Consultation and Contemplation: Resounding Openness at
The London School of Economics
Response to the Public Consultation Paper
Licensing of Trusted Third Parties for the Provision of Encryption Services
Presented to the Department of Trade and Industry
Abstract
The following is a submission to the Department of Trade and Industry of the UK
Government in response to their consultation paper on the policies and legislation for
cryptography and encryption services. I argue that their proposal is insufficient in its goals,
its means and results. For a responsible process the UK Government will be required to
operate more under its promise of open processes. Otherwise, the UK Government runs the
risk of not only being a lesson in precedence, but also minimizing its role in the decisions that
are essential to the future of the Information Society.
Ian Hosein
Computer Security Research Centre
The London School of Economics
June 1997
The CSRC was very concerned about the apparent polarisation of the debate regarding
cryptography and that there was no true opportunity for academics, practitioners and the
general public to come together to share thoughts and ideas for this DTI Proposal. The
meeting was organized to create a forum for organised and cultured debate in the hope of
building understanding within the UK cryptographic community and industry.
The following is a submission in response to the March 1997 Public Consultation Paper from
the Department of Trade and Industry, and should be considered as an individual submission
in the light of my experiences in organising and attending the conference, in independent
research, as well as being part of the CSRC. This is not an attempt to represent the views of
the Computer Security Research Centre as such, or the London School of Economics.
Background to this Response
Cryptography is the mathematical art of keeping information secure. It allows for the
securing of a message using an algorithm and a key, producing a resultant ciphertext that is of
no use to anyone with the exception of the holders of the key. There are three mainstream
methods of cryptography: conventional (symmetric), public-key (asymmetric), and hybrid
(combination). Public key encryption was introduced in the latter half of the 1970s by Diffie
and Hellman, independently developed by Merkle, and this began a considerable shift
towards publicly available encryption algorithms. The development of public key encryption
also introduced the notion of authentication. That is, normally to encrypt the sender would
use the recipient's public key, and to decrypt the receiver would use their individual private
key. If this process is somewhat reversed, that is, a sender uses their individual private key to
sign the message, then when the recipient receives the message, the recipient can use the
sender's public key to perform an authentication of the digital signature that only the sender
could create. This process of authentication is one of the driving forces of electronic
commerce, replacing the need for manual signatures that are susceptible to forgery, with
digital signatures that can only be done by the holder of the secret private key.
What the DTI is currently proposing is to resolve three challenges associated with
cryptography. The first challenge is that of key management. Conventional encryption has
only one key for the encryption and decryption process. Sharing this key with two people is a
difficult task. Even public key cryptography, which has two keys, one for encrypting and the
other for decrypting and signing messages, has the problem of properly distributing the
appropriate public keys. The DTI proposes the use of Trusted Third Parties who will collect
all the public keys, and share them with users who wish to communicate using encryption.
The second challenge with encryption is the loss of decryption keys. Encryption is a
powerful process that is quite challenging to circumvent if properly done. The loss of a key
could very well prevent the owner of the data from ever recovering the encrypted ciphertext.
The DTI proposes that the TTPs also have on hand copies of the decryption keys, or the
private keys of the users to be returned to their owners in case of the loss of the original.
Finally, the last challenge with encryption is that it can be used by people to maintain the
confidentiality of information, preventing interception by all parties, including the
Government and law enforcement agencies. The DTI proposes that the TTPs have copies of
the private decryption keys in order to permit law enforcement to preserve their current rights in
intercepting communications under warrant, as legislated in the Interception of
Communications Act 1985.
Out of that last challenge arises a significant amount of controversy. Cryptography has
within recent debate been labelled a double-edged sword, in the sense that it protects the
users, but it is inherently anti-social, and is thus detrimental to law enforcement and
government. Governments consider it a tool for their own information, while it can be a
weapon against law enforcement and national security when improperly used. Opponents to
the law enforcement access to individuals' private keys consider cryptography a weapon
against divulging secrets to those from whom we wish to protect information, such as governments,
adversaries, and organisations. Cryptography, however, is merely an algorithm and a defense.
