[ISN] UK Encryption Wars

From: mea culpa <jericho_at_dimensional.com>
Date: Fri 29 May 1998 - 01:27:43 CDT
[Moderator: Back in town from a 4 day trip, expect some traffic again. :)]

Forwarded From: Kjell Wooding <kwooding@codetalker.com>

http://www.wired.com/news/news/politics/story/12492.html

UK Encryption Wars
by Yaman Akdeniz 

4:04am  25.May.98.PDT

Britain's postal service has announced plans to offer public key recovery
services later this year, in an effort to overcome criticism of the
government's previously proposed "trusted third party"  cryptography
initiatives. 

The UK government has been struggling for two years to find a policy that
balances privacy concerns against those of law enforcement agencies.
Indeed, Royal Mail's announcement on 19 May comes in the wake of the
British government's April introduction of a new encryption policy, the
Secure Electronic Commerce Statement. This policy is the third in a series
of widely criticized Department of Trade and Industry key recovery
documents.

Unlike the government's first two plans, this latest policy favors
voluntary rather than mandatory licensing of so-called "trusted third
parties." But the requirement that third parties be government-approved
leaves British privacy advocates jittery about the Royal Mail's
announcement.

In describing the new plan on Tuesday, Jim Pang, director of Royal Mail's
Electronic Services, took a conventional -- and unimpeachable -- line on
the need for encryption. "Users of the Internet do not have a guarantee of
privacy and confidentiality, source of origin, or proof of receipt," he
said. "At the moment it is relatively easy either to read someone else's
Internet email or to pretend to be someone else sending email."

Ian Walker, technical director of Entrust Technologies, which is supplying
the software, continued down the same path in an interview:  "[Encryption]
is a straightforward commercial need, regardless of government desires. It
is a separate issue to key escrow."

Maybe so, say privacy advocates, but the heart of the Royal Mail proposal
is the use of key recovery systems. Critics the world over voice the same
concerns: Voluntary or not, third party keys raise unprecedented privacy
risks and governments should not be so easily granted a technical
capability for mass surveillance.

Pang has attempted to pre-empt such fears about privacy by saying that
"using advanced cryptographic technology ... will be the electronic
equivalent of sending a signed document in a sealed Royal Mail Special
Delivery envelope" and "will enable anyone to send and receive data on the
Internet in the knowledge that their messages are totally secure."

Some privacy advocates, however, remain skeptical. "None of the trusted
third parties -- including the very reputable Royal Mail -- will be able
to provide confidentiality and privacy of communications with key recovery
systems unless their relationships with the law enforcement authorities
are clarified and subjected to due process," argues Clive Walker of the
CyberLAW Research Unit at the University of Leeds.

Other critics, moreover, note that the Royal Mail and Entrust may be
promising a service they cannot deliver. Brian Gladman, a former Minister
of Defense and technical director for NATO, believes that the technical
security challenges posed by such a large-scale project are well beyond
the current state of the art.

"These plans will impact on the security and safety of the British
public," says Gladman. "It will be important that the Royal Mail provides
... a commitment to support independent, publicly visible scrutiny of
their approach." 



-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Fri May 29 09:33:24 1998