Use encryption, go to jail?

July 29, 1999

by Douglas F. Gray

LONDON (IDG) -- Encryption users could face up to two years in prison for refusing to hand over the keys to their code, according to Britain's proposed Electronic Communications Bill.

The bill is causing concern among privacy advocates and opposition parties, who say the bill gives law enforcement wide-reaching power over private Internet communications.

Most aggravating, the bill calls for a possible two years in prison for anyone refusing to turn over the encryption key or the message in plain text to law-enforcement officials. It also calls for a five-year prison term for tipping off senders that they are being investigated, according to Caspar Bowden, director of the London-based Foundation for Information Policy Research.

Even discussing an investigation in public, such as complaining about alleged abuses of law enforcement to the media, may also be punishable by imprisonment, said Bowden. "Let's say that someone under investigation sends me a message with encryption that can only be decrypted by the receiver. The authorities come to me and tell me that they are investigating someone, but won't tell me who, so they ask for all my private keys," Bowden said. Refusing this request from the authorities could get him two years in prison, said Bowden.

In such a case, the authorities would have all of Bowden's private keys, enabling law enforcement to read all encrypted correspondence that was sent to him. Bowden would then have no choice, he said, because by informing anyone of this, and asking them to change their key, he would break the "tipping off" clause of the bill and in turn face five years' imprisonment.

"I can't complain to the newspaper, otherwise it's five years in jail. All I can do is go to a secret tribunal," Bowden said. He's not joking: The tribunal consists of five judges, of whom only two have to participate and only one has to lay the groundwork, he added.

Bowden feels that the entire bill needs to be re-examined by the U.K.'s Department of Trade and Industry. "We would like to see the Electronic Communication Bill be about e-commerce, which is what they said; the law-enforcement section doesn't even belong in it," he added.

There is also another method of hiding messages, called steganography. It's not really clear to commentators such as Bowden whether or not steganography is covered by the bill. With steganography, users can "sprinkle an encrypted message" into a photographic format, such as JPEG, or a music format such as MP3, both of which are very popular online. In actuality, the message does not necessarily need to be encrypted, just concealed within the file, according to Bowden.

Although the bill does not mention technologies such as steganography, Bowden speculated that the authorities could enforce regulations in those cases by proving that there was a reason to search, such as the existence of a steganography program on the suspect's computer.

Douglas F. Gray writes for the IDG News Service.