. If the police were to require the release of the key, then they would incur considerable costs for the recipient of the message, for example, by the recipient having to revoke its key. Companies will not be encouraged to participate in electronic commerce if at any time their keys could be released to third parties (in this case the police) because they had been sent a message by the subject of an investigation.
Specific Comments
Our numbering follows that of the consultation paper.
49-50 We note that all the given examples relate to difficulties in accessing materials on computers and none illustrates problems with reading intercepted encrypted communications. It is also noteworthy that in most of the examples the police finally managed to access the encrypted materials.
52/53 It is not clear what the consequences are of a law enforcement agency abusing a key by, for example, accessing illegally intercepted communications. Although paragraph 53 refers to "strong safeguards to prevent unauthorised access to encryption keys", it does not indicate what these are.
55 Liberty urges that, particularly in the context of Electronic Commerce, the interception of communications should not be based on the concept of "safeguarding the economic well-being of the United Kingdom". The wide definition of this concept leaves it open to abuse.
55-58 In light of the forthcoming review of interception of communications legislation, any new powers to allow decryption of communications will inevitably prejudge the review. In addition, none of the examples given in the consultation paper demonstrates law enforcement problems arising from failure to read, in real time, encrypted communications. Liberty does not, therefore, agree that there is an urgent need for new powers of access at this stage. We are also concerned that many of the safeguards proposed in the consultation paper follow those set out in the existing interception legislation. We do not support the proposal that these safeguards should form the model in respect of access to keys when they are clearly insufficient and are about to be reviewed. We explain below why we consider these safeguards to be insufficient and incompatible with the rights set out in the European Convention on Human Rights.
Notwithstanding this, we would make the following comments about specific issues raised by the interception of communications.
We consider that it will be rare for law enforcement agencies to be able to access keys used in communication without the parties to that communication being aware that the keys have been released. The release of keys is therefore likely to occur in two possible situations.
The first is where one party to the communication agrees to provide the details of the communication to the relevant law enforcement agency. Such cases are detailed in paragraphs 86 and 87. In these circumstances, such a party may well have a contractual or common law duty of confidentiality to the target of the surveillance and thus may not be in a position to release the key. In these circumstances, it would be appropriate to seek a judicial warrant so that the co-operating party does not accrue liabilities to the target.
Where the law enforcement agencies are not able to rely on one party to an encrypted communication providing access to the contents of the communication, then access will depend on a third party holding the relevant keys. This will be extremely unlikely in practice, even if key escrow had been brought in. We do not believe that many people, given a choice, would escrow their confidentiality keys with TSPs and this is especially the case where the person has any reason to think that they might be subject to surveillance. Notwithstanding this, if there are cases where TSPs hold keys needed to read warranted intercepted communications, then access to these keys should only be on the basis of a judicially authorised warrant. In addition it is essential that the owners of the keys in question are informed, as soon as possible following the surveillance ending, that their keys have been released. As discussed above, keys will often be used for both signature and confidentiality uses, and people need to have the opportunity to revoke keys. In addition, as we discuss below, the interception safeguards do not provide significant protection because it is rare that the subject of communication interception knows that their communications are being monitored. No complaints mechanism will be effective, unless people who might have legitimate complaints are aware that they have a basis for a complaint.
The additional protections set out in the Police and Criminal Evidence Act 1984 (PACE) relating, for example, to legally privileged communications are also of relevance to warrants for keys to access intercepted communications. Whereas interception warrants are directed at, for example, particular telephone numbers, the release of keys will often relate to messages sent by the target of the surveillance to particular individuals (although this will not be the case for messages received by the target of the surveillance). Where a warrant requires the release of a lawyer’s private key to allow decryption of messages sent to that lawyer by a suspect, then this should be subject to higher legal tests than are set out in PACE (sections 8, 9, 10, 14) when a judge is considering whether to grant the warrant.
63-65 In respect of the example in the box, the police are not merely requesting the key to one safe, they are potentially requesting the key which can be used to open many other safes. Encryption keys can be used for many purposes, including for signature and confidentiality purposes.
The consultation paper does not make clear under what circumstances keys will be demanded instead of plaintext. Nor does it explain what happens if keys are abused by law enforcement agencies or are released by them. For example, if a key that is used for both signature and confidentiality purposes is acquired by law enforcement agencies, and this key is released because of a security breach of that agency, then will the holder of the key be entitled to claim on an indemnity basis for all losses suffered as a result? In addition, the consultation paper does not make clear what the implications are of a law enforcement agency using an encryption key to decrypt illegally obtained messages. Clearly a robust audit trail is required to allow any supervisory bodies to check how keys which have been released under warrant are used.
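To illustrate the minimalist model argued for in section 4 above and in the comment on paragraphs 63-65 (a session key opens one safe; the private key opens every safe), the following is an added example and is not part of Liberty's submission. It uses a toy Diffie-Hellman group, a hash-based stream cipher and an HMAC tag, all constructed for illustration only, and counts how many of a recipient's messages each form of disclosure unlocks.

```python
import hashlib
import hmac
import secrets

# Toy DH group (Mersenne prime 2^127 - 1, generator 3), small only for readability;
# a real system would use a standard 2048-bit MODP group or an elliptic curve.
P = (1 << 127) - 1
G = 3

def keygen():
    # Long-term key pair of a message recipient: (private, public).
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def _keystream(key, length):
    # Counter-mode keystream derived from the session key (toy stream cipher).
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _tag(session_key, eph_pub, ciphertext):
    return hmac.new(session_key, eph_pub.to_bytes(16, "big") + ciphertext,
                    "sha256").digest()

def encrypt(recipient_pub, plaintext):
    # Hybrid encryption: a fresh ephemeral DH share per message fixes a per-message
    # session key. Envelope = (ephemeral public value, ciphertext, tag).
    eph_priv = secrets.randbelow(P - 2) + 1
    eph_pub = pow(G, eph_priv, P)
    session_key = hashlib.sha256(pow(recipient_pub, eph_priv, P).to_bytes(16, "big")).digest()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(session_key, len(plaintext))))
    return eph_pub, ciphertext, _tag(session_key, eph_pub, ciphertext)

def recover_session_key(recipient_priv, envelope):
    # What a warrant for a session key obtains: the key to this one message only.
    shared = pow(envelope[0], recipient_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def decrypt_with_session_key(session_key, envelope):
    # A wrong session key fails the tag check rather than yielding garbage.
    eph_pub, ciphertext, tag = envelope
    if not hmac.compare_digest(_tag(session_key, eph_pub, ciphertext), tag):
        raise ValueError("session key does not match this message")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(session_key, len(ciphertext))))

def disclosure_scope(recipient_priv, envelopes, disclosed_session_key):
    # (messages unlocked by one released session key, messages unlocked by the private key)
    def opens(key, env):
        try:
            decrypt_with_session_key(key, env)
            return True
        except ValueError:
            return False
    by_session = sum(opens(disclosed_session_key, e) for e in envelopes)
    by_private = sum(opens(recover_session_key(recipient_priv, e), e) for e in envelopes)
    return by_session, by_private
```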
The proposed offence of failing, without reasonable excuse, to provide a key or decryption must make it clear that there are a number of situations in which it is entirely reasonable not to provide a key. For example:
(a) it is reasonable to use an encryption system that allows, for example, forward secrecy. The original choice of encryption system should not have to be justified if a prosecution is brought under this proposed new offence. In other words, it should inevitably be a reasonable excuse not to provide plaintext or a key where such provision is technically impossible.
(b) it is reasonable to forget a password. For criminal sanctions to apply, the prosecution should be required to prove that the password had not been forgotten. Whilst this would often be difficult, the reverse of having to prove as your defence that you had forgotten your password would be impossible. It is quite common for people to forget a PIN or other password and this should not be criminalised.
In respect of the warrant itself, even more so in relation to PACE than in relation to IOCA (discussed elsewhere), Liberty is unable to see why, after a computer or computer files have been seized, no provision should be made for any warrant for the decryption of seized material to be issued by a judge. Once the material has been seized, any ‘urgency’ is removed and any (minimal) delay in access to a judge cannot justify a weakening of safeguards available for the protection of the individual’s civil liberties.
73/74 We would request that detailed consultation be undertaken regarding the proposed safeguards, which are not set out in the existing paper. For example, the consultation paper does not make any mention of the safeguards envisaged to ensure that the destruction of such material does in fact occur.
75 It is important to reiterate that the existing remedies available under the Interception of Communications Act (the Commissioner and the Tribunal) are inadequate and do not comply with the requirement to provide an effective remedy (Article 13 ECHR). For a more recent and more appropriate remedy, reference is made to the Special Immigration Appeals Commission Act 1997, which was enacted following the European Court of Human Rights’ judgment in Chahal v United Kingdom [1997] EHRR 413, which found inter alia a violation of Article 13. Liberty would also draw attention to the remedies, in the context of interception of communication, upheld by the European Court of Human Rights in Klass v Germany 2 EHRR 214 (judgment of 6 September 1978). In that case, the Court held that:
"… this does not mean that the Contracting States enjoy an unlimited discretion to subject persons within their jurisdiction to secret surveillance. The Court, being aware of the danger such a law poses of undermining or even destroying democracy on the grounds of defending it, affirms that the Contracting States may not, in the name of the struggle against espionage and terrorism, adopt whatever measure they deem appropriate."(para. 49)
"The Court considers that, in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge." (para. 56)
The German G10 legislation satisfied the requirements of the Convention because it provided adequate and effective guarantees. The safeguards upheld as sufficient in that case included the following:
(a) the implementation of the surveillance was supervised by a judicial officer who would examine the information before it was transmitted to the service that obtained the warrant, checking on compliance with the requirements of the legislation and destroying any other intelligence gathered;
(b) there was provision for subsequent control and review (i.e. a six-monthly report to a Parliamentary Board, made up of members from all parties) and a monthly account of measures ordered by the minister to the G10 Commission (in practice he sought the prior consent of the Commission, which was made up of three members, one person qualified for judicial office and two assessors);
(c) a person affected could complain to the G10 Commission and the Constitutional Court;
(d) where the individual was subsequently notified of the interception, the individual could bring an action for judicial review in the administrative courts or an action for damages in the civil courts. According to a judgment of the Federal Constitutional Court, the individual "must be informed after the termination of the surveillance measures as soon as notification can be made without jeopardising the purpose of the restriction." (para. 58)
The cases of Halford v United Kingdom (1997) 24 EHRR 523 and Kopp v Switzerland (1999) 27 EHRR 91 are two recent examples where the European Court of Human Rights has found the interception of communication by the police to be in breach of the ECHR. This is of particular importance to the present consultation paper in that the Minister will have to make a statement of compatibility with the UK’s obligations under the ECHR under section 19 of the Human Rights Act 1998.
Liberty would endorse the statement of the Court that supervisory control and, it is submitted, initial authorisation should be entrusted to a judge and not left in the hands of the minister.
Without further detail being available, Liberty is concerned that the safeguards proposed in para. 75 are insufficient to satisfy the requirements under Article 8(2) ECHR.
78 We argue above that it is essential that holders of keys are notified if the key is released to law enforcement agencies, once it will not compromise ongoing investigations. This offence should be qualified accordingly.
A(II) Content of Certificate. We do not understand why the requirement for certificates to contain a statement that the certificate (we assume that this should read "certified key") is not used to certify confidentiality keys has been included. This appears to relate to the previous policy of key escrow and we presume that it will not be included in the Bill.
Liberty would like to thank Tim Eicke, Barrister, Francis Taylor Building, for his assistance in the preparation of this submission.
Last Revised: May 7 1999