http://www.techweb.com/wire/story/TWB2210S0005
E-Spying Bill Called 'Escrow By Intimidation'
(02/10/00, 12:58 p.m. ET) By Madeleine Acey, TechWeb
The British government published a bill Thursday to update law enforcement's
interception powers to include communications made via company networks and
ISPs.
The legislation was immediately slammed as threatening human rights and
labelled "key escrow through intimidation" by Internet think tank the
Foundation For Information Policy Research (FIPR). Key escrow is a failed
policy by which users of encryption software lodge copies of security keys
with third parties approved by government.
"This law could make a criminal out of anyone who uses encryption to protect
their privacy on the Internet," said FIPR director Caspar Bowden.
Following the recent liberalization of U.S. encryption software export laws,
as tens of thousands of ordinary computer users start to use encryption, a
test case looks inevitable.
Requiring someone to prove they did not possess a key would likely be a
breach of the European Convention of Human Rights, FIPR and civil rights
group Justice concluded.
"The DTI [Department of Trade and Industry] jettisoned decryption powers
from its E-communications Bill last year because it did not believe that a
law which presumes someone guilty unless they can prove themselves innocent
was compatible with the Human Rights Act," Bowden said. "The corpse of a law
laid to rest by [trade secretary] Stephen Byers has been stitched back up
and jolted into life by [home secretary] Jack Straw."
Straw insisted the Regulation of Investigatory Powers Bill ensure citizens'
privacy and comply with the European Court on Human Rights.
He said the interception methods of the past "sometimes led to serious
miscarriages of justice" and that the bill would more closely regulate law
enforcement and security agencies' activities.
Straw added that interception of telecommunications was only legislated for
in 1985.
"There was only one completely dominant [telecom] provider and only
landlines," he said. "No pagers, no mobiles, no e-mail, no Internet, no
encryption. The change in the telecom landscape in less than a generation
has been revolutionary. We have to ensure that the legislation keeps pace."
Straw said interception played a vital role in the fight against terrorists
and encryption "can be misused to devastating effect by criminals, not least
in attempts by pedophiles to conceal their activities on the Internet."
However, in submissions to the DTI last year, IT industry figures -- used as
expert witnesses by law enforcement -- said encryption had never thwarted
police attempts to crack encrypted files, and in some cases, the accused had
handed keys over voluntarily.
When asked at the time, security and police agencies, including the FBI,
were unable to show any case where encryption had been a barrier to
convicting a criminal.
FIPR's Bowden said the Bill incorporated some changes to draft legislation
to address previous criticisms. But, he said this was mere "window
dressing".
"To prove noncompliance with a notice to decrypt, the prosecution must prove
a person 'has or has had' the key," Bowden said. "This satisfies the
objection to the case where a person may never have had the key but leaves
unchanged the essential reverse-burden of proof for someone who has
forgotten or irreplaceably lost a key."