
 

 Memorandum by
Members of the Global Internet Liberty Campaign
to the
House of Commons Trade and Industry Committee

February 1999

 
  1. This memorandum has been written by the Members of the Global Internet Liberty Campaign ("GILC") listed in Appendix A. GILC is a group of human rights, civil liberties, and Internet advocacy organisations which favours the unrestricted use of cryptography to protect personal privacy.

Synopsis

  1. Indications have been made that the Secure Electronic Commerce Bill will contain provisions that will allow government access to encrypted communications and documents. Such a plan will compromise privacy; will not enhance detection of crime; will increase opportunities for crime; and will hinder or halt the development of online commerce. Cryptography experts have stated that any cryptography system in which a third party has the ability to view the original communication is inherently insecure.

Introduction

  1. Encryption has a long tradition in military defence. However, encryption technologies are increasingly integrated into commercial systems and applications and the exclusive character of encryption belongs to the past. Any prohibition or limitation of the use of encryption will not only have a terrible effect on online computer security - a national security issue itself - and electronic commerce, but will also directly affect the right to privacy.

  2. According to a recent European Commission Communication paper, most of the few criminal cases given as examples of the need for regulating cryptography are "professional" uses that are unlikely to be controllable by regulation.

  3. We also find no evidence that criminal rings cannot be broken through more traditional means such as examination of the evidence, use of informers, and so on. Inevitably, key recovery or "trusted third party" schemes introduce vulnerabilities into cryptographic systems, creating opportunities for insider abuse and criminal attack. Any key recovery infrastructure will become a highly attractive target for criminals. Moreover, the adoption of key recovery to meet law enforcement specifications will result in greatly increased costs to end users. Leading computer security experts have warned that building the secure computer communication infrastructures necessary to support government-specified key recovery is far beyond the experience and current competency of the field.

  4. The Internet Privacy Coalition stated that they do not object to government conducting lawful investigation, but that no government has the right to restrict its citizens' use of tools to protect their privacy, nor should government put crime investigation before prevention.

  5. A similar point has also been made by Gerard Walsh, a former deputy director-general of the Australian Security Intelligence Service, in "Review of policy relating to encryption technologies" made for the Australian Government. The review takes a balanced look at the issues and casts strong doubts on the workability and desirability of key recovery policies.

  6. If encryption is no longer secure, criminals will no longer use licensed systems. Regulating the use of encryption could prevent the law-abiding from protecting themselves against criminal attacks, but would not prevent criminals from using unregulated encryption (see EU Communication paper, 1997).

 

UK Encryption Proposals are in contrast with recent global initiatives

 

  1. The government's encryption proposals are in clear contrast with the recent policy change in France with the French government announcing that it will remove all controls over the domestic use of encryption.

  2. The proposals are also in contrast with the European Commission's Communication paper titled "Towards A European Framework for Digital Signatures And Encryption". In contrast to the UK initiatives, and despite years of US attempts to push the "government access to keys" idea overseas, this paper finds key escrow and key recovery systems to be inefficient and ineffective. The EU communication stated that "the European Union simply cannot afford a divided regulatory landscape in a field so vital for the economy and society."

  3. According to the Commission's paper (noted above):

  4. Problems caused by encryption to crime investigation and the finding of evidence are currently limited, but they may increase in the future. As with any new technology, there will be abuse of encryption and criminal investigations will be hindered because data was encrypted. However, widespread availability of encryption can also prevent crime. Already today, the damage caused by electronic crime is estimated in the order of billions of ECUs (industrial espionage, credit card fraud, toll fraud on cellular telephones, piracy on pay TV encryption). Therefore, there are considerable economic and legal benefits associated with encryption.

  5. Furthermore, the UK proposals are in contrast with the OECD Guidelines on cryptography. A recent OECD report stated: "National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data," but immediately reiterated that "these policies must respect the other principles contained in the guidelines to the greatest extent possible" and, "this principle should not be interpreted as implying that governments should, or should not, initiate legislation that would allow lawful access."

Conclusion

  1. Strong encryption technology without "key escrow" or "key recovery" offers the fundamental protection to those who seek to bring official abuses of power to light. Any restrictions on the use of encryption would create possibilities for the violation of free expression for individuals in countries where dissent is punished. It is critical and vital for human rights activists, political dissidents, and whistle blowers throughout the world to be able to use confidential communications free from government or any other intrusion. Strong encryption is the only answer for this kind of sensitive communication. Encryption has the power to authenticate the identity of these authors to their partners abroad, and protect their identity from despots at home. Any "key escrow" mechanism will result in loss of confidence among groups and individuals, mostly based in repressive regimes. This would mean a tremendous blow to international efforts to support the cause of human rights.

