Key escrow is still a bad idea

The repercussions of the tragic events of 11 September are today being felt far beyond the streets of New York and the deserts of the Middle East.

Airport authorities are reappraising their check-in procedures; airlines are tightening airplane cockpit security; and governments across the globe are reassessing the extent to which they conduct surveillance of communications carried out across the Internet.

Inevitably, talk is turning once again to controversial concepts such as ID cards and key escrow encryption requirements.

Here in the UK, the Government has plans to take advantage of the current wave of nausea at global terrorism to re-introduce the key escrow powers it was forced to drop from the Regulation of Investigatory Powers Bill last year.

Adoption of key escrow would require UK users of encryption software to lodge their private key with a trusted third party. The Government would have the power to demand that these third parties yield any private key held in escrow, in order to read e-mails sent by individuals it views with suspicion.

Far be it from us to cast aspersions upon any desire to harness technology to advance the global fight against terrorism. If Osama Bin Laden and his ilk are using technology to spread their messages of hatred, then technology must be used to thwart them.

It is worth pointing out, however, that when the Government tried to introduce key escrow last year, UK businesses and civil liberties campaigners were united in their opposition to it. Their combined arguments were compelling enough to force the Government to back down and scrap the plan.

Last year's opposition to key escrow was more than a simple knee-jerk rejection of an initiative that smacked of Big Brother. As well as the matter of confidentiality and privacy, more practical cost and infrastructure concerns were raised.

Even if the Government does choose to push through this legislation in the wake of events in the US, there is no guarantee that it will do anything to halt the activities of terrorists - or even that it will work effectively.

So far, no evidence has emerged to suggest that Bin Laden used encryption technologies to pass orders to his operatives around the world. Indeed, the likelihood is that he communicated with terrorist cells using plain text messages in order to avoid the unwanted attention that encrypted e-mails might have drawn.

And, even if the Government was to introduce key escrow, it is hard to imagine terrorists lodging their private keys with trusted third parties, when PGP and other encryption technologies that do not require third-party key holders are freely available.

The Government needs to do all it can to silence the whisperings of terrorists in the corridors of cyberspace. But it also needs to pay heed to the opinions of UK business, for whom key escrow, if it was a bad idea a year ago, is probably still a bad idea today.
