The UK government published its long awaited encryption policy this week, backing down from earlier proposals that would have allowed all encrypted communications to be covertly tapped.
But the announcement provoked industry-wide disappointment as it became clear the government still wants to decode encrypted messages through a legal mechanism known as key recovery.
Businesses have expressed concern that they will be obliged to support a costly and unwieldy infrastructure. Key recovery, which the previous Major government wanted to be mandatory for all users, allows authorities access to keys, meaning encrypted data can be decoded. The new Blair-led Labour government favours voluntary key recovery.
Steve Thomas, head of security at banking industry body Apacs, said: "Banks would be far more willing to provide decrypted text than give up encryption keys."
Other organisations are concerned that the scheme gives easy access to confidential commercial or personal information.
Pieter van Dijken, head of information security services at Shell's information services arm, and an advisor to the OECD on cryptography policy, said: "For encryption to work, it will have to be trusted. Governments will have to respect this trust element, for example by making warrants to tap email difficult to obtain."
The insistence on key recovery breaks a promise Labour made before the election in its review of IT policy. "Attempts to control encryption are wrong in principle, unworkable in practice and damaging to the long term economic value of corporate networks," the review said.
Under the new scheme, bodies that provide encryption services to the public can choose to submit themselves to a licensing scheme. This system will include a requirement to "make the recovery of keys possible", said the government statement, published on Monday.
Despite key recovery being voluntary, law enforcement agencies can also force users to hand over keys.
Barbara Roche, junior minister at the DTI, justified legal access by saying: "The purpose of these new powers will be to protect the public from crime and terrorism."
Digital signatures are also covered in the new policy. These signatures, which allow people trading electronically to prove their identity online, so preventing fraud, have finally achieved legal status. Certification authorities licensed by the government will validate digital signatures, giving them the same force in law as handwritten ones.
But different regulations will cover digital signatures and the use of software encryption keys. Many systems use a single key to encrypt data and generate digital signatures. Compromise one and you compromise both.
Dan Sabbagh is a reporter on Computing.
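The article's closing point, that a single key pair used for both encryption and signing means whoever recovers the decryption key can also forge signatures, as an added example (not from the article or any product it mentions) in toy textbook RSA; the primes, the message and the `escrow_can_forge` simulation are constructed for illustration, with no padding and no real key sizes.

```python
# Added illustration: textbook RSA with constructed tiny primes (not a real
# implementation). Shows why key recovery of an encryption key is harmless to
# signatures only when signing uses a separate key pair.
from math import gcd


def make_key(p: int, q: int, e: int = 17):
    """Return (public, private) as (n, e), (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def sign(priv, m):
    n, d = priv
    return pow(m, d, n)


def verify(pub, m, s):
    n, e = pub
    return pow(s, e, n) == m


def escrow_can_forge(shared_key: bool) -> bool:
    """Simulate a key-recovery agent that holds only the user's encryption
    private key. Returns True if that escrowed key also produces a forged
    signature that verifies under the user's signing public key."""
    enc_pub, enc_priv = make_key(61, 53)        # constructed toy primes
    if shared_key:
        sig_pub, sig_priv = enc_pub, enc_priv   # one key pair for both uses
    else:
        sig_pub, sig_priv = make_key(89, 97)    # separate signing key pair
    escrowed = enc_priv                         # what key recovery hands over
    msg = 42                                    # constructed message value
    # Legitimate use works in both designs.
    assert decrypt(enc_priv, encrypt(enc_pub, msg)) == msg
    assert verify(sig_pub, msg, sign(sig_priv, msg))
    # Can the escrow holder sign on the user's behalf with what it was given?
    return verify(sig_pub, msg, sign(escrowed, msg))
```

With a shared key pair `escrow_can_forge(True)` is True: recovering the decryption key is recovering the signing key. With separate pairs `escrow_can_forge(False)` is False, which is the key-separation practice the article's last paragraph is pointing at.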