Feeds

Sun sets on UK encryption regulation powers

Digital rights activists celebrate

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Digital rights activists are celebrating this week with the expiry of powers in the UK's Electronic Communications Act of 2000 that gave the Government the right to regulate companies selling encryption services.

The Foundation for Information Policy Research (FIPR), an independent body that studies the interaction between IT and society, said the expiry of the rights marks the end of the "crypto wars". The FIPR says these wars began in the 1970s when the US government started treating cryptographic algorithms and software as munitions and interfering with university research in cryptography.

In the early 1990s, the Clinton administration tried to get industry to adopt the US government's own encryption system – the so-called Clipper chip – an encryption chip for which the government had a back-door key. When this failed, they tried to introduce key escrow – a policy that all encryption systems providers should leave a spare key with a 'trusted third party'. The third party would have to hand the key over to the FBI on demand. They tried to crack down on encryption products that did not contain key escrow.

When software developer Phil Zimmermann developed PGP, the free mass-market encryption product for emails and files, the US Government even began a prosecution against him. The FIPR says the crypto wars were eventually won in the US when Al Gore, the most outspoken advocate of key escrow lost the presidential election of 2000.

Despite a number of proposals to introduce a compulsory key escrow system in the UK, the Government finally conceded in 1999 that controls would be counterproductive. But the intelligence agencies remained nervous about his decision, and in the Electronic Communications Act passed in May 2000 the Home Office left in a vestigial power to create a registration regime for encryption services. That power was subject to a five year "sunset clause", whose clock finally ran out on 25 May 2005.

Ross Anderson, chair of the FIPR and a key campaigner against government control of encryption, commented: "We told government at the time that there was no real conflict between privacy and security. On the encryption issue, time has proved us right. The same applies to many other issues too – so long as lawmakers take the trouble to understand a technology before they regulate it."

Phil Zimmermann, an FIPR Advisory Council member and the man whose role in developing PGP was crucial to winning the crypto wars in the US, commented, "It's nice to see the last remnant of the crypto wars in Great Britain finally laid to rest, and I feel good about our win. Now we must focus on the other erosions of privacy in the post-9/11 world."

Gavin McGinty, an IT lawyer with Pinsent Masons, the law firm behind OUT-LAW.COM, also welcomed today's expiry of the provisions for regulating the industry. But he warns that this does not mean that there are no controls on the use of encryption software.

"There are still licensing requirements for the transfer of encryption software, which could include encrypted material, to other countries," he said.

While the UK's Export Control Act sets out the procedures for transfer out of the UK, McGinty says it is important to also consider the import restrictions in the country into which the software or material is being transferred.

He also points to the powers potentially available to the security services, the Police, the Courts and others under the Regulation of Investigatory Powers Act, better known as RIPA.

"RIPA grants a power which allows certain authorities to force the disclosure of information that is stored in an encrypted form," said McGinty, "and in certain circumstances it can force the disclosure of the encryption key itself."

He added: “Although the relevant sections of RIPA have not been brought into force, the existence of these powers will have given the Government confidence to decide against enforcing the regulatory measures in Part 1 of the Electronic Communications Act."

© Pinsent Masons 2000 - 2005

See: The Electronic Communications Act

Related stories

Crypto regs still tricky
UK gov't reveals Big Brother bill
The maths prof., free speech and encryption

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?