Feeds

Sun sets on UK encryption regulation powers

Digital rights activists celebrate

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Digital rights activists are celebrating this week with the expiry of powers in the UK's Electronic Communications Act of 2000 that gave the Government the right to regulate companies selling encryption services.

The Foundation for Information Policy Research (FIPR), an independent body that studies the interaction between IT and society, said the expiry of the rights marks the end of the "crypto wars". The FIPR says these wars began in the 1970s when the US government started treating cryptographic algorithms and software as munitions and interfering with university research in cryptography.

In the early 1990s, the Clinton administration tried to get industry to adopt the US government's own encryption system – the so-called Clipper chip – an encryption chip for which the government had a back-door key. When this failed, they tried to introduce key escrow – a policy that all encryption systems providers should leave a spare key with a 'trusted third party'. The third party would have to hand the key over to the FBI on demand. They tried to crack down on encryption products that did not contain key escrow.

When software developer Phil Zimmermann developed PGP, the free mass-market encryption product for emails and files, the US Government even began a prosecution against him. The FIPR says the crypto wars were eventually won in the US when Al Gore, the most outspoken advocate of key escrow lost the presidential election of 2000.

Despite a number of proposals to introduce a compulsory key escrow system in the UK, the Government finally conceded in 1999 that controls would be counterproductive. But the intelligence agencies remained nervous about his decision, and in the Electronic Communications Act passed in May 2000 the Home Office left in a vestigial power to create a registration regime for encryption services. That power was subject to a five year "sunset clause", whose clock finally ran out on 25 May 2005.

Ross Anderson, chair of the FIPR and a key campaigner against government control of encryption, commented: "We told government at the time that there was no real conflict between privacy and security. On the encryption issue, time has proved us right. The same applies to many other issues too – so long as lawmakers take the trouble to understand a technology before they regulate it."

Phil Zimmermann, an FIPR Advisory Council member and the man whose role in developing PGP was crucial to winning the crypto wars in the US, commented, "It's nice to see the last remnant of the crypto wars in Great Britain finally laid to rest, and I feel good about our win. Now we must focus on the other erosions of privacy in the post-9/11 world."

Gavin McGinty, an IT lawyer with Pinsent Masons, the law firm behind OUT-LAW.COM, also welcomed today's expiry of the provisions for regulating the industry. But he warns that this does not mean that there are no controls on the use of encryption software.

"There are still licensing requirements for the transfer of encryption software, which could include encrypted material, to other countries," he said.

While the UK's Export Control Act sets out the procedures for transfer out of the UK, McGinty says it is important to also consider the import restrictions in the country into which the software or material is being transferred.

He also points to the powers potentially available to the security services, the Police, the Courts and others under the Regulation of Investigatory Powers Act, better known as RIPA.

"RIPA grants a power which allows certain authorities to force the disclosure of information that is stored in an encrypted form," said McGinty, "and in certain circumstances it can force the disclosure of the encryption key itself."

He added: “Although the relevant sections of RIPA have not been brought into force, the existence of these powers will have given the Government confidence to decide against enforcing the regulatory measures in Part 1 of the Electronic Communications Act."

© Pinsent Masons 2000 - 2005

See: The Electronic Communications Act

Related stories

Crypto regs still tricky
UK gov't reveals Big Brother bill
The maths prof., free speech and encryption

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.