  2. GILC Members have urged national governments not to adopt controls on cryptography technology on several occasions. In 1998, we released "Cryptography and Liberty: An International Survey of Encryption Policy" which showed that most countries in the world do not have controls on the use of cryptography. The GILC report concluded that recent trends in cryptography policy suggest greater liberalisation in the use of this technology, which was originally controlled during the Cold War for reasons of national security.

  3. We believe that policies concerning cryptography should be based on the fundamental right to engage in private communication. We oppose efforts that would lead to the development of communications infrastructure designed for mass surveillance. To conclude, we state that key escrow policies would make Britain a second-class nation in the Information Age.

 

Signed by

Mr Yaman Akdeniz
Director, Cyber-Rights & Cyber-Liberties (UK)

 

on behalf of Members of the Global Internet Liberty Campaign

CyberLaw Research Unit,
Faculty of Law,
University of Leeds,
Leeds LS2 9JT
+44 113 2335033

Appendix A - GILC Members Who Wrote This Memorandum

This memorandum was written by the following Members of the Global Internet Liberty Campaign.

American Civil Liberties Union, http://www.aclu.org
Bulgarian Institute for Legal Development, http://www.bild.acad.bg
Canadian Journalists for Free Expression, http://www.cjfe.org
Center for Democracy and Technology, http://www.cdt.org
CommUnity UK, http://www.community.org.uk
Computer Professionals for Social Responsibility, http://www.cpsr.org/
Cyber-Rights & Cyber-Liberties (UK), http://www.cyber-rights.org
Derechos Human Rights, http://www.derechos.org
Digital Citizens Foundation Netherlands (DB-NL), http://www.db.nl
Electronic Frontier Canada, http://www.efc.ca/
Electronic Frontier Foundation, http://www.eff.org
Electronic Frontiers Texas, http://www.eftexas.org
Electronic Privacy Information Center, http://www.epic.org
FITUG, http://www.fitug.de/
Fronteras Electrónicas España (FrEE), http://www.arnal.es/free
Human Rights Watch, http://www.hrw.org
Index on Censorship, http://www.indexoncensorship.org/index.html
Internet Freedom, http://www.netfreedom.org
IRIS (Imaginons un reseau Internet solidaire - France), http://www.iris.sgdg.org
NetAction, http://www.netaction.org
Privacy International, http://www.privacyinternational.org
Quintessenz e-zine, http://www.quintessenz.at/

Appendix B - Further Information

For further information see:

French Interministerial Committee on the Information Society, Build a legislative framework to protect exchanges and privacy, 19 January 1999, <http://www.internet.gouv.fr/english/textesref/cisigb/fiche1gb.htm>

Global Internet Liberty Campaign Member Statement: New UK Encryption Policy criticised, February 1998, <http://www.gilc.org/crypto/uk/gilc-dti-statement-298.html>.

GILC, Cryptography and Liberty: An International Survey of Encryption Policy, February 1998, <http://www.gilc.org/crypto/crypto-survey.html>

GILC Member Statement, "Human Rights and the Internet," January 1998, <http://www.gilc.org/news/gilc-ep-statement-0198.html>.

GILC Member Resolution in Support of the Freedom to Use Cryptography, September 1996, <http://www.gilc.org/crypto/oecd-resolution.html>.

European Commission Communication, "Towards A European Framework for Digital Signatures And Encryption," Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions ensuring Security and Trust in Electronic Communication, COM (97) 503, October 1997, at <http://www.ispo.cec.be/eif/policy/97503toc.html>

OECD Cryptography Policy Guidelines: Recommendation of the Council Concerning Guidelines for Cryptography Policy, 27 March 1997, <http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm>.

Cyber-Rights & Cyber-Liberties (UK), "First Report on UK Encryption Policy", <http://www.leeds.ac.uk/law/pgs/yaman/ukdtirep.htm>.

Abelson, Anderson, et al., "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption," 1998, <http://www.crypto.com/key_study/>.

IRIS Report, "Cryptography : on the necessity of totally liberalising the French law", <http://www.iris.sgdg.org/documents/rapport-ce/annexe7.html>.

The Walsh Report, "Review of policy relating to encryption technologies", <http://www.efa.org.au/Issues/Crypto/Walsh/>.