Privacy and Personal Data Protection
by Caspar Bowden, Director of the Foundation for Information Policy Research (email@example.com)
"I'd like to thank Marc (Rotenberg), Meryem (Marzouki), and John (Dryden) for the opportunity to address you today.
FIPR is an independent non-profit non-government organisation that studies the interaction between information technology and society, with special reference to the Internet; we do not (directly or indirectly) represent the interests of any trade-group. Our goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe. Our Advisory Council contains some of the leading authorities in the United Kingdom on computer security, cryptography, human rights and civil liberties, government use of IT, and privacy and data protection.
We're interested in a broad range of Information society issues, but I'm going to talk about privacy in the context of law-enforcement proposals for interception and regulation of cryptography.
We would like to inform you about some of the regulatory developments and legislative initiatives in the UK, so in what follows when I refer to "government" I will generally mean the UK government.
Three years after first announcing a policy to mandate key-escrow, the UK government confirmed a few months ago that there would be no compulsory key escrow requirement.
The Electronic Communications Bill - draft legislation which the Govt. wished to introduce last June, but was postponed because of a parliamentary technicality - was published in July for further public consultation. It is the second consultation this year, following the original proposals for mandatory key escrow consulted on in 1997. The consultation period has just ended, and the Government will be introducing the final bill this session in the Queen's Speech.
The Draft Bill contained very broad provisions for subordinate or secondary legislation, which would allow a future Government to re-introduce coercive key escrow or key recovery requirements, by means of regulatory incentives and penalties. We are not convinced that Ministers of affected departments yet fully understand the issues, and indeed some Agencies of Government believe it may be possible and desirable to introduce key escrow in future, if the international climate permits.
There are also broad and controversial powers to demand access to decryption keys, rather than plaintext.
Aside from issues of self-incrimination (such as those raised by the Saunders case at the Commission of Human Rights), if an individual genuinely loses a key, they will have to prove that they don't have the key, on penalty of two years' imprisonment - a reversal of the normal burden of proof. We don't understand how this can be done, and questions on this point to the Home Office remain unanswered after two months.
There is also a provision to impose a total obligation of secrecy on persons served with a notice to disclose decryption keys. The notice need not (necessarily) have judicial or executive authorisation, and if any person divulges the existence of a secret decryption notice, the penalty is five years' imprisonment. It is only possible to challenge a notice by recourse to a secret Tribunal, which can hear evidence in the absence of the complainant or their legal representative.
FIPR has commissioned a Queen's Counsel opinion that suggests that these proposals violate the European Convention on Human Rights. This will be available from our website (www.fipr.org) from October 20th.
The Home Office has also conducted a separate consultation on revising the Interception of Communications Act (IOCA 1985, see http://www.fipr.org/ioca/library.html) - it largely concerns "telephone tapping for the Internet".
Internet Service Providers (ISPs) must provide and pay for "reasonable interception facilities", but "interception" is not defined. "Reasonable" is also not defined, but is to be determined finally by the Executive - there is no independent, non-government, non-business component.
There is also a section dealing with law enforcement access to "traffic" or "communications" data: typically for the Internet this means logs of Web sites visited, address headers from e-mail, or user account details - as opposed to the "content" of e-mail. It appears that it is intended to abolish Data Protection safeguards which currently require the Data Controller to satisfy themselves that release of the data is necessary for the prevention or detection of crime. Instead there will merely be a duty on the ISP to provide the data to law enforcement authorities on production of a police notice, without a requirement for judicial authorisation.
Government has announced a joint government-industry forum to discuss law-enforcement requirements and means by which industry could assist law enforcement to gain access to encrypted data. However there is as yet no provision for participation by civil liberties or human rights organisations in this forum.
I'd like to just mention some projects and areas FIPR is working on in connection with these subjects.
I hope that this review of UK government proposals has been useful - it is meant to some degree as a "cautionary tale", an illustration of what can happen when legislation is attempted without reconciling tensions between departments. I'd be happy to discuss this further with any of you over the next couple of days. The legislative proposals have already proved extremely controversial not only with civil liberties and human rights groups, but also with business and industry. It is possible that when these proposals emerge in their final form, they will have been very substantially modified as a result of feedback from public consultation.
You can find further details on most of these subjects on our Web site - thank you."