Mr. Brian White (Milton Keynes, North-East): Given that my wife used to work at Bletchley Park, it is appropriate for me to contribute to the debate on the Bill. Before I commence, I should declare that Caspar Bowden, who is a director of the Foundation for Information Policy Research, is a researcher of mine. However, the comments and views he has advanced under the FIPR banner are his own and have nothing to do with me. I shall not detain the House long, but I want to raise a couple of points that cause me concern. In part, they echo points raised by the hon. Member for Esher and Walton (Mr. Taylor). However, I should make it clear that I support the principle of the Bill.
The Bill started life as part III of the Electronic Communications Bill. At that time, I wrote to my right hon. Friend the Home Secretary expressing my concern. Despite his reply to that letter and his response to my intervention earlier today, I still have doubts. My main concern about the Bill's construction is that it will be impractical because of technological change, and unfair because innocent parties who happen to operate the technology will be caught by it, not criminals. It has the potential to damage e-commerce in this country, although that is because of the perception it will create, not the reality. Finally, the Bill does not really address e-crime. However, I hope that my hon. Friend the Minister shares my belief that amendments in Committee will alleviate my concerns and turn the Bill into a good one.
Mr. Heald:
Does the hon. Gentleman accept the analysis by Caspar Bowden of the FIPR of clause 12, which deals with interception capability on the internet? He says that it will be extremely difficult to find a way to intercept communications sent using split-packet technology, which sends many messages in small parts in many different directions at once.
Mr. White:
I would not say that it is impossible, but it will be extremely difficult. One of my concerns is that changing technology means that the armoury available to law enforcement agencies will not be up to the job.
Before addressing part III, I have one comment to make on part II. The data protection commissioner has regularly criticised blanket national security exemptions that preclude any inspection or enforcement. The Bill does not rectify that problem, as I hope Ministers have noted.
Under the Bill as currently constructed, an individual is presumed guilty if he is properly served with a notice with which he does not comply. I accept that some improvements have been made since similar proposals were made under the Electronic Communications Bill, but the basic problem remains. The Minister will say that there is a statutory defence, whereby that individual demonstrates that he does not have possession of the key. The difficulty is that, even among computer professionals, it is a frequent and almost inevitable occurrence that keys are lost, forgotten or destroyed, either inadvertently or deliberately.
My right hon. Friend the Home Secretary appears to think that loss of keys is rare, but I have lost count of the number of internet services to which I have subscribed but subsequently forgotten my password. I regularly visit Amazon.com, but the last time I did so, I found that I had forgotten my password, so I had to go through the rigmarole of re-establishing myself. How am I to convince a judge, who might not even have heard of a PC, let alone the newer technologies, that I am not lying--that I cannot remember my key and that I am not deliberately concealing it? A criminal who is prepared to risk a six-month jail sentence to conceal a key will be in a better position than an innocent person who is faced with having to try to prove a negative--that he has a sieve-like memory and that he is not deliberately concealing a key.
The Bill will change people's habits. Most people remember their keys by making them a word or a date that is easy for them to recall, but such keys are easy to crack. To make them harder to crack, people are advised to use random sets of numbers and letters, but such combinations are much easier to forget. I recently participated in an online discussion which included some sensitive material. I cannot now remember the password, although it is probably written down somewhere and I might be able to recover it. However, if the police start to investigate the matter, suspecting subversion, how am I to prove that I have a defective memory and that I am not deliberately withholding anything?
Mr. Ian Taylor:
I do not want to get into a debate about whether the burden of proof is the wrong way around, but we should not lose sight of the fact that a sensible honest business will not lose its keys, which are the secret of its commercial success, and that the people who have "lost" their key might well be those who have something to hide.
Mr. White:
My argument is about people's defence in such circumstances, but the hon. Gentleman makes a valid point: businesses will treat the key like they do a spare safe key and deposit it with a trusted third party.
That brings me to my main concern. If depositing a key with a trusted third party to avoid such problems becomes the norm, the Government will have effectively reintroduced voluntary key escrow by using subtle pressure and exploiting human nature. That subject was debated a year ago and my right hon. Friend the Prime Minister said that voluntary key escrow--not mandatory key escrow, as the Conservatives had originally proposed--was wrong and that the Government would not return to it. If I were cynical, I would argue that that will be the outcome of the Bill being enacted. My hon. Friend the Minister has the chance tonight to state clearly that key escrow, whether voluntary or not, is not on the agenda; and that the fact that trusted third parties may be used to ensure compliance with the provisions of the Bill will not be exploited to reintroduce the concept.
The Confederation of British Industry parliamentary briefing states that the Bill will
Along with other hon. Members now present, I am a member of EURIM--the European Informatics Market--which exists to provide advice to parliamentarians. It says in respect of part III:
Mr. Ian Bruce:
Has the hon. Gentleman, like me, seen many spy films in which a single key is used to get into
Mr. White:
I am not sure that the best way to avoid the security services is to watch James Bond, but the point about one-off keys is a serious one, to which I shall return.
It is critical to achieve the right balance between privacy and investigation. We need the law to tackle criminals, not ordinary businesses. I am worried that the way in which the Bill is phrased will allow criminals to make use of the loophole which still permits encryption at source. Investigation will focus on the end of the process.
