The Public Voice in Electronic Commerce
La place du citoyen dans le commerce électronique

Privacy and Personal Data Protection

by Caspar Bowden, Director of the Foundation for Information Policy Research (cb@fipr.org)

"I'd like to thank Marc (Rotenberg), Meryem (Marzouki), and John (Dryden) for the opportunity to address you today.

FIPR is an independent non-profit non-government organisation that studies the interaction between information technology and society, with special reference to the Internet; we do not (directly or indirectly) represent the interests of any trade-group. Our goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe. Our Advisory Council contain some of the leading authorities in the United Kingdom on computer security, cryptography, human rights and civil liberties, government use of IT, and privacy and data protection.

We're interested in a broad range of Information society issues, but I'm going to talk about privacy in the context of law-enforcement proposals for interception and regulation of cryptography.

We would like to inform you about some of the regulatory developments and legislative initiatives in the UK, so in what follows when I refer to "government" I will generally mean the UK government.

Three years after first announcing a policy to mandate key-escrow, the UK government confirmed a few months ago that there would be no compulsory key escrow requirement.

The Electronic Communications Bill - draft legislation which the Govt. wished to introduce last June, but was postponed because of a parliamentary technicality - was published in July for further public consultation. It is the second consultation this year, following the original proposals for mandatory key escrow consulted on in 1997. The consultation period has just ended, and the Government will be introducing the final bill this session in the Queen's Speech.

The Draft Bill contained very broad provisions for subordinate or secondary legislation, which would allow a future Government to re-introduce coercive key escrow or key recovery requirements, by means of regulatory incentives and penalties. We are not convinced that Ministers of affected departments yet fully understand the issues, and indeed some Agencies of Government believe it may be possible and desirable to introduce key escrow in future, if the international climate permits.

There are also broad and controversial powers to demand access to decryption keys, rather than plaintext.

Aside from issues of self-incrimination (such as those raised by the Saunders case at the Commission of Human Rights), if an individual genuinely lose a key, they will have to prove that they don't have the key, on penalty of two years imprisonment - a reversal of the normal burden of proof. We don't understand how this can be done, and questions on this point to the Home Office remain unanswered after two months.

There is also a provision to impose a total obligation of secrecy on persons served with a notice to disclose decryption keys. The notice need not (necessarily) have judicial or executive authorisation, and if any person divulges the existence of a secret decryption notice, the penalty is five years imprisonment. It is only possible to challenge a notice by recourse to a secret Tribunal, which can hear evidence in the absence of the complainant or their legal representative.

FIPR has commissioned a Queen's Counsel opinion that suggests that these proposals violate the European Convention on Human Rights. This will be available from our website (www.fipr.org) from October 20th.

The Home Office has also conducted a separate consultation on revising the Interception of Communications Act (IOCA 1985, see http://www.fipr.org/ioca/library.html) - it largely concerns "telephone tapping for the Internet".

Internet Serveice Providers (ISPs) must provide and pay for "reasonable interception facilities", but "interception" is not defined. "Reasonable" is also not defined, but is to be determined finally by the Executive - there is no independent, non-government, non-business component.

There is also a section dealing with law enforcement access to "traffic" or "communications" data: typically for the Internet this means logs of Web sites visited, address headers from e-mail, or user account details - as opposed to the "content" of e-mail. It appears that it is intended to abolish Data Protection safeguards which currently require the Data Controller to satisfy themselves that release of the data is necessary for the prevention or detection or crime. Instead there will merely be a duty on the ISP to provide the data to law enforcement authorities on production of a police notice, without a requirement for judicial authorisation.

Government has announced a joint government-industry forum to discuss law-enforcement requirements and means by which industry could assist law enforcement to gain access to encrypted data. However there is as yet no provision for participation by civil liberties or human rights organisations in this forum.

I'd like to just mention some projects and areas FIPR is working on in connection with these subjects.

• A library of responses to official Government consultation exercises (5 in 3 years, 3 in this year alone)

• A web site to consolidate information about the use of Privacy Enhancing Technologies (PETs) by government. We believe there is huge potential for cryptography to provide anonymisation of personal identifiable data arising from online e-commerce transactions, whilst still providing necessary authentication to guard against fraud. We see these technological methods as a means of implementing privacy and data protection legislation, not as a replacement for, or reason to weaken, statutory protection and legal recourse for individual citizens and consumers.

• A long-term project to examine the implications for political oversight and public accountability of new methods of surveillance, for example the use of special software or hardware to defeat encryption at the end-points. The fallout from the death of key escrow may be that the government gets into the business of writing viruses which can steal decryption keys or otherwise interfere with computer security mechanisms. There has already been enabling legislation in Australia to permit this. Our initial analysis is that this may already be permitted in the UK under intrusive surveillance powers in a 1996 Act of Parliament, self-authorised by local police forces without the requirement for a judicial or executive warrant.

• We have concerns about the use of identity certificates envisaged by the draft EU Electronic Signature Directive: we think that the provision for pseudonymised certificates does not of itself protect privacy sufficiently. If identity certificates or pseudonymised identity certificates became routinely used for authentication purposes online, this could have the effect of rendering a large class of online transactions traceable and identifiable. Notwithstanding Data Protection principles and legislation, we believe that this could vastly expand the risks to privacy in the EU, without justification or necessity.

We are deeply committed to public education about these areas of technology - most people both on and off-line are still unaware of the issues - we need much better public understanding of privacy rights and risks.

I hope that that this review of UK government proposals has been useful - it is meant to some degree as a "cautionary tale", an illustration of what can happen when legislation is attempted without reconciling tensions between departments. I'd be happy to discuss this further with any of you over the next couple of days. The legislative proposals have already proved extremely controversial not only with civil liberties and human rights groups, but also with business and industry. It is possible that when these proposals emerge in their final form, they will have been very substantially modified as a result of feedback from public consultation.

You can find further details on most of these subjects on our Web site - thank you."