STAND SUBMISSION ON E-COMMERCE TO THE DTI SELECT COMMITTEE

INTRODUCTION

STAND (http://www.stand.org.uk) is an exercise in online participation in democracy. It consists of over three thousand volunteers from six hundred constituencies who have offered to assist members of Parliament in understanding the issues behind new information and communications technology. While STAND does not act as a platform for a single political viewpoint, participating members have expressed a broad consensus on a number of technical issues.

The following written submission expresses our concerns regarding the proposed E-Commerce Bill. We strongly believe it represents the concerns of many others who - like us - depend on the Internet for their business today, and are involved in creating the British technologies of tomorrow.

This document was perforce written before the full consultation paper was released by the Department of Trade and Industry. As such, many of our comments are based on the formal briefing provided by Stephen Pride of the DTI at the ICX conference in November[1]. We understand that some details may have changed in the interim - particularly as the consultation paper has now been delayed by several months. However, most of our objections are based on what we believe to be the misled grounding of the Bill rather than the implementation details. Whatever the final form of this document, the principles we express here should be applicable.

We will be releasing an updated version of this document, following the publication of the consultation document in mid-February. [2]

I. Government Support for Key Escrow

The proposals lend government support to the establishment of a voluntary key escrow system for public key encryption on the Internet. Key escrow systems require that the encryption keys used to protect data in transit are placed in trust with a third party. Suggested third parties include British Telecom, banks and other agencies that may already be considered trustworthy by the public.

The customary explanation for key escrow is that it permits law enforcement access to communications suspected of concealing criminal activities.

We believe the voluntary escrow of communications keys fails to live up to this expectation, and will have little effect on the control of illicit activities on the Internet.

We believe it may, by weakening Internet security for those who adopt it, actively increase criminal activity in the UK.

We believe that even voluntary support for such a system will damage British business interests.

And we believe that the government's proposals unacceptably affect the civil liberties of British citizens.

II. Failure to Deal with Stated Aims

Key Escrow and Law Enforcement

Government support for key escrow will have little effect on criminal activity on the Internet. There are many ways by which criminals will transparently circumvent the law, without fear of detection or prosecution.

Furthermore the implementation of a key escrow system provides numerous opportunities for criminal activity that would otherwise be impossible:

Finally, evidence has not been submitted to the public regarding scenarios in which the new key escrow system would aid the apprehension of criminals. In a recent announcement by the National Criminal Investigation Service [3], several case studies were presented of criminal activity which involved encryption. The NCIS Director General, John Abbott, implied that these cases would have been easier to solve within a key escrow regime. However, all the examples given involved local encryption of permanent data. Such encryption would be possible (and not unlawful) in the regime following the new law, and would be unaffected by the proposals.

III. Harmful Effects on British Business

Government support for key escrow profoundly impacts Britain's position in the global marketplace, not just for encryption products, but for all goods and services traded via electronic commerce. While the Government's proposals insist that the system will be voluntary, it must be understood that British companies providing encryption services will be encouraged to develop key escrow systems in preference to more secure methods.

a. Damage to British Companies Creating Cryptographic Products

Despite the government's assurances, support for key escrow does favour one technical system over another.

Certain additional requirements being mooted (such as dual-ended access) effectively prescribe a particular encryption algorithm. Even if these are dropped, key escrow necessarily favours certain technical systems over others because most encryption systems in widespread use do not support key escrow. Furthermore, because key escrow is a political requirement that inherently reduces data security it is not incorporated into the strongest systems. It is therefore fair to say that the most effective systems are the ones most discriminated against by these proposals.

Moreover, Britain is currently one of the centres of excellence in non-escrow systems: Microsoft's centre at Cambridge, for instance, was formed to take advantage of the cryptographic expertise there, and also of a legal export regime that was more welcoming than that of the competing United States. To settle on a key escrow system here when other countries are standardizing on stronger encryption will damage the ability of these companies to compete in the global market.

b. Damage to British Businesses Supporting E-Commerce

The Internet is a remarkably fluid and responsive marketplace, but most companies are understandably suspicious of its lack of in-built security controls. Our experience suggests that business will freely move to sites and software that give security the highest priority. With the government proposals in place, these sites, this software, will not be created in Britain.

c. Damage to British Consumer Confidence in E-Commerce

Key escrow is a weak security system, both technically and in its appearance to the consumer. Internet users already express a lack of confidence in the security of their online transactions. The knowledge that the key to all their transactions is being sent to a third party will do nothing to improve that confidence.

d. Damage to the Competitiveness of E-Commerce Transactions

Enforcing a key escrow system is cumbersome and costly to maintain. This cost will, in the highly competitive world of electronic commerce, be passed onto the consumer. British products and services of all kinds will therefore incur excess costs beyond those of competing nations.

