 |
|
|
Government Encryption Policy - Another About Turn Well, after many months of drafting, re-drafting, back-tracking and generally bungling, the Government has finally released its Electronic Commerce Bill – or has it? Eagle-eyed readers will note that the title has been revamped, and it will now go by the name of the Electronic Communications Bill. Should this worry us? Probably, since it seems to herald a shift in focus from something that was designed to promote e-commerce to something that is more about legislating encryption. This is a shame, since in order to promote e-commerce we need to separate legislation from encryption – along with all the nasty cross-border political wrangles that come with it�– and digital signatures. Although cryptography is clearly a requirement for effective e-commerce, it is increasingly obvious that the whole mess surrounding key size and key escrow will tend to get us bogged down for some time to come. In the mean time, we should be getting on with putting the framework in place for real e-commerce over the Internet by introducing some sensible legislation covering the use of digital signatures and digital certificates. In the real world, my signature is reasonably unique to me. If I sign a document in the presence of witnesses then it can be considered to be legally binding. However, the need to appear in person to effect this sort binding transaction is clearly unsuitable for the Internet age. How we handle the witnesses bit remains to be seen, but I do need to be able to electronically sign a document that can be transmitted via e-mail to another party. That signature should be equally unique to me, and equally binding. By checking the digital certificate of the party with whom I am dealing, I should also be able to ascertain that the party is genuine, and I have not just signed away my hard-earned dosh to some rip-off merchant who will bank it off-shore and move on to his next scam. In its document entitled “Promoting Electronic Commerce” dated July 1999, the Secretary of State for Trade and Industry promises great things – and I quote: “The Bill will be an essential enabling measure to spur on the growth of e-commerce in the UK. The Bill will support the Government’s targets for: ����� The UK to be the best environment for electronic business by 2002;� ����� 25% of Government services to be available electronically by 2002 (rising to 100% by 2008); and� ����� 90% of routine procurement of goods to be done electronically by 2001.� The draft Bill is designed to promote e-commerce in a number of ways:� ����� Through clarifying the status of electronic signatures;� ����� By removing legal barriers so that the option of communicating electronically can be offered instead of the use of paper; and� ����� By building confidence in the provision of cryptography services.� The draft Bill also contains measures designed to ensure that the effectiveness of existing law enforcement powers is not undermined by the criminal use of the very technologies (such as encryption) which the Bill seeks to promote.” Lofty ideals indeed. But it is that last paragraph that sounds the warning bells, isn’t it? After heavy business lobbying, the British government decided to drop its proposed requirement for encryption keys to be escrowed, which was to be part of the original Electronic Commerce Bill. However, it does seem to have built in a bunch of vague secondary legislation hooks, that mean that key escrow could be introduced any time without further parliamentary supervision. This led one wag to describe discovering the ultimate intent of the bill as “trying to guess what the building will look like by examining the foundations.” When will the Government realise that legislating against strong cryptography is like trying to stop crime by restricting the sale of balaclavas? It is the law-abiding citizens who suffer, whilst the criminals go down to the local mafia corner store and purchase 256 bit crypto software to encrypt their drug-running transactions. As an example of just how ridiculous legislation can get, you need look no further than the very document that Tony Blair promises will make us “the most e-commerce-friendly nation in Europe by 2002.” Our shiny new bill actually allows police to throw you in jail for two years if you refuse to hand over the keys to your encrypted computer files. Claiming that you do not have the key is no defence either. Some smart cookie at stand.org – a political Web site – has decided to show the powers-that-be just how unworkable this is by encrypting a signed criminal confession, destroying the key, and mailing the document to various citizens and politicians. Theoretically, all those innocent people could be jailed as they are now in possession of a document in which the law enforcement authorities should have a keen interest, yet they cannot possibly hand over the encryption key. If you allow the obvious defence of “I don’t have the key”, however, then the whole thing breaks down anyway.� Oh, and as a further incentive, if you should happen to reveal to someone that their key has been compromised by law enforcement, you are then liable to five years in jail. ISP’s will be wetting themselves over that one! How is that for an incentive for e-commerce?
|
|
Send mail to webmaster
with questions or�
|