In the world of computer security, cryptography does not provide a solution, merely a tool. It
does not prevent aggression, it merely disorganizes and hinders it. Cryptography merely
prevents access to information, irrespective of what the information is. The issue with the use
of cryptography by individuals questions not the right of them to bear arms, but instead
questions the right of individuals to shield their data, and thus to provide defenses and
obstacles to accessing the information within a context. The issue is now about the right to
protection, and whether the individual right to protection supersedes that of the society and
state.
Resounding Openness
The Scrambling for Safety conference was a demonstration of the importance of the issues
related to cryptography, electronic commerce, privacy, and the ability to maintain effective
law enforcement, to all members of the public. Many issues were raised on the 19th of May,
and this document does not attempt to relay the ideas that were presented; instead this is an
attempt to extract the general trends from the conference, and offer some ideas on what is
necessary for future consideration and action.
The clearest trend was the wavering patterns of discussion, from enabling electronic
commerce, to upholding privacy, to maintaining law enforcement, and to the licensing of
Trusted Third Parties. The effort to discuss these factors together is one of the greatest
strengths and weaknesses of the DTI report. Cryptography is at the base of all these factors,
as a driving or enabling force. The DTI made a wise decision to discuss electronic commerce
in tandem with regulation on Trusted Third Parties and law enforcement access. Note,
however, this can be extremely dangerous to the promotion of fair debate. The equal
importance and value of each factor can easily be lost as some factors inadvertently lose
prevalence because they become disguised by the more pressing and political issues of the
day. Privacy can easily be left by the wayside as law enforcement and national security are
considered, while it would be convenient to merely gauge the effects of this on electronic
commerce, rather than the consequences and the interdependencies. To prioritize within this
structure of interdependent entities is tempting, and dangerous.
To acknowledge the pressing needs for today's policies in laying tomorrow's foundations,
this response to the DTI Proposal will be divided into these factors. The interdependencies
will not be ignored throughout this analysis, while the individual importance of each trend
will not be devalued, and their synergy will be protected.
Groundwork for a Market
The global electronic market is the most appealing and yet sensitive characteristic of the
Internet. It is appealing because it promises a large consumer base, international supplies for
international demands, and minimal overhead costs. It is sensitive, because consumers place
demands and expectations on creating this new market, particularly within security measures,
and the future of this market hinges on satisfying their needs. The current obstacles within
the electronic market are: maintaining the privacy, ensuring the integrity, verifying the
authenticity, identifying the fabrication, and enabling the non-repudiation of transactions. At
the base of these obstacles lies trust.
In Section II, paragraph 14 of the DTI Proposal, the importance of security within electronic commerce is stated, and quite carefully:
[...] (B)usinesses in particular have raised legitimate concerns about the adequacy of security measures for protecting the integrity and confidentiality of information transmitted on public telecommunication networks. It is clear that increasingly the concerns of users are not about the availability of the technology and its benefits, but about the level of trust that both business and the public can place in such technology. These concerns represent a significant obstacle to the continued take up of electronic commerce in the UK. Hence the issue of how best to facilitate the provision of secure electronic commerce has become a key component of the Government's objectives for building the information society.
Ultimately, the above statement claims that security of the information infrastructure is key to
the creation of electronic commerce. Then the report continues to say that integrity and
confidentiality are the keys to meeting the requirements of security by using technical means.
Trust is important, according to the DTI Proposal, but this trust is merely about trust within
technology. Therefore the Proposal creates an allusion to cryptography as an effective
security tool for protecting the information on networks. Out of this, arguably, comes the
electronic market.
This reasoning is excessively linear in its logic and misses a great deal of the issue and the
resulting opportunity for the DTI. The technical measures are not enough.
The public is concerned about security over the Internet, but this concern is misguided. A
large proportion of users search through the Internet in order to find a product of their choice,
but then choose to perform the transaction in the physical and real world, as opposed to the
virtual transaction. Why? Because the consumers do not trust the technology. They fear that
their credit cards will be stolen by ever-present hackers, just waiting, watching, and waiting
until they release their credit card numbers to the Internet. While this threat is apparent, its
apparent use is not worth the amount of discussion that has arisen. While the use of
cryptography is a pressing tool for the development of electronic commerce, it is
irresponsible to expect that security through cryptography is sufficient.