In the words of some of the most respected experts in this field, including two of the creators of the public key encryption system, as well as experts at Microsoft, AT&T, Cambridge University, MIT, and the Stanford Research Institute:

The deployment of key-recovery-based encryption infrastructures to meet law enforcement's stated specifications will result in substantial sacrifices in security and greatly increased costs to the end-user. Building the secure computer-communication infrastructures necessary to provide adequate technological underpinnings demanded by these requirements would be enormously complex and is far beyond the experience and current competency of the field. Even if such infrastructures could be built, the risks and costs of such an operating environment may ultimately prove unacceptable. In addition, these infrastructures would generally require extraordinary levels of human trustworthiness. [4]

e. Damage to the Standardisation of Internet Commerce

Standards for secure communication on the Internet already exist [5]. Support for these standards by the British Government would help build confidence. No currently promoted system for secure communication advocates key escrow, nor is it likely to, given the overwhelming objection to such systems by computer security experts. Encouraging companies to develop new standards, incompatible with the accepted protocols of the Internet, will slow market growth. At best, the Government's support for voluntary key escrow will be ignored by business. At worst, it will confuse matters irrevocably, and retard Internet e-commerce in this country well into the next century.

If, as seems likely, Britain accepts the inevitable insecurities of key escrow while the wider Internet adopts truly secure e-commerce protocols, then a British business's software for accepting money simply will not be compatible with an international customer's software for spending it; that customer will go elsewhere.

IV. Harmful Effects on Civil Liberties

STAND is concerned that within the initial DTI discussion it was proposed that the new Bill "clarify" certain powers of law enforcement with regard to obtaining encryption keys. Although these clarifications are somewhat unclear to us at the moment, we would like to highlight our objections to some of the suggested contents.

This implies that they are to be treated as stored data, rather than as part of a communication - which would require a Home Secretary's warrant under the Interception of Communications Act. We would believe the natural interpretation is the exact opposite. An encrypted message is a communication. Access to its key demonstrates an ability (and intent) to intercept that communication. If law enforcement wishes to obtain communication encryption keys, they must be subject to the same level of parliamentary scrutiny as would occur if they were tapping a telephone. The privacy of e-mail and the privacy of a private phone call are, in our belief, equivalent.

While we understand the reasoning behind such a move, we find it disquieting that no parallel obligation has been included, requiring such surveillance to be revealed as having occurred after the case has been closed (and a suitably short period of time has elapsed). Given the ease by which key escrow allows the transparent surveillance of a large number of suspects, we believe that such a check is an absolute necessity.

We strongly believe that these measures do not clarify existing practice; they place electronic communications and commerce under a different, and more oppressive framework than the status quo.

Moreover, they have no place in a Bill intended to primarily encourage, standardise, and promote electronic commerce. We do, however, recognize that a formal statement of the powers of enforcement officers in this area would benefit the police and civil service compliance officers, business interests, and civil liberties. We suggest that a better placing for these issues is in a Bill devoted to lawful access to traffic, namely the Home Office's current consultations on an updating of the 1985 Interception of Communications Act.

V. Summary

STAND members represent a broad cross-section of political opinion, but we are all united in our practical understanding of how the Internet is used today in business and everyday affairs.

Our combined experience suggests that government support for a key escrow system will damage the fledgling Internet business in this country, and harm the civil liberties of innocent British citizens, while doing nothing to assist law enforcement in apprehending criminals.

APPENDIX I


Contacting a STAND expert in your area

Members may wish to obtain free advice on Internet and computing technology in their own constituency. STAND holds a database of volunteers who will be happy to provide briefings on the Internet in general, and its use in their area - including local success stories and newsworthy activities. Interested parties can either e-mail us at <mp@stand.org.uk> or telephone 07050 605010, and we will put you in contact.

APPENDIX II


Bibliography

The cited sources in this document are available for free access on the World Wide Web. Copies available from STAND on request (Tel: 07050 605010)

[1] "Building Confidence in Electronic Commerce: The UK Government Initiative", 19th October 1998, http://www.icx.org/

[2] The updated submission will be passed on to the Committee Secretary, and available for public viewing at http://www.stand.org.uk/select.html
The Web copy also has the advantage of having links directly to the referenced documents.

[3] "NCIS calls upon Government to ensure law enforcement powers do not fall behind technology in fight against crypto criminals" http://www.ncis.co.uk/web/Press%20Releases/encryption.htm

[4] "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption", Abelson et al, July 98
http://www.cdt.org/crypto/risks98/

[5] The Internet Engineering Task Force, the principal standards authority for the Internet, provides for a number of encryption standards - S/MIME for secure e-mail, and the SSH and SSL protocols for secure communications. All are already in common use. See http://www.ietf.org/ for more details. The IETF's senior committee, the Internet Architecture Board, has taken a strong technical position against key escrow and restrictions on key lengths, documented in detail at ftp://ftp.isi.edu/in-notes/rfc1984.txt

APPENDIX III

This submission is itself an example of how the Internet is being used today to speed business and public undertakings in the United Kingdom. The paper document was written, vetted, corrected and authorised by the three thousand or so members of STAND, in less than one week.