There is a case in the United States involving a guy called, I think, David Smith. If I have got the name wrong, I apologise. He sent pornographic material to the first 50 e-mail addresses on various servers. That material is for ever on the recipients' hard disks. If the matter were investigated, action would be taken against them, and not necessarily against the sender, who caused the problem. I understand that he is awaiting sentence. The example illustrates some of the problems of which we should be aware.
Liberty considers that the Bill
The Police and Criminal Evidence Act 1984 requires
I am worried about the practicalities and the technology change. We run the risk of alienating companies that want to do business in the UK. I know of at least three banks that relocated their internet operations--one to Singapore, one to New York and one to Ireland--as a result of the original measure in the Electronic Communications Bill. That was done last summer, mainly from fear of the provision.
My hon. Friend the Minister may say that I am overreacting, that business is sanguine about the measure and that he has not received many complaints. If that is the case and I am wrong, I have made an idiot of myself, which does not matter. However, if I am right and there is a real danger, it is a serious matter, which I urge him to reconsider.
Improvements could be made to the Bill. We have heard reference to clause 49(1) and the burden of proof. The present wording should be changed to make it a requirement to take all practical steps to disclose a key or plaintext in a person's possession. Clause 50, dealing with the tipping-off offence, should be rewritten. I shall return to the matter.
The right hon. Member for Bridgwater (Mr. King) postulated a situation in which someone receives sensitive information which is then disclosed. The consequences can be severe, and the Bill should make provision for that.
The Government have underestimated the cost of protecting sensitive data, as is made clear in the report that was mentioned. The data may be commercially sensitive, or it may consist of intercepted discussions between freedom fighters or exiled politicians and people back home. Interception of such communications could endanger the lives of those people.
We are not dealing merely with a floppy disk in the Home Secretary's drawer or in a police station. I know how easy it is to hack into the files of the police and Customs. When I worked for Customs, a superb security system was installed, and every file was protected, except one. That was the security file, which someone had forgotten to password-protect, and all the codes were available.
I should hate to be part of an authority that had to ask the Home Secretary for extra money in its budget to put in extra protection for the commercial data in its systems, or a member of staff of the first authority to leak such information.
I spoke earlier of my concern that the Bill does not recognise the changing technologies. Embedded encryption will become the standard. The latest version of Microsoft addresses that key issue and has stronger security provisions than Microsoft has ever had.
We seem to be concentrating on cryptography, rather than on other security devices that may come on to the market. WAP--the wireless application protocol--technology used in third-generation mobile phones already has an encrypted message, although the user may not know where it comes from. Mobile phones are already changed frequently, and that will soon become common. By means of transitory encryption, the user does not know that a message has been encrypted, and the key is lost the moment the message is received. None of that is reflected in the Bill, and it is important for the Standing Committee to deal with it.
I said that I would return to clause 50 and the tipping-off provision. If someone knows that the security of his business has been breached, the first thing that he does is to change the password and the security system, yet the Bill prevents him from doing that. Perhaps I have misread the Bill, but the provision raises numerous concerns, particularly when we consider the global implications and whether or not we change the codes in this country, in accordance with the provisions of the Bill. The Bill can be altered to meet those concerns.
Shifting the balance of some of the clauses in part III would help to encourage e-commerce, rather than giving rise to the perception that a danger exists. I emphasise that it is a perception, rather than reality, but it could still drive business away.
It is widely recognised in other countries that a problem exists and that change is needed. As the right hon. Member for Bridgwater observed, if we do not change now, we will have to do so further down the line. Some countries are doing nothing, but that is not a valid option for us. There is a case for going along the route that we have chosen, with legislation that is way ahead of that in other countries.
Most other countries are adopting less onerous legislation. Germany will require disclosure of the information, rather than of the key itself. The United States is concentrating on international co-operation. Those are the approaches that we should consider. I am worried that in our efforts to get it right, we may shoot ourselves in the foot by creating unforeseen problems that damage our commercial interests, which should be at the heart of part III.
impose impractical and unacceptable burdens on business.
I do not necessarily accept that, but the CBI may be right. Those burdens can easily be alleviated by a company moving offshore--to Ireland, Holland or various other countries. The hon. Member for Esher and Walton spoke about global interconnections: a company need only relocate its communications headquarters to a different country. Such actions would be damaging to this country.
There are also real technical concerns that the intentions of this Part are not achievable in the real world. The user may enter a passphrase . . . to enable encryption . . . but that will not mean they have access to the actual keys. Possession of a key is itself a questionable concept--
especially where the nature of the communications technology used means that no record of the keys is kept. The password allows the individual to access the information, but the encryption key is never seen. EURIM advises that, often, it will be extremely difficult to recreate the technical environment in which the key was originally used, adding that
Decryption may only be possible on the originating system, which may belong to an innocent party caught up in an investigation by the nature of the technology.
I am concerned that an understanding of the technologies that may be involved is not fully reflected in part III. I would appreciate the Minister giving that matter serious consideration in Committee.
will enable serious infringements of privacy for no worthwhile gain.
That is a danger, and we need to demonstrate the gains that will be made through such infringement.
disclosure of information to be supplied in a legible and usable form.
That does not preclude key disclosure, and would be a better way of alleviating my concern.