http://news.bbc.co.uk/hi/english/sci/tech/newsid_638000/638041.stm
UK publishes 'impossible' decryption law
At issue is the burden of proof
The UK Government came under fire on Thursday from the internet community
after it published a Bill to regulate covert surveillance.
The critics say the legislation, if passed, could lead to innocent people
being sent to jail simply because they have lost their data encryption
codes.
The Regulation of Investigatory Powers Bill covers the monitoring and the
interception of communications by law enforcement and security agencies. It
will, for example, lay down the legal rules that must be followed by the
police and security services when they tap someone's phone.
It also regulates the authorities' access to the codes that encrypt data
sent over the net. Such encryption will increasingly become a routine tool
of e-commerce, built into ordinary e-mail and browser software. But the Home
Office is deeply concerned that criminals, such as paedophiles, will use
encryption to hide their activities.
And, as a result, the Bill proposes that the police or the security services
should have the power to force someone to hand over decryption keys or the
plain text of specified materials, such as e-mails, and jail those who
refuse.
The government believes it has built sufficient safeguards into the
legislation. But Caspar Bowden, from the Foundation for Information Policy
Research, said the law as drafted was "impossible" and accused the
government of ignoring all the advice and lobbying it had received from the
net community over the past year.
Net privacy
At issue is the burden of proof. Critics of the legislation say someone
might go to jail unless they could prove they did not have a requested key -
an impossible defence for someone who has lost the software code.
"This law could make a criminal out of anyone who uses encryption to protect
their privacy on the internet," Mr Bowden said.
"The Department of Trade and Industry jettisoned decryption powers from its
e-Communications Bill last year because it did not believe that a law which
presumes someone guilty unless they can prove themselves innocent was
compatible with the Human Rights Act.
"But the corpse of a law laid to rest by Trade Secretary Stephen Byers has
been stitched up and jolted back into life by Home Secretary Jack Straw."
Under the new legislation, the police would have to have "reasonable grounds
to believe" someone suspected illegal activity had a key. Previous attempts
to draft the legislation had only used the word "appear".
Human rights
Caspar Bowden acknowledged that the change replaced a subjective test with
one requiring some objective evidence. The prosecution would have to show
that someone receiving encrypted e-mail has or had a key. However, he said
the presumption of guilt remained for those who had genuinely lost or
forgotten their keys.
"It's clear we are heading for the courts with a human rights test case," Mr
Bowden told BBC News Online. "The legislation could be amended, but it's
obvious the government is not going to take that course."
However, the Home Secretary, Jack Straw, is clearly confident about the
legal advice he has received.
"The Human Rights Act and rapid change in technology are the twin drivers of
the new Bill," he said.
"None of the law enforcement activities specified in the Bill is new. Covert
surveillance by police and other law enforcement officers is as old as
policing itself; so too is the use of informants, agents, and undercover
officers.
"What is new is that for the first time the use of these techniques will be
properly regulated by law, and externally supervised, not least to ensure
that law enforcement operations are consistent with the duties imposed on
public authorities by the European Convention on Human Rights and the Human
Rights Act.