Many contributors expressed a wish to add personal comments to the document. We understand that the committee desire written statements to be brief, but we hope that they will forgive this expansive appendix of very brief statements. We feel that it conveys the widespread concerns of ordinary Internet users and businessmen in a way that a single document might not.

Committee members can omit this section if they are primarily concerned with the details of the STAND case. They may wish to peruse it to understand the force with which those details are felt. The editors have also taken the liberty of highlighting what we felt to be particularly significant contributions.

Corporate affiliations are given as an indication of expertise only. Unless stated, all views expressed are personal, and do not necessarily reflect those of the company mentioned. E-mail addresses are available on request, although we do ask permission of the contributor before releasing personal details.

***

A UK or European key escrow scheme would make life very hard for us. As a software house working mainly for US companies we depend upon strong cryptographic email and encrypted network connections. The US commercial world will have no faith in the UK government proposals. We will lose business, and in fact may well have to move the company to the USA to remain viable. I do not believe we are an unusual case.

Alan Cox, Director, Building #3 Ltd, Cardiff


I am a senior web producer for the biggest Web design agency in the world (AGENCY.com), and am appalled by the lack of security key escrow displays. I am now actively advising all my e-commerce clients (to date including Prudential Corporation, Virgin Direct, Hodder & Stoughton, The Economist, EMAP Finance, Zurich Reinsurance, International Risk Management Magazine & Reinsurance Review Magazine) in the strongest possible terms that they should postpone indefinitely all plans for e-commerce if key escrow is implemented, as this scheme represents unacceptable and uninsurable levels of risk both to themselves and to their clients.

Jim Curry, Web Producer, London


I work for one of the largest interactive advertising agencies in the world - gratifyingly a British owned company.

It seems to me that the key escrow notion is misconceived. One effect may be to cause the UK to lag even further behind the USA in e-commerce, and to erase any advantage we would normally enjoy in this area as an English-speaking country.

Rory Sutherland, OgilvyInteractive


I find the current approach to key encryption extremely concerning, for two entirely different reasons.

From a commercial perspective, I believe that foreign businesses, who necessarily conduct a number of their activities in conditions of commercial secrecy, will be deterred from transacting some types of perfectly legitimate business within, with, or through the UK due to concerns over the possible access to and misuse of this information by individuals or government agents with an interest in such transactions. As a result, I believe the approach suggested will be severely detrimental to the UK over a period of time, given the exponential growth of Internet-based commerce.

From a personal perspective, I have grave concerns over the approach of a government - any government - which feels that the ability of any of its citizens to act of their own volition in manners which cannot be monitored by such a government is a matter of national concern. This is an intrusion into the privacy of the individual and an infringement of civil liberties (already poorly protected by law in this country), and is reminiscent of the bad days of the Soviet Union, or possibly the Orwellian visions of 1984.

As a result, I urge most strongly a review of the current government approach.

Nicholas Coote, Principal, Mazro Consulting


The whole concept of key-escrow is abhorrent to any free-thinking society. I view the whole proposal as an avoidance of the real problems which are used by the DTI to support key-escrow. I fully support the STAND's campaign against the move.

Andrew Gretton, ISDN Advisor, Edinburgh, Scotland


Whilst I appreciate the concerns for valid law enforcement, I am utterly opposed to key escrow. There is an effective, tried and tested method for obtaining personal and confidential information in a criminal investigation: judicial warrant. This is, in my opinion, the ONLY system which will maintain the balance between legal access and personal privacy.

Ian Lowe, Managing Director, Wintermute Consultancy Ltd.


I am a computer professional and the designer and builder of mass market word-processing software in the 80s and mass market Internet access software in the 90s. Millions of people have used my software. If they asked my opinion of key escrow I would have to tell them that using such a system was a totally unnecessary risk. Usually when the government endorses a technology you know it is good. Since they only propose to license escrowed schemes you'll still have a measure of quality, and that will be to avoid the official schemes. Keys will hemorrhage from escrow holders through mistakes, system failure and outright corruption. I call it "licensed to leak" and advise everyone to use a reliable encryption system instead.

Richard Clayton, Internet Expert, Demon Internet Ltd


Any plans by the DTI to sponsor the key escrow system are the equivalent of handing your door keys, passwords, and all your communications to the government. In my opinion such a proposal is a threat to civil liberties as no "trusted third parties" exist. Information Systems are insecure by nature, and there will always be people with access to such systems from within so-called "trusted" organizations.

Sebastien Lahtinen, Director, NetConnex Ltd.


