Analysis of Part III of the (draft) Electronic Communications Act 1999

A summary of opinions

Introduction

Part III is the 'Home Office' part of the Bill under the heading 'Investigation of Protected Electronic Data'.

Clause 10 sets out the power to require that an encryption key be disclosed. Clause 11 allows information (in practice, the plaintext) to be provided in place of a key, PROVIDED that the Section 10 notice does not forbid this. Clause 12 sets out the offence of failing to comply with a Section 10 notice and gives a series of defences to that offence. Clause 13 creates a "tipping off" offence, which applies when a Section 10 notice requires the notice itself, and anything done in pursuance of it, to be kept secret. Clause 14 then sets out the penalties for the offences: up to two years for failure to comply with a notice and up to five years for tipping off.

Clause 15 sets out the safeguards to be given to disclosed keys, Clause 16 deals with a Code of Practice and Clause 17 with the appointment of a Commissioner to oversee the general workings of Part III. Clause 18 sets up a Tribunal for hearing complaints about Part III. Finally, Clause 19 provides a heap of useful definitions (presumably since the definitions in Clause 24 are from the DTI and were 'Not Invented Here').

Obscure note. Before they are passed, Acts of Parliament are called Bills. In the same vein, the constituent parts of a Bill are called Clauses and when passed they become Sections. For consistency with the language within the Bill these web pages will refer to a 'Section 10' notice although at present Section 10 is merely Clause 10.

Fundamental problems

This part of the Bill has generated a significant amount of analysis and objections to its content. These can be summarised under a series of headings - each of which leads to its own page of detailed analysis.

On the analysis pages a lot of material comes from UKCrypto. Please note that the various statements have been edited together to form a readable narrative. People did say all of these things but the 'conversation' was not necessarily in quite the order given. In several places, the original spelling has been improved to avoid distracting from the underlying message.

It's suggested that complying with a Section 10 notice is self-incrimination. This would make this part of the Bill contrary to the European Convention on Human Rights.

It is common for a message to be encrypted with a fresh 'session key', and only that session key is encrypted using 'Public Key Encryption', because PKE is slow. The distinction matters for the scope of a disclosure: a session key decrypts one message, whereas the long-term private key decrypts every message that has ever been, or will be, encrypted to it. Many people have therefore called for the Bill to recognise that supplying the session key would be a suitable response to a Section 10 notice. Clause 11 allows plaintext to be provided instead of a decryption key, but this is not the user's choice, because the Section 10 notice can require that the key itself be handed over.

The Clause 13 offence of Tipping Off seems to be deeply flawed and somewhat derided.

The way that Clause 12 is formulated seems to reverse the traditional Burden of Proof though the Home Office does seem to feel otherwise.

The meaning of rendering a message into an intelligible form is not as straightforward as it might at first appear.

There may be some real practical problems leading to a Failure to comply with a Section 10 notice, which go far beyond the proposed statutory defences.

Signature keys get special privileges under the Bill, but are these real, or indeed appropriate? Where are the safeguards if a Section 10 notice is for a signature key?

There are some complex issues when one considers accessing an escrowed key that has been split into many parts. Apart from the difficulty of knowing who to prosecute if the key is not handed over, it highlights once again the difficulty that the "no tipping off" secrecy imposes. There is probably also a need for a "good faith" defence of believing one was acting in accordance with a Section 10 notice.

The Safeguards in Clause 15 have flaws, especially since people seem to be immune from prosecution for transgressions. The role of the Commissioner is far too restrictive and the Tribunal has been defined in such a way that some aspects of Part III will have no oversight whatsoever.

Others have remarked that IPsec and other techniques providing Perfect Forward Secrecy will make wiretappers, and their need for Section 10 notices, a historical curiosity. With forward secrecy the session key is agreed afresh for each session and discarded afterwards, so there is no long-term decryption key that a notice could usefully demand, and nothing that can be handed over to decrypt recorded traffic.

Finally, there have been a number of constructive suggestions made on UKCrypto as to how Part III ought to be made to work. Let it never be said that all the commentary has been negative.

