Yaman AKDENIZ <email@example.com>
Clive WALKER <firstname.lastname@example.org>
University of Leeds
In common with the modes of communication it succeeds and to some extent supplants, the Internet entails both positive and negative consequences for personal privacy. Among the negative impacts are the ability to gather and transfer data concerning subjects in ways that at best commodify the personality of the individual and at worst facilitate unaccountable and even mistaken interferences with autonomy. These concerns are reflected in data protection laws that, more so in Europe than the United States, restrict the free market in data use for the sake of subject privacy. More positively, the technological mode of delivery of Internet communications can be used to afford protection for communications, especially through the use of strong encryption tools.
At the outset, it must be explained why encryption can produce positive goods. There are two fields of activity that will be explored. The first is that encryption technology is a fundamental element for the development of a global electronic commercial system. For financial transactions to be securely transmitted and conducted, there must be confidence that the mode of communication delivers both secrecy and verification. We shall describe and discuss a number of governmental reports that have recognized this claim for encryption and its existing use by commercial Internet users, especially financial institutions. Second, the same encryption technology can be used for securing true private communications concerning public affairs. It has enabled the use of the Internet as a mode of information gathering and dissemination concerning, for example, human rights abuses, a mode of communication that allows them to operate even against repressive regimes that have closed other avenues of communication for dissent.
In response to these two sets of needs for encryption, our survey of official policy in the United Kingdom, on the one hand, and European Union, on the other, will reveal some marked variation. There is certainly a common concern among many policymakers that encryption can make the Internet secure for illegal and harmful uses. As a result, the association of encryption with, for example, fraud, child pornography, or terrorism, engenders the fear that nation states will not be able to conduct effective investigations. Therefore, there are calls for law enforcement agencies to have a backdoor to encryption keys (key escrow or key recovery techniques) so that messages can be decrypted by the police when needed. Broadly, our research shows that the responses to these fears and the demands for access have varied markedly. We examine the driving forces behind the policing demands that, we speculate, relate to more underlying geopolicies, cultural stances in regard to the value of privacy (also reflected in the data protection laws), and forms of moral entrepreneurship on the part of some of the policing organizations.
The paper will finally argue that government access to encryption keys would undermine and hold back both the development of e-commerce and the political use of the Internet in pursuit of free expression rights. Any "key escrow" mechanism could result in loss of confidence among potential user groups and individuals. We shall also suggest, in the light of some case studies of Internet "misuse" that have been processed by the police in the United Kingdom, that there is no compelling state interest in such an invasion of privacy, as the perpetrators of Internet-related crimes have been detected and evidence gathered without any new powers to intrude or search.
In common with the modes of communication it succeeds and to some extent supplants, the Internet entails both positive and negative consequences for personal privacy. At the outset it must be admitted that the very concept of privacy is highly contested. Its boundaries have been stated perhaps most authoritatively in international law by the European Convention on Human Rights and Fundamental Freedoms (1950), article 8(1), as comprising a right "to respect for...private and family life,...home and ...correspondence," though subject, under article 8(2), to interferences such as might be necessary in a democratic society:
"...in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."
The relationship between the positive statement of right and derogations therefrom under article 8 is far from straightforward (Harris, O'Boyle, and Warbrick, 1995). Reflecting similar difficulties at a national level within Europe, for example, the U.K. government (Government Response, 1995) recently abandoned attempts to devise a legislative formula for the special protection of privacy. Problems of definition and the concern that privacy protection would be at the cost of free speech were the primary reasons cited. Instead, the U.K. government has opted simply to incorporate the European Convention into domestic law -- not only its privacy protections but also its concern under article 10 for free speech (Human Rights Act, 1998). This is a neat sidestep, but it will have the effect of juridifying the future development of privacy laws in the U.K. The U.S. precedents of Roe v. Wade and the confirmation hearings surrounding Judge Robert Bork suggest this will not offer a free home run for those wishing to smooth the path to the protection of privacy and that legislative solutions from the political system may eventually prove necessary (Global Internet Liberty Campaign, 1998a).
So, the polycentric problems arising from privacy are difficult enough to manage, and no easier solutions are evident when we turn to the relationship between privacy and the Internet. As mentioned above, those relationships can be both positive and negative. Although the advancement of technology means that "privacy rights" are more and more in danger and open to abuse, the Internet does not create new privacy issues. It makes the existing ones -- like confidentiality, authentication, and integrity of the information circulated -- difficult to control and secure.
