Folly of draconian law on decryption

The proposed Bill on access to decryption keys could set back the UK's drive for e-commerce

The Regulation of Interceptory Procedures Bill, currently before Parliament, is flawed, both commercially and in terms of civil liberties.

The law gives the police and courts the right to demand the decryption key for private Internet messages intercepted by the security services. It places the burden of proof on the defendant in cases where users claim they have lost or forgotten the key. It will make Britain the first country in the world where refusing to hand over your encryption key is a jailable offence.

Similar proposals were removed from the Electronic Communications Bill after user protests last summer. Among corporate users, opposition to the move has been driven not primarily by the rights issue, but by the damage the new powers could do to Britain as a global hub for e-commerce. Then, as now, there were dark mutterings in the financial sector about offshore relocation if the law went through.

The commercial objections to these proposals are even stronger today. The US has unbanned the export of strong encryption technology. And Windows 2000 is set to put encryption on the standard desktop.

With the onus on users to hand over the decryption key on the orders of a court, IT directors could soon find themselves involved in law enforcement.

ISPs at the sharp end of web-tapping will be offered unspecified grants from a presumably limited pot of public money to cover the top-line costs of allowing the police to tap the Web. The much greater costs in terms of skills, time and the general clutter of maintaining a "reasonable interception capability" are harder to quantify.

Most companies are inclined to co-operate with Web tapping law provided there is a fast, guaranteed way to identify that the tapping order is legitimate, and that all extra costs - including damage to corporate security - will be covered by the State.

However, many companies and IT user groups are not satisfied that the Bill provides this in its current form. Even more worrying, for the average IT director, is the prospect of being embroiled in a three-way fight between a defendant, the British government and the European Court of Human Rights.

Ireland, with its IT-heavy, export-oriented economy, is doing the exact opposite to the UK - prohibiting the security forces from demanding access to private keys.

As the Bill speeds through Parliament, it is once again left to IT professionals to tell the government what light-touch regulation really means.
