Unravelling encryption

Last week I wrote about the UK's anti-encryption legislation and now everyone wants to know what it's all about - especially since our own government seems to be veering towards a similar position.

Once again I seem to have stumbled into a bit of a minefield. Last week I wrote about the UK's anti-encryption legislation, the Regulation of Investigatory Powers (RIP) Bill, and now everyone wants to know what it's all about - especially since our own government seems to be veering towards a similar position.

Here's the thing: Western governments view encryption as being on a par with military-grade weapons. If you export strong encryption - that is, any encryption level governments can't break - you're an arms trafficker.

That's not new. What's new is the UK government's latest move to clamp down on people using encryption. The US first introduced its ban on the export of strong encryption in the belief that people outside the US can't count and so wouldn't be able to develop encryption products.

This produced, not surprisingly, something of a boom in encryption technologies from countries like Finland, Ireland, Israel and even Australia and New Zealand.

Now the US allows the export of somewhat stronger encryption - 128-bit key lengths - and the UK has changed tack away from the export of encryption to its use. Sure, you can have encryption, but if you don't provide the government with the key, you'll be put in jail for two years.

RIP works like this: Andrew tells constable Bob that Charlie has encrypted files on his PC. Bob, being a policeman, tells Charlie to hand over the key or else.

Charlie says, "You've got nothing on me, copper" and gets his collar felt. Charlie ends up doing two years' porridge, feels somewhat put out by this, and instructs his lawyer to go to the press and tell his sorry tale.

"I can't do that," says his lawyer, who has read the RIP Bill and knows he would himself be in breach of the law for telling anyone that Charlie was being investigated by the police.

That's right - you can't tell anyone if you've been required to provide a key. No one. Not even your employer. So if you're an IT manager or administrator who looks after the email for a UK company you can't tell your boss why those large flat-footed fellows in ill-fitting suits are wandering around the server room without yourself risking jail.

The easiest way to annoy someone in the UK will be to email them an encrypted file, then tell the authorities and sit back and watch the fireworks.

On top of that, the UK will require all ISPs to install black box devices that will forward every single email passing through UK jurisdiction to a specially built centre to be run by the GCSB (Government Communications Security Bureau - the UK equivalent of the US NSA).

This centre will sift through all the email looking for nasty things. Of course, it won't do anything with those valuable corporate secrets that it uncovers, or those intimate personal details that individuals may not want the world to know about.

Of course not. That the UK and the US are being sued by the French government for allegedly using intelligence gathered by the Echelon system to help Boeing win a contract shouldn't even be considered in this context.

This is, quite clearly, absurd. Forget the abuse of law (presumed innocent until found guilty, remember?) or the invasion of privacy and just think about the incredible waste of time, money and effort that will go into a centre like this one, and you'll get the idea.

I'm all in favour of giving police the same kind of access to email as they have to voice calls. If they can convince a high court judge to issue a wire tap then they are supposed to have a certain level of evidence to begin with.

Of course, if the emails are encrypted then the police will have to decrypt them, but that's a separate issue; at the moment they can't even intercept them in the first place.

Recently I spoke to the minister responsible for raising this ruckus. Paul Swain is a reasonable guy and he completely ruled out a RIP system in New Zealand. The level of debate we have at the moment is exactly what Swain is looking for.

Without public input it really will be a law drafted by politicians for the police, so we have to have our say. We in the IT industry should certainly put our point of view forward. If the RIP Bill is anything to go by, our UK colleagues weren't involved in the process at all. We at least have that opportunity.

Send email to Computerworld journalist, Paul Brislen.