Among the negative impacts might be the ability to gather and transfer data concerning subjects in ways that at best commodify the personality of the individual and at worst facilitate unaccountable and even mistaken interferences with autonomy. These concerns are reflected in data protection laws which, more so in Europe than the United States, restrict the free market in data use for the sake of subject privacy. The European data protection legislation is, broadly speaking, based around article 8 of the European Convention, which in turn was the inspiration for the Council of Europe's Convention on Data Protection (1980). Arising from the patchy ratification of the Convention, the European communities have now issued the Directive on Data Protection (1995), the implementation of which becomes a matter of enforceable community law (Kosten and Pounder, 1996; Lloyd, 1996) Already, implementing legislation has begun to appear within the Member States, such as the U.K.'s Data Protection Act 1998 (Home Office, 1997). Lurking behind this impetus towards ever more widespread regulation of datasets is the fear that it is technology that threatens privacy. The ability of technological devices to facilitate the collection, processing, and distribution of personal data is a major factor behind the public concern about losses of privacy, and so action against technology is at one level very popular (Lindop Report, 1978; Younger Report, 1972).
The Internet cannot absolve itself of all responsibility for mass technophobia. Though it has increasing allure for the individual sitting in the sanctity of the home, there are major concerns about the vehicle it provides for personal snooping not only by commercial institutions but also (and more seriously) by governmental organizations, all of which may be able to keep track of the use of the Internet by the individual for the purposes of marketing, policing,. or otherwise.
More positively from the point of view of privacy interests, the technological mode of delivery of Internet communications can be used to afford effective protection for communications, especially through the use of strong encryption tools. In many respects, the technically aware Internet user can indeed achieve a greater degree of privacy in correspondence than available through the postal service or many other forms of telecommunications (JUSTICE, 1998). Facilities such as anonymous remailers and encryption (for example Pretty Good Privacy) can be so effective against oversight that law enforcement agencies have begun to voice concerns about the viability of future crime detection in cyberspace (Freeh, 1997, 1998; NCIS, 1999; Davies, 1998b). These concerns remind us that all rights can be exercised in ways that become abusive of other rights (whether to property in the cases of fraud or theft, or to life and liberty in the cases of terrorism and racism).
Among the many advantages of computer-mediated communications systems are their offer of privacy and security for their users. Encryption is one technique that can be used to achieve secrecy for the contents of a message, but there are other methods of hiding identities and information that will not be covered in this paper, including steganography, remailers, account cloning, and spoofing. Although encryption and cryptography had a long tradition in the military defense field, encryption technologies are increasingly integrated into commercial systems and applications and the "exclusive" military character of encryption belongs to the past.
Encryption can provide confidentiality, integrity, and authenticity of the information transferred from A to B. It can for example provide a secret transmission of content, ensuring that the message's integrity has not been tampered. Furthermore, with the use of encryption technology, B can authenticate that the information was sent by A. All these points may be important for different reasons for the transmission of data over the Internet. While for example, military and secret services will require a confidential and secret communication, others will only be interested with the accuracy of the information transmitted or received. Digital signatures can be created by the use of encryption and these can authenticate the sender of the information as they cannot be forged. A further possible advantage is that e-mail and other forms of electronic communication can incorporate encryption technology that allows users to ensure that messages and data can be read only by intended recipients.
In this way, encryption has the potential to protect information and commercial transactions as it is transmitted through the Internet and, despite the mathematical sophistication of the techniques being used (Bowden and Akdeniz, 1999), does so by procedures that can be increasingly used by nonexperts. This is due to the desktop computer revolution that has made it possible for cryptographic techniques to become widely used and accessible to nonexperts (even though the science of cryptography is very old). Nowadays, it is possible to buy cheap but strong encryption software from local computer shops. Moreover, one of the most popular encryption software, the Pretty Good Privacy (PGP) is freely available over the Internet for personal use.
However, the use of encryption seems to give rise to an element of suspicion -- it is often assumed that the use of secret codes is associated with the world of spies and industrial espionage. Nevertheless, there are many legitimate purposes of secrecy in general and encryption in particular (Bok, 1982). Many are connected with business transactions and the desire to keep financial information away from the prying eyes of third parties who might then use the intercepted information for fraudulent purposes. In this way, encryption technology is a fundamental element for the development of a global electronic commercial system. For financial transactions to be securely transmitted and conducted, there must be confidence that the mode of communication delivers both secrecy and verification. We shall describe and discuss a number of governmental reports that have recognized the need for encryption and its existing use by commercial Internet users, especially financial institutions.
