The government's draft e-commerce bill has come under fire from experts who say it still contains room for key escrow, and forces users to give up their private keys to the police.
The draft bill also fails to tackle cryptography export laws, forced on the UK by the US-led Wassenaar agreement, but does put digital signatures, used for authentication, on the same legal footing as written signatures.
Under the proposed measures, digital signatures would not be rebuttable, meaning that it would be up to the receiver to prove a signature was valid.
The bill will be put before Parliament in November and is expected to pass into law early next year.
Brian Gladman, an ex-NATO IT director with 30 years' experience as a security specialist at the Ministry of Defence, has been a vocal critic of the draft on the UK Cryptography Policy Discussion Group mailing list, UK-Crypto. He told PC Week that politicians simply do not understand the technology involved.
Section 13 of the draft calls for defendants to hand over their private key to decode an encrypted message, or prove they no longer have it in their possession. It imposes harsh sentences on those who tip off others that their key has been given to the police.
These measures are "absolutely pernicious", according to Gladman. "Users have to prove a correspondence between the encrypted and decrypted texts. You use your private key to encrypt a session key, which is inextricably linked to the text and only used once. The police only need the session key."
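The distinction Gladman draws is the one hybrid encryption makes between a per-message session key and the long-term private key that unwraps it. The Go example below is added here and is not from the article or from any UK-Crypto contributor; it uses RSA-OAEP for key wrapping and AES-256-GCM for the message body (primitives assumed for illustration), and the function names `Seal`, `UnwrapSessionKey` and `OpenWithSessionKey` are hypothetical. Disclosing the session key of one message opens that message only; a session key from another message fails the GCM authentication check, while the private key still unwraps every message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope: a one-time session key wrapped with RSA-OAEP, and the text under AES-256-GCM.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// Seal draws a fresh session key for this message only and wraps it to pub.
func Seal(pub *rsa.PublicKey, text []byte) (Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	block, _ := aes.NewCipher(sessionKey) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)        // standard AES block: cannot fail
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, text, nil)}, nil
}

// UnwrapSessionKey is the only thing the key holder need disclose to open a
// single message: that message's session key, not the long-term private key.
func UnwrapSessionKey(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
}

// OpenWithSessionKey decrypts one envelope from its session key alone; the
// GCM tag check fails if the key belongs to a different message.
func OpenWithSessionKey(sessionKey []byte, env Envelope) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```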
The draft also provides for the voluntary licensing of cryptography providers.
Gladman called this key escrow by the back door, as it could then become mandatory to use licensed providers when dealing with the government, which would allow intelligence agencies to gain access to users' keys.