Encrypting credit card numbers will not provide a solution to the problem of illegitimate
store-fronts on the Internet, where anyone can pretend to be a reputable vendor. The fact that
users have such faith in technology to solve this problem will be the failure of the system, not a
lack of trust in it. The DTI's role in electronic commerce could be in assessing how it can
develop a trusting relationship, with technology, instead between consumers and businesses.
This trusting relationship would be the first step towards securing electronic commerce, let
alone enabling it. Certification can play the largest role here, where small and medium sized
businesses can be promoted on the Internet through assuring consumers that these
organisations are trustworthy. While the US Better Business Bureau has placed its database
of complaints online for access in order to limit the consumer's risks, this trend must be
extended. New companies that operate only in the sphere of the Internet must be ensured to
provide the same quality of service as required in the physical world. The importance of data
protection is now increasing, as some vendors collect credit card numbers and consumers'
personal information in a database that is available for access on the Internet -- this situation
is problematic, in accordance with and beyond the Data Protection Act of 1984. With
certification, consumers will know that the businesses are worthy of trust, and in addition,
that the businesses will maintain the privacy of the transaction, ensure the non-fabrication of
the trade, and resolve the problem with repudiation of transactions.
Undoubtedly, encryption does cover many of these issues as well, but only together, technical
and formal means will provide consumers and businesses with a truly secure and trustworthy
environment that is needed for electronic commerce to flourish. The issue that should be
discussed for enforcement is not whether cryptography should be permitted to be used, but
rather whether we can use it along with other measures and
safeguards in order to counter the apparent threats to this new market. In developing this
market the DTI's mission can be met, and not by regulating the uses of cryptography in the
name of electronic commerce.
Encrypting Privately
The continuous growth of electronic communications has been mirrored with the growing
need for security. Security is becoming a necessity as individuals and organisations become
aware of the importance of their information assets. Thus we expect cryptography to provide
some measure of security, resulting in safety.
In using cryptography, however, there is a cross to bear -- responsibility. Cryptography
transforms large secrets into small secrets, which are in turn called keys. The problem arises
when this small secret is lost, or compromised -- the secret will either be irrecoverably lost,
or the confidentiality uncovered.
It is logical to propose some type of infrastructure for users to escrow their keys. In returning
to the original meaning of escrow, it may be necessary that some legal process be
implemented in order for users to place their private keys in trusts, akin to a safe deposit box
or a will with a lawyer for future access only under the appropriate personal authorities.
Otherwise, users may face the consequence of losing their encrypted information; this risk
can be avoided by creating backups that are securely stored on the user's behalf.
Within organisations, the dynamics are completely different. The dangers here are even more
apparent than for private users of cryptography. Organisations are at risk of losing
information through lost keys due to employee sickness, death, or mischief. Even worse, the
protection of trade secrets is complexified as users become the greatest weakness for the
security of the organisation as they can easily transfer all the information outside the
organisation to a competitor, shielded using cryptography. Legal issues need to be decided,
such as who is the owner of the key produced by a user for the user's needs as an employee?
These threats and fears may drive organisations to a central storage of private keys, if not the
entire process of generating key pairs in order to avoid conflicts of ownership.
Somewhere within the process of organisational key escrow, it will be important for the DTI
to establish guidelines, akin to a code of practice for this type of escrowing procedure. It is
essential to ensure that organisations do not encroach on the individual's right to secure
communications and privacy, even within the work environment, unless it is stated within an
employment contract. Reserving the right to decrypt information when the employee is
unavailable is favourable, but reserving the right to intercept communications of the
employees and monitor their transactions is surveillance. Securing the organisation is one
action, but asserting firm authoritarian control is something entirely different.
