FIPR News Release on UK ELECTRONIC COMMUNICATIONS BILL

1999-07-23 Thread Caspar Bowden

Please link any story to Web Press Release at
http://www.fipr.org/ecommpr.html

Regards
--
Caspar Bowden    http://www.fipr.org
Director, Foundation for Information Policy Research
Tel: +44(0)171 354 2333  Fax: +44(0)171 827 6534

FOUNDATION FOR INFORMATION POLICY RESEARCH
==
News Release - Friday 23rd July 1999
Published Bill available at http://www.dti.gov.uk/cii/elec/ecbill.html

Contact: Caspar Bowden - Director of FIPR
+44 171 354 2333
[EMAIL PROTECTED]

ELECTRONIC COMMUNICATIONS BILL WILL HARM UK INDUSTRY,
HOLD BACK GROWTH OF ECOMMERCE, UNDERMINE CONSUMER PROTECTION,
AND VIOLATE EUROPEAN CONVENTION ON HUMAN RIGHTS

Since the early 1990s, civil service policy advice to Conservative and
Labour Ministers has advocated draconian legislation restricting the use of
encryption on the Internet. The Conservatives proposed compulsory licensing
of encryption in Government, but recanted in opposition. Labour opposed
controls in opposition, but now propose "decryption notices" which overturn
basic principles of human rights and civil liberties.

Today the Government published an Electronic Communications Bill that will
give ministers broad powers to control the use of encryption in electronic
commerce. Although some of the more objectionable aspects of previous
proposals have been dropped from primary legislation, the bill gives
ministers the power to introduce them later as regulations.

Caspar Bowden (Director of FIPR) said:
"Electronic businesses can trade from anywhere in the world. Threatening a
mountain of red tape will cause e-business to move to places with a more
supportive climate such as Ireland or Canada."

"The Home Office argues that being asked to produce a decryption key is like
being asked to provide a DNA sample. But innocent people might lose a key to
stored data, or never know the key to data that is e-mailed to them - and
unless the court is convinced, it means jail"

Overwhelmed by resistance from industry and users, the government has been
forced to abandon a succession of elaborate but futile frameworks for
regulation, wasting three years in which UK e-commerce could have
established a world lead.

Big Bureaucracy
---
Compulsory licensing with mandatory key escrow subsequently became
"voluntary" licensing linked to key escrow, and now the terminology has
metamorphosed again into a "register of approved providers". Despite a
fiercely critical Trade and Industry Select Committee report, the DTI has
ignored the spirit of their findings and appears still to want to keep open
options for strict regulation. Six pages of impenetrably worded legislation
could see the return of key escrow through secondary powers which would
allow the Secretary of State to make escrow a condition of approval.

Businesses, already deterred by vacillation and delay, will have little idea
of what to expect until the regulations are eventually published. Different
regulations can be published by different departments, no timescales are set
out, and businesses will face constant debilitating uncertainty about
whether electronic products and services may in future face much stricter
regulation.

FIPR wishes to see cast-iron curbs on secondary powers which could require
(or coerce) without further primary legislation: (a) operation of key escrow
by approved providers, (b) linkage of weight or validity of signatures to
being an approved provider, (c) use of approved provider of certificates or
encryption for dealings with Government

Big Brother
---
There are also serious civil liberties concerns. The bill will give police
the power to demand decryption keys from anyone they suspect of possessing
them, and failure to hand keys over can lead to a two year jail sentence.
The defence will be presumed guilty of withholding a key unless they can
prove otherwise (a likely contravention of the European Convention on Human
Rights), and decryption notices will be secret, so it will be impossible to
complain effectively if they are used in an oppressive way.

Handing over a decryption key used for years on end would give the police
access to very much more information than they need. Decryption notices can
also be served on innocent correspondents of a suspected person, with an
indefinite obligation not to change keys and maintain secrecy.

FIPR believes that criminals should not be able to hide behind encryption, but
the way in which the government intends to deal with this is completely
unsatisfactory and infringes basic human rights.

To obtain power to serve a decryption notice FIPR suggests that the
authorities should establish to a judge with reliable evidence that the:
- data in question contains a hidden or encrypted message
- person on whom the notice is served possesses a key
- data contains evidence of, or would assist in pursuit or detection of, a
serious criminal offence

Decryption Notices and Human Right

Security Lab To Certify Banking Applications (was Re: ECARM NEWSfor July 23,1999 Second Ed.)

1999-07-23 Thread Robert Hettinga

At 2:00 PM -0400 on 7/23/99, [EMAIL PROTECTED] wrote:


> Title: Security Lab To Certify Banking Applications
> Resource Type: News Article
> Date: Jul 22, 1999 (6:15 AM)
> Source: InternetWeek
> Author: Tischelle George
> Keywords: BANKING INDUSTRY,ONLINE SERVICES ,SECURITY,SOFTWARE VERIFY
>
> Abstract/Summary:
> A lack of security standards is holding back online banking and
> financial services. Or so says the Banking Industry Technology
> Secretariat, a technology consortium of the nation's biggest banks.
> Next week, BITS will open a security laboratory to certify security
> software for use in commercial banking applications.
>
> The Financial Services Security Laboratory will open July 28 in
> Reston, Va. The facility will be used to test software packages against
> a set of standards for securing e-commerce and bill-payment
> applications, as well as browsers and operating software.
>
> Original URL: http://www.techweb.com/wire/story/TWB19990722S0004
>
> Added: Fri  Jul  23 9:45:52 -040 1999
> Contributed by: Keeffee

-
Robert A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: symmetry group

1999-07-23 Thread Jitze Couperus


Mike Stay asked


>
>Given a basis for a group, can one calculate in polynomial time how far
>apart two states are?  How about finding a shortest path between two
>states?  Does anyone know good search terms to find papers on this sort
>of thing?
>--


Not sure if this is what you are looking for, but a specific variant
of this problem is computation of the so-called "Levenshtein Distance".

If you go (for example) to www.google.com and use that to search
on this phrase, you will be pointed to a number of pages that talk
about it.

Use of this algorithm is mainly in the context of seeing
"how close" one alpha string is to another (see
http://w3.nai.net/~rvdi/lDistance/index.html for example) although
this has then been used as an underpinning to measure "distance"
between finger-prints and so forth.

On further thought - I doubt that this is what you are looking
for, but it might serve as a jumping point for references to
other work related to the more general problem.

Jitze





UK to impose yet more nasty interception laws...

1999-07-23 Thread Perry E. Metzger


From "The Guardian" in the U.K.

 Straw insists on e-mail
 interception powers 
 
 Links, reports and background on the
 Freedom of Information debate 
 
 David Hencke, Westminster Correspondent 
 Friday July 23, 1999 
 
 Draconian powers to jail anybody for up to two
 years who discloses that their company's encrypted
 e-mails or electronic documents are being
 intercepted by the police, Customs or the security
 services are to be announced by the government
 today. 

http://www.newsunlimited.co.uk/AC/setguestcookie.cgi?section=News&host=www%2Enewsunlimited%2Eco%2Euk&uri=%2Fpolitics%2Fstory%2F0%2C3604%2C67849%2C00%2Ehtml&userid=4G9Dbb01



Re: Wireless Networking Encryption...

1999-07-23 Thread Mike Brodhead


> BTW, if anybody ever finds a strong-crypto wireless LAN solution let me
> know. [To save time: yes, I am aware of IPSEC, SSL, etc. No, that's not what

you might want to take a look at Ricochet from Metricom.

http://www.metricom.com/individuals/description.htm

while their main line of business is as a wireless ISP, they also
claim to be able to sell you a point-to-point service.  their hype
states that they use RC4, but they don't mention a keylength.  since
it's a domestic-only product, i wouldn't be surprised to see 128 bits.
then again, the same document contains the sentence "You can't find
better security" which is a pretty bad sign.

if you are able to find out more of their crypto details, please share
them.

--mkb

---
Michael Kennedy Brodhead
Security - Design - Development
<[EMAIL PROTECTED]>




reputation

1999-07-23 Thread Robert Hettinga


--- begin forwarded text


Date: Thu, 22 Jul 1999 17:12:26 -0400 (EDT)
From: 
To: [EMAIL PROTECTED]
Subject: reputation


Bob - would you pass on this question anonymously: I'm interested in
pointers to reputation and escrow services and theory.  Any pointers
to someone starting out?

--- end forwarded text


-
Robert A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



It's to be expected (crypto laws)

1999-07-23 Thread Russell Nelson

I just read _The Incredible Bread Machine_, by R. W. Grant.  A Fox &
Wilkes book, available from Laissez-Faire Books.  I think a quote from 
page 241, on The Limits of Political Action, is appropriate in re the
recent "I told you so" observation by Lucky Green:

Government is force, and politics is simply the means of deciding
who gets to use it at whose expense.  By its nature, then,
politics will inexorably represent the interests of those who seek
the favors of government.  Hence the bewilderment of voters who
find that no matter who wins the election, government continues to
grow bigger and more intrusive.  At best, transient reforms can be
accomplished, but the underlying dynamic of politics is constantly
to expand the role of the state.

Accordingly, those seeking to limit the role of political force
[aka crypto export laws] in our society are quite literally
disenfranchised.  You can vote for ruler A or ruler B, but you
can't vote for no ruler.  Political action can possibly be
helpful for educational purposes, or as a rear-guard effort, but
its effectiveness as an influence for less government is
limited. [as we've seen.]

What to do?  Attack the state at the source of its power: our
cooperation.  It can be noisy civil disobedience.  It can be simply
ignoring an unenforceable law.  It can be challenging the power of the
state in its own institution, as in the Bernstein, Karn, and Junger
cases.

I highly encourage all [EMAIL PROTECTED] readers to read The
Incredible Bread Machine.  It puts together a comprehensive attack on
the legitimacy of the state.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://crynwr.com/~nelson
Crynwr sells OSI Certified(tm) Open Source Sware| PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



RE: Wireless Networking Encryption...

1999-07-23 Thread Lucky Green

Ricochet is too slow. I don't consider something that does well below 56kbps
a LAN product.

--Lucky Green <[EMAIL PROTECTED]>

> -Original Message-
> From: Mike Brodhead [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 22, 1999 16:39
> To: Lucky Green
> Cc: K. M. Ellis; Thomas P. Hallaran; [EMAIL PROTECTED]
> Subject: Re: Wireless Networking Encryption...
>
>
>
> > BTW, if anybody ever finds a strong-crypto wireless LAN solution let me
> > know. [To save time: yes, I am aware of IPSEC, SSL, etc. No,
> that's not what
>
> you might want to take a look at Ricochet from Metricom.
>
> http://www.metricom.com/individuals/description.htm
>
> while their main line of business is as a wireless ISP, they also
> claim to be able to sell you a point-to-point service.  their hype
> states that they use RC4, but they don't mention a keylength.  since
> it's a domestic-only product, i wouldn't be surprised to see 128 bits.
> then again, the same document contains the sentence "You can't find
> better security" which is a pretty bad sign.
>
> if you are able to find out more of their crypto details, please share
> them.
>
> --mkb
>
> ---
> Michael Kennedy Brodhead
> Security - Design - Development
> <[EMAIL PROTECTED]>
>
>




symmetry group

1999-07-23 Thread staym

There's no real concept of "distance" between elements of a group, and
yet if you were to consider operations on, say, a Rubik's Cube, it's
obvious that some states are further from "solved" than others.  That's
because we can't "do" a general operation on the Rubik's Cube in just one
step; we have to generate it from a subset of the group elements that
span the group.  

Given a basis for a group, can one calculate in polynomial time how far
apart two states are?  How about finding a shortest path between two
states?  Does anyone know good search terms to find papers on this sort
of thing?
-- 
Mike Stay
Cryptographer / Programmer
AccessData Corp.
mailto:[EMAIL PROTECTED]
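
The "distance" asked about above is the shortest-path length in the Cayley graph of the group under the chosen generators. The following is an added example, not part of the original post: a brute-force breadth-first search that finds a shortest sequence of moves between two states. It visits every reachable state, so its cost grows with the size of the group and it does not answer the polynomial-time question. The generators (adjacent swaps on four positions) and all names are constructed for illustration.

```python
from collections import deque

def compose(p, q):
    """Permutation 'p, then q'; a permutation is a tuple of images."""
    return tuple(q[i] for i in p)

def inverse(p):
    inv = [0] * len(p)
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)

def bfs(start, generators):
    """Explore the Cayley graph from start.
    Returns {state: (previous_state, move_name)}; start maps to None."""
    moves = dict(generators)
    for name, g in generators.items():
        moves[name + "'"] = inverse(g)   # every move can also be undone
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for name, g in moves.items():
            nxt = compose(state, g)
            if nxt not in parent:        # first visit is a shortest route
                parent[nxt] = (state, name)
                queue.append(nxt)
    return parent

def shortest_word(start, goal, generators):
    """Shortest list of move names taking start to goal, or None if the
    generators cannot reach goal from start."""
    parent = bfs(start, generators)
    if goal not in parent:
        return None
    word, state = [], goal
    while parent[state] is not None:
        state, name = parent[state]
        word.append(name)
    return word[::-1]

# Constructed sample: the three adjacent swaps generate all 24 orderings.
IDENTITY = (0, 1, 2, 3)
GENS = {"s0": (1, 0, 2, 3), "s1": (0, 2, 1, 3), "s2": (0, 1, 3, 2)}

if __name__ == "__main__":
    word = shortest_word(IDENTITY, (3, 2, 1, 0), GENS)
    print(len(word), word)
```
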