As a long term Internet user, who takes a keen interest in legislation affecting citizens' rights, I view with increasing concern the DTI's plans to sponsor the escrow of private keys. This proposal is, in my opinion, a dangerous threat to civil liberties and could well hinder the development of e-commerce in the U.K. to the detriment of British companies and entrepreneurs. It is already the case that extremely powerful software providing unbreakable encryption is already in widespread use on the Internet, for business and for personal use. This software is readily available, and costs nothing. It is extremely unlikely that government support will encourage criminals to switch to commercial software that deliberately leaks their private keys to a third party. This being the case I hope you will think again about the proposed bill which is unlikely to solve any of the problems it was designed to deal with.

Christopher Eden, English Language teacher


As a senior IT and business consultant to a major British international investment bank, I am extremely concerned about the proposed legislation. In particular I believe that Britain is now in a perfect position to profit from the growing Internet commerce - so long as no ill-considered bills such as this are passed. Please read the STAND document, and please listen to knowledgeable and concerned constituents such as myself.

This bill will, categorically, catch no criminals. It will, categorically, drive commerce away from this country.

Peter Stephenson, Marylebone


I suggest that MPs do the following: (1) place all of their bank account and credit card details, including PIN numbers, into one database held on the computer of a trusted third party, (2) announce that this had been done, (3) see how long it was before a hacker had gained access and put himself in a position to defraud any MP at will.

Should this proposal seem worrisome then the Key Escrow proposal should be absolutely alarming.

I transact business on the Internet on an almost daily basis and I certainly would not do business with any company which put the encryption key into a third party database which would, in practice, be begging to be broken into.

Dr John Brown, Greenford, Middlesex


I am a professional communications systems designer, who represents my "Queens Award for Export" winning company, on the global panel creating the "Universal Mobile Telecoms System". I am not going to comment on the other problems with the DTI's position, other than to say that I do of course agree with STAND. I am simply going to say that I don't understand how a responsible organization like the DTI can ignore such an overwhelming deluge of common sense from so many different and diverse organizations. Please have the courage to re-examine your opinions and think again about condemning our country to the backwaters of the new world order.

Andrew Meredith, BEng AMIEE


As the owner and managing director of Magnum Solutions, a company which specialises in providing tailor made Internet solutions, I am extremely worried by the DTI's plans regarding the escrow of private encryption keys. I believe that the proposals are a major threat to Internet business and am extremely concerned about the detrimental effects that they will have on my company and our customers.

Dave Cross, Owner, Magnum Solutions Limited, London.


As an information technology professional, I have viewed with increasing concern the DTI's promotion of key escrow technology, for the following reasons:
1. I believe that the key recovery systems suggested constitute an unwarranted infringement on the individual's right to privacy.
2. I believe that they will damage rather than promote electronic commerce in the UK.
3. I believe that they will promote opportunities for crime rather than prevent it as suggested.

Alex D. Baxter, Data Manager, ACST


I have been using the Internet for several years, in a professional as well as personal capacity. I feel that the current plans by the DTI to hand control of private keys for encryption over to a third party or parties is flawed, as well as pointless.

I personally would not feel safe entrusting, what is in effect, my email privacy to a third party. What would happen if a hacker group or terrorist organization was to gain access to one of the master computers?

Please take these views into consideration,

Tom Buck, tom@atari.co.uk


As a consultant working on Internet projects, I view with increasing concern the DTI's plans to sponsor the escrow of private keys. This proposal is flawed and a threat to the new economy. It can only hinder the development of Internet commerce in the UK.

Salim Fadhley, Internet Marketing Consultant, East Dulwich


It is with great concern that I hear of the DTI's plans to sponsor the escrow of private keys for public key encryption systems. While it is true that I rarely have the need to send encrypted e-mail, it nevertheless strikes me as a fundamental blow to civil liberties and personal privacy to attempt to control it. Moreover, I can see no defensible argument which would indicate that such a move is likely to reduce criminal activity on the Internet. The only thing it might achieve is to severely hamper the growth of Internet commerce, a new and important potential contributor to our economy. Unfortunately, it is all too indicative of an increasingly over-weening state, where the freedom of the individual is becoming subservient to government and police, and where the law-abiding citizen is treated as guilty by implication, simply from a desire for privacy. It is a direct attack on our ancient rights, where the citizen is presumed to be innocent until proven guilty. I would contend that any government which attempts to restrict freedom in this way is infringing on basic civil liberties, and I would expect the legality of such a move to be challenged in the courts, as it was, successfully, in the USA.

Paul Spring, Software Consultant, Cambridge


As a company that provides services to users of the Internet, I strongly disagree with any involvement by the UK or any other government to encourage organizations to supply security key information to any third party.

It is the responsibility of each user of the Internet to prepare sufficient security procedures to govern any materials which are either broadcast via the Internet or made available on the Internet.

To rely on third party controls could lead to both misuse and potential abuse of security control.

