Encryption: Should the RIP bill rest in peace?

2000-06-08

The debate over the Regulation of Investigatory Powers (RIP) bill rages on, according to Silicon.com, but at the end of last week a lone voice appeared on the scene to welcome its measures. At the heart of the bill is the issue over encryption keys, or access to them: as it mentions on Silicon.com, individuals could be jailed if they cannot produce an encryption key for data sent over the Net. This measure does appear a bit harsh, considering that flushing non-electronic evidence down the toilet as the Police hammer down the door is not yet treated as a jailable offence.

The lone voice in question was Frank Coyle, IT director at John Menzies. To quote: "We cannot underestimate the threat to businesses from organised crime using the Internet. I think we have to try it. At the moment we have nothing, and that puts the initiative in the hands of organised crime. If the government did nothing it would be accused of being inept."

So – where does the truth lie? So far an impressive array of organisations have lined up against the bill. Specifically, the British Chamber of Commerce, the Data Protection Commission and the Institute of Directors, not to mention numerous civil rights groups and seventy percent of respondents to a recent Silicon.com poll. Facing these massed ranks are the UK government (specifically, the Home Office) and Mr Coyle (not to mention the remaining 30% of Silicon.com pollsters).

Organisations against the bill are pretty clear in expressing their worries. Business organisations fear the damage that the encryption key measure might do to UK business, particularly in the light of Britain’s attemopts to become an eCommerce hub for Europe, if not the world. Other organisations are expressing concerns about the disregard for the basic human right of innocence until guilt can be proved. Possession of an encryption key is not a criminal act, it is argued. The third argument is that the measures, draconian as they appear, will have little or no effect on cybercrime.

Meanwhile, the government’s fears about patrolling an encrypted Internet also appear to be well-founded. What with the European Union relaxing export restrictions on encryption technology, there is a real danger (in the eyes of the government) that existing surveillance methods will become inadequate or worse. In Japan, for example, 1024-bit keys are now de rigeur: even the current generation of supercomputers would take months to crack the simplest of messages encoded in this way.

The issue of encryption is fraught with hazards. It is undoubtedly true that strong encryption would hamper attempts to track down criminals that use the Internet to communicate. What is also true, however, is that even today, technology is providing workarounds for such criminals, such as the (legal) practice of steganography which involves hiding encrypted communications in other files such as video clips.

Whilst it may be true that new laws are required to deal with new types (and means) of crime, we must not throw the legal baby out with the bathwater. The organisations that are crying out for this bill to be repealed (or at least, amended) are not just local pressure groups, but national organisations which represent our industries and our rights as individuals. It may well be true that strong encryption prevents surveillance, even to the extent that a tried-and-tested law enforcement technique becomes relegated to history. True or not, this is no time for the government to panic and implement a law that fails to achieve its objectives and causes a great deal of damage in the process.

(First published 8 June 2000)