Other personal purposes include being able to obtain advice or counseling in private and perhaps even without identification. Thus, the technology has been used by the Samaritans organization in the U.K. as part of its voluntary counseling service. Second, the same encryption technology can be used for securing true private communications concerning public affairs. It has enabled the use of the Internet as a mode of information gathering and dissemination concerning, for example, human rights abuses. Organizations such as Amnesty International and Human Rights Watch do communicate with dissidents all around the world with the use encryption technology that ensures not only secrecy of the content of messages but also authenticity of their authors (Network Week, 1998).
In response to the needs for establishing trust and confidence through the use of encryption technology in the Information Age, there is a need for a regulatory framework at the national, supranational, and international levels. However, far from having a consensus, there are considerable differences between the various regulatory framework initiatives offered in both the European Union and the United States. Furthermore, there are even completely different policy initiatives among the European Union member states (for example, the United Kingdom and France). All these differences not only hamper and hold back the growth and development of e-commerce, but also the possibility of providing a secure environment for netizens.
At the European Union (EU) member state level, there is no doubt that there is a strong commitment, based on global economic competition but equally political populism, to embrace in principle "the age of the Information Society" (House of Lords, 1996, paras.1.1, 1.6.). Yet, because of cultural, historical, and sociopolitical diversity, there will inevitably be divergent approaches to the growth and governance of the Internet in different European societies. Faced with the fragmentation of both the Internet and the all-purpose nation state, and having regard to the cardinal principles of respect for difference and subsidiarity, it is not surprising that the European Union has sought to avoid domineering stances and the imposition of monopolistic forms of governmentality.
As early as 1994, the Bangemann Report to the European Commission dealt with the use of encryption tools and stated that a solution at a national (member states) level will inevitably prove to be insufficient because communications reach beyond national frontiers and because the principles of the internal market prohibit measures such as import bans on decoding equipment. Therefore, according to Bangemann a solution at the European level was needed "which provides a global answer to the problem of protection of encrypted signals and security. Based on the principles of the internal market it would create parity of conditions for the protection of encrypted services as well as the legal framework for the development of these new services" (Bangemann Report, 1994).
In October 1997, the European Commission published a communication paper, Towards A European Framework for Digital Signatures And Encryption (European Commission, 1997), which in contrast to many member state initiatives (including the U.K. initiatives and the French restrictions up until January 1999) and despite years of U.S. attempts to push the "government access to keys" idea overseas, found key escrow and key recovery systems to be inefficient and ineffective. Furthermore, Bangemann's ideas in this field were followed by the Commission in their October 1997 paper:
"Divergent legal and technical approaches would constitute a serious obstacle to the Internal Market and would hinder the development of new economic activities linked to electronic commerce. An EU policy framework for ensuring security and trust in electronic communication and safeguarding the functioning of the Internal Market is therefore urgently needed." (European Commission, 1997)
The EU communication paper on encryption further stated that "most of the (few) criminal cases involving encryption that are quoted as examples for the need of regulation concern 'professional' use of encryption. It seems unlikely that in such cases the use of encryption could be effectively controlled by regulation" (European Commission, 1997). This view is echoed in Principle 5 of the OECD Guidelines on Cryptography Policy, which states that "the fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods" (OECD, 1997). In addition to the OECD Guidelines, the European Commission's Communication on Encryption and Electronic Signatures points out that:
"International treaties, constitutions and laws guarantee the fundamental right to privacy including secrecy of communications (Art. 12 Universal Declaration of Human Rights, Art. 17 International Covenant on Civil and Political Rights, Art. 8 European Convention on Human Rights, Art. F(2) Treaty on EU, EU Data Protection Directive)... Therefore, the debate about the prohibition or limitation of the use of encryption directly affects the right to privacy, its effective exercise and the harmonisation of data protection laws in the Internal Market." (European Commission, 1997)
The Commision's conclusion is most important as some of the national initiatives and proposals like the U.K. policy on encryption (see below) fall short of such an important recognition for the importance of encryption for individual rights such as privacy.
As far as the digital signatures are concerned, the Commission decided to separate the need for a regulatory framework for the use of digital signatures from that of the use of encryption. The Commission also dismissed the claims that the use of digital signatures would create problems for the law enforcement. For the purpose of creating a legal framework for the use of digital signatures, the European Commission, in May 1998, published a proposed Directive on a Common Framework for Electronic Signatures (European Commission, 1998). The draft directive was finalized in October 1998 and highlighted the problem that "...different initiatives in the Member States lead to a divergent legal situation.... the relevant regulations, or the lack of them, will be different to the extent that the functioning of the Internal Market in the field of electronic signatures is going to be endangered."