The ethos of the Internet is: "a free and open environment for people to share ideas and information". As more and more people use the Internet it is necessary to maintain this freedom to allow natural growth in the forms of usage. Any government involvement to inhibit access or to stem this growth will prove both counter-productive and potentially inhibitive to the nation's access to such an exciting and innovating environment.

Jeff Turner, Middleworld Limited


As a computer consultant, I work with a lot of companies in implementing their e-commerce and security strategies. Key escrow is a concern to these companies from a commercial standpoint, and also worries me personally.

Central to any computer security strategy is the notion of trust. Key escrow makes legitimate security impossible for companies as they are obliged to greatly increase the risk of their keys falling into hostile hands. In addition, it is very unlikely that key escrow will have any effect on criminal activity other than to make it simpler for criminals to obtain the keys belonging to legitimate businesses.

The proposed e-commerce legislation will affect me on a daily basis. It is in the nature of e-commerce that the business can be situated anywhere in the world, so long as it has a suitable IP feed. The proposed legislation will make it impossible for me to recommend the UK as a base for e-commerce, as international businesses will find it far easier to guarantee the security of their transactions abroad than in the UK.

Sean Hunter, Consultant


What the authorities seem to be failing to grasp, or at least appearing to, is that someone involved in criminal activities will not hesitate for a moment to add the offence of using a possibly unlicensed and/or prohibited encryption system to any other offences they may have committed or intend to commit.

Forcing consumers and businesses to use any particular encryption systems will damage the ability of the UK to compete in the worldwide marketplace that is the Internet, and will not in any way pose any threat to the well organized and funded criminal.

Also, the challenge to the basic civil liberties of the UK electorate is far too direct to be ignored.

Peter Galbavy, Director, Knowledge Matters Ltd.


In my capacity as an IT Professional and Internet Consultant, I feel it my duty to voice my opinions regarding the DTI's proposed sponsorship of a key-escrow based encryption technology for any and all Internet transactions from e-mail to the transmission of business sensitive financial data and stock orders, just some aspects of e-commerce. This proposal will support what I believe strongly to be a flawed, insecure and frankly financially dangerous to industry, method of securing electronic data for transmission via a global, public medium. The idea that this could help in Criminal Investigation strikes me as being optimistic at best. Criminals won't stop to think "Oh, but I must use a government approved encryption system to encrypt my email to the IRA about next week's bombing attempt". Those criminal elements who have things to hide aren't going to be put off by a bill saying "Using non-approved encryption systems will be a criminal offence" because they already are committing a criminal offence, and they don't want to be caught at it.

Christian Adams, Senior Consultant, Logitools Software Ltd, Lewisham North.


As an accountant with a national public house company I view with increasing concern the DTI's plans to sponsor the escrow of private keys. This proposal in my opinion is a dangerous threat to both civil liberties and the development of electronic exchange of information. I regularly communicate with members of my company and my home e-mail address sending information I would be uncomfortable knowing others could see it as a matter of right. Whilst I accept that it is by no means a 100% safe method of communication at least currently only the most determined can access this data.

Robert Brown, Financial Accountant, Punch Taverns Ltd, South Derbyshire


As the system administrator and head developer of a company involved in developing E-commerce systems for several overseas and multinational companies, I am deeply concerned by the key escrow policy threatened in the DTI's E-commerce bill, which would lose us our clients to fears that their confidential data may be read by a foreign (to them) government, by criminals (e.g. insider traders) briefed by leaked information, or by crackers (aka hackers) who have compromised the trusted third parties' systems.

Secondly any government restriction in our choice of encryption systems would affect our competitiveness in terms of costs but more importantly in our ability to react to the rapidly changing state of the art in encryption technology and science.

Dr Barry Adams, Systems Administrator, Magus Research


The DTI's proposals to ensure wide-spread key escrow are of great concern to me - as a product architect for software that absolutely requires the use of encryption for secure management of data networks, I am convinced that limits on encryption can only damage the growth of this and other software markets. In addition, I am a frequent user of e-commerce, where key escrow will make it impossible to trust the encryption used for secure transactions, with the result that the UK's fledgling e-commerce sector will be forced off-shore.

Richard Donkin, Product Architect, London


As a long standing Internet user, and as a technology analyst for a large international investment bank, I am personally and professionally concerned by the DTI's plans to sponsor the escrow of private keys.

This proposal in my opinion is theoretically and practically flawed and will affect me and the industry I work in on a daily basis.

Richard Dickens, Technology Analyst


This Bill seems to miss the stated aim while ignoring the global nature of the Internet. However, my main concern is that such costly, impractical and parochial measures can only drive E-commerce systems elsewhere. I cannot imagine advising clients to implement E-commerce systems in the UK under these measures while it would be cheaper and easier to go elsewhere.

