[ISN] UK Encryption Wars

From: mea culpa (jerichoat_private)
Date: Thu May 28 1998 - 23:27:43 PDT

    [Moderator: Back in town from a 4 day trip, expect some traffic again. :)]
    Forwarded From: Kjell Wooding <kwoodingat_private>
    UK Encryption Wars
    by Yaman Akdeniz 
    4:04am  25.May.98.PDT

    Britain's postal service has announced plans to offer public key recovery
    services later this year, in an effort to overcome criticism of the
    government's previously proposed "trusted third party"  cryptography

    The UK government has been struggling for two years to find a policy that
    balances privacy concerns against those of law enforcement agencies.
    Indeed, Royal Mail's announcement on 19 May comes in the wake of the
    British government's April introduction of a new encryption policy, the
    Secure Electronic Commerce Statement. This policy is the third in a series
    of widely criticized Department of Trade and Industry key recovery

    Unlike the government's first two plans, this latest policy favors
    voluntary rather than mandatory licensing of so-called "trusted third
    parties." But the requirement that third parties be government-approved
    leaves British privacy advocates jittery about the Royal Mail's

    In describing the new plan on Tuesday, Jim Pang, director of Royal Mail's
    Electronic Services, took a conventional -- and unimpeachable -- line on
    the need for encryption. "Users of the Internet do not have a guarantee of
    privacy and confidentiality, source of origin, or proof of receipt," he
    said. "At the moment it is relatively easy either to read someone else's
    Internet email or to pretend to be someone else sending email."

    Ian Walker, technical director of Entrust Technologies, which is supplying
    the software, continued down the same path in an interview:  "[Encryption]
    is a straightforward commercial need, regardless of government desires. It
    is a separate issue to key escrow."

    Maybe so, say privacy advocates, but the heart of the Royal Mail proposal
    is the use of key recovery systems. Critics the world over voice the same
    concerns: Voluntary or not, third party keys raise unprecedented privacy
    risks and governments should not be so easily granted a technical
    capability for mass surveillance.

    Pang has attempted to pre-empt such fears about privacy by saying that
    "using advanced cryptographic technology ... will be the electronic
    equivalent of sending a signed document in a sealed Royal Mail Special
    Delivery envelope" and "will enable anyone to send and receive data on the
    Internet in the knowledge that their messages are totally secure."

    Some privacy advocates, however, remain skeptical. "None of the trusted
    third parties -- including the very reputable Royal Mail -- will be able
    to provide confidentiality and privacy of communications with key recovery
    systems unless their relationships with the law enforcement authorities
    are clarified and subjected to due process," argues Clive Walker of the
    CyberLAW Research Unit at the University of Leeds.

    Other critics, moreover, note that the Royal Mail and Entrust may be
    promising a service they cannot deliver. Brian Gladman, a former Minister
    of Defense and technical director for NATO, believes that the technical
    security challenges posed by such a large-scale project are well beyond
    the current state of the art.

    "These plans will impact on the security and safety of the British
    public," says Gladman. "It will be important that the Royal Mail provides
    ... a commitment to support independent, publicly visible scrutiny of
    their approach." 