
Sun sets on UK encryption regulation powers

Digital rights activists celebrate


Digital rights activists are celebrating this week with the expiry of powers in the UK's Electronic Communications Act of 2000 that gave the Government the right to regulate companies selling encryption services.

The Foundation for Information Policy Research (FIPR), an independent body that studies the interaction between IT and society, said the expiry of the rights marks the end of the "crypto wars". The FIPR says these wars began in the 1970s when the US government started treating cryptographic algorithms and software as munitions and interfering with university research in cryptography.

In the early 1990s, the Clinton administration tried to get industry to adopt the US government's own encryption system – the so-called Clipper chip – an encryption chip for which the government had a back-door key. When this failed, they tried to introduce key escrow – a policy that all encryption systems providers should leave a spare key with a 'trusted third party'. The third party would have to hand the key over to the FBI on demand. They tried to crack down on encryption products that did not contain key escrow.

When software developer Phil Zimmermann developed PGP, the free mass-market encryption product for emails and files, the US Government even began a prosecution against him. The FIPR says the crypto wars were eventually won in the US when Al Gore, the most outspoken advocate of key escrow, lost the presidential election of 2000.

Despite a number of proposals to introduce a compulsory key escrow system in the UK, the Government finally conceded in 1999 that controls would be counterproductive. But the intelligence agencies remained nervous about this decision, and in the Electronic Communications Act passed in May 2000 the Home Office left in a vestigial power to create a registration regime for encryption services. That power was subject to a five-year "sunset clause", whose clock finally ran out on 25 May 2005.

Ross Anderson, chair of the FIPR and a key campaigner against government control of encryption, commented: "We told government at the time that there was no real conflict between privacy and security. On the encryption issue, time has proved us right. The same applies to many other issues too – so long as lawmakers take the trouble to understand a technology before they regulate it."

Phil Zimmermann, an FIPR Advisory Council member and the man whose role in developing PGP was crucial to winning the crypto wars in the US, commented, "It's nice to see the last remnant of the crypto wars in Great Britain finally laid to rest, and I feel good about our win. Now we must focus on the other erosions of privacy in the post-9/11 world."

Gavin McGinty, an IT lawyer with Pinsent Masons, the law firm behind OUT-LAW.COM, also welcomed today's expiry of the provisions for regulating the industry. But he warns that this does not mean that there are no controls on the use of encryption software.

"There are still licensing requirements for the transfer of encryption software, which could include encrypted material, to other countries," he said.

While the UK's Export Control Act sets out the procedures for transfer out of the UK, McGinty says it is important to also consider the import restrictions in the country into which the software or material is being transferred.

He also points to the powers potentially available to the security services, the Police, the Courts and others under the Regulation of Investigatory Powers Act, better known as RIPA.

"RIPA grants a power which allows certain authorities to force the disclosure of information that is stored in an encrypted form," said McGinty, "and in certain circumstances it can force the disclosure of the encryption key itself."

He added: "Although the relevant sections of RIPA have not been brought into force, the existence of these powers will have given the Government confidence to decide against enforcing the regulatory measures in Part 1 of the Electronic Communications Act."

© Pinsent Masons 2000 - 2005

See: The Electronic Communications Act