Steve George, blah@dircon.co.uk


As someone involved in human rights and international justice campaigns relating to the Middle East, secure transmission of information from people suffering abuses is essential, as is the distribution of news to organizations and individuals campaigning against oppression by their governments. ESCROW arrangements hinder the private communication taking place and put people in other countries at risk, since the possibility of keys being transmitted to foreign governments would exist. It is also a gross infringement of civil liberties and freedom in this country. It will seriously affect all Internet communications and damage faith in the practicality of this medium.

Name withheld on request.


I work within major financial institutions in the city helping develop secure environments for trading to take place in.

In a climate where increasingly countries worldwide are enshrining the right to secure encryption within their legal systems and the "security" standards of the only major power to evangelise key escrow are routinely broken as a demonstration of their weakness I have to state my vehement opinion that any move towards key escrow or limited encryption strengths of any kind can only undermine both expansion of trade and the rights of the individual, whilst doing nothing to prevent the use of strong encryption within the criminal fraternity. [1]

The companies I work for handle data worth hundreds of millions. When protecting data of that value the relatively tiny cost of breaking a weak link, whether it be by obtaining an escrowed key from a repository or building specialized "brute force" decryption / key recovery hardware for standards weakened in any way is well within viable spend of those who wish to obtain such data and are considerably more aware of the reality of data-security than those who appear to be driving the proposed legislation. [2]

These are not hypothetical situations or the concerns of a minority technological elite. They are the facts of a reality which affects, directly or no, this country's economic prosperity and as a result the majority of the population.

[1] DES, the US data encryption standard, was broken within 24 hours recently. Third party key escrow itself, placing an entire corporation's data security within the hands of another corporation, is simply not acceptable, for hopefully obvious reasons.

[2] The minimal investment of hundreds of thousands of pounds when dealing with values of this size is not a deterrent. Sums far higher are well within the bounds of economic viability.

Matt Collins, Consultant


As an Internet page design controller, and daily user of the Internet, I view with alarm the DTI's plans to sponsor the escrow of private keys. This proposal in my opinion presents a grave threat to civil liberties and a severe blow to Internet commerce, and will surely affect me and the growing number of Internet users, indefinitely.

Janice Wood, Third Party Design Controller (Web), http://www.scoot.co.uk


As a Chartered Accountant and long term Internet user I view with increasing horror the DTI's plans to sponsor the escrow of private encryption keys. This proposal in my opinion is an insult to the intelligence of the law abiding citizens of this country who still represent a majority of the population.

I have seen little evidence of commitment to catching criminals, serious or otherwise, and indeed political terrorism seems to carry a penalty on a par with serial burglary.

It would be better if time and energy were spent on both traditional and effective methods of law enforcement.

T G Wood, Accountant


As a qualified computer professional, Internet developer, long-term Internet user and technology commentator, I view with increasing concern the DTI's proposals for sponsoring the escrow of private keys. Not only do the mechanisms proposed not achieve the stated aims and have worrying implications for existing civil liberties without any corresponding benefits for law enforcement and national security, but I believe that in the form of the proposals already publicized it will severely damage the UK economy.

When the UK is at the forefront of technical development in a successful regulatory environment it seems illogical to cast aside that advantage. Price differentials for Internet commerce already favour other countries and crippling the potential for ecommerce in this way will leave the UK in a poor position to take advantage of new opportunities in the next millennium. These proposals will affect not only existing Internet users but all UK businesses and most consumers for many years to come.

Mary Branscombe, Producer, AOL UK


As a computer programmer and web-site designer, I view with increasing concern the DTI's plans to sponsor the escrow of private keys. This proposal, in my opinion, is basically flawed, and will adversely affect the growth of Internet commerce.

R. Horrix, Petersfield, HANTS.


I work in the research department of one of the UK's major commercial real estate consultancies. As such I use the Internet constantly in my work. It has developed from nothing into one of our most important research tools in the space of 2-3 years.

The Internet is our preferred delivery system for all our information suppliers, and at the moment we are probably spending in the order of £100,000 to £150,000 per annum on Internet delivered services. However, if they are to continue to be able to supply us in this way it is essential that the security of the data with which they supply us is maintained.

It is a simple fact that the more people who know something, the less secure it is. No amount of safeguards will change this. If Internet businesses are not able to maintain the tight security they need from the UK, then they will simply move somewhere that they can. At the moment nearly all our suppliers are based in the UK, but there is no technical reason why they should be.

Michael Haddock, GVA Grimley


As technical director of an accounting software company I find the current proposals for key escrow disturbing and somewhat pointless. I for one would not advise our customers to trust a key escrow service for security. Any system where the highest required authority is that of a senior police officer cannot be trusted to secure any data at all.

Any proposal for key escrow will do nothing to enhance the powers of law enforcement to read or intercept messages. If the requirement is made that all messages be encrypted with an escrow scheme, all a criminal has to do is to encrypt an already encrypted message. This will have a commercial effect on software development for ecommerce in this country to condemn the UK to be a software backwater.