Trust in Parties
The use of Trusted Third Parties could very well promote and assist the use of cryptography
in communications and electronic commerce. However the licensing requirements outlined
by the DTI are geared only to promote large organisations as TTPs. It would be irresponsible
for the Government to not show support for organisations of all sizes to seize the opportunity
presented by this new age of communications, in the same way that it would be irresponsible
to neglect the needs of small and medium sized enterprises within electronic commerce.
The responsibilities and liabilities placed upon these TTPs by the DTI are enormous, and this
will only be escalated by the insistence of law enforcement agencies that the private keys be
in trust, and readily available for warranted use. This will be a hindrance for small
organizations to start up in order to operate as a TTP. Large organisations such as banks and
corporations can not be trusted with keys because of their size and difficulties in developing
secure systems. The larger the system, the more complex and the more difficult it is to
implement security safeguards, and the more trust that is required, within the organisation
and without.
The TTP will have to rise out of the ground immediately into a virtual world where it will
have to seek the trust of its clients, without having enjoyed the transition that most
organisations are permitted. Banks were once local establishments, with familiar faces and
familiar services. Stores were traditionally operated by familiar clerks who knew the
consumers, and the consumers trusted the stores. Within their previous states, these
organisations developed a trusting relationship with their customers because of this
familiarity -- the trust-engendering process unfortunately can not be distributed or
modernised as easily. The challenge of the modern organisation will be to understand the
necessity of trusting relationships, and the consequent predicament. It is alarming the amount
of responsibility that the UK Government expects these organisations to bear, while
managing to develop trusting relationships with the users and clients. The likelihood of
organisations meeting these demands is contestable, and the Government's understanding of
the risks is questionable.
The requirements for licensing proposed by the DTI find their strength in acknowledging the
need for the trustworthiness of the personnel within the TTP. If these organisations are to be
extensions of existing organisations, there will exist the problem of inserting extraordinarily
high levels of security into marginally secure existing environments, which is by no means an
easy task. The simplest method would be to develop a new organisation, a new business, that
would build security from the bottom up, from specifications to requirements, keeping
security as the organisation's mission, and not some afterthought as it is in the majority of
organisations. Even this does not ensure security as, with banks being a prime case, it
becomes evident that although security is assumed, it should not be expected. These TTPs
must be secure organisations -- and this goes well beyond the technical problems that are
usually addressed, and the DTI Proposal recognizes this; however mere recognition is not
enough.
These organisations that will become TTPs will require incentive to be secure. Licensing is
one thing, but government legislation is another. Perhaps another type of Banking Act, to
ensure secure safeguards? A good start, but this is not enough. The level of security and
auditability of the system, i.e. the hardware, software, people and organisation, needs to be
under the greatest amount of scrutiny ever ensured in legislation. Constant supervision of the
system is required as under the Civil Evidence Act of 1968 and Police and Criminal Evidence
Act of 1984, audits constantly performed akin to the National Audit Office Act, due care
under the Local Government and Finance Act 1983 and the NHS and Community Care Act of
1990, strict internal controls such as those that are required under the Financial Services Act,
information assurance as under the Companies Act. This type of legislation is to be
extraordinarily important because of the high level of responsibility commissioned to the
TTPs, where they are the bridges and basis of the electronic market, and the obligatory
passage point towards a secure information society.
The risks that the TTPs will find within their environment mean that legislation and
licensing requirements do not suffice. TTPs are actually increasing the risk of disclosure, and
this risk must be mitigated, dispersed, or minimized. Requiring trustworthy personnel and
competent management is only one step in the right direction. These organisations are
predicted to be under attack, because that is where the key to the information economy is.
Having secure technologies that will ensure both the validity and confidentiality of the
information that is available for use at all times is no simple task for technology. The formal
requirements, i.e., expecting that these organisations will have strong security policies, adhere
to the necessary legislation, have a secure management structure with separation of duties and
functions, with clear responsibilities and ownership of duties, are again a lot to expect out of
an organisation. However, both the technical and the formal safeguards are possible to
achieve with the necessary planning and vigilance. The Achilles heel of all organisations is
always the informal aspects, i.e. the way that the organisation truly operates in the face of the
formal and technical safeguards. Even in the most secure organisations, from military to
corporate, social engineering attacks are always effective. Security policies fail because of
their stringent controls, and the need of the employees to get the job done, thus requiring
safeguard circumvention. The TTP takes the fact that a large secret has been changed into a
small secret being the key, and this key is given to the TTP where it will be amongst other
small secrets, and together these small secrets amount to the key to all secrets. This key to all
secrets rests delicately on the informal organisation, on the responsibility, integrity, and trust
in the employees, procedures, and systems. Together, the informal, formal and technical
aspects of these organisations need to be addressed, and from the bottom up, because the
failure of a TTP could induce a general failure of the trust within the entire infrastructure.
