Sun sets on UK encryption regulation powers
Digital rights activists celebrate
Digital rights activists are celebrating this week with the expiry of powers in the UK's Electronic Communications Act of 2000 that gave the Government the right to regulate companies selling encryption services.
The Foundation for Information Policy Research (FIPR), an independent body that studies the interaction between IT and society, said the expiry of the rights marks the end of the "crypto wars". The FIPR says these wars began in the 1970s when the US government started treating cryptographic algorithms and software as munitions and interfering with university research in cryptography.
In the early 1990s, the Clinton administration tried to get industry to adopt the US government's own encryption system – the so-called Clipper chip – an encryption chip for which the government had a back-door key. When this failed, they tried to introduce key escrow – a policy that all encryption systems providers should leave a spare key with a 'trusted third party'. The third party would have to hand the key over to the FBI on demand. They tried to crack down on encryption products that did not contain key escrow.
When software developer Phil Zimmermann developed PGP, the free mass-market encryption product for emails and files, the US Government even began a prosecution against him. The FIPR says the crypto wars were eventually won in the US when Al Gore, the most outspoken advocate of key escrow lost the presidential election of 2000.
Despite a number of proposals to introduce a compulsory key escrow system in the UK, the Government finally conceded in 1999 that controls would be counterproductive. But the intelligence agencies remained nervous about his decision, and in the Electronic Communications Act passed in May 2000 the Home Office left in a vestigial power to create a registration regime for encryption services. That power was subject to a five year "sunset clause", whose clock finally ran out on 25 May 2005.
Ross Anderson, chair of the FIPR and a key campaigner against government control of encryption, commented: "We told government at the time that there was no real conflict between privacy and security. On the encryption issue, time has proved us right. The same applies to many other issues too – so long as lawmakers take the trouble to understand a technology before they regulate it."
Phil Zimmermann, an FIPR Advisory Council member and the man whose role in developing PGP was crucial to winning the crypto wars in the US, commented, "It's nice to see the last remnant of the crypto wars in Great Britain finally laid to rest, and I feel good about our win. Now we must focus on the other erosions of privacy in the post-9/11 world."
Gavin McGinty, an IT lawyer with Pinsent Masons, the law firm behind OUT-LAW.COM, also welcomed today's expiry of the provisions for regulating the industry. But he warns that this does not mean that there are no controls on the use of encryption software.
"There are still licensing requirements for the transfer of encryption software, which could include encrypted material, to other countries," he said.
While the UK's Export Control Act sets out the procedures for transfer out of the UK, McGinty says it is important to also consider the import restrictions in the country into which the software or material is being transferred.
He also points to the powers potentially available to the security services, the Police, the Courts and others under the Regulation of Investigatory Powers Act, better known as RIPA.
"RIPA grants a power which allows certain authorities to force the disclosure of information that is stored in an encrypted form," said McGinty, "and in certain circumstances it can force the disclosure of the encryption key itself."
He added: “Although the relevant sections of RIPA have not been brought into force, the existence of these powers will have given the Government confidence to decide against enforcing the regulatory measures in Part 1 of the Electronic Communications Act."
© Pinsent Masons 2000 - 2005
See: The Electronic Communications Act