At the time of writing, the European Commission was yet to formulate a common policy on the use of encryption and this will be the more problematic task for the Commission as (again at the time of writing) there are completely different policy views within the member states of the European Union. We shall now explore one such member state, namely the United Kingdom.
The U.K. government has been trying to formulate a policy on encryption since 1994, and the many policy initiatives described below were caught up between two different governments (before and after the May 1997 General Election) and were also strongly affected by supranational (the European Union) and international (the OECD) policy initiatives on encryption.
The United Kingdom's Department of Trade and Industry (DTI) published a White Paper, On Regulatory Intent Concerning Use Of Encryption On Public Networks, in June 1996 to meet the growing demands to safeguard the integrity and confidentiality of information sent electronically over the Internet (Akdeniz, 1997a). The U.K. government proposed the introduction of the licensing of Trusted Third Parties (TTPs) to hold the copies of private encryption keys with the use of key recovery systems. This was followed by the Public Consultation Paper, Licensing of Trusted Third Parties for the Provision of Encryption Services, in March 1997. The DTI consultation paper addressed many issues that would have an impact on the use of encryption tools on the Internet but the issue of whether blanket escrow of encryption keys (the central policy being put forward both to encourage trust in the integrity of encryption and to allow for investigation of those criminals and terrorists who abuse its facilities) presents unique civil liberties dangers was not addressed (Akdeniz, 1998a). In addition to its refusal to examine the core of the controversy, the DTI paper is provincial and ahistorical. There was no mention of the four years of continual proposals for key escrow systems by the U.S. government (Schneier and Banisar, 1997; Diffie and Landau, 1998; ACLU, 1998), even though their proposals have much in common with the DTI proposal and clearly inspired the latter (Akdeniz, 1997b).
These publications were followed in February 1998 with the announcement by the Home Secretary of a plan to allow government access to encrypted communications for the prevention of crime. The European Union ministers at a meeting in Birmingham warned that unbreakable encryption systems would mean organized crime could pursue its activities unhindered (Akdeniz, 1998b).
A new repackaged version of the U.K. government policy was announced in spring 1998 by the Department of Trade and Industry (DTI) under the title of Secure Electronic Commerce Statement (DTI, 1998). This new policy statement follows from the previous government's Trusted Third Party initiatives, and the idea of the TTPs still remain but this time on a "voluntary basis." Even though the government proposals do not favor a mandatory scheme for the TTPs, it is a condition for the TTPs to use key recovery systems favored by the government and therefore the risks associated with the key recovery systems remain. The government also hopes that "organisations providing services to the public will see the benefit of adhering to a high standard, and the public confidence that this will bring." (paragraph 11). Phil Zimmerman, the creator of Pretty Good Privacy (PGP), stated after reviewing the government statement that "in principle it's voluntary; but, de facto, it's compulsory. This is exactly what so many of us in the U.S. have worked very hard to stop" (Campbell, 1998).
The DTI's Statement also now has a clear policy differentiation between digital signatures and the use of encryption. The Statement concentrates more on the use of digital signatures and therefore the emphasis is on the government's commitment to a safe and secure basis for the development of electronic commerce. Although this is welcome, it should be noted that these follow mainly from the Organization for \Economic Cooperation and Development (OECD) Guidelines on Cryptography Policy (OECD, 1997; with which the paper claims to be fully compatible) and with the European Commission's Communication on Encryption and Electronic Signatures (European Commission, 1997). So, to have taken any other position on digital signatures would have posed serious conflicts with emergent supranational policy.
These national and international developments, which express significant support for data privacy, should have significant implications for the treatment of encryption. It should therefore be prima facie respected and even encouraged by national policymakers. By contrast, the DTI paper should be criticized as being fixated on the value of encryption solely in connection with commerce and ignoring wider political and social uses of information technology that might legitimately require the use of encryption. Even the Internet industry does not favor the U.K. government's policy as the framework proposed does not provide the necessary confidence and trust for the development of e-commerce.
