The UK government has bowed to industry criticism and dropped plans to mandate key escrow in its forthcoming Electronic Commerce Bill. Instead, it proposes to introduce voluntary licensing of encryption service providers, and legislative changes that will give law enforcement bodies access to decryption keys on a case-by-case basis.
The clash has been between industry bodies, which claim mandatory key escrow is unworkable, and law enforcement bodies, which claim that the inability to police electronic commerce poses a threat to national security and public safety. The disagreement had threatened to derail the government’s plans to make the UK the best environment in the world for electronic business. Now, following a consultative process with industry and the publication of the Encryption and Law Enforcement report of the government’s Performance and Innovation Unit (PIU), Minister of State Charles Faulkener said the government has found a way to balance the interests of e-commerce with the interests of law enforcement.
There will be no third-party key escrow, said Faulkener. Instead, the Electronic Commerce Bill will contain provisions to assist the unlocking of codes in e-commerce business. In practice, this is likely to mean changes to the Police and Criminal Evidence Act 1984 (PACE). At the moment, PACE empowers police to seize materials, including data, either under warrant granted by the courts or on the basis of believing that reasonable grounds exist to do so. However, the law as it stands does not empower the police to force encryption providers to hand over keys to their own data, or to the encrypted data of their customers. The proposed legislative changes would make this possible, effectively obliging ISPs to decrypt customers’ data on demand from the courts, or from the police.
The new proposals may still stick in the throat of civil liberties lobbies, but the system of voluntary licensing of encryption providers and new powers of police seizure should satisfy the law and order camp, while also allowing industry to adopt a more cooperative stance with government. The proposals are certainly less draconian than mandatory key escrow, which would have required all encryption providers to lodge public keys with a trusted third party, effectively the government. And, said Home Secretary Jack Straw, they are less burdensome than the anti-money-laundering measures which have already been accepted by the UK banking community. These measures require banks to proactively notify law enforcement bodies of any unexpected or unusual monetary transfers.