Legal key to E-mail

Legal key to E-mailElectronic commerce over the Internet could get a massive boost from a new legal framework put in place by the government, which will also benefit network suppliers. Peter Mitchell reports Last week the government announced its plan for a new legal framework to support secure E-mail on the Internet. If successful, the increased traffic due to electronic commerce could redouble the Internet’s success in Britain – with huge spin-offs in the form of upgrades of the telecoms network and of business users’ computer equipment. But most cryptography experts criticise the policy as giving in to law enforcement ‘snooping’, and of creating more security problems than it solves. The new laws will recognise public key cryptography (PKC) – a mathematical technique for encoding documents so that only the recipient can read them. With PKC, each user owns a private key that only they know, and a public key that they can disclose to everyone. To send a secret message to this user, you encrypt it with the public key; only the owner of the corresponding private key can decrypt it. PKC also allows someone to ‘stamp’ a message with a digital signature, so that recipients know it could only have come from him. Both functions are vital to commercial deals, and the Department of Trade and Industry says firms are waiting for these safeguards before they take the plunge into ‘electronic commerce’. But current law does not recognise digital signatures as forming a binding contract between buyer and seller – though the EU recently agreed that would have to come. Nor has there been a way of encrypting a document – such as a contract or invoice – ready for sending to other businesses, because there was no way to find out the recipient’s correct public encryption key. Hence the need for new legislation. The DTI made a first stab at an electronic commerce policy in February1997, under the last government. At that time, it said that commercial users of PKC would have to hand over control of their encryption keys to firms called trusted third parties or TTPs. These TTPs would have to get operating licenses from government, in the same way that banks do (in fact they mostly would be banks). But the 1997 policy insisted that TTPs would have to hand over their customers’ encryption keys to the police, when presented with a warrant – thus enabling the authorities to secretly read supposedly secure E-mail. This is because the Home Office fears PKC will destroy its power to bug telephone conversations – under which it says it issued 2600 legal warrants during 1996-97, leading to1200 arrests. But this demand for ‘back door’ surveillance of E-mail proved highly unpopular with the cryptography – and business – communities, already very wary of similar legislative moves in the US [particularly the infamous Clipper chip]. Many suspect the authorities of aiming for widespread snooping on E-mail. They also point out that a TTP’s database of private keys would be an enormously valuable target for penetration by both criminals and government ‘spooks’. So in the new policy, the DTI has conceded that TTPs will not need to be licensed. But there is a new catch: the law will only recognise digital signatures if they are backed by the word of a licensed TTP. Almost all businesses will therefore want to deal with licensed TTPs. The government will also insist that a licensed TTP must have access to its customers’ private encryption (confidentiality) keys, and must turn them over to the police under warrant. So is the new policy any better? One improvement is that it specifically states that the police cannot obtain keys used only for signatures. Also, users will be able to avoid the risk of police surveillance by using two different private keys – one for digital signatures and the other for confidentiality. But, according to experts, that wipes out a lot of popular cryptography software packages, including the best-known, Phil Zimmerman’s PGP. Ross Anderson, a security expert at Cambridge University Computer Laboratory, called the proposal a “significant push in the wrong direction”. He warned it would have a “chilling effect” on the uptake of messaging and other telematic services – by destroying the confidence of users, and forcing them to adopt non-standard software and systems. Brian Gladman, a consultant designer of secure defence systems, called the statement a “considerable disappointment”. The proposal will, he says, undermine trust in licensed services to no purpose, since there is no evidence that criminals really are using PKC to any great extent. And Carl Ellison, a senior executive at the US electronic commerce company Cybercash, commented “If a criminal organisation wants to use strong cryptography, it will. A policy truly aimed at improving the lot of law enforcement would drop the fantasy of mandated back doors”.
The devil, as they say, will be in the details. These will not emerge until a draft bill is published. And later in the year, the government is to undertake a wide-ranging review of the impact of “digital convergence” on the law as a whole. It is clear that the legal echoes of the Internet explosion will take a long time to settle.

Leave a Reply

Your email address will not be published. Required fields are marked *