The DTI's Statement was the inspiration for the announcement of proposed legislation in the form of the Electronic Commerce Bill within the Queen's Speech in November 1998, the aim of which was to make the make the United Kingdom the most propotious place in the world to trade online (BBC News, 1998). The then Trade and Industry Secretary of State, Peter Mandelson, told the Labour Party's annual conference in September 1998 that the country could become a new industrial and commercial power in the 21st century if it grasped the potential of the Information Age. Peter Mandelson added the caveat that "We need to make sure that all our laws and rules are e-commerce friendly." A consultation paper detailing the proposals was announced (DTI, 1998b), but at the time of writing (February 1999) the details of the Bill remain unknown. However, no surprises are expected as the DTI has been consistent in its policy so far and has been not much deflected by representations from lobbies such as civil liberties organizations and consumers. A document issued in October 1998 by the DTI, called Net Benefit: The Electronic Commerce Agenda for the UK (DTI, 1998c), still contends that "encryption, has a major drawback -- the same technology used to protect sensitive business communications can be used by criminals and terrorists to circumvent the legal powers of interception by governments." Therefore, the Net Benefit paper states that
"In the UK, the Government is proposing to encourage the establishment of Trusted Third Parties (TTPs) where users of encryption keys could deposit their private encryption keys with licensed organisations which would provide legal access by law enforcement agencies. Introducing legislation to license such bodies will give both the public and business confidence that they are dealing with organisations providing professional key management and storage facilities."
The DTI paper further states that "the dilemma is how to ensure that innovation and electronic business are not stifled while simultaneously taking law enforcement concerns into account." However, the real dilemma is to marry harmoniously the policy objectives of the DTI and their insistence on trying to balance two separate issues and needs. These are the development of e-commerce and the needs of the law enforcement. This paper will now address the issue of law enforcement and its balance with privacy rights.
Since the introduction of the White Paper in June 1996, the government through the DTI has consistently failed to attach any importance to privacy or to recognize the importance of encryption to private communications over the Internet. The attitude of the DTI is especially remarkable in light of other governmental initiatives, such as the Human Rights Act 1998 and the newly strenthened Data Protection Act 1998. This blindness is also evident in its position in regard to investigative powers in response to the risk that criminals and terrorists will exploit strong encryption techniques to protect their activities from detection by law enforcement agencies. Therefore the government favors judicial warrants and legal interception of communications on a case by case basis. The policy paper, Secure Elwectronic Commerce Statement, asserts that "the new powers will apply to those holding such information (whether licensed or not) and to users of encryption products" (paragraph 14). This is justified by the fact that warrants are regularly used for the interception of communications within Britain (paragraph 13), although there is no claim that the interception of encrypted messages through the use of the Internet arose in any single case out of the 2600 interception warrants issued during 1996-97 by the Home Secretary. Another important issue to be noted is that the number of such warrants has risen considerably in the past few years (1073 warrants issued in 1996 compared with 473 in 1990). This suggests both that the current powers are more than adequate and perhaps also that they are not being properly or strictly regulated (Walker and Taylor, 1996).
A further point to note is that the government is not wholly committed to searches purely under the authority of a judge (contrary to earlier promises). In the Statement, a vague distinction is made between judicial involvement in "criminal investigations" and other "interceptions" that will be by order of the Secretary of State (paragraph 14). To some extent, it must be admitted that this follows the lax pattern of earlier legislation (such as the Interception of Communications Act 1985, the Security Service Act 1989, the Intelligence Services Act 1994 and the Police Act 1997 Part III), but the replication of this absence of proper oversight should hardly be welcome. In any event, the access to a key in order to decode a message already sent should be treated as a different exercise to the original interception of a message as it is being transmitted.
The interception of messages is an important technique of modern law enforcement, but it should be remembered that terrorists and organized criminals are detected through a variety of techniques involving mainly informers and surveillance. It should also be remembered that encryption is a means to an end and that at some stage a decrypted message is quite likely to be produced and recorded. In addition, those who choose to exercise their "right to silence" by not disclosing information to unlock encrypted files will risk adverse inferences being drawn from their silence under sections 34 and 35 of the Criminal Justice and Public Order Act 1994. An even more draconian power to order an explanation of seized materials (such as a computer disk) exists in relation to terrorism investigations under Schedule 7, paragraph 6 of the Prevention of Terrorism (Temporary Provisions) Act 1989.
By contrast, the policy stances of the aspirant and emergent states look very different (Global Internet Liberty Campaign, 1998b), as represented by European Union and OECD policy statements as described above. There was even a dramatic turn away from encryption controls by the French government, when Prime Minister Lionel Jospin announced on January 19 that France was dropping its long-held restrictions on the use of cryptography (Jospin, 1999). The stances elsewhere often relate more to slower progress down the information superhighway than conscious and considered decisions about the appropriate role of encryption. Howevere, in order to explain the remaining differences between those information societies like the United States and United Kingdom that are favorably disposed towards regulation of encryption and those like the European Union (and France) that are less so inclined, we offer the following explanations.
