The UK government has come under fire for its handling of encryption legislation for securing the Internet.
According to ecommerce software company JCP, the government is being too evasive over the measures it will introduce to help enforce its encryption policy. It claims the uncertainty is damaging trust and confidence.
Speaking at the ICX conference last week, Stephen Pride from the Department of Trade and Industry gave a sneak preview of the government's plans for encryption regulation. He revealed that the telecomms regulator Oftel would regulate trusted third parties - which provide encryption services and hold on to security keys if required - and that these would require a licence in some cases.
While licensing would be voluntary, digital signatures would not be legally binding without it.
Pride also expanded on the policy laid out in April (see Newswire 29 April) where licensed TTPs would be required to give up the keys to the police to recover data where needed for crime prevention. This has raised a similar conflict between the needs of consumer privacy and law enforcement that has caused controversy in the US.
"Recognising the need for a sensible licensing structure for trusted third parties is wise - and Oftel is as good a body as any for implementing this," said Robin Wilton, principal consultant at JCP.
However, he believes that asking TTPs to allow law enforcement agencies access to authentication keys is unacceptable. "It undermines the basic service that TTPs trade on - the assurance that no-one else could have signed a given message," he said.
There is also the issue of how evidence found through key recovery should be used. Wilton believes there need to be the same strict procedures governing this as any other type of evidence.
The use of security keys for law enforcement also raises an issue for the software suppliers. If crypto providers like JCP have to include key recovery in their software they could be forced by the patent owners (IBM and TIS) to charge dearly for it, Wilton complained.
A secondary phase of legislation is due to finalise all the details, and here Wilton is concerned over secrecy and a lack of input from the industry. This could lead to the introduction of an unworkable system, he argued in his speech.
"Some of the measures proposed could be draconian or liberal depending on the implementation. The government is still stalling and keeps hinting at secondary legislation phase," said Wilton. "Consultation with the industry for the details of any secondary legislation is vital."
The government worked with the Confederation of British Industry, British Standards Institute and Alliance for Electronic Business for the primary phase of the security legislation, but it is not obliged to seek the same advice for a secondary phase.