The cryptography enigma
Introduction
Cryptography is all about information security, a services
market which was last year valued at $6.7 billion by industry
analysts IDC. By 2005, IDC forecasts that this figure will rise to
$21 billion as businesses attach increasing importance to
information security services.
The criminal element
The security offered by cryptography can be vital for businesses
that demand confidentiality in their information access or
exchange. The Data Protection Act requires all businesses holding
data about individuals to take "appropriate technical and
organisational measures" against unauthorised access to and use of
that data. The Act doesn't specifically say that cryptography
should be used to protect the data, but depending on the nature of
the data and how it is held, industry practice may expect a certain
level of security to comply with this.
However, cryptography also makes governments nervous because the
technology can be used by terrorists to communicate without
detection. Accordingly, governments put restrictions on the use of
and trade in encryption products and, following the recent attacks
in the US, tighter restrictions have been proposed.
What is the relevant law?
The EU passed a Directive on Electronic Signatures (a term which
is broader than just digital signatures) which should have been
fully implemented in Member States by 19th July. In fact, Member
States are taking different approaches to the Directive. The UK
has implemented a part of the Directive which
provides that electronic signatures will be legally effective and
admissible as evidence in courts. It has also implemented a
requirement that digital signatures will have the same effect as
manual signatures (although there are exceptions). The Directive
also sets out the requirements for electronic signature
certificates and certification services so as to ensure minimum
levels of security for so-called advanced signatures and allow
their free movement throughout the Internal Market.
In the UK, encryption is addressed by the
Regulation of Investigatory Powers Act, a controversial law passed
last year which allows for the issue of a warrant to intercept the
communications of an individual or company. If, in doing so, a law
enforcement agency intercepts an email that is unreadable because
it is protected by encryption, the agency has the right to demand
an intelligible copy of the email (or any encrypted file) and, if
it thinks it necessary, a copy of the key itself. Failure to comply
with such a demand is an offence which can lead to imprisonment.
The presumption is that if you can be shown to have had the key in
your possession then you will be deemed to still have the key or
access to it. It may be very difficult to prove otherwise.
Critics point out that this is a dangerous law for innocent
people who may have simply lost their key. Further, a real
terrorist from whom a key is demanded could, in theory, claim to
have lost his key to face prosecution for a lesser crime than that
which he was plotting.
There have also been concerns that the UK
Government is considering a proposal that would require every owner
of a key to give a copy of that key to a trusted third party –
known as "key escrow". The rationale behind this is that it gives
law enforcement easy access to intercepted encrypted messages.
Against this argument is a consequent compromise of security when
the encryption is being used legitimately. Also, criminals are
unlikely to comply – they will simply use non-compliant encryption
products. The key escrow proposal was first made in the UK
a few years ago but was withdrawn in response to
industry criticism.
The recent terrorist attacks in the US have renewed the interest
of lawmakers in both the US and UK in clamping down on
cryptography, not just with key escrow proposals but also with an
outright ban on strong encryption products. The risk to business in
banning strong encryption would be enormous, and critics observe
that criminals would still find the products they need
elsewhere.
What should you do?
Consider the information your business holds or exchanges
electronically. Next consider the risk to your business if that
information were to be accessed by unauthorised individuals. This
could be direct – e.g. the loss of your trade secrets – or
indirect, e.g. the threat of legal action if you compromise a
client's confidential information.
If the risk is at all significant, you could consider
cryptography in some form. Inexpensive and easy to use digital
signature services which can encrypt your email communications are
widely available. However, you must balance this against the
practicality: encrypting your email also puts requirements on the
recipient to have compatible software and understanding.
What is cryptography?
Cryptography has many forms, the best known being encryption,
which is the use of an algorithm to encode or "encrypt" data so
that only the intended recipient, using a special key, can decrypt
and understand the data. A message encrypted with state-of-the-art
software is virtually impossible to decode without the key.
However, cryptography is not just about keeping information secret;
it's also used for authentication, so that, for instance, a
company's extranet has stronger protection than just the usual
username and password, or so that individuals in that company can
sign their emails with digital signatures.
What is a digital signature?
It's an electronic signature that authenticates the identity of
the sender of a message. It can be used also to ensure that the
content of a sent message is unchanged. If a digital signature is
used, it is still possible for the recipient to see the message in
plain text.
What is a digital certificate?
It is an electronic document issued by a certification authority
(CA) and usually contains your name, a serial number, an expiration
date and a copy of your public key (which anyone can use to encrypt
messages to send to you – you then open the messages with your
private key) and the digital signature of the CA. Use of a CA when
doing business on-line allows anyone to check that you are who you
say you are.
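The two ideas just described, a digital signature that authenticates the sender and detects changes to a message that stays readable, and a certificate in which a CA signs the holder's name, serial number, expiry date and public key, can be shown end to end in a short script. This is an added illustration, not code from the article or from any of the vendors it names: it uses textbook RSA with deliberately tiny primes and reduces the SHA-256 digest into the key's range, so it is a teaching aid only, and the CA, "Alice Example" and the message are constructed.

```python
# Toy textbook RSA for illustration (tiny primes; hash reduced mod n): not production crypto.
import hashlib
import json
E = 65537  # conventional public exponent

def next_prime(start):
    """First prime >= start by trial division (fine for the small values used here)."""
    n = max(start, 2)
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def make_keypair(p, q):
    """Textbook RSA: returns public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    """SHA-256 of the data, reduced into the key's range (toy simplification)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def encode(body):
    return json.dumps(body, sort_keys=True).encode()  # canonical bytes to sign

def issue_certificate(ca_priv, name, serial, expires, subject_pub):
    """CA signs the fields the article lists: name, serial, expiry, subject's public key."""
    body = {"name": name, "serial": serial, "expires": expires, "public_key": list(subject_pub)}
    return {"body": body, "ca_signature": sign(encode(body), ca_priv)}

def check_signed_message(message, sig, cert, ca_pub):
    """Relying party: check the CA's signature on the cert, then the sender's on the message."""
    if not verify(encode(cert["body"]), cert["ca_signature"], ca_pub):
        return False
    return verify(message, sig, tuple(cert["body"]["public_key"]))

def demo():
    """Constructed scenario: a CA certifies Alice; Bob checks a signed, still-readable message."""
    ca_pub, ca_priv = make_keypair(next_prime(10_000), next_prime(10_010))
    alice_pub, alice_priv = make_keypair(next_prime(100_000), next_prime(100_010))
    cert = issue_certificate(ca_priv, "Alice Example", 1, "2002-12-31", alice_pub)
    msg, sig = b"Pay 100 GBP to Bob", sign(b"Pay 100 GBP to Bob", alice_priv)  # plain text + signature
    return check_signed_message(msg, sig, cert, ca_pub), check_signed_message(b"Pay 900 GBP to Bob", sig, cert, ca_pub)
```

demo() returns (True, False): the genuine message verifies through the CA's certificate, while a message altered in transit fails even though it is still perfectly readable.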
What is Public Key Infrastructure (PKI)?
A PKI can be used by a company to securely and privately
exchange data and money. It involves a digital certificate being
issued that can identify an individual or company – but also offers
directory services that can store, allocate and revoke certificates
as and when necessary. There are several vendors of business PKI
solutions – see e.g. RSA.com, Baltimore.com or VeriSign.com.