One final note on the use of TTPs. It is interesting that encryption is considered as a privacy
enhancing technology because it enables users to attain secure communications or storage.
The role of the TTPs under the various proposed legislation is about maintaining audit trails
of all operations and transactions. However, the audit trails and the privacy requirements of
the transaction are going to be at odds with each other. The logical and simple solution
would be to enforce the Data Protection Act 1984 to its fullest capabilities to ensure that the
data kept on the individual users is kept at a minimum. Otherwise, every transaction, every
communication, and every key requested could be traced by the TTP's system, available to
the insiders, and sought after by the outside. This risk is greater than any risk incurred by the
credit companies, the banks, and telephone companies, because it is the aggregate of their
risks collectively.
This is the ultimate in security requirements, and should thus be discussed in forums of
industry, government and academia in order to truly understand and appreciate the required
rigour to develop the appropriate specifications. Otherwise, weak foundations will result in
greater costs.
Law Enforcement
The needs of law enforcement are the requirements of vigilance. It is accepted that law
enforcement has certain requirements in order to ensure their ability to preserve the peace,
and to maintain order within society -- this is the duty with which they are charged, albeit a
difficult and trying task.
However, law enforcement has to participate in this process as much as the general public is
expected to. We no longer operate in a time of absolute rule, and the divine right of
governments -- we are now using democratic procedures, where decisions should not be
based on power, but instead on rational choice. Law enforcement needs to make its case clear
because as it is becoming apparent throughout this response, this shift in security in the
information infrastructure demands open discussion and consideration. Despite this, law
enforcement has not met their side of the bargain, and this was particularly noted in the
absence of a speaker for law enforcement at the conference.
The need for law enforcement access is not apparent. The US Government law enforcement
agencies have not made their case clear, and this is perhaps reflected in the fact that a
significant proportion of the individual states do not permit the interception of
communications. Federal agencies have attempted to offer popular examples, such as
terrorism, paedophilia, organised crime, and irresponsible governments; the four horsemen of
fear, terror, paranoia, and animosity. This does not suffice. In an effort to resolve this, the
US Government offered an independent tribunal to convene, and the members of the tribunal
were briefed on the needs of law enforcement in camera. The tribunal remained
unconvinced. Nonetheless, there is solace to be found in the very fact that this process
occurred, by which the US Government promoted an element of openness.
Fear, terror, paranoia and animosity are very powerful agents of change, and it would be
disappointing if the DTI does not act proactively to avoid having the public debate degenerate
into despair. It is essential that the DTI acknowledge and act responsibly on these dangerous
grounds; after all, governments cannot appear to be soft on crime, particularly in the United
Kingdom. Although it is noted that the DTI has acted responsibly by presenting the Proposal
within the context of electronic commerce and law enforcement, as stated previously this is
exceedingly dangerous. To simply prioritize the four factors covered within this report on the
basis of social need is tempting, and detrimental to the process. To leave the issue of
cryptography hinging on law enforcement's needs would be a disservice to the work that
has been invested in the Proposal, but this appears to be the direction in which this process is
heading.
