Electronic Communications Bill 1999 - Part III
This is an outline, with some additional notes and corrections, of a talk I gave at Pinsent Curtis, Leeds, on September 7th 1999. The paper discusses the provisions of Part III of the Electronic Communications Bill 1999. The Bill was eventually amended, and this part of the Bill withdrawn. It did however re-emerge with some limited amendments in the Regulation of Investigatory Powers Bill 2000, and eventually did become law.
It may be updated from time to time, but I hope that they will be changed beyond recognition!
This HTML document has been created for me automatically by PowerPoint. Please do not blame me for the code.
Please also now see the text of an article I wrote, covering similar ground available from the Law Society Gazette. The article appeared in the edition for 6 October 1999. It is in the Focus section, where it resides as the last of four articles. I think it is worth a read, but I would ...
Society For Computers and Law
- Northern Group
- At Pinsent Curtis, Leeds
- 7 September 1999
- Richard Abbott
- Parts I and II
- David Swarbrick
- Part III
Electronic Communications Bill
- Consultation Paper
- For replies by October 8th 1999
- Extracts from the Bill and IOCA
- Sources on Web
- http://www.swarb.co.uk/lawb/cpuecbill-le.html (This Paper)
- Spies, Spivs, Diplomats and Bankers
- Cryptography has always been seen as the property of the intelligence services.
- Played a major part in the second world war through Bletchley Park, and the cracking of the Enigma codes.
- Treated as a 'dual-use' weapon in arms export control legislation.
In fact the arms control legislation is seen as the real method of preventing the widespread use of encryption by ordinary users.
- Privacy is a right, but how much of one?
We must not apologise for taking privacy. Law enforcement has its own proper interests, but, on balance, much less crime would take place if we all communicate securely.
There would be some criminals who took advantage, but the question is whether more crime will be prevented by privacy, than will be detected by the destruction of privacy.
- Underdeveloped in English law.
This is almost a constitutional issue. Government has always seen itself as having the right, simpliciter, to enter the private lives of its citizens and poke around at will. Restraints have been slowly and reluctantly applied.
- Seen as a quiet timorous right, which keeps itself to itself. But the law of confidence is being asserted more and more regularly and in ever newer situations.
- Data Protection Act 1984 was intended to be an assertion of privacy as a right. It was side-tracked to become a matter of administration.
- Interception of Communications Act 1985 - was an opportunity to protect privacy. It was in fact a pure attempt to support continuance of existing practices.
In practice it has proved to be a dud. The statistics produced are misleading, and the protection has been utterly incomplete.
- The new Human Rights Act will do much to extend the use of the rights of privacy in UK law.
- Echelon system.
The British Government has out-sourced its interception of the communications of its own citizens. History has shown that such resources have been used in commercial espionage.
It is difficult to believe the extent of the interception undertaken. Enough to say that 40 billion dollars a year are not spent on 2000 wiretaps.
Since the British Government denies the existence of Echelon, and we know it exists, every statement they make on the subject follows a blatant and simple lie. If we know that their opening is such a simple and deliberate falsehood, how much value can be attached to the statements which follow? Each must be falsified to whatever extent is necessary to protect the original untruth, and how are we to know where such a conflict exists?
The only possible correct attitude is a hearty scepticism about whatever is said by governments in this area.
- DTI Consultations
Several, and unconvincing. Have improved as law enforcement has been left to the Home Office.
- Key Escrow/ Licensing
Gone but not forgotten. The Bill does nothing to suggest that it will not be re-introduced as part of the system of approvals.
- Select Committee / Cabinet Responses
Single/Dual Key Cryptography
- Dual Key Public/Private Key Cryptography
- Invented in seventies
- Understand and remember this bit.
- Is fundamental to the whole discussion.
- All security in e-commerce depends in one way upon public-key cryptography.
Single Key Cryptography
- We all understand it - children's games
- Same key is used to encrypt and decrypt.
- Must share one secret in order to share a second.
- Works well within small close-knit groups
- Drug Traffickers
Single key cryptography depends upon the parties first having a secure means of communication (to exchange the secret key), in order then to exchange a secret - the message. If the first exists, why is the second needed?
One Time Pad
- The only truly secure cryptography is a one time pad: a random sequence of characters of the same length as the message, used once only.
- Used in the last war by our agents in France.
- Each letter is added to the message text in turn, and subtracted in turn to decrypt the message.
- This same technique can be used to turn any message into any other message of the same length.
- Makes the entire procedure academic. There is no inherent way of proving or challenging the relation between the plain text delivered and the cipher-text.
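The letter-by-letter addition and subtraction described above, and the point that some pad exists for every other message of the same length, shown as an added example that is not part of the original talk. The A-Z alphabet, the function names and the two sample messages are assumptions constructed for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # assumption: messages use letters A-Z only


def _shift(text, pad, sign):
    """Add (sign=+1) or subtract (sign=-1) each pad letter, modulo 26."""
    if len(pad) != len(text):
        raise ValueError("pad must be exactly as long as the message")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(p)) % 26]
        for t, p in zip(text, pad)
    )


def new_pad(length):
    """Random pad, one letter per message letter, to be used once only."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def encrypt(plaintext, pad):
    return _shift(plaintext, pad, +1)


def decrypt(ciphertext, pad):
    return _shift(ciphertext, pad, -1)


def pad_for(ciphertext, other_text):
    """The pad under which `ciphertext` decrypts to any text of equal length."""
    return _shift(ciphertext, other_text, -1)


# Constructed sample messages of equal length (not from the talk).
REAL = "MEETATDAWN"
ALTERNATIVE = "HAPPYBDAYX"


def demo():
    pad = new_pad(len(REAL))
    ciphertext = encrypt(REAL, pad)
    other_pad = pad_for(ciphertext, ALTERNATIVE)
    # Both pads are equally valid keys for the same cipher-text.
    return ciphertext, decrypt(ciphertext, pad), decrypt(ciphertext, other_pad)


if __name__ == "__main__":
    print(demo())
```

Because every pad is equally likely, the cipher-text alone gives no way to tell which of the two decryptions is the one the sender wrote.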
Dual Key Cryptography
- One Key in Two parts
- Private key absolutely private
- Public as public as can be
- Person not message
- Is reversible.
- The mechanism is precisely the same.
- Only not so, if dumbed down to achieve this.
- You find my public key, from a public register, and
- encrypt your message with it,
- send me the message and
- know that only I can read the message
- You cannot decrypt the message you just sent
- Cannot be proper subject of a s10 notice.
Authentication / Signatures
- I use my private key to
- Encrypt the message (or a digest)
- Send the message, and
- You know that only I can have created the message, and
- It has not been altered
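The "one key in two parts" scheme and its reversal for signatures, shown as an added example that is not part of the original talk. The talk names no algorithm, so textbook RSA is assumed here, with two small well-known primes and no padding; the names, the message value and the sample text are constructed for illustration.

```python
import hashlib

# Two well-known Mersenne primes: far too small and too regular for real keys.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private half, derived from P and Q

PUBLIC = (E, N)    # as public as can be
PRIVATE = (D, N)   # absolutely private


def apply_key(value, key):
    """The single mechanism: modular exponentiation with one half of the key."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


def digest(message: bytes) -> int:
    """SHA-256 digest reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def encrypt_for_owner(number):
    return apply_key(number, PUBLIC)        # anyone can do this


def owner_decrypt(ciphertext):
    return apply_key(ciphertext, PRIVATE)   # only the private half undoes it


def owner_sign(message: bytes):
    return apply_key(digest(message), PRIVATE)  # same operation, reversed roles


def verify(message: bytes, signature):
    return apply_key(signature, PUBLIC) == digest(message)


def demo():
    secret = 1999                           # constructed message value
    ciphertext = encrypt_for_owner(secret)
    text = b"constructed sample contract"
    signature = owner_sign(text)
    return (owner_decrypt(ciphertext) == secret,
            verify(text, signature),
            verify(text + b" (altered)", signature))


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

`owner_decrypt` and `owner_sign` both call `apply_key` with `PRIVATE`, so whoever holds that half of the key can read past messages and also produce signatures that verify.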
Driving power behind e-commerce.
- The technology which makes it possible.
- No need for secret to be shared beforehand.
- Makes encryption usable for the masses.
- Shift of power between Individual and State
- Privacy not allowed by state, but taken by citizens.
- Taxation difficulties
- Law Enforcement
- The Powers
- S 10 Notice to decrypt
- S 13 Tipping Off offence
- The Protections
- Not Digital Signatures
- The Defences
- The Permission
- The Tribunal
- The Code of Practice
Definitions (Clause 19)
- Protected Information
- Information or data inaccessible without key
- Not just encryption - anything unintelligible
- That which makes the information unprotected
- Includes code, password, algorithm other data
- Circularity of definitions?
Cl. 10 Notice - Decrypt or ...
- Protected Information assumed to exist
- Appears that person to be served has key
- Form and time-scales chosen by server.
- Can require either plain-text or key.
- Future messages.
- Secretary of State or Judge not required
- 2 Years maximum sentence.
Clause 10 Defences
- I haven't got a key. (Prove it!)
- I can't (Prove it!)
- Real practical and technical difficulties for non-experts (Prove it)
- No means of double-checking
- Code of Practice - Duties of Authorities
- Tribunal - ahem
Cl 10 Notices
- Will be very many more
- One warrant per telephone, but
- one Notice per correspondent.
- Served on
- Innocent - not on suspects
- Ordinary - not in commercial environment
- Need for Kafka-esque powers.
Clause 13 Tipping Off
- Optional for Clause 10 Notices
- Must not reveal
- to anyone
- Is Catching - affects anybody told
- Is Changing a Key Tipping Off?
- 5 years maximum sentence.
Clause 13 Situations
- Within family / employment
- Destruction of Trust. Creating Liars
- s 9 IOCA (notes at
- Responsibility for company networks?
- Between company and customers/clients
- A Public key is a promise
- Software development hindered? Whoever develops software for digital signature type purposes must allow for the strange risk of a signature being compromised if a user might do anything else with the software other than sign something, or if part of what is protected within the certificate goes beyond the signature itself.
- False distinction? Local Software.
- Must suffer any and all damage to family and/or business life in silence
The Notes to the Bill suggest that the only remedy is that provided by s 18.
- No mention in Civil or Criminal Proceedings
- Code of Practice - no effect on statute
There will be a code of Practice, no doubt, but the faults here are beyond remedy by a code of practice.
- Tribunal (clause 18)
The history of the comparable IOCA tribunal does nothing to suggest the slightest reason for confidence in such a tribunal.
- Only complaints on notices issued by SS
This is possibly the most egregious section in the whole bill. Only one in a hundred notices will come with any availability of compensation. Everybody else who suffers as a result of this process, must suffer both in silence, and without redress.
- Special Representatives?
Who are these lawyers? How are they to be paid? How can their work be subject to any sort of scrutiny, for example, by the Law Society?
IOCA Meets PACE
- Extension of old arrangements
- Go back to the case of Malone - European Court of Human Rights
- for Business and E-Commerce.
- Use against Ordinary Citizens
- Entire Purpose is to Build Confidence!!
- Self-incrimination. Statement or Search?
- Fair Trial
- Can I complain? Oops
- Respect for correspondence
- Family Life
Right to a Fair Trial
- May be situations when a defendant will need to mention the receipt of a notice
- Very unclear as to how a notice accompanied by a section 13 requirement could ever be mentioned in court.
Burden of Proof
- The rule is that it must be for the prosecution to prove the key elements of an offence.
- The argument is that as regards clause 10, the rule is broken
- The prosecution need only prove:
- Service of the notice
- Failure to comply
- In response the defence must show that he is unable to decrypt the message, that he does not have the key.
- The burden of proof on the prosecution has been reduced to a mere formality
- The burden thrown on the defendant is an impossibility
- See 1992 case
Search or Self-Incrimination?
- The right not to make the prosecutor's case.
- Not an ECHR Convention right explicitly, but is in Universal Declaration on Human Rights
- A question of philosophy but an answer needed
- Does someone who provides a key to a safe
- Is it equivalent to a search?
Superficially attractive, but no element of search may be involved.
- The officer is just as likely to turn up with a copy of an intercepted e-mail, as to find it on a machine
- An officer having removed a computer for inspection is no longer executing a search. Exhaustion of Rights anyone?
- Something is created
When a file is decrypted, a new file which represents the contents of the encrypted file is created. It is certainly a new object for copyright purposes.
- Something which exists already, which is not privileged, and which I hand over seems to me not to be a breach.
- Requiring me to create something new does seem to be a breach: it requires me to create, in effect, a confession.
- This topic has been discussed already in the US, Australia and Holland.
- Thanks to:
- Pinsent Curtis and Society for Computers and Law
- Assessment / Training Points
- Meet up afterwards?
- Web Resources