Should government have a right to monitor electronic communications? Ian Grayson looks at the debate over encryption and a DTI proposal that has some fearing a `surveillance state'
If someone demanded the right to open and read your private correspondence, the public outcry would be enormous. People have come to expect that personal communications remain personal. Yet legislation designed to give just that kind of power to law enforcement authorities is being considered by government and commercial groups in the UK.

The proposed law does not involve raiding Royal Mail post boxes and steaming open letters. It concerns the rapidly growing number of electronic communications between individuals, businesses and organisations. E-mail, electronic document transfers and online commerce are all under the microscope.

The reason for the proposed legislation, contained within a discussion document issued by the Department of Trade and Industry, is that law enforcers are being thwarted in their efforts to monitor electronic communications. Before sending transmissions over networks such as the Internet, more and more people are using sophisticated encryption software to keep it safe from prying eyes. Many see this trend as one that will continue.

"We are migrating our entire society into a digital medium," says Whit Diffie, an encryption expert and engineer at Sun Microsystems.

"No matter how important telecommunication seems today, it is going to be dwarfed by the significance of telecommunications in the future - the fabric of everyday life. And it is going to be essential that that fabric be protected by what I call honest security mechanisms. That is, security mechanisms that everybody around the world can trust."

The basis for secure communication in a digital world is encryption. Increasingly sophisticated methods of encoding information have been developed to allow it to be transmitted in confidence. Cryptographers around the world have been racing to develop systems that provide ever better levels of protection.

Researchers have concentrated on creating what are called encryption keys. Based on complex mathematical formula, encryption keys are used to scramble data before transmission and then unscramble it upon receipt. The security of the key is determined by its length.

Of course, as well as legitimate business practices, encryption is enticing for anyone involved in illegal activities. For this reason, governments are particularly keen to reserve the ability to monitor encoded communications if required. This desire has stirred considerable public debate.

In the UK, the DTI's consultation paper, currently under public discussion, outlines the former Tory government's desire to implement a system whereby users of encryption must deposit copies of their keys with a "trusted third party" (TTP). TTPs could be banks, telephone companies or organisations set up to fulfil the role. If required, a court order would allow a law enforcement agency access to the key and, therefore, to any encoded data.

This proposal mirrors an approach in the United States, where the government wants to retain the ability to de-encrypt communications should the need arise. This approach, know as "key escrow", has sparked strong opposition from privacy groups.

"I have no objection to government getting involved in the formulation of standards, but I am opposed to the creation of yet another arm of law enforcement," says Simon Davies of Privacy International, an organisation that monitors privacy issues.

"The problem is that, if you dig just slightly under the gloss of the DTI proposal, what you are talking about is the creation of an infrastructure for a surveillance state. That alone is enough to make people sit up and take notice."

Davies likens the proposal to legislation that would require everyone to deposit a copy of the key to their front door with their local police station. "That would be bad enough, but it goes further," he says. "The police could make copies of the keys and distribute them, or keep a central registry of where all keys are kept. The opportunity for misuse of those keys is then significantly greater."

Davies says a desire for privacy should not be confused with a desire to undertake criminal activities. "The DTI seems to feel that anyone who is against this proposal must be opposed to security of the nation. That is just ridiculous."

The Government has not yet declared its intentions regarding encryption legislation but is watching the debate with interest. According to a DTI spokesman, it is unlikely the subject will come before Parliament this session. But responses to the discussion paper will be monitored carefully.

Labour's pre-election position differed from that contained in the DTI paper. The party favoured giving authorities the power to demand subjects of an investigation decode any encrypted material. They were not, however, in favour of requiring organisations to deposit copies of keys with TTPs.

A driving force for encryption is a desire by commercial enterprises to make electronic commerce a reality. Now that the Internet has become an accepted part of modern life, many see the next step as using it to conduct business.

"Encryption is a pre-requisite for global electronic commerce to be able to develop with confidence," says Humphrey Polanen, the general manager of Sun Microsystems' security and electronic commerce group.

"The element that is missing from the Internet today is confidence and trust in its ability to maintain valuable information confidentially. Encryption is the only means by which communications can take place privately," he says.

These feelings are echoed by others with a keen eye on the trading potential of the Internet. "We expect electronic commerce to become an increasingly important delivery channel - a means for our customers to transact with us," says Graham Edwards, head of group information security for Barclays. "It's all underpinned by cryptography. The Internet is an extremely hostile environment and unless you overlay security through cryptography, it's not the place to be doing commerce."

Companies involved in developing and marketing encryption products have mixed views on the proposals. Some, such as IBM, see little point in arguing with governments and are content to build systems that operate under a TTP system. Others are not so sure.

"The idea of having trusted third parties is a complete non-starter," says Peter Cox, managing director of the European encryption software specialist Internet SmartWare. "Among the companies we are working with there is a universal hostility to the idea of anything like trusted third parties. They believe it would hinder international communication and slow the adoption of electronic commerce."

Cox says a further flaw in the proposals is the suggestion that it need not be compulsory for people to provide copies of encryption keys to TTPs. "If people don't have to do it, why would they?" he asks. "It really makes the whole thing a waste of time."

The official public response period for the DTI discussion paper ends on Friday. Many industry observers expect legislation based on it to be delayed because of the Government's busy parliamentary agenda.

Comments