Tuesday, March 2, 1999 Published at 17:18 GMT
Encryption key would lock up criminals
Dr Ross Anderson: "Big business can look after itself."
By Internet Correspondent Chris Nuttall
Cyber-criminals would be caught if the government introduced a system where the keys to coded e-mail were voluntarily lodged with licensed authorities, according to the UK National Criminal Intelligence Service (NCIS).
"Criminals are lazy, greedy and they make mistakes," John Abbott, NCIS Director General told Parliament's Trade and Industry Select Committee, which is hearing witnesses on electronic commerce issues.
"We are able to capitalise on this and we anticipate that a licensing scheme would allow us to have some successes," said Mr Abbott.
Civil liberties campaign
Civil liberties groups are campaigning against "key escrow" - the term used for lodging the keys to codes with a third party. They do not want it included in a forthcoming Electronic Commerce Bill.
A long-awaited consultation paper on the bill from the Department of Trade and Industry (DTI) is expected in the next few days.
Opponents argue the proposed voluntary licensing system where Trusted Third Parties (TTPs) would hold the keys to encrypted data being sent over the Internet would never be used by criminals.
But an NCIS spokesman, who declined to be identified, told the hearing that just as criminals used telephones at every level for their activities, so some would use the TTPs.
"We would prefer to have a mandatory licensing system because that would be more inclusive," Mr Abbott told MPs.
"I do recognise that we are moving into new territory, and this would not be a complete answer, and if all that is on offer is a voluntary scheme then that is better than no scheme at all."
Real time access
The Chief Investigations Officer of HM Customs & Excise, Richard Kellaway, told the hearing that real-time access was needed to encrypted data. Mr Abbott added that it was no use knowing three days afterwards where a consignment of drugs had been exchanged.
He admitted that key escrow would not solve the problem of crimes being committed on an international scale over the Internet.
"But I would urge the government to lead. Law enforcement agencies throughout the world are extremely concerned with developments. We anticipate the problem will grow over time and certainly the G8 law enforcement forum are constantly discussing this and looking for ways forward."
Businesses, as well as civil liberties campaigners, have voiced concern at the possible proposals on key escrow, and the Post Office stated its opposition at the hearing.
Jerry Cope, its managing director for strategy, said there were two areas of concern: "If people feel this system makes them less secure then they will not want to use it. We need to instil confidence.
"Then there is the additional cost of regulation and if it is greater than in France or Ireland then business will go elsewhere. It is as easy to send e-mail from London to Manchester via Paris as it is direct from London to Manchester."
Mr Cope said there had been a lack of dialogue between business and law enforcement agencies and he suggested a possible compromise. Agencies would bear the additional costs of being able to extract information from TTPs and would only exercise their powers when there was a threat to national security.
The Post Office will announce later this month that it is launching a Trusted Third Party service called ViaCode.
The final witness of the day, a leading encryption expert, Dr Ross Anderson of Cambridge University, compared key escrow to the red flag that had to be waved in front of the first motor cars to warn people of danger.
A week after the requirement was removed, there was the first road traffic fatality. But no-one would suggest we go back to the red flag today and the assumption is made by the police that 99% of those on the road are good guys, he said.
He added that the police had a long way to go with computers to match their current knowledge of the motor car. They had often had to call in outsiders such as himself to help with encryption cases.
"There are many, many ways of attacking computer systems and inevitably TTPs are going to be compromised," he said. "The role of government should be protecting the consumer - big business can look after itself."
He said the best way forward in terms of legislation was the Australian approach that simply recognised that electronic signatures had the same force as manuscript signatures.
"Key escrow would have to be global to achieve its stated purpose, and there is now no prospect of this," he said in an additional written submission to the committee.