Peter Ibbotson, Technical Director, Lakeview computers PLC


As an Internet software developer and long-time Internet user, I meet the DTI's plans to sponsor the escrow of private encryption keys with concern and scepticism.

Key escrow is not only unenforceable and impractical; it impinges upon the right of people to communicate privately (without affecting their ability to do so) and will severely harm the competitiveness of British companies in the electronic marketplace.

The DTI's plans will damage the industry in which I work without in any way limiting or impairing the use of strong encryption in fraud or terrorist activities.

Matthew Kirkwood, Software Developer, TECC Ltd, London


I'm a network manager for a small ISP who is into E-commerce in a big way. The escrow of private keys is a stupid idea. It won't help e-commerce one bit. In fact it is likely to damage the public's opinion of e-commerce at a time when we should be trying our hardest to convince them that e-commerce is a GOOD THING.

For goodness sake... France has just GIVEN UP its silly ideas about encryption. How can we be even vaguely interested in STARTING something that everyone else has realized is worth STOPPING?

Nick Waterman, Network Manager, Leonet Ltd, Ilford South


Key escrow is a policy with no real technical or other justification. I am increasingly concerned about the DTI's proposals for the escrow of private keys. I am unconvinced that any criminal will voluntarily participate in a key escrow system when extremely strong encryption - not using escrow - will continue to be freely available for download from the Internet. I am furthermore concerned about the possibility for abuse of the escrow system, and the weakening of security surrounding it, particularly when related to financial transactions and systems security. Key Escrow presents severe obstacles to the government's own policy, for example, secure public access to personal information, and transferral of information over public networks. I am further concerned about the safeguards and audit tracking to be implemented in an escrow system to preserve the privacy of the individual and avoid the potential for misuse. I am concerned that private keys should not be transferred by any means, physical or electronic, since in so doing they can be compromised. Finally, I am concerned that for the government to implement policies affecting such important issues as global trade and communication that are not unilaterally agreed and implemented may prove such policies to be de facto ineffective or at the least damaging to the economic integrity of the country in the context of international communication and commerce. These proposals are undoubtedly dangerous for both the civil liberties of the wider public and the competitiveness of British industry.

Chris Pheby, Internet Strategy Consultant, ICE Labs


On behalf of the Board and membership of SWIM [South West Interactive Media Ltd] which represents the interactive media industry throughout the South West of England, please register our alarm at the DTI's plans to sponsor the escrow of private keys. This proposal is redundant in its conception and poses many threats to healthy and fair Internet commerce and competitive advantage, just as we're approaching an era when more and more businesses will depend on this means of transaction.

Beth Porter, Chair, SWIM.org.uk


I am a lecturer in law at the University of Bristol, and have been an active user of the Internet for the last six years. I am concerned that the plans of the Department of Trade and Industry to introduce legislation requiring or encouraging the escrow of private keys will infringe basic civil liberties and will do nothing to address the problems which the DTI has identified. In particular, it is basically wrong that one medium of communication (via computer) should be subjected to stricter controls than others (the post, telex, fax, or telephone). It is true that the Interception of Communications Act 1985 does not cover communications by means other than by post or public telecommunications system. However, the aim of that Act was to comply with Article 8 of the European Convention on Human Rights. Arguably, the right to privacy of communications guaranteed by that Article should be extended to communications undertaken by other means. To the extent that the proposed legislation does the opposite it is to be condemned.

Mark Gould, Lecturer in Law, University of Bristol


The DTI's plans to sponsor the escrow of private keys are a dangerously flawed concept. It will do nothing to ensure greater security or protection from criminals. It will infringe on the civil rights of honest individuals. And it will consign Britain to the also-rans of e-commerce. Brilliant.

Mike Robinson, Citizen


As an expatriate British citizen working on open international standards for (amongst other things) electronic commerce, I view the rumoured proposals for key escrow in the UK with great concern. I participated in the last DTI public consultation exercise on encryption and key escrow, and I thought that a clear message emerged from the summary of all the many dozen responses sent out afterwards by the DTI - namely, that escrow would discourage British companies from participating in electronic commerce, and would drive multi-national companies to base their e-commerce activities elsewhere. I strongly recommend that the DTI study the responses to that consultation exercise again, and reflect on the damage it could do to the UK's international trade position if it attempts to introduce regulations mandating key escrow.

Andrew Watson


As an experienced Internet user I am seriously concerned for the future of British e-commerce if the DTI's plans to sponsor key escrow are realized. The Internet is one of the most potent technological innovations of our age, and it offers wonderful opportunities for businesses across the globe. Over time, from this fertile environment will emerge winners and losers and it should be every government's aim to encourage their country's participation in the e-commerce revolution. Businesses will thrive and flourish in the online arena if nurtured and encouraged by a sympathetic and enthusiastic legislature. Please ensure that Britain is free to create an Internet presence of which we can be proud. Do not adopt a key escrow system - instead work with business to develop safe, secure and effective e-commerce solutions.