In the first place, we would suggest that the U.K./U.S. official position is reflective of underlying geopolicies and tensions. Set in the context of the richest and most militarily powerful country in the world, the U.S. concerns about encryption seem strikingly implausible. There is no convincing evidence that the use of encryption has created significant new problems for law enforcement. The same is true in the United Kingdom, as the following sample case studies attest:
Our conclusion is that the perfect criminal could use encryption technology to make detection very difficult, just as the perfect criminal could use a fast car to make a speedy getaway or wear white overalls to avoid the deposit of DNA materials. In reality, criminals are rarely perfectly conscientious or error-free, and we value fast cars, white overalls -- and encryption -- for purposes other than their possible criminal applications.
Despite the absence of convincing security concerns, the U.S. government has continued to pursue what it perceives as national security interests. The most overt illustration of this policy was the attempted control of exports of encryption codes, especially as applied against Phil Zimmerman, though these attempts have now effectively foundered after the investigation of his alleged contravention of the U.S. International Traffic in Arms Regulations (22 C.F.R. ss 120-130) was dropped in 1996. National security must always remain of prime concern to the United States and to other world players like the United Kingdom, but there are other explanations for the official support for cryptography in those jurisdictions to which we now turn.
So, a second explanation is that the different approaches also reflect distinct cultural stances in regard to the value of privacy. The United Kingdom especially has had a tradition of being a privacy-free legal zone. The United States does recognize privacy at federal and state levels, but even so, the protection is at best patchy and is heavily tempered by the dominant value of First Amendment free speech. Only where encryption is uised in pursuance of political speech is there likely to be positive constitutional protection (McIntyre v. Ohio Elections Commission, 1995). In contrast, the more regulated and corporatist polities of Western Europe have long developed respect for privacy, and their lead in data protection laws are a prime indicator of the difference from the Anglo and especially the American position. Yet, these differences may now be diminishing as a result of harmonization of laws within Europe. With the Maastricht Treaty (1992) and the establishment of a Third Pillar including home affairs and justice, the European Union has been drawn into not only policing matters in the shape of EUROPOL but also is considering controversial plans for wide-ranging electronic surveillance (ENFOPOL, 1998), which seem at odds with its underlying respect for privacy.
Our third explanation is that the Anglo-American dalliance with encryption is also motivated by forms of moral entrepreneurship on the part of some of the policing and security organizations within those jurisdictions. As some forms of policing business diminish, whether through the end of the Cold War or through the endless incarceration of an ever-increasing proportion of the population, other forms of business will be sought. Set against recent falling crime rates, the invocation of the threat of boundless pornography, fraud, and vile racism has proven a useful well for the enterprising police or security officer to found a new empire and to secure funding for it. The threat may turn out to be exaggerated (Wall, 1998), but part of the exaggeration relates to encryption. In this way, the Internet provides a paradigm of a late modern (Giddens, 1990) subsociety, in which the traditional structures of class or other sociopolitical commonality are replaced by new élites whose privilege is measured in terms of knowledge and technological access (Castells, 1996; O'Malley & Palmer, 1996). In this case, the self-selecting élite are the cyber-cops who seek to claim better insights into the threats of the Internet than are understood by its users themselves.
This paper has tried to show that national government access to encryption keys would undermine and hold back both the development of e-commerce and the political use of the Internet in pursuit of free expression rights. Any "key escrow" mechanism could result in loss of confidence among potential user groups and individuals. We shall also suggest, in the light of some case studies of Internet "misuse" that have been processed by the police in the United Kingdom, that there is no compelling state interest in such an invasion of privacy, as the perpetrators have been detected and evidence gathered without any new powers to survey or search. Criminals cannot be entirely prevented from having access to strong encryption and from bypassing escrowed encryption. Benefits of regulation for crime fighting are therefore not easy to assess and often expressed in a fairly general language. However, the chilling effect on Internet use, especially for legitimate political purposes in opposition to states, is easier to discern.
