Previous Section Back to Table of Contents Lords Hansard Home Page

Lord Bach moved Amdt No. 137:

On Question, amendment agreed to.

[Amendment No. 138 not moved.]

Lord Bach moved Amendment No. 138A:

    Page 49, line 6, leave out subsection (7).

On Question, amendment agreed to.

Clause 45, as amended, agreed to.

28 Jun 2000 : Column 953

Clause 46 [Notices requiring disclosure of key]:

Lord Lucas moved amendment No. 139:

    Page 49, line 35, leave out (", or is likely to do so").

The noble Lord said: Here we come upon a clause that the Government have been kind enough to rewrite extensively and at the very last moment. I cannot pretend that I or anyone that I have talked to has had time to comprehend the details and effects of all these changes. Therefore, I intend to use my comments on this and subsequent amendments to explore what the Government have done and where we are now. It may be necessary. with the help of my colleagues on the Front Bench, to ask for a recommittal of this clause when we have had time to absorb the effect of all the changes, but for now I await advice and information from the Minister with great interest.

This whole clause is extraordinary. It addresses a problem that the Government imagine they might find their agencies in from time to time of being unable to decrypt information. In all the years that cryptography has been available, there has been only one case in the United Kingdom in which the Government could not decrypt all the files they needed on one particular pornographer's hard disk.

It is extraordinary that so much damage should have been done worldwide to the reputation of the United Kingdom as a place to do e-business, with anxieties and recriminations echoing round the globe from international lawyers to those who specialise in the Internet. I hope that we may reach a point with the Bill where we are able to allay some of the fears, but it will take a long time for all the damage that has been done to die away. It is extraordinary that it should be done, when there is so little need for this clause as a whole.

Encryption is in theory perfect. One can hide anything in a way that cannot be broken. Even if the clause were enacted in the way in which it was originally written, before the Government's latest amendments, it would be possible to hide anything one wanted. Internet communications will use ephemeral keys, and there will be no way of breaking that system. Cryptography has evolved in ways which have built-in deniability. The whole way in which the clause has been written assumes that there is only one key, which will reveal one set of information out of an encrypted file. But it is very easy to create a system whereby out of an encrypted file I can produce a Shakespeare sonnet or an order for hard drugs, depending on which key I use to unlock it. There is no way in which the Government can prove that there is a second key if I produce to them a first key.

One can hide whole file structures. One can hide the existence of files through the use of keys that go down in layers, so that the first key will reveal one file structure, but if one applied another key it would reveal hidden files below. If one uses suitable methods of hiding the files it is impossible to prove that the files even exist.

Cryptography using one-time pads is a technique we can remember from the war years. That is in theory perfect. There are still wartime codes that have not

28 Jun 2000 : Column 954

been broken because the one-time system was used perfectly. There is now the practice, which will doubtless be used more in future, of using data havens, of storing one's data remotely. Again, as long as one takes care to encrypt and hide one's links to it there can be no way of proving that one has it.

We are up against a system that is technically perfect, and the sort of attack envisaged by the Government will be useless against the serious and careful criminal. The sort of attack that works in practice, that has worked in all but one case to date, results from the fact that anyone doing cryptography is human, that hiding one's data in a consistent way is extremely tedious, and that people tend to take short cuts, and either as a result, or through the methods outlined in Part II--and there are plenty of them that can be used with computers--one can uncover the keys and the information needed to break people's cryptographic systems without going at it in the way envisaged in this part of the Bill.

What really frightens people about the way in which the clauses are drafted is that because they will be pretty useless against the serious criminal they will be used only against casual traffic, and, more important, will be available for use against messages received and communicated by substantial international businesses. Anyone who uses the Internet, which is essentially an open system--there is nothing secure about it--must use a high level of cryptography and assure clients, customers and associates that his systems are secure. Anything that puts that in doubt or makes business believe that by conducting this activity in the UK it lays itself open to international law suits or merely produces a loss of confidence that data stored in the UK is not as secure as data stored in a country which is not governed by this kind of legislation, even with the latest government amendments, will result in a substantial loss of business to this country.

I do not believe that business has had time to react to, and review, the latest amendments. We shall wait and see how it reacts to them and to today's debate. If, as I fear, the conclusion is that the Government have not gone nearly far enough, as suggested in today's Financial Times, we should either excise the clause from the Bill or insert a provision to say that it shall not come into effect until a further measure has been passed to authorise its implementation. A method must be found to ensure that the Government have those parts of the legislation that they require to comply with the Human Rights Act for the activities that they currently undertake but are denied the ability to trespass into areas where they have no present need to be, potentially at great cost to the UK's international business and its economic wellbeing, to use the famous definition. We should not imperil that for so little gain. If more time is needed to consider this matter and produce something with which everyone is content, we should provide the Government with a mechanism whereby that end can be achieved.

The amendment excises the words "or is likely to do so". That wording occurs also in several amendments to the subsections to Clause 46 tabled by the noble

28 Jun 2000 : Column 955

Lord, Lord McNally. I believe that I see what the Government intend. They want to be armed with an authorisation to demand the key if they find an encrypted file when they search someone's premises. I understand that. However, in effect the way that the provision is written means that they can demand the key to future communications that arrive in the course of the next few days. Therefore, any business that is subject to such a demand must keep its whole cryptographic system open for the investigating authorities. It must leave a gaping wound, as it were, in its security until the investigating authorities say that it can be closed. There is no way to supply the text of messages yet to come; one must supply the key. To leave in this particular phrase is very much against the spirit of what the Government say they want to achieve in tabling their new amendments unless the wording can be tightened up to cover a much shorter timescale and allow the authorities access only to files which they are about to discover in premises that they are about to raid. I beg to move.

6.30 p.m.

Lord McNally: I agree with much of what the noble Lord said. I added my name to the amendment because, as presently drafted, the provision seems to be "future proofing" gone mad on the part of the Government, as the noble Lord explained in his concluding remarks.

To save a repetitive speech, we have arrived at the crux of the Bill in terms of clearing the hurdle of business disquiet. We must all assess whether what the Government propose in Clauses 46 and 47 meets the concerns of business. I was interested in the initial reaction of one of the companies concerned, Vodafone. Its concern was that in seeking a proportionate response, to use a favourite expression of the noble Lord, Lord Bassam of Brighton, the provision leant too far towards the requirements of the relevant authorities and failed to take account of the needs of the businesses in question. A good deal of the debate on the clause will revolve around the question whether the powers that the Government seek are proportionate in terms of the real or imagined evils that they seek to counteract and the burdens that they place on business.

I am not one of those who believe that the new cyberspace technology is a zone that should be outside the rule of law. I still have sufficiently strong confidence in parliamentary democracy to believe that, as a necessary protection, all parliaments should be able to construct a framework within which people conduct their activities. I am not a member of the "cyberspace tendency" which believes that this is all beyond us. Who knows? Perhaps those countries which have not yet grappled with a legislative framework for e-commerce will regret it or look at our attempts as pioneering work in the field.

I hope that both sides will approach this matter in a constructive way. Industry, which has quite legitimately lobbied and stirred up media and political and parliamentary interests and obtained a response from the Government, should take a proper look at

28 Jun 2000 : Column 956

what this means for business. I also hope that, having emerged from its tetchy phase, the Government are now willing to listen to industry if further constructive points can be made. The context in which the noble Lord moved the amendment was extremely wise and constructive. If both sides approach this part of the Bill in that way we shall produce clauses that are acceptable to industry and provide a legislative framework for e-commerce in future.

Next Section Back to Table of Contents Lords Hansard Home Page