Creating public paranoia and fear is irresponsible. Although the DTI's Proposal may be
based upon creating public awareness, a recent article in a British newspaper epitomised the
use of irrational public concern. Within this article, the National Crime Intelligence Service
is reported to have released the Project Trawler report for the Government discussing that
there is a possibility of terrorist use of the Internet. This report includes a recommendation
for an urgent review of police powers to intercept e-mail and other forms of Internet
communication. This was followed by a statement from the NCIS officials who believed that
it is a logical next step for terrorist groups to use the Internet. Further research into this report
logically necessitated searching for the NCIS web site which was disturbingly located at the
open.gov server for the UK Government. The reason that this is disturbing is because the
web site in itself has not been updated since June 1996, and after sifting through year old
press releases, upon locating the press release regarding Project Trawler on an unrelated site,
it was noted that the report for Project Trawler will not be released to the public because it is
only for law enforcement officials.
The law enforcement agencies are not presenting a rational quest for security; this is a
scrambling for safety using paranoia. The Project Trawler research criteria are: hacking and
its use in economic espionage, fraud, electronic payment systems such as smart cards and
electronic cash, paedophile use of the Internet, and software piracy. While these are worthy
of research, they are equally worthy of open discussion, hence living up to the term Open
Government. The NCIS and law enforcement around the world use these threads of
discussion for creating newsworthy announcements, rather than rationalising their need to
combat these crimes by risking the personal privacy of all citizens through circumventing
security safeguards and privacy enhancing technologies such as cryptography.
In the Interception of Communications Act 1985, the Government's law enforcement
agencies are permitted under a warrant to intercept communications. It seems that this is the
largest issue of contention with the Proposal. A key difference with the case for
cryptography in digital communications as opposed to the conventional telecommunications
infrastructure is that the requirements placed upon the users of the cryptography demand a
proactive step -- users must leave their keys, even under presumed innocence, for a time that
they are deemed suspicious. The public backlash against this supposed right of government
will not disappear, and Government must acknowledge this. The process outlined within the
Interception of Communications Act is being questioned constantly as we debate whether a
Secretary of State deserves the right to authorise these breaches of individual privacy and
civil rights. Should the process be more open as it is under Title III warrants within the
United States Code, should the process be decided under the unbiased authority of the
judicial arm of Government, should this process exist at all? These are all questions that deserve
consideration within an open process. As the US Attorney General Janet Reno claims,
"Encryption, as a practical matter, diminishes the power of law enforcement to do its job, and
we seek only the way to maintain the original status quo." Entering the Information Society
is about improving the status quo, not maintaining it. These improvements and changes need
to be considered openly, and thus the need for a consultation process, and not some closed
session as the NCIS is conducting.
To rely on a new government to make a decision that can be cast as against law enforcement
is irresponsible. To cast this decision as a balance between privacy and security of the public
is an unnecessary polarisation of the issues, and allows for sensationalism. The public does
not regard its privacy until it is gone, and they do not respect security until there is a threat.
As long as law enforcement argues that terrorists and paedophiles will have their way with
new technology, privacy advocates will be forced to try to sway the public with images of
totalitarian regimes. As long as the notion of a balance is maintained, controversy will ensue,
and in the end compromise will only mean the loss of individual privacy. As long as we rely
on controversy, we are not operating within the realm of rational debate, but instead relying
on fear and paranoia, which are the keys to mob rule. Government is expected to promote
responsible decision making. The DTI demands responsible decision making, and that is
why the DTI Proposal has been made public, as a consultation effort. Continue this trend,
else we face the consequences of the polarised world we create. This process demands that
we not merely sway the public towards the necessary preconceived ends, but instead
rationalise the requirements, otherwise we will be merely massaging the general public as
their rights are stolen, coercing them to give up some of their rights in order to gain more
freedom.
Danger of Precedence
According to UK law in the Interception of Communications Act 1985, warrants to intercept
communications are granted under the need to protect the interests of national security, to
prevent or detect a serious crime, or to safeguard the economic well-being of the United
Kingdom.
The UK is playing with fire. A nation of influence making a decision in the
name of security carries dangers of precedence. The French Government could easily quote the
Interception of Communications Act of 1985 as it continues to intercept communications
and gather intelligence from foreign companies within its national boundaries, "in order to
safeguard the economic well-being of [enter_country_name_here]". The Chinese
Government could argue that it is protecting national security as it repeatedly enforces strict
laws against privacy and freedom of thought in restraining subversive and dangerous notions,
such as democracy, and the free market. The Singaporean Government has already attempted
to prevent serious crimes by searching through all Internet accounts looking for pornographic
materials. Anthony Giddens argues that we should view surveillance not merely as a sort of
reflex of capitalism, or of the nation-state, but as a power generator in itself.