Fortunately, the underlying conditions of Internet governance are set firmly against national regulation (Walker and Akdeniz, 1998), as this is a medium that demands a global solution and agreement so as to have an effective regulatory framework. The steps taken by the European Union and the OECD seem to be in the right direction. Even though both fora are limited in membership, they remain influential and their initiatives will be taken into account and possibly followed by other governments. Now that the benefits of encryption have been widely recognized for the development of e-commerce and supported by regulators and the industry, it is time to recognize other beneficial and legitimate uses of such technology. So the debate about privacy versus law enforcement will continue and the authors foresee that there will be differences within the policies of individual nation-states in relation to the policing issues that are firmly connected to the cultural, political, and historical backgrounds of individual nation-states. However, we believe that access to the "private encryption keys" is not the solution for preventing cyber-crimes.
Mr. Yaman Akdeniz is also at the Centre for Criminal Justice Studies and he is also the founder of Cyber-Rights & Cyber-Liberties (UK), a nonprofit civil liberties organization. He can be contacted at email@example.com. Both authors research and write about the governance of the Internet and legal issues surrounding the global Internet.
Professor Clive Walker is the director of Centre for Criminal Justice Studies, University of Leeds, and can be contacted at firstname.lastname@example.org.
ACLU (1998), Special Report, Big Brother in the Wires: Wiretapping in the Digital Age, March, at http://www.aclu.org/issues/cyber/wiretap_brother.html
Akdeniz, Y. (1997a), "UK Government Encryption Policy," Web Journal of Current Legal Issues 1 (February)., at http://www.ncl.ac.uk/~nlawwww/1997/issue1/akdeniz1.html.
Akdeniz, Y. et al. (1997b), "Cryptography and Liberty: Can the Trusted Third Parties be Trusted? A Critique of the Recent UK Proposals," (2) Journal of Information, Law and Technology, at http://elj.warwick.ac.uk/jilt/cryptog/97_2akdz/
Akdeniz, Y. (1998a), "No Chance for Key Recovery: Encryption and International Principles of Human and Political Rights," Web Journal of Current Legal Issues 1, at http://webjcli.ncl.ac.uk/1998/issue1/akdeniz1.html
Akdeniz, Y. (1998b), "Global Internet Liberty Campaign Member Statement: New UK Encryption Policy Criticised," February, at http://www.cyber-rights.org/crypto/gilc-dti-statement-298.html
Akdeniz, Y., and Walker, C. (1998), "UK Government Policy on Encryption: Trust is the Key?" Journal of Civil Liberties 3(2), 110-116.
Bangemann Report (1994), Europe and the Global Information Society; (July ), at http://www.earn.net/EC/bangemann.html
BBC News (1998), "Reign of e-commerce declared," November 24, at http://news.bbc.co.uk/hi/english/special%5Freport/1998/11/98/queen%5Fspeech/newsid%5F218000/218380.stm
Bok, S. (1982), Secrets: on the ethics of concealment and revelation (Oxford: Oxford University Press).
Bowden, C., & Akdeniz, Y. (1999), "Cryptography and Democracy: Dilemmas of Freedom," in Liberty eds., Liberating Cyberspace: Civil Liberties, Human Rights, and the Internet, (London: Pluto Press), pp.81-125. An online version is at http://www.cyber-rights.org/reports/yacb.pdf
Campbell, D. (1998), "Coded Message," The Guardian (Online Section), April 30.
Castells, M. (1996), The Rise of Network Society (Blackwell, Oxford).
Council of Europe (1980), Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108, Strasbourg).
Davies, D. (1998), "Criminal Law and the Internet," Criminal Law Review (Special edition, Sweet & Maxwell, London), pp.48-60.
Department of Trade and Industry (DTI) (1998a), Secure Electronic Commerce Statement (DTI, London), at http://www.dti.gov.uk/CII/ana27p.html
Department of Trade and Industry (1998b), Our competitive future: building the knowlege driven economy (Cm. 4176, Stationery Office, London), at http://www.dti.gov.uk/comp/competitive/
Department of Trade and Industry (1998c), Net Benefit: The Electronic Commerce Agenda for the UK, DTI/Pub 3619, October, at http://www.dti.gov.uk/CII/netbenefit.html
Diffie, W., & Landau, S. (1998), Privacy on the Line: The Politics of Wiretapping and Encryption (London: MIT Press).
