Response to the Department of Trade and Industry's
"Licensing of Trusted Third Parties for the Provision of
Encryption Services"
The Key Escrow Working Group of the Information Security Committee, Section of
Science and Technology, American Bar Association, offers the following
observations, comments, and suggestions to the Department of Trade and
Industry's (DTI's) "Licensing of Trusted Third Parties for the Provision of Encryption
Services." Please note that the views expressed herein have not been approved
by the Information Security Committee, the Council of the Section of Science and
Technology, the House of Delegates or the Board of Governors of the American Bar
Association and, accordingly, should not be construed as representing the position
of the American Bar Association.
The Information Security Committee (ISC) is working to create a legally sound and
technically viable framework for the emerging global public key infrastructure. The
ISC is composed of lawyers and technologists representing state and federal
agencies, private industry, and firms. It includes lawyers, barristers, notaries, and
technologists from several countries in Europe and Asia. Among the ISC's
accomplishments is the Digital Signature Guidelines, which were released in June
1996.
The Key Escrow Working Group (KEWG) within the Information Security Committee
is engaged in the development of guidelines to support the commercial use of key
escrow mechanisms.
The KEWG offers four points in this comment. Two refer specifically to subsections
of the DTI's proposal, and two are general observations about the nature of the
proposal.
I. Paragraph 60: Mandatory Licensing by a Centralized Licensing Authority.
The United Kingdom proposes its model as a base for nations that choose
to join the global public key infrastructure. The national Licensing Authority is
proposed to be a governmental function.
Five points of concern arise from this configuration.
Business Function. Many proponents of cryptography oppose a centralized,
governmental management system. It is acknowledged that the rise of
Internet cryptography is primarily for personal and business use; military
or national security uses will remain concealed from the public eye and
will not be managed in conjunction with the keys this plan addresses.
Since the use is privately oriented, its management should also be in
private hands. We recommend that the United Kingdom make it clear that
the Licensing Authority need not be a centralized, governmental
operation. In addition, mandatory licensing of Trusted Third Parties
(TTPs) will not serve to optimally facilitate electronic commerce; if the
United Kingdom in fact opts for licensing TTPs, a voluntary licensing
program is preferable. Unlike the global communications system by
satellite (Intelsat), the Internet uses a variety of networks and
technologies to create an open and sometimes difficult to manage
enterprise. Mandatory certification would artificially attempt to resolve
complex techno-legal issues in ways that may injure, rather than
promote, the growth of international electronic commerce. The United
Kingdom could institute a program of incentives, which might include
benefits such as limits on liability, to encourage TTPs to register with the
government. Under a system of voluntary registration, participants in the
public key infrastructure would be encouraged to register with the
government where that closely suits their operations. Other systems,
however, would be allowed to develop where they were most appropriate.
By offering a "carrot" instead of a "stick," creativity and development of
Internet commerce would be facilitated instead of circumscribed.
International Industrial Espionage. There are, in fact, certain situations in
which a non-governmental entity might be the preferred Licensing
Authority. If a rogue nation sets up a governmental Licensing Authority
that purports to meet standards set by an international convention, the
international business community will probably remain trepidatious about
the extent to which such an entity can be trusted. If such a rogue
government, for instance, were to obtain an order to access the large
body of tremendously useful information passing encrypted through its
channels, for the purpose of obtaining industrial technical secrets from
critical multinational corporations, it would be extremely difficult for a
governmentally operated entity to deny the order. In some countries, the
goals toward which the key recovery plan reaches might be better
achieved if the Licensing Authority were a completely independent body.
Potential for Abuse by Authorities. Covert wiretapping and decryption
without notice are not processes that encourage accountability on the
part of authorities. It is true that the use of strong cryptography presents
something almost unparalleled in history: the ability to fashion an
impregnable container, one that will keep its contents secure no matter
how much force is applied. In the past, a sufficient amount of cannonry
eventually permitted a breach of even the sturdiest fortress. The use of
strong cryptography may significantly change this equation, and hence
the argument arises that more extreme measures are required, measures
akin to requiring citizens to deposit keys to their homes with the local
police force. If the
people decide that for their own protection they should surrender their
ability to have impenetrable security through the use of cryptography,
then it would seem they have the right to require more accountability on
the part of those with access to what has been protected. There are
ways to address this, such as requiring that two judges independently
approve covert wiretaps, or by publishing the number, goal, and results
of such wiretaps after the fact (or both). This subtle public policy
equation does not appear to be recognized or addressed in the
Department of Trade and Industry's proposal.
International Trade. The licensing of cryptography imported into the United
Kingdom would force software producers to tailor their products to
licensing criteria, rather than to customer and industry demand. As a
recent report by the Electronic Frontier Foundation states, the
requirement of key escrow has important diseconomies with regard to
both cost and the effectiveness of key security. The possibility of
criminal theft of keys increases exponentially when key escrow is
implemented. This type of effect will increase the cost of doing business
and may discourage high-technology investment in the United Kingdom
and in Internet commerce around the globe.
Exemption of Certain Classes. It seems plausible that certain classes of
uses or users should be completely exempt from public key recovery.
Those who benefit from evidentiary privileges under common law, such
as attorneys, physicians, and clergy, are probably most logically eligible
for exemption in a public key infrastructure, based on their long-accepted
need to avoid compromise of their respective privileges in order to
operate effectively. In a federal system, furthermore, questions about
state governmental business as an exempt category also arise.
Categories where exceptions or exemptions might properly apply are not
addressed in the United Kingdom's key recovery proposal.
II. Paragraph 87: Strict Liability of Trusted Third Parties.
The KEWG does not see it as advisable to impose strict liability on TTPs.
First, imposition of strict liability on TTPs would serve to discourage
companies from becoming TTPs. Such a regime would make it difficult or
impossible to obtain insurance, and equally difficult, in such a new and uncertain
industry, to self-insure.
Second, imposition of strict liability on TTPs would remove the incentive for
customers of a TTP to follow reasonable security procedures on their own behalf.
The potential liabilities for TTPs may in fact be so high that premiums would
be prohibitive, absent innovative mitigation measures.
Two ways in which TTPs might choose to address the liability problem are
key-splitting and separation of the encrypted key recovery keys from access to data.
In a key-splitting arrangement, a secret sharing technique is used to
split the key into two or more pieces, so that no single key recovery agent
(KRA) or TTP could decrypt the information alone. By setting up a system
whereby collusion would be
required to access keys, the risk of key compromise would be substantially
lessened. The anticipated result would be greater comfort on the part of users and
less potential liability for TTPs.
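The key-splitting arrangement described above, as an added example that is not part of the working group's comment: a threshold secret-sharing split of a key recovery key, so that a chosen number of KRAs or TTPs must collude to reconstruct it while any smaller group learns nothing. Shamir's scheme over a prime field is assumed as the secret-sharing technique (the comment names none); the key, threshold and number of holders are constructed sample values.

```python
# Added example (not from the ABA comment): Shamir threshold sharing of a
# key recovery key among several KRAs/TTPs. The prime field and the sample
# key below are assumptions chosen for the demonstration.
import secrets

# Mersenne prime 2^521 - 1; any key of up to 65 bytes fits below it.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, holders: int):
    """Split `key` into `holders` shares such that any `threshold` of them
    reconstruct it and any fewer reveal nothing about it.

    Returns (x, y) points; one point is handed to each KRA or TTP.
    """
    secret = int.from_bytes(key, "big")
    if not 0 < threshold <= holders or secret >= PRIME:
        raise ValueError("bad threshold or key too long for the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def combine_shares(shares, key_len: int) -> bytes:
    """Recover the key from a colluding set of holders by Lagrange
    interpolation at x = 0. With fewer than `threshold` shares the result is
    a field element unrelated to the key, not an error."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # A wrong reconstruction may exceed key_len bytes; size the output to fit.
    return secret.to_bytes(max(key_len, (secret.bit_length() + 7) // 8), "big")


def demo():
    """2-of-3 split of a constructed 32-byte key recovery key."""
    key = secrets.token_bytes(32)
    shares = split_key(key, threshold=2, holders=3)
    return {
        "any_two_recover": combine_shares(shares[:2], 32) == key,
        "other_two_recover": combine_shares(shares[1:], 32) == key,
        "one_alone_fails": combine_shares(shares[:1], 32) != key,
    }


if __name__ == "__main__":
    print(demo())
```

The threshold is the policy knob: a 2-of-3 split means any single KRA, whether compromised or compelled, holds a point on a random line and nothing more, while the TTP's exposure to liability for a lone insider is correspondingly reduced.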
Another technique, closer to what the normal business practice is likely to be,
would be to provide the ability for the KRA or TTP to decrypt the key recovery keys,
but not the ability to possess or have access to the encrypted key recovery keys
themselves. To make this clear: the working keys, such as private keys, would be
encrypted in a one-time session key. The one-time session key would be encrypted
under the public key of the key recovery center (or TTP). The resulting doubly
encrypted user key would be stored on the user's server or in another physically
secure facility, where it would not be accessible to the TTP. If the user were to lose
his key, he would send his encrypted session key to the key recovery center. The
TTP would decrypt the user's encrypted session key with its private key, and return
the decrypted session key to the user via secure means. A TTP could only
compromise the user's data if a party with access to the physically secure,
encrypted working keys (for instance, law enforcement personnel) were to send the
encrypted data to the TTP.
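The doubly encrypted arrangement described above, as an added example that is not the comment's own code: the working key is wrapped under a one-time session key, the session key is wrapped under the key recovery center's public key, and the recovery flow sends the TTP only the wrapped session key. Two stand-ins are assumed so the block runs on the Python standard library alone: textbook RSA over two known Mersenne primes for the TTP's key pair, and a SHA-256 counter keystream as the session-key cipher. Neither is a production construction (no padding, no authentication, demo-sized modulus), and the working key below is a constructed sample.

```python
# Added example (not from the ABA comment): the two-layer key recovery
# scheme with the roles kept separate. Textbook RSA and a SHA-256 keystream
# are assumed stand-ins for the public-key and session-key ciphers.
import hashlib
import secrets
from dataclasses import dataclass

E = 65537
P = (1 << 107) - 1   # Mersenne prime M107 (demo size only)
Q = (1 << 127) - 1   # Mersenne prime M127 (demo size only)


def ttp_generate_keypair():
    """Key recovery center's key pair: (n, e) public, (n, d) private."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def pk_encrypt(public_key, message: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)


def pk_decrypt(private_key, ciphertext: int, length: int) -> bytes:
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Wrap or unwrap `data` under a session key (toy keystream, XOR)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


@dataclass
class EscrowRecord:
    # Working key under the session key: stays at the user's secure facility.
    wrapped_working_key: bytes
    # Session key under the TTP's public key: the only part the TTP sees.
    wrapped_session_key: int


def user_escrow(working_key: bytes, ttp_public_key) -> EscrowRecord:
    session_key = secrets.token_bytes(16)          # one-time session key
    return EscrowRecord(
        wrapped_working_key=stream_xor(session_key, working_key),
        wrapped_session_key=pk_encrypt(ttp_public_key, session_key),
    )


def ttp_recover_session_key(ttp_private_key, wrapped_session_key: int) -> bytes:
    """The TTP's entire role: unwrap the session key. It is never given the
    wrapped working key, so on its own it cannot reach the user's data."""
    return pk_decrypt(ttp_private_key, wrapped_session_key, 16)


def user_recover_working_key(record: EscrowRecord, session_key: bytes) -> bytes:
    return stream_xor(session_key, record.wrapped_working_key)


def recovery_flow(working_key: bytes, ttp_public_key, ttp_private_key) -> bytes:
    """End to end: the user escrows, later loses the working key, sends only
    the wrapped session key to the TTP, and unwraps the working key locally."""
    record = user_escrow(working_key, ttp_public_key)
    session_key = ttp_recover_session_key(ttp_private_key, record.wrapped_session_key)
    return user_recover_working_key(record, session_key)


if __name__ == "__main__":
    pub, priv = ttp_generate_keypair()
    sample_working_key = bytes(range(32))           # constructed sample
    print(recovery_flow(sample_working_key, pub, priv) == sample_working_key)
```

The point the code makes explicit is which party holds what: `ttp_recover_session_key` takes an integer and returns 16 bytes, and nothing in the TTP's code path ever touches `wrapped_working_key`. Compromise of the user's data requires both the TTP's private key and the wrapped working key from the physically secure store, which is the property the comment relies on to bound a TTP's exposure.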
We recommend that the above techniques and other innovative types of risk
management, yet to be developed, be explicitly permitted and encouraged by any
national key recovery plan adopted in the United Kingdom.
Further, in cases where liability may be imposed, the KEWG recommends
that there be an established per-incident and aggregate cap on a TTP's liability.
Establishing such caps does not of itself protect a TTP from the risks of doing
business, but it makes these risks more measurable and thereby permits a greater
number of entities to consider entering the business.
III. Immunity of Trusted Third Parties.
The KEWG recommends that TTPs be granted broad legal immunity from all
customer and third-party claims that relate to a good-faith disclosure by the TTP,
when that disclosure has occurred in reliance on a government (whether U.K. or
other) key or data request. Without this type of immunity, TTPs would face the
prospect of liability and costly litigation for actions taken in response to a
governmental request. Such a prospect would deter companies considering entry
into the TTP business.
IV. Concern about Unannounced Searches.
Annex F stipulates that searches are to be without notice. It is generally
accepted in the United States that, prior to a search, notice is given unless notice
is reasonably thought to jeopardize the existence or integrity of evidence sought.
It seems logical that such a protection should also be extended to the digital realm;
that those who are about to be subject to search should receive the benefit of the
knock-and-announce rule before the search begins.
Searches without notice threaten the basic civil liberties surrounding the right
to privacy and the right of free association. Civil republics value the right to
unencumbered actions in the private sphere. Encrypted communications and
transactions should not provide an excuse for governments to abrogate
longstanding, prized rights simply because new technology is involved.
Conclusion
The Key Escrow Working Group of the Information Security Committee of the
Section of Science and Technology, American Bar Association, respectfully
requests that these comments and suggestions on the United Kingdom's national
key recovery program be duly considered and acted upon in any such plan that the
United Kingdom adopts.
Sincerely,
Key Escrow Working Group Co-Chairs
Emily Frye
Dwight Olson