INFORMATION SECURITY, CENSORSHIP AND PRIVACY

Peter Ford

First Assistant Secretary

Security Division, Commonwealth Attorney-General's Department

Canberra, Australia

June, 1996

Paper presented at the AIC 'I.T. in Government' Conference, Hyatt Hotel, Canberra, 19 June 1996

The views in this paper are those of the author and do not necessarily represent the views of the Australian Government.

Abstract

Within the OECD framework and elsewhere, governments are considering what policies they should adopt in response to technological developments leading to the creation of a Global Information Infrastructure. Issues of security and privacy in electronic commerce, censorship, law enforcement and national security have an international, as well as a national, dimension and the technological developments that are currently taking place need to be addressed at the international level. A transfer of cryptographic technology from the national security environment to the commercial environment is under way and is offering the prospect of greatly enhanced security and privacy protection but is also bringing with it new problems for the administration of civil and criminal law. Supporting legislation could be developed to set a framework for achieving creative solutions to the problems that need to be faced.


Introduction

Early in February an international conference took place in Canberra which was jointly hosted by the Australian Government and the OECD. The theme of the conference was `Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure'. Speakers from North America, Asia, Europe, New Zealand and Australia addressed a range of topics in a way that recognized areas of commonality between the three main subject areas as well as the tensions that can arise between different interests, particularly those of security and privacy.

This paper will follow up particular proposals relating to security and privacy that have emerged recently from a number of sources and will examine their possible application to aspects of the debate over censorship.

A fundamental question is: what is the role of government in relation to technological developments of this kind? On one view canvassed at the joint conference, government should not attempt any sort of prescriptive action, since it will only succeed in stifling innovation. The difficulties with this approach are: first, that, in the absence of any government requirement, security interests are usually ignored in technological developments (particularly in the communications area) and, unless governments take an interest from the earliest stages of development, expensive retrofits of security solutions are required; secondly, that censorship is an area which involves important political issues; and finally, that privacy protection has, in recent years, acquired the status of one of government's most important social objectives.

A competing view, also prominent at the conference, is that governments should be at the cutting edge of all social developments and should seek to shape their direction in ways that meet the public interest. This approach underlies the report of the Broadband Services Expert Group, Networking Australia's Future. A difficulty with it is that many of the issues in this area require the exercise of commercial judgment and government is not always well placed to make judgments in matters which are, at their heart, commercial. It is also sometimes argued that governments tend to favour comprehensive solutions which promise the world whereas real progress comes about from each commercial enterprise or government agency making decisions which best suit its circumstances.

My own view is that the truth lies somewhere between these positions. Government does have a responsibility to protect the public interest by requiring systems to be secure, to accommodate law enforcement's legitimate interests and to afford adequate protection against invasions of privacy and the transmission of objectionable material. At the same time, any measures it puts in place must conform to generally accepted norms about freedom of communication and civil liberties. It should also be recognised that a rule based approach, or one which seeks an overall solution to technological problems at the expense of individual initiative, is not likely to offer the best solution and is likely to create other more serious problems. The starting point for government action in this area is, I suggest, through participation in the work of standard setting bodies.

Standards

The development of commercial standards applicable to encryption within Australia is the responsibility of Standards Australia, which comprises experts from the public and private sectors. A standard based on OECD principles on IT security has been drafted and is currently being settled. The main focus is on technical issues such as connections between systems and on the implementation of international standards.

Of particular importance in this connection are the OECD Guidelines for the Security of Information Systems, which were adopted by the Council of the OECD in November 1992. Justice Michael Kirby chaired the Expert Group that prepared the Guidelines. Following their adoption, Justice Kirby wrote:

`The recommendations of the OECD Council recognize that the Guidelines do not affect the sovereign rights of national governments on matters such as national security determined in accordance with national law. There is also a recognition (relevant to countries such as Australia, Canada, the United States and Germany) that, in Federal countries, observance of the Guidelines may be affected by the local constitutional division of powers. This said, the recommendations now adopted by the OECD Council recommend that member countries establish measures, practices and procedures to reflect the principles contained in the Guidelines; that they consult, coordinate and cooperate in their implementation; that they agree as expeditiously as possible on specific initiatives; and that they disseminate the principles of the Guidelines widely and review the guidelines every five years with a view to improving international cooperation.'1

The Security Objective, which is pivotal to the principles, is stated in the following terms:

`The objective of security of information systems is the protection of the interests of those relying on information systems from harm resulting from failures of availability, confidentiality and integrity.'

`Availability' means the characteristic of data, information and information systems being accessible and useable on a timely basis in the required manner.

`Confidentiality' means the characteristic of data and information being disclosed only to authorised persons, entities and processes at authorised times and in the authorised manner.

`Integrity' means the characteristic of data and information being accurate and complete and the preservation of accuracy and completeness.

Some have suggested the addition of a fourth element `authentication', to highlight the need to ensure that the person at the other end of a communication is who he or she claims to be. As the Explanatory Memorandum points out, in the absence of sufficient security, information systems and, more generally, information and communications technologies, may not be used to their full potential. The Principles of the Guidelines, which follow the Security Objective, express nine concepts which are considered to be essential to protecting information systems. Shortly stated, they deal with accountability, awareness, respect for the rights of others, the need for a multidisciplinary approach, proportionality of security measures to threats and risks, the co-ordination and integration of security systems, the need for international co-operation and co-operation between various parties to deal with security challenges, the need to keep pace with technological and social developments and the need to ensure that security systems are compatible with the legitimate use and flow of data in a democratic society.

Australia has adopted these guidelines.

The Australian Standard, which is substantially based on the British Code of Practice, addresses issues such as management's obligations to set corporate information security policies, assets control, training of staff, physical and environmental security, computer and network management and system access control.

Within Australia, an inter-agency working group has been developing a proposal for a Public Key Authentication Framework (`PKAF') primarily to ensure that in electronic commerce the parties are who they say they are. The proposal calls for a management structure to verify various key generation systems, supervise the issue of key pairs and maintain a directory of the public keys. The PKAF proposal has been referred to Standards Australia for further examination. It is likely that the final product will depend for its efficacy on public and commercial support. A legislative approach in this area would be fraught with difficulties.

Encryption

Policy formulation in the area of encryption, which is receiving increasing attention in the media,2 is central to the debate over security. This subject has received a great deal of attention in the United States at the highest levels and is now being addressed by the Council of Europe and the OECD.

Within the OECD framework, meetings on encryption policy have been held at the working level in Paris in December last year, in Canberra in February and in Washington in May. An OECD group of experts is now engaged in the task of drafting international Cryptography Policy Guidelines. Other meetings will be held in Paris later this month and in September, with a view to finishing the task by February next year. It has been recognised within the OECD that there is an urgent need for international cooperation, since incompatible national solutions would not meet the requirements of global technologies and applications. It has also been agreed that policies must strike the appropriate balance among the needs of, for example, corporate users, manufacturers, individuals, law enforcement, national security, protection of privacy, and preservation of fundamental human rights and liberties. Delegates have discussed a number of possible approaches to encryption which could meet these needs.

In December, 1995 and in May of this year, the OECD experts meetings have been associated with forums on global cryptography policy, attended by more than 100 government and business representatives. The forums were co-sponsored by the International Chamber of Commerce, the Business and Industry Advisory Committee to the OECD and the OECD. The second forum held in Washington was also sponsored by the US Council of International Business. At the first forum, Ms Nanette Di Tosto, Vice-President of Bankers Trust, said: `There has to be a global policy on cryptography from which industry can develop standards. The market will then decide the solutions - what is the best technology to apply. Without such a policy the Global Information Infrastructure will not realise its full potential.' Describing encryption as a vital tool for business, Ms Di Tosto told the conference: `International business is demanding seamless web communications networks whereby information can flow in a free and secure manner. Secure worldwide communications are critically important as intruders, criminals and other unauthorised parties find increasingly sophisticated tools to violate the privacy and security of communications.' At the second forum, a draft of international cryptography guidelines was put forward for consideration by the OECD expert group.

Australia has been represented by the Attorney-General's Department in the expert group and also at the forums.

While we are taking an active role in these international discussions, one of our basic national objectives should be to encourage the development and success of Australian industry which, although small, is well established and very competitive.

From a security perspective there are two fundamental objectives.

These basic objectives are, I suggest, independent of technology in the sense that they should be equally relevant to any proposals relating to current technology, including the Internet, as to the coming broadband services.

At present, several security measures are available to protect electronic data and transactions but significant gaps exist in both the public and private sectors where information that should be protected is vulnerable.

Government use of encryption technology is subject to administrative controls designed to ensure that appropriate standards of protection are provided for sensitive information. Information bearing a national security classification of `confidential' or above may only be transmitted via an encryption system supplied by the Defence Signals Directorate (DSD) which is available only to government agencies. Other categories of sensitive information, such as that relating to law enforcement, may be transmitted via other systems. DSD is the source of advice for government agencies on appropriate standards of protection by means of encryption technology. Outside the area of national security, the take up of encryption technologies by government agencies to protect sensitive information has been slow. It is used, for example, by Australia Post and the Australian Transactions Reports and Analysis Centre (which provides data on financial transactions to law enforcement agencies) but, according to a survey undertaken by the Privacy Commissioner, only 12% of government agencies have installed encryption protection on their national communication networks and only 4% on communications between regional or State offices.3 Some agencies do, however, require the use of encryption software on all computers that are used for work at home.4

The threat to Government communications and computer systems has been assessed by DSD, in conjunction with the Australian Security Intelligence Organization (ASIO), as very real. In October 1994 a senior Defence official wrote:

`The threat is not confined to foreign espionage. Over the past year two major hacking attacks and a virus attack against Government computer systems were detected, and it is not unreasonable to expect that the incidence of these attempted penetrations will increase. DSD will continue to work closely with its clients in attempting to forestall these activities.'5

Last year, the Attorney-General's Department's IT system was subjected to a hacking attack by one of its own officers which threatened our reputation as a responsible government agency which securely handles a wide variety of government and commercial information.

In North America and in Europe the benefits offered by encryption technologies for security and privacy have been recognized in many official statements. A Council of Europe Recommendation on the protection of personal data in the area of telecommunications devices, with particular reference to telephone services includes a proposal that `means of offering encryption possibilities or equivalent safeguards to subscribers to mobile telephone networks should be found'.6

There are no restrictions on the use of encryption technologies in Australia but there are export controls relating to encryption hardware and software which oblige any exporters to first apply to the Australian Customs Service and, if necessary, submit an end-use and non-transfer certificate or similar documentation. Under the paperless export clearance system, exporters are required to quote a valid Defence licence or permit number (as well as a PIN number verifying the permit number) to Customs to obtain the necessary export clearances. These controls should be maintained for national security reasons.

In the United States and Europe considerable attention is being given to forms of encryption which involve the dissemination and management of a number of `public keys' which are required to read the data or message transmitted by a person or company. The originator retains a secret key which is divulged to no other party. One of the characteristics of this system which makes it suitable for commercial application, as compared to systems which employ the one secret key at each end of a communication, is that it is more practical in an environment where there are a large number of recipients of a message or conversely, where a large number of people need to do business with a single entity (as is the case, for example, in the banking industry).

One way of managing a public key system is to require that the keys be managed by a third party. In the United States, this concept has become known as `commercial key escrow' encryption whereas in Europe it, or a variation of it, is spoken of more often as `Trusted Third Party' encryption. The `key escrow holder' or `Trusted Third Party' is in a position to act as a `data recovery centre' where the key is, for some reason, lost, so as to facilitate decryption of encrypted messages on a routine basis and also to provide back up facilities in the event of a disaster recovery plan having to be implemented. In some systems, this person or company is also in a position to act as an intermediary in business transactions in much the same way as two banks will transact business with each other on behalf of their clients.

In Australia, the use of the term `escrow' is misleading. In Australian law, a document held in escrow becomes binding on the author when some condition has been performed; this is not the sense in which the term is used in legal parlance in the United States or in the particular context of encryption. For this reason, it is better to speak here, as in Europe, of Trusted Third Party systems.
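The data recovery role described above, as an added illustration that is not from the paper or from any product it mentions. It assumes, beyond what the paper states, that the user's key is split between several escrow agents so that no single agent can decrypt on its own, that a threshold of agents must each release their share, and that every release is recorded for audit; the cipher is a hash-based stand-in so the example runs offline.

```python
"""Toy model of a Trusted Third Party acting as a 'data recovery centre'.
Assumptions not stated in the paper: the key is split with Shamir secret sharing
across several escrow agents (a threshold of them must cooperate to recover it),
and each release is logged. The HMAC stream cipher is for demonstration only."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

PRIME = 2**255 - 19  # prime field for the shares; larger than any 128-bit key

def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial whose constant term is the secret at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_key(key: bytes, threshold: int, agents: int) -> Dict[int, int]:
    """Return {agent_index: share}; any `threshold` of the shares reconstruct `key`."""
    secret = int.from_bytes(key, "big")
    if not 0 < threshold <= agents or secret >= PRIME:
        raise ValueError("bad threshold or key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return {x: _eval_poly(coeffs, x) for x in range(1, agents + 1)}

def recover_key(shares: Dict[int, int], key_len: int) -> bytes:
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares the
    result is a random field element, which (almost surely) does not fit key_len."""
    secret = 0
    for i, y in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % PRIME
                den = den * (i - j) % PRIME
        secret = (secret + y * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 256**key_len:
        raise ValueError("shares do not reconstruct a key of that length")
    return secret.to_bytes(key_len, "big")

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; demo-only stream cipher."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce, bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

class EscrowAgent:
    """One Trusted Third Party: keeps a share per user and an audit record of releases."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._shares: Dict[str, int] = {}
        self.audit: List[str] = []

    def deposit(self, user: str, share: int) -> None:
        self._shares[user] = share

    def release(self, user: str, authority: str) -> int:
        """Hand over a share only against a stated authority (lost-key request or warrant)."""
        if not authority:
            raise PermissionError("release requires a documented authority")
        self.audit.append(f"{self.name}: released share of {user} under {authority}")
        return self._shares[user]

def recovery_scenario() -> Tuple[bytes, bytes, int]:
    """User encrypts, escrows the key 2-of-3 with a post office, a bank and a telco
    (the paper's examples of likely providers), loses the key; two agents restore it.
    Returns (original message, recovered message, number of audit entries written)."""
    agents = [EscrowAgent("post office"), EscrowAgent("bank"), EscrowAgent("telco")]
    key = secrets.token_bytes(16)
    message = b"constructed sample: settlement instruction, 19 June 1996"
    nonce, ct = encrypt(key, message)
    for idx, share in split_key(key, threshold=2, agents=len(agents)).items():
        agents[idx - 1].deposit("alice", share)
    del key  # the user's own copy is lost
    released = {1: agents[0].release("alice", "lost-key request #1"),
                3: agents[2].release("alice", "lost-key request #1")}
    recovered = recover_key(released, 16)
    return message, decrypt(recovered, nonce, ct), sum(len(a.audit) for a in agents)

if __name__ == "__main__":
    original, restored, entries = recovery_scenario()
    print(restored == original, entries)
```

The same `release` path, with a warrant as the stated authority, is how the warranted access discussed later in the paper would reach the key; the audit list is what an oversight body would inspect.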

Trusted Third Parties

Trusted Third Party encryption provides users with their own private keys for authentication and public keys which they may give to other parties. The keys are held by a party of their choice. In practice, only large agencies with wide networks such as post offices, banks and telephone companies are likely to be in a position to offer these services.

In selecting Trusted Third Parties, large corporations are able to make commercial choices on the security systems most suited to their needs. Small businesses and the general public are also able to obtain a good basic level of encryption through any firm or agency willing to offer its services as a Trusted Third Party. There is no element of compulsion.

The services comprise backup and recovery facilities for small and medium enterprises, certificate issuing facilities and `yellow and white pages' directory services.

Of course, individual users may prefer encryption systems that do not require the deposit of keys with any Trusted Third Party. From one point of view, such systems may be considered more secure since they do not make users dependent on anyone else. Why entrust one's security to a post office, bank, telephone company, or other third party, when one's own employees (or better still, oneself) may be considered more trustworthy? Similarly, a person who uses encryption to protect criminal communications may be expected to have a strong preference for systems that do not involve third parties. Unless there are market or technical imperatives underlying the adoption of Trusted Third Party systems, their future may be limited.

Discussion of this issue in recent years has been dominated by the maintenance by the United States of export controls on encryption technology. This reflects the way in which encryption technologies have migrated from the national security area to commercial applications.7 While the U.S. Administration has sought to meet industry concerns by liberalising its export restrictions, high technology industries seek a longer and therefore more powerful encryption key than the Government is willing to grant and object to what they see as Government demands that law enforcement agencies have `back door' access to such transmissions that would allow them to intercept coded messages.8

The full range of techniques for protecting information is evident in discussions of electronic commerce. Uncertainty about the application of existing legal rules to transactions conducted by electronic commerce appears to have impeded its widespread adoption in Australia. Chief among these techniques is authentication, which, as the PKAF proposal outlined above makes clear, is the process used to verify identity so that one can make sure that other entities are who they say they are. The technical means of achieving authentication may also facilitate the commercial acceptance of Trusted Third Party encryption, even though different techniques are required to protect confidentiality. The need for authentication to be provided by a third party gives ground for a degree of optimism about the commercial viability of Trusted Third Party systems.

Advocates of such systems claim for them a greater degree of security for users and access by law enforcement, under warrant, to encrypted data relevant to criminal investigations (both by interception of communications and recovery of stored data). Whether governments should favour any particular form of encryption is a matter currently under discussion in a number of international forums.

In Australia, the best strategy, and that most consistent with civil liberties, would appear to be to leave the issue of which form of encryption should be adopted to the marketplace. It is not yet clear which is `the best' or whether any particular form will be suitable for all users. Small business, for example, may prefer a cheaper, but less effective, encryption system for its purposes than would be acceptable to the banks. Government agencies may prefer something else and need not necessarily all choose the same solution. It is, of course, important to ensure interoperability between systems in use overseas and within Australia but that can best be achieved through the work of Standards Australia.

Legislation could play a supporting role by providing a basis for the registration and certification of Trusted Third Parties, their international accreditation, the definition of their duties (towards the users of their services, law enforcement agencies and national security agencies), the limitation of their liabilities and the compensation of users who suffer loss through the default of a Trusted Third Party that is unable to meet its obligations. In order to encourage the development of industry-wide solutions, legislation might also provide relief from Trade Practices legislation in this area. How such legislation might work in some particular cases is discussed later in this paper.

Law Enforcement

It is not yet clear whether, and if so to what extent, the legitimate interests of law enforcement may be protected through standards.

The use of encryption for criminal purposes has not yet become a significant problem for law enforcement agencies in Australia but is likely to do so in the near future.

The legitimate interests of law enforcement agencies in investigating criminal activity can be met by enabling them to demand, under judicial warrant, the decryption of encrypted data. This would be analogous to the power to search premises under warrant. A warranted power of this kind would be capable of applying to any form of encryption, whether or not a third party is involved. Where the `key' to encrypted data is held by a third party, the warrant would be served on that party. On current trends it could be anticipated that the third party will be located in Australia. If that is not the case there will, of course, be difficulties. In that event it may become necessary to seek remedies at an international level.9 Other proposed systems - for example, a system developed at the University of London and presented at the Brisbane Cryptography Conference in June 1995,10 - would appear to meet all concerns at an international level by enabling law enforcement agencies to obtain access to encrypted data within their jurisdictions by serving a warrant on a trusted third party within their own country, without the need for any international arrangements. However, it is not yet clear whether that system, or anything similar, will gain international acceptance.

Desirable features of any Trusted Third Party encryption system from a law enforcement perspective, as suggested by the FBI11, are as follows (U.S. `key escrow' terminology is used):

Desirable Characteristics for Encryption Products and Key Escrow Services

Federal Bureau of Investigation, International Cryptography Institute 1995, 22 September 1995

Purpose

To discuss Desirable Characteristics for Encryption Products and Key Escrow Services that:

For Purposes of this Discussion:

Introduction

Desirable Characteristics for Encryption Products

1. Information Identification
2. Provision of Subject's Information Only
3. Subversion of Decryption Capability
4. Transparency
5. Access to Technical Details to Develop Decrypt Capability

Desirable Characteristics for Key Escrow Services

1. Information Availability
2. Key Escrow Agent (KEA) Accessibility
3. Information Release by KEAs
4. Confidentiality and Safeguarding of Information

This draft statement was put forward for discussion of policy issues in the United States, but it may also serve as a basis for discussion of what characteristics law enforcement agencies would seek from any international encryption system.

If market developments favour encryption systems that do not involve third parties, the response of law enforcement agencies may be to rely on their traditional method of seeking search warrants. Search warrants could, in principle, be used to access encrypted electronic information in the same way as information on paper files. The difficulties, of course, are first, that such access is not covert and is therefore of limited utility in a continuing investigation and, secondly, that the person served with a search warrant requiring decryption of his or her information may conveniently `forget' the key. The law on self-incrimination may present a further problem. This issue is also discussed later in this paper.

Privacy: Protecting personal and commercial information

In June 1995, the House of Representatives Standing Committee on Legal and Constitutional Affairs tabled its Report: `In Confidence: A report of the inquiry into the Protection of Confidential, Personal and Commercial information held by the Commonwealth'. In general, the Committee found that the protections afforded to sensitive confidential third party information are `neither comprehensive nor reliable' and that `protection has not kept pace with the potential for abuse of the trust placed in the Commonwealth'.12

In relation to information technology security, the Committee said:

`An agency's security system for protecting computer based information should be designed to cope with all foreseeable threats. But not all risks can be foreseen. Precautions must be taken to detect those breaches which cannot be prevented. Security systems for computers need to be in place and need to be fully active. Senior managers need to take responsibility for the information technology security systems of their agencies and update them as the technology itself is updated. Systems standards should aim to prevent unauthorised disclosure. As a minimum, all agency security systems should be able to audit and identify wrongful access (and possible disclosure) and random `audit trails' should be implemented. The frequency of testing the adequacy of an agency's security system should be a function of the amount of confidential information held and the sensitivity of the information.'13

Similar injunctions are expressed in the Protective Security Manual.14

The Committee concluded that computer security is of critical importance to the protection of confidential information and recommended that all agencies adopt a comprehensive security system such as that provided by the Protective Security Manual, together with guidelines developed after incorporating advice from government agencies with expertise in computer security.15 The Committee recounted a case where a portable computer had been stolen from the home of a Comcare employee and noted that Comcare had since issued a directive to staff requiring approval of a member of the executive for any home based work and had decided that encryption software should be placed on all computers to be used for work from home.16 In noting this action, the Committee recommended that security manuals specifically address the process required to authorise work taken out of the fixed office site and the security features of portable computers.17

Transfer of Data

The Committee also examined legal safeguards applicable to the transfer of information between agencies and concluded that the heavy reliance on secrecy provisions in legislation specific to particular agencies is unsatisfactory. It observed that secrecy provisions have failed to meet the need for flexible regulation of the transfer of information between government agencies and that it is difficult to incorporate adequate privacy protection safeguards in secrecy provisions.18 In contrast the Privacy Act is structured so that it can regulate the information handling practices of Commonwealth agencies and the Committee considered that it should be used as the primary means to regulate the flow of confidential personal information between government agencies. It recommended that the Privacy Act should be reviewed and amended to ensure that the necessary degree of protection for transferred information is maintained. It also recommended:

`Recommendation 18: The Committee further recommends that each Commonwealth Government agency keep a record of authorised transfers of confidential personal information between agencies for the purpose of checking the legitimacy of access to such information. The record should include the names of individuals and organisations about whom information is transferred, the names of individuals and organisations to whom that transfer is made, and the date of the transfer.'19

A recommendation of this kind immediately raises the issue of practicality. In this connection, it will be important to consider what facilities are offered by information technology systems. Elsewhere, the Committee examined the performance of agencies in data matching and concluded that it was rigorous only where legislative requirements (the Data-matching Program (Assistance and Tax) Act 1990) were applicable. Consequently, it recommended:

`Recommendation 23: The Committee recommends that uniform controls for data-matching carried out by Commonwealth Government agencies be made a legal obligation and incorporated into the Privacy Act 1988.

Recommendation 24: The Committee further recommends that major data-matching programs proceed with the authority of a clearly identified senior executive service officer who is, where practicable, at a level no lower than SES Band 2.'20

Again, the issue of practicality arises, particularly in relation to control by senior officers. Technology may assist in this area also.

Censorship

It has often been said that the Internet is beyond regulation, if not in law then in practice. On the other hand, it is also possible that censorship in one country will, in effect, be imported into others, and a recent report indicates that this may now be happening.21 Compuserve, a company that provides its global subscribers with access to the Internet, apparently shut off access by all its subscribers to certain sex-related newsgroups because of warnings that some of these services violated Bavarian law. It seems that at the time the company had no technical means of confining its action to Bavaria or Germany. Not surprisingly, this action caused considerable concern amongst those who fear that the standard in censorship practice may be set by the `lowest common denominator'. Since then, however, there have been reports on the Internet that there is a technical solution to this problem.

In October 1994 a Bulletin Board Systems Task Force, which had been established in February 1994 by the Attorney-General, Mr Michael Lavarch, and the Minister for Communications and the Arts, Mr Michael Lee, reported on the regulation of computer bulletin boards. The Task Force Report, entitled Regulation of Computer Bulletin Board Systems, was published on 5 October 1994. Subsequently, a working party of officials was set up by Commonwealth, State and Territory Censorship Ministers to examine the implementation of the recommendations.

The Task Force recommended a coordinated approach to policy development. The Task Force Report stressed that issues concerning the development of Australia's information infrastructure should not be left to individual government agencies to consider within the context of narrow budget and program priorities. At the same time, it acknowledged that there are practical limits on regulation and that comprehensive government scrutiny of bulletin board content would be prohibitively costly and would leave governments open to accusations of `putting roadblocks on the information highway.'

The Task Force identified a number of options to regulate the content of material distributed by BBS. These ranged from voluntary adherence to an industry code of practice administered by an essentially private body to the complete application of a classification scheme similar to that for film and computer games coupled with an appropriate increase in law enforcement resources.

The 3 options that had the most support were:

At the present time, restriction of access to the Internet is largely a matter for self-regulation. Section 85ZE of the Criminal Code prohibits a person from, among other things, `knowingly or recklessly ... [using] a telecommunications service supplied by a carrier in such a way as would be regarded by reasonable persons as being, in all the circumstances, offensive'. However, the application of that provision to the operation of a bulletin board has never been tested. The varying degrees of control exercised by bulletin board operators would probably make it unsuitable as a means of overall regulation.

Self-regulation is also apparently the most practicable solution to the technical problems of censorship on the Internet. At a meeting in Paris last month, a consortium of Internet and computer firms released the specifications for a scheme - the `Platform for Internet Content Selection' (PICS). The scheme will allow content providers to label their offerings in much the same way as films are classified.22

If the legislative route is followed, the initial question is whether State or Commonwealth legislation is appropriate. The Task Force thought that since State and Territory law enforcement agencies have traditionally been responsible for the enforcement of censorship legislation, and will continue to be responsible under the new censorship regime which will apply to computer generated images not on bulletin boards, State and Territory laws would be more likely to be effectively policed by State and Territory agencies than would Commonwealth laws.

More recently, the Senate Select Committee on Community Standards Relevant to the Supply of Services Utilising Electronic Technologies concluded that on-line services should be regulated according to the censorship classifications applied to computer games.23 The Committee recommended that `it should be an offence to use a computer service to transmit, obtain possession of, demonstrate, advertise or request the transmission of material equivalent to the RC, R and X categories'24. The Committee also favoured the introduction of strong cryptographic signatures for Internet service providers to reduce difficulties in identifying the source of banned material25. Online service providers would be required to verify the identity of their clients and ensure that they are over 18.26

These recommendations have been criticised by PC User Groups27 as imposing too heavy a burden on Internet service providers and all online services. Whether or not this is so, the Committee's endorsement of cryptographic signatures to aid identification of sources has clear implications for the encryption debate. If legal obligations are impracticable, or Internet service providers and others feel they are subject to an unreasonably heavy burden in excluding objectionable material from their services, they may feel less inclined to opt for any system of encryption which would require them to give a key to a third party, since to do so may expose them to a greater likelihood of prosecution. Also, it would be necessary to `fill out' the Committee's recommendations in legislation by specifying how keys are to be managed securely and by defining the circumstances in which a person would become liable for accessing prohibited material. The existing Criminal Code provision relating to improper use of telecommunications services, s. 85ZE, incorporates a test of `knowingly or recklessly' doing certain things. While these legal concepts have well accepted meanings, their application in the Internet environment is anything but clear.

The Committee's recommendation in favour of a mandatory use of encryption technologies for authentication purposes does not necessarily imply that the use of encryption technologies for the purpose of ensuring confidentiality should be similarly mandated but it does raise the question whether, if there is to be legislation on encryption, it should cover the whole area of its possible application.

Pressures of this kind may make it unlikely that Trusted Third Party encryption will succeed in the market place. On the other hand, Trusted Third Party services would offer advantages to consumers, as well as to commercial enterprises, of data recovery, administration of keys and so on that could not be matched by other forms of encryption. In order to gauge how a Trusted Third Party system might work legally, it may be useful to outline some circumstances in which legislation of the kind outlined above might operate.

How Legislation Might Work in Practice

The operation of legislation of the kind outlined in this paper may be illustrated by the following examples:

A Company's encrypted data becomes inaccessible through action of its own employees

There are already companies in the United States to which other companies (and law enforcement) can turn to obtain software and services to gain access to encrypted data from which they have been locked out.28 The cause of the lock-out may be as simple as an employee departing and forgetting to leave his or her key or it may be the result of sabotage. Assistance may or may not be possible depending on the type of encryption used.

If the company's decryption keys are held by a Trusted Third Party there should be no problem in accessing the data. (It is the private or secret key used for decryption, not the public key, that must be held in recoverable form; a Trusted Third Party that managed only public keys could not restore access to anything.) If supporting legislation were in place it would be a basic requirement that the Trusted Third Party maintain sufficient information relating to its clients to enable it to recover the data within a specified time. In practice, it may also be necessary to set up some kind of inspection and accountability framework to ensure that sufficient resources are maintained for these purposes.

Data recovery services of this kind would also be called for in the event of fire or other natural disasters.

B Civil litigation between companies involving encrypted data

If access cannot be obtained to encrypted data there is a legal problem which, so far as I am aware, courts have not yet had to face. The evidence exists but no one can read it. In this situation it is likely that a court would base its judgment on whatever other evidence is available.

If on the other hand, the encrypted data is held by a Trusted Third Party, it would be a simple matter to require the third party, under subpoena or other form of legal process, to produce the key to the data and also the data itself in plain text. The position would be somewhat more complicated if the key were held outside Australia, as may be the case with a foreign company, but no more so than in other areas of civil litigation such as cases involving international bank transactions. Private international law has evolved rules for dealing with such situations.
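The recovery mechanism that scenarios A and B take for granted can be made concrete. The following is an added example and is not part of this paper, nor the product of any vendor or Trusted Third Party: it encrypts a record under a data key held by the company and attaches an escrow field in which that data key is wrapped under a recovery key held only by the Trusted Third Party, so that the Trusted Third Party can produce the key and the plaintext on a lock-out request (scenario A) or under subpoena (scenario B). The cipher is a demonstration construction built from HMAC-SHA256 so that it runs with the Python standard library alone; a deployed system would use a standard authenticated cipher and would wrap the data key under the Trusted Third Party's public key rather than a shared secret key. The function names, the record layout and the sample text are assumptions made for the example.

```python
"""Trusted Third Party (TTP) key recovery, illustrated.

Added example, not code from the paper or from any TTP product. The cipher
below is a demonstration construction (HMAC-SHA256 keystream with an HMAC
tag) chosen so the example needs only the standard library; use AES-GCM or
similar in practice. Names and record layout are assumptions.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from HMAC-SHA256 (demonstration only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; raise if the key is wrong or the data altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def seal_with_escrow(data_key: bytes, ttp_recovery_key: bytes, plaintext: bytes) -> dict:
    """Encrypt the record under the company's data key and attach an escrow
    field: the data key wrapped under the TTP's recovery key. The TTP sees
    no plaintext unless recovery is actually invoked."""
    return {
        "body": encrypt(data_key, plaintext),
        "escrow": encrypt(ttp_recovery_key, data_key),
    }


def recover_via_ttp(ttp_recovery_key: bytes, record: dict) -> bytes:
    """What the TTP does on a lock-out request or a subpoena: unwrap the data
    key, then decrypt the body. Decrypting the body with the unwrapped key
    also verifies that the escrow field held the key the body was really
    encrypted under, so a client who attaches a bogus escrow field is
    detected at recovery time rather than silently defeating it."""
    data_key = decrypt(ttp_recovery_key, record["escrow"])
    return decrypt(data_key, record["body"])


def demo() -> bytes:
    """Scenario A: the employee leaves without handing over the data key."""
    ttp_recovery_key = os.urandom(32)   # held only by the TTP
    data_key = os.urandom(32)           # held by the company's employee
    # Constructed sample record, not real business data.
    record = seal_with_escrow(data_key, ttp_recovery_key, b"Q3 ledger: constructed sample")
    del data_key                        # the company's own copy is now gone
    return recover_via_ttp(ttp_recovery_key, record)


if __name__ == "__main__":
    print(demo())
```

Two properties of this arrangement matter for the legal framework discussed in this paper. Whoever holds the recovery key can read every record sealed this way, which is why the inspection, accountability and registration requirements canvassed above attach to the Trusted Third Party rather than to its clients. And recovery depends on the escrow field being genuine: a client who substitutes a wrong escrow field locks the Trusted Third Party out as surely as a lost key, so a recovery service must verify, as `recover_via_ttp` does, that the unwrapped key actually decrypts the body.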

C Company wishes to offer services as Trusted Third Party

It would be possible to set up a purely voluntary industry-based system which would rely on accreditation by an industry body of some kind under a procedure analogous to that of accreditation as a master builder. Under such a system, consumers would be free to choose whoever they wished as a Trusted Third Party but would be on notice that if they were to deal with someone who was not accredited, certain safeguards would not apply. The legal obligations of a non-accredited Trusted Third Party would, however, be the same as those of an accredited one. Obligations would relate particularly to the interests of users and law enforcement. Provision could be made for the maintenance of a fund to compensate users who suffered loss through the default of a registered Trusted Third Party.

If a mandatory system were to be proposed, the conditions for registration would need to be set out in legislation and provision made for appeals against refusals to the Administrative Appeals Tribunal. Conditions might relate to matters such as good character, solvency and expertise.

D Law enforcement investigators seek access to encrypted data or communications

Under s.10 of the Criminal Code, a Justice of the Peace may issue a search warrant upon being satisfied that there is reasonable ground for suspecting that there is `in any premises, aircraft, vehicle, vessel or place' anything relating to the commission of a Commonwealth offence. The Telecommunications (Interception) Act 1979 provides a more stringent regime for the issue of warrants to allow interception of telecommunications but the principle is the same. (Warrants may only be issued by a nominated judge of a court created by the Federal Parliament, are available only in respect of specified offences which, generally speaking, carry a penalty of 7 years imprisonment or more, and are subject to strict accountability requirements.)

It would be possible to adapt the search warrant power to specifically enable access to be obtained to data stored on a computer if, indeed, any adaptation is required. Although the existing search warrant power in the Criminal Code and equivalent State provisions, would already apply to information in electronic form, it would not require the holder of such information to decrypt encrypted data. Execution of a warrant served on the person being investigated would be subject to the law on self-incrimination which, in many circumstances, would allow that person to refuse to comply. The law could be modified to require production of the key but, if the person claims to have lost it, there is no simple answer.

In this respect a Trusted Third Party system would have clear advantages for law enforcement. A warrant served on a Trusted Third Party would be much less likely to encounter frustration tactics and the Trusted Third Party would be bound by legal rules, backed up by the court's power to punish for contempt, and possibly also by the prospect of its registration being cancelled.

The interception powers in the Telecommunications (Interception) Act 1979 are clearly available in respect of the transmission of data, whether in encrypted form or plain text, but those powers do not require anyone to decipher encrypted messages. If law enforcement agencies are unable themselves to break the encryption, they will need specific legal authority to obtain assistance from other sources: as it stands, the legislation would prohibit the communication of intercepted information, even in encrypted form, to a third party for the purpose of deciphering it. Again, if Trusted Third Party encryption is involved the problem is reduced. It would then be possible to obtain and serve a search warrant on the Trusted Third Party without compromising the covert investigation.

E Prosecutions are launched requiring proof of encrypted transactions or records

Under s.147 of the Evidence Act 1995, it is presumed, in effect, that in producing a document which is part of the records of a business, a device or process that is usually employed for that purpose (such as an automatic teller machine) worked properly. The presumption may be rebutted by evidence sufficient to raise doubts. In that case, it would be necessary to prove, by some other means, that the device or process worked properly. There are already indications in the lower courts that this burden of proof is becoming a significant problem, at least in the U.K.29 While there are no simple solutions to such problems, the usual way of dealing with them is to monitor judicial cases and, if the problem appears to require further legislation, to develop specific proposals for consideration by the Parliament. This problem would seem to call for the same response.

In this area Trusted Third Party encryption would not be of much assistance. It would, however, have other advantages stemming from the independent role of the Trusted Third Party. Evidence given by a Trusted Third Party relating to the content of stored data or the meaning of encrypted messages could be relied upon to a much greater extent than evidence of the accused or of the relevant law enforcement agency.

Conclusion

This paper has put forward an approach which could be characterised as one primarily of self-regulation but relying on a legislative foundation to support a system of Trusted Third Party encryption.

Standards setting bodies would lead the way in determining what form should be taken by cryptographic solutions and the extent to which different solutions should be interoperable. Users should remain free to choose solutions which best fit their particular requirements.

Legislation of the kind outlined in this paper may be needed to support the accreditation of Trusted Third Parties and to define their duties and limit their liability. As indicated above, registration could be either voluntary or compulsory although a compulsory registration system would offer better consumer protection. Legislation may also be needed to ensure that court action in criminal and civil matters may proceed according to well established legal principles. Investigative action by law enforcement agencies should be authorised by warrant and the law on self-incrimination should be clarified to ensure that a lawful demand for the `key' to encrypted information must be satisfied. The law of evidence should be monitored to ensure that matters requiring proof can be satisfactorily dealt with.

Footnotes

1 Hon. Justice Michael Kirby, `Security of Information Systems', The Computer Law and Security Report (1993) p. 190.

2 See, for example, `Piracy in cyberspace', The Bulletin, 5 December 1995, p. 80.

3 Privacy Commissioner, Seventh Annual Report on the operation of the Privacy Act, 1994/95, p. 88.

4 Parliament of the Commonwealth of Australia, House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: A Report of the Inquiry into the Protection of Confidential Personal and Commercial Information, June 1995, pp. 41 and 52.

5 Ken Barnes, `The Defence Signals Directorate - Its Role and Functions', Defence Force Journal, October 1994.

6 Council of Europe Recommendation No. R(95) 4 of 7 February 1995, clause 7.20.

7 See, e.g., `Piracy in cyberspace', The Bulletin, 5 December 1995, p. 81. A similar development is apparent in the United States - see, e.g., Guy L. Copeland and Frederick G. Tompkins, Computer Sciences Corporation, `A New Paradigm for the Development of U.S. Information Security Policy', September 1995.

8 See, e.g., `Industry Group Rebuffs U.S. on Encryption', New York Times, 8 November 1995.

9 cf. the proposed U.S. requirement for Key Escrow agents providing domestic services to reside and operate in the U.S.: paras 2 and 4 of `Desirable Characteristics for Key Escrow Services' set out below. It may not be practicable for countries other than the United States to impose such a requirement.

10 Nigel Jeffries, Chris Mitchell and Michael Walker, `A Proposed Architecture for Trusted Third Parties'.

11 `Law Enforcement Requirements for Encryption', paper presented at the International Cryptography Institute Conference, Washington, September 1995.

12 Parliament of the Commonwealth of Australia, House of Representatives Standing Committee on Legal and Constitutional Affairs, op. cit., June 1995, p. (iii).

13 ibid. p. 176.

14 Attorney-General's Department, Protective Service Manual, para 6.40.

15 op. cit. pp. 50-51.

16 ibid. p. 52.

17 ibid. p. 53.

18 ibid. pp. 61-62.

19 ibid. p. 63.

20 ibid. pp. 70-71.

21 See `Sex on the Internet', The Economist, January 1996, p. 20.

22 The Economist, 18 May 1996, p. 94.

23 Senate Select Committee on Community Standards Relevant to the Supply of Services Utilising Electronic Technologies, December 1995.

24 ibid. Part 2, p. 18.

25 ibid. Part 2, p. 20.

26 ibid. Part 2, p. 23.

27 See, e.g., The Australian, 5 December 1995, p. 30.

28 Dorothy E. Denning, `The Future of Cryptography', Internet Security Review, October 1995, pp. 5-11.

29 Ross J. Anderson, `Crypto in Europe - Markets, Law and Policy', p. 50, paper presented at the Cryptography: Policy and Algorithms Conference, Brisbane,



Last Amended: 20 June 1996


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).