28^th June 2000 Analysis of effects of Government amendments to the RIP Bill

GAK (Government Access to Keys) is Alive and Dangerous

Alternate contact – today only – Richard Clayton +44 (01306) 732302

see also RIP Information Centre at www.fipr.org/rip, now updated with Part.III of RIP Bill marked-up to show effect of government amendments (and hyperlinked version of Third Marshalled list)

The government package of RIP Bill amendments offers two significant concessions, but overall the Bill remains likely to cause critical damage to business confidence. Despite cosmetic re-wording, completely discretionary powers for any public authority to demand keys instead of plaintext (including long-term keys to future information) remain unaltered – as does the Kafka-esque secrecy clause ("tipping-off").

Caspar Bowden, director of FIPR commented:

"These new clauses take RIP beyond the complexity pain barrier. Individuals cannot know where they stand, companies cannot know what is at risk, and the law cannot be enforced. RIP's house of cards is collapsing, and the problem is Government Access to Keys – GAK must go."

Conceded

Burden-of-proof issue for keys/passwords conceded – prosecution now have to show accused had PANTS (Possession At Notice Time of Serving) beyond reasonable doubt if "sufficient evidence adduced to raise the issue" – this wording needs clarification in debate (see Appendix A). At least people who forget their passwords will get a fair trial, but RIP will still face human rights challenges on self-incrimination and proportionality.

Decryption notices must now be served on company directors and not on junior employees (unless this would "defeat the purpose" of the notice)

Unaltered Sticking Points

Government Access to Keys remains for undefined "special" circumstances - NC(3)(c). There have been a lot of cosmetic adjustments to do with "disclosure requirements", but actually nothing of substance has changed and there is no requirement on authorities to supply ciphertext that would enable plaintext to be supplied instead of a key.

Keys to information that "is likely to" come into the possession of the authorities – future data, can be demanded (see amendments 139, 139WA, 139XA, 139YA, 139ZA). Obviously this must be a long-term key - plaintext and session keys do not yet exist!
S.50 ("Tipping-off") - Powers can prohibit forever disclosing fact that keys have been demanded.

No time-limit, very general grounds ("the protection of investigative methods generally")
It is ILLOGICAL, because "key-revocation" - announcing to the world that a particular key should no longer be used to send one information is permitted (!), providing that the serving of a S.46 notice is not given as the reason. It thus cannot work as a means of keeping a sequestered key in use by a ring of conspirators. Do the police or Ministers realise this?
The residual case is that someone supplying plaintext shouldn't warn someone else - but there are many similar circumstances where there is no parallel offence. Much the same thing could be done with a one-liner - "interfering with the course of justice", without risking business confidence (especially in conjunction with the "key to future data" issue).

S.49(2)b(ii) – decryption notices can be served "if likely to be of value for purposes connected with the exercise or performance by any public authority of any statutory power or statutory duty". The IoD has pointed out that this includes the car park attendant of the Home Office.
Signature keys that may also be used for encryption, can be demanded (Technical!)

(See Amendment 157 & 158) Many encryption systems allow keys used to create signatures, also to be used to decrypt communications. If someone sends you a communication encrypted under your public signature-verification key - even the police ! - through no fault of your own your signature key becomes vulnerable to a S.46 notice, and thus your signature on any past documents becomes legally worthless. (This is complex and needs understanding of commutative property of assymmetric encryption)

Wait and see (until Report Stage – 10^th July)

· New definition of communications data – how will it apply to :

o clickstreams indicating individual webpages and search engine requests – govt. says this was a drafting mistake – how will they rectify ?

o log of websites visited – still much more intrusive than a log of telephone numbers dialled

o "IP numbers" – the addressing system for packets of Internet data

· Will the govt. make it unlawful to control "black-boxes" directly without serving a warrant (for interception) or a Pt.I Ch.II Notice (for communications data) on the ISP?

· Sleeper issue: completely new procedure for "trawling" mass-surveillance of domestic Internet messages - S.15(3) – issue raised in debate on 19^th July - written answer awaited.

· Strategy for imposing interception requirements and structure of costs on ISP industry

Appendix A – Reasons for not having Possession At Notice Time of Serving

1. I still keep that encrypted data on my hard-disk because although I forgot the password several years ago, I might remember it suddenly (as one does), and it contains important records.

2. That's a key from a key-server when I first tried encryption. I've forgotten the password so can't "revoke” it (and it cannot otherwise be deleted from a globally replicating network of key directories), and people still send me things occasionally with it - which I can't read.

3. I just changed keys three days ago - I meant to record the passphrase in my organizer but forgot it before I did

4. It's a perfect-forward-secrecy/ephemeral-key system that automatically destroys/never-retains a decryption key.

5. My organizer "glitched" and I lost all the data in it, including passphrases

6. I never wrote it down because I've never forgotten it before

7. I assumed that the manufacturer had a backdoor to get the data back

Appendix B – Technical Glossary

ISP and CSP	Internet Service Provider (company providing connection to the Internet) and Communications Service Provider (Home Office term for telephone company or ISP). ISPs generally will NOT possess keys to customer communications that are encrypted – they merely act as a conduit
Encrypt/Decrypt	The process of scrambling/unscrambling information into a jumbled form, by means of a mathematical cipher, which cannot be understood without a key
Key	A long number which acts like the combination of a lock with an astronomical number of permutations. Keys are chosen to be sufficiently long that they cannot be guessed by trial-and-error, even by the most powerful computers that can be reasonably foreseen.
Session Key	A key uniquely generated for each message. A session key can only decrypt a single message
Long-term key	Used to protect session keys. If a long-term key is revealed ALL messages can be read
Password/Passphrase	Because people cannot remember numbers with several hundred digits, keys are themselves protected with encryption. A password, or preferably a pass phrase that cannot be guessed by machine, is typed in every time to prepare the actual key for use.
Plaintext	Data in its original unscrambled form (may in fact be data representing sound/pictures/voice)