ENFOPOL (1998), http://www.telepolis.de/tp/deutsch/special/enfo/6329/1.html
European Commission Communication (1997), "Towards A European Framework for Digital Signatures and Encryption," Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions ensuring Security and Trust in Electronic Communication, COM (97) 503, October, at http://www.ispo.cec.be/eif/policy/97503toc.html
European Commission (1998), Proposal for a European Parliament and Council Directive on a common framework for electronic signatures: European Commission Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions COM, 297 final, Official Journal C 325, 23/10/98, at http://www.ispo.cec.be/ecommerce/docs/DigitalSignatures.pdf
European Communities (1995), Directive on Data Protection (95/46/EC, OJ L281, 23 Nov, p.31), at http://www2.echo.lu/legal/en/dataprot/dataprot.html
European Convention on Human Rights and Fundamental Freedoms (1950), Council of Europe, 87 UNTS 103, ETS 5 (Strasbourg), at http://www.coe.fr/eng/legaltxt/5e.htm
Freeh, L.(1997), "The Impact of Encryption on Public Safety," Director of Federal Bureau of Investigation before the Permanent Select Committee on Intelligence, United States House of Representatives, Washington, D.C. September 9, at http://www.fbi.gov/congress/encrypt4/encrypt4.htm
Freeh, L. (1998), "Threats to U.S. National Security Statement," Director of Federal Bureau of Investigation before the Senate Select Committee on Intelligence, Washington, D.C., January 28, at http://www.fbi.gov/congress/threats/threats.htm
Giddens, A. (1990), The Consequences Of Modernity (Cambridge: Polity Press).
Global Internet Liberty Campaign (1998a), Privacy and Human Rights: An International Survey of Privacy Laws and Practice (Washington, D.C.), at http://www.gilc.org/privacy/survey/
Global Internet Liberty Campaign (1998b), Cryptography and Liberty: An International Survey of Encryption Policy (Washington, D.C.), at http://www.gilc.org/crypto/crypto-survey.html
Government Response to the National Heritage Select Committee (1995), Privacy and Media Intrusion (Cm.2918, HMSO, London).
Harris, D.J., O'Boyle, M., and Warbrick, C. (1995), Law of the European Convention on Human Rights (London: Butterworths).
Home Office (1997), Data Protection: The Government Proposals (Cm.3725, Stationery Office, London).
House of Lords Select Comittee on Science and Technology (1995), Information Society (1995-96 HL 77, HMSO, London).
Jospin, L. (1999), at http://www.premier-ministre.gouv.fr/GB/INFO/FICHE1GB.HTM
Kosten, F., and Pounder, C. (1996), "The EC Data Protection Directive," 2 Web JCLI, available through http://www.ncl.ac.uk:80/~nlawwww/
JUSTICE (1998), Surveillance (London: JUSTICE).
Lindop Report (1978), Report of the Committee on Data Protection (Cmnd. 7341,HMSO, London).
Lloyd, I. (1996), "An outline of the European Data Protection Directive," 1 Journal of Information Law and Technology, available through http://jilt.law.strath.ac.uk/elj/jilt/
McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995).
Maastricht Treaty (1992), (Cm.1934, HMSO, London).
National Criminal Intelligence Service Press Release (1999), "NCIS calls upon Government to ensure law enforcement powers do not fall behind technology in fight against 'crypto criminals'," No: 02/99, January 26, at http://www.ncis.co.uk/web/Press%20Releases/encryption.htm
Network Week (1998), "From internal briefings to remote links, Amnesty International needs secure systems," December 9.
O'Malley, P., and Palmer, D. (1996), "Post-Keynsian policing," Economy and Society 25(2), 137.
OECD (1997), Cryptography Policy Guidelines: Recommendation of the Council Concerning Guidelines for Cryptography Policy, 27 March, at http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm
Poster, M., (ed.) (1988), Jean Baudrillard (Cambridge: Polity).
Roe v. Wade 410 US 113 (1973), further discussed at http://www.cnn.com/specials/1998/roe.wade/. Full text of the decision is at http://www.cnn.com/SPECIALS/1998/roe.wade/decision/
Schneier, B., & Banisar, D. (1997), The Electronic Privacy Papers: Documents on the Battle for Privacy in the Age of Surveillance (New York: John Wiley & Sons).
Walker, C., and Akdeniz, Y. (1998), "The governance of the Internet in Europe with special reference to illegal and harmful content" Criminal Law Review (Special edition, London: Sweet & Maxwell), pp.5-18.
Walker, C.P., and Taylor, N. (1996), "Bugs in the System", Journal of Civil Liberties (vol.1), pp.105-124.
Wall, D. (1998), "Policing and the regulation of the Internet" Criminal Law Review (Special edition, London: Sweet & Maxwell), pp.79-91.
Younger Report (1972), Report of the Committee on Privacy (Cmnd. 5012, HMSO, London).