Eyes only

EXE Magazine, April 1998

By the time you read this, the government should have announced its plans regarding encryption. An announcement was rumoured for the end of February, but it was cancelled due to ‘completely wrong announcements on the Internet’ (according to a DTI official). This is surprising: if there are rumours or confusion, then surely an early clarification should be the rule? What has been leaked is that the Government would ban strong encryption and create a network of Trusted Third Parties (TTPs). These are organisations licensed to provide encryption to all and sundry – with a small catch. These TTPs will keep a key for all the software and services they sell, and the software will be engineered in such a way that the keys cannot be modified.

As more and more communication is becoming electronic, any restriction on encryption is a threat to our personal privacy. With a ban on strong encryption, all electronic communication between law-abiding citizens will be trivial to tap by any security agency, the police, and... criminals. Of course, criminals are by definition not respectful of the law and will be the only individuals able to continue to use strong encryption.

By this point you might wonder why I'm writing this column. After all, I haven't mentioned anything really related to software development. There are two reasons why you – EXE reader – should be particularly concerned by this issue. First, it concerns every UK resident and, second, encryption technology is extremely complex. Software developers are among the few who could have the background to grasp all the consequences of such a ban.

For instance, how can such a ban be enforced? Look at all the Easter egg credits hidden in many large pieces of software. Most of them managed to pass all the checks done by the QA department. And if you consider that this is more a reflection on the professionalism of QA teams, there are simple-to-use steganography programs available on the net which let you hide information in graphic files. So anyone holding electronic data could be believed to have some strong crypto hidden and hence become a suspect.

If you want to ensure the authenticity of your software, you need to provide a digital certificate for it. If these certificates are based on weak crypto, sooner or later they will be cracked and someone else will be able to pass off some software as being issued by you. The same applies to digital signatures, with potentially even worse effects. When digital signatures become legally binding (it has already happened in some countries), anyone who can bypass the crypto will be able to impersonate you and possibly ruin your life.

I just hope it is not too late to react. Get a copy of PGP while you still can. Voice your opinion. If you have any suggestions for an effective opposition, please send them to EXE and we will relay your ideas. My PGP key is available at http://www.exe.co.uk/panda/#PGP.

David Mery

(C)1998, Centaur Communications Ltd. Reproduced with the kind permission of EXE Magazine.