U.K. proposes prison term for failing to turn over crypto keys

www.computerworld.com –

LONDON -- The Electronic Communications Bill, if passed into U.K. law, could result in encryption users getting two years' imprisonment for refusing to hand over the keys.

This reading of the bill is causing concern among privacy advocates and opposition parties, who worry that the bill gives law enforcement officials wide-reaching power over private Internet communications.

The clause in the bill that has upset some of the U.K.'s online community calls for a possible two-year prison term for anyone who refuses to turn over an encryption key or a message in plain text to law enforcement officials. It also calls for a five-year prison term for tipping off senders that they are being investigated, according to Caspar Bowden, director of the London-based Foundation for Information Policy Research.

Even discussing an investigation in public, such as complaining about alleged abuses of law enforcement to the media, may also be punishable by imprisonment, Bowden said.

"Let's say that someone under investigation sends me a message with encryption that can only be decrypted by the receiver. The authorities come to me and tell me that they are investigating someone but won't tell me who, so they ask for all my private keys," Bowden said. Refusing this request from the authorities could get him two years in prison, Bowden said.

In this case, the authorities would have all of Bowden's private keys, enabling law enforcement officials to read all encrypted correspondence that was sent to him. Bowden would then have no choice, he said, because by informing anyone of this and asking them to change their key, he would break the "tipping off" clause of the bill and, in turn, face five years' imprisonment.

"I can't complain to the newspaper, otherwise it's five years in jail. All I can do is go to a secret tribunal," Bowden said. The tribunal is five judges; only two have to participate, and only one has to lay the groundwork, he added.

Bowden said the entire bill needs to be re-examined by the Department of Trade and Industry. "We would like to see the Electronic Communications Bill be about e-commerce, which is what they said. The law enforcement section doesn't even belong in it," he added.

There is also another method of hiding messages, called steganography. It's not clear to commentators, such as Bowden, whether or not steganography is covered by the bill. Using steganography, a user can "sprinkle an encrypted message" into a photographic format such as JPEG or a music format such as MP3, both of which are popular online. In actuality, the message doesn't necessarily need to be encrypted, just concealed within the file, according to Bowden.

Although the bill doesn't mention technologies such as steganography, Bowden speculated that the authorities could enforce regulations in those cases by proving that there was a reason to search, such as the existence of a steganography program on the suspect's computer.

The text of the Electronic Communications Bill can be found on the Department of Trade and Industry's Web site.