Simon Whitaker, Cardiff East


I am deeply concerned that the DTI plans to implement a system of escrow keys for online identification. My primary concern is that this action will stifle the growth of electronic commerce by placing an extra layer of unwanted government intervention on top of the existing infrastructure.

The primary reason that seems to be cited - to prevent "cybercrime" - is half-baked at best. In reality cybercriminals will not use government approved encryption techniques, but will adopt their own from freely available software, still bypassing government controls.

The Internet grew and continues to grow by virtue of the people and businesses that live within it. Government should seek to embrace the commercial and private ventures online to address some of the issues this paper seeks to address rather than attempt to impose.

Ross Hall, eBusiness Practice Leader, Aptus Solutions Ltd, London


As a computer scientist, I regard the DTI's proposed support for the escrow of private encryption keys as theoretically and practically flawed, and a blunder which could have been easily avoided by consulting any expert in the field. In my opinion, the plans will have about as much effect on crime as a campaign asking people to confess at their local police station if they have broken the law recently, and they represent an unwarranted burden on innocent law-abiding citizens.

Martin Frost, Programmer, Dynamical Systems Research Ltd


The DTI's plans to sponsor the escrow of private keys in order to facilitate the police in their fight against cybercrime strike me as being very ill-considered, not to say very naive. Apart from giving doughty old Inspector Knacker the right, on his own cognisance, to dip his digits in the stuff of private lives on suspicion that chummy is up to no good, Burglar Bill himself could not be very far behind.

I'm as concerned as most about the proliferation of paedophile material on the net, and no doubt as ignorant about other forms of crime perpetrated there, but this proposal sounds a very dangerous way of trying to tackle both. With the kind of expertise the DTI is able to call upon, far wiser methods could be devised.

John Hurst, Citizen, London


I work as a software engineer in the telecommunications industry, for the Canadian company Nortel Networks. I deal with Internet transactions on a daily basis as part of my job. These very often connect me to partners all over the world. We implement the highest possible standards of security in our Internet transactions. I am therefore very concerned with the up-coming government proposals for a state sponsored key escrow system. This would affect the way my company does business from this country immediately. The industry has a well known distrust of any form of key escrow and any lessening of trust in a business environment could deal a serious blow to on-line transactions.

Speaking for myself outside of work, I am also very concerned with other aspects of the upcoming bill. I wholeheartedly agree with each of the points in the STAND document, especially the availability of free high level encryption software from the Internet which would continue to be used by anyone who wanted to. In effect the government would be spending a very large sum of money to implement a system that would take years to build, putting us well behind the government's vision of leading the world in electronic commerce, and that in the long run would be used only by law-abiding citizens.

No one I have ever spoken to in the industry supports the idea of key escrow. Those that are not worried about the government having the easy ability to read all of their private email are still concerned that implementing the system would be very expensive, a cost that would no doubt be passed on to the end user, and actually lessen security according to all the experts in the field.

Lastly, if the system is put in place I am very concerned indeed that there is a proposal that it would be possible to retrieve the escrowed keys with a simple PACE warrant, unlike the current Home Secretary's warrant needed for the interception of data transmissions via telecommunications systems. I also very much agree with STAND that the best place to discuss the issue of electronic message interception is in the upcoming review of the 1985 Interception of Communications Act and not in a bill designed to promote electronic commerce.

The government stands a real chance of shooting itself in the foot if it publishes a document that businesses world-wide will see as the UK implementing a national system that has high cost and low security.

D. Durant, Nortel Network UK Ltd


I view this proposal with extreme distaste. The government might as well print our sensitive information in a weekly criminal publication.

Norman Peden, Network Engineer


As a computer professional with a responsibility for developing an E-Commerce strategy for a large life assurance company, I am concerned about the reports of the DTI plan to recommend the escrow of private keys. In my opinion, the proposal could provide a knife for unelected and non-accountable groups to hold to the jugular of the embryonic British E-Commerce community, reducing confidence and seriously threatening its growth potential.

Phil Todd, Strategy Development Analyst, CGU Life, York


I am concerned that the government's support for key escrow will prevent British business from competing effectively in the global marketplace of the 21st century. The fact that key escrow will also prove ineffectual in its intended role as a law enforcement tool only adds insult to injury.

Paul Harrison, Managing Director, Beta Software Limited, South West Surrey


As a computer scientist and long-term Internet user, I am very concerned by the DTI's plans to sponsor the escrow of private keys. This proposal will, in my opinion, seriously harm Internet commerce in this country and threaten civil liberties while providing little or no aid for criminal investigation.

Dr Martin Ward, Principal Consultant, Software Migrations Ltd.