The African National Congress developed and used encrypted e-mail for years without it
being compromised by the South African Government. We can safely assume that reasons
such as national security and societal benefit are commonly used in all countries to convince
the citizens of the needs of government. Despotic regimes around the world often use the
term anti-social behaviour to describe their political opposition. Now countries can not only
justify their definitions and priorities, but they can use these to ensure that their control and
surveillance continue into the Information Society, using the United Kingdom as the example
and unknowing advocate. However, as Phil Zimmermann noted within his presentation,
governments can run the risk of implementing laws and measures that will be used against
them when they are no longer in power.
This can lead to an even more dangerous proposal with the change of government, and the US
provides the perfect lesson in precedence here. Although the US had tried to implement the
Clipper Chip with its Skipjack algorithm as an optional scheme, a formerly confidential
document released from the US Government concluded that
This implies that a Government's claim of freedom to choose whether to use key recovery can
easily be eroded, and in the US, this was planned to occur. As the previous UK Government
tried to increase the powers of law enforcement when it came to surveillance, a subsequent
UK Government can choose to expand the reaches of key recovery, and mandate the use of
the TTPs. Is it possible to create a policy now that is tamper-proof by future governments so
as to ensure the avoidance of power generation and abuse?
From Consultation Flows Contemplation
The transition and transformation of our institutions is a requirement for reaping the full
benefits of the revolution within our midst. This is the first such revolution that our
institutions have faced on such a grand scale since the Industrial Revolution, and it thus
requires the redefinition and re-analysis of the roles and responsibilities of all sectors within
society. Government is also susceptible to this reformation process, and the only indication
from governments thus far is that they are scrambling.
The UK Government must decide the nature of the role it would like to play within the
Information Economy and Information Society. The role that has been presented thus far is
based on ambiguity, uncertainty, and obscurity, and this does not suffice. The policies and
statements that the Government has provided within the recent years with respect to
cryptography have been ambiguous, if not contradictory. The bundling of the factors towards
the information society within the Department of Trade and Industry Proposal, and within the UK
Government's initiatives, has not been proven to be fair and just, and is only creating
uncertainty. The silence of the law enforcement agencies reveals nothing but obscurity, while
it produces sensationalism.
In order to not walk blindly into this new millennium, as a community we must all
understand where we are heading. What are our current values, and which do we intend to
preserve in the future? It is essential to understand how we value privacy, whether it is
valued in tandem or in conflict with security. It is essential to understand the requirements of
preserving our safety as individuals, as communities, and as a nation-state in order to cater for
the needs of this preservation. It is essential to understand the changing nature of business
and how we can create growth within the electronic market in order to promote consumerism.
It is essential to understand the consequences of our technologies if we are to use them to
their fullest capabilities. The consequence of not understanding is an introduction to
confusion.
To alleviate the confusion, the LSE Computer Security Research Centre is planning on
continuing its role as a mediator within the consultation process. The CSRC is proposing
future meetings on the various factors involved within and beyond the DTI Proposal, with
dedicated conferences on law enforcement, electronic commerce, and the architectural issues
and licensing of Trusted Third Parties. The DTI's support for these events and participation
would be welcomed. The UK Government has not demonstrated any interest in promoting
discussion on these topics in public forums, but the CSRC considers it a complete necessity.
Just as the actions of the UK Government can have dangers of setting a precedent, the
inaction of the UK Government has the danger of resulting in future inability. This will
result in reducing the role of government in creating the foundations for tomorrow's markets,
community, and opportunities.
Further silence from the various government agencies can only further frustrate the
consultation process. Further discussions, however, will at worst create awareness. At best
they will develop consensus.
Acknowledgments
Thanks are due to Alistair Kelman for his dedication and expectations, Dave Banisar and
Simon Davies for their assistance, and Professor Ian Angell for his permission.