The Foundation for Information Policy Research
(
FIPR
), an independent body that studies the
interaction between
IT
and society, said the expiry of
the rights marks the end of the "crypto wars." The
FIPR
says these wars began in the 1970s when the
US
government started treating cryptographic
algorithms and software as munitions and interfering with
university research in cryptography.
In the early 1990s, the Clinton administration tried to get
industry to adopt the US government's own encryption system – the
so-called Clipper chip – an encryption chip for which the
government had a back-door key. When this failed, they tried to
introduce key escrow – a policy that all encryption systems
providers should leave a spare key with a 'trusted third party'.
The third party would have to hand the key over to the
FBI
on demand. They tried to crack down on encryption
products that did not contain key escrow.
When software developer Phil Zimmermann developed
PGP
, the free mass-market encryption product for
e-mails and files, the US Government even began a prosecution
against him. The
FIPR
says the crypto wars were
eventually won in the US when Al Gore, the most outspoken advocate
of key escrow lost the presidential election of 2000.
Despite a number of proposals to introduce a compulsory key
escrow system in the UK, the Government finally conceded in 1999
that controls would be counterproductive. But the intelligence
agencies remained nervous about his decision, and in the Electronic
Communications Act passed in May 2000 the Home Office left in a
vestigial power to create a registration regime for encryption
services. That power was subject to a five year "sunset clause",
whose clock finally ran out today, 25th May 2005.
Ross Anderson, chair of the
FIPR
and a key
campaigner against government control of encryption, commented: "We
told government at the time that there was no real conflict between
privacy and security. On the encryption issue, time has proved us
right. The same applies to many other issues too – so long as
lawmakers take the trouble to understand a technology before they
regulate it."
Phil Zimmermann, an
FIPR
Advisory Council member
and the man whose role in developing
PGP
was crucial
to winning the crypto wars in the US, commented, "It's nice to see
the last remnant of the crypto wars in Great Britain finally laid
to rest, and I feel good about our win. Now we must focus on the
other erosions of privacy in the post-9/11 world."
Gavin McGinty, an IT lawyer with Pinsent Masons, the law firm
behind OUT-LAW.COM, also welcomed today's expiry of the provisions
for regulating the industry. But he warns that this does not mean
that there are no controls on the use of encryption software.
"There are still licensing requirements for the transfer of
encryption software, which could include encrypted material, to
other countries," he said.
While the UK's Export Control Act sets out the procedures for
transfer out of the UK, McGinty says it is important to also
consider the import restrictions in the country into which the
software or material is being transferred.
He also points to the powers potentially available to the
security services, the Police, the Courts and others under the
Regulation of Investigatory Powers Act, better known as RIPA.
"Part 3 of RIPA grants a
power which allows certain authorities to force the disclosure of
information that is stored in an encrypted form," said McGinty,
"and in certain circumstances it can force the disclosure of the
encryption key itself."
He added: "Although the relevant sections of RIPA have not been
brought into force, the existence of these powers will have given
the Government confidence to decide against enforcing the
regulatory measures in Part 1 of the Electronic Communications
Act."
