Time to get moving on encryption

Some misguided decisions taken by the British government last week regarding the hot issue of encryption the encoding of data…

Some misguided decisions taken by the British government last week regarding the hot issue of encryption the encoding of data sent over the Internet so that a third party cannot read it has given Ireland the opportunity to aggressively accelerate its growing position as a major player in the new digitally-driven world.

In a move contrary to its original preelection promises, Tony Blair's government has decided to introduce two laws which would set controls on the use of encryption. The ability to encrypt data is seen as a cornerstone of e-commerce for customers and merchants as well as between business trading partners.

In the first instance, consumers want to be able safely to send credit card details, "electronic signatures" (which would act as the online equivalent of a written signature), and have correspondence remain private. From a business point of view, online trading partners want to conduct transactions and send correspondence which cannot be hacked into by a third party. Then, there are individuals who want to use encryption for their private correspondence.

US and many European law enforcement and government authorities have insisted that they should have access to a "key" which would enable them to decode encrypted information in the interests of national and international security.

READ MORE

One proposal recommends that every manufacturer of encryption products should hand over such a key to government agencies. As things stand at the moment, the US government will not even allow American software companies to export any product which uses so-called "strong encryption" the most secure and complex form of computerised encoding outside the US.

While this has provided opportunities for non-US encryption companies to market strong-encrypted products outside and even, ironically, back into the US, it introduces international complications which continue to throw up barriers on the road to true ecommerce.

Last week's decisions by the British government were not as restrictive as the Tory proposals that were on the table before the May elections (they wanted a central data bank where all keys would be held, so that law enforcement could gain access to communications). What New Labour has proposed is a system whereby law officials will have to obtain a warrant to compel a manufacturer to turn over keys so that they can decode communications.

The problem is that warrants need only be "judicial warrants", which may be easily obtained from local justices. This makes Internet users rightly nervous. And while the British government is also saying that encryption companies aren't compelled to hand over keys, one part of the proposed laws implies that "licensed" encryption service providers must make keys available.

While giving access to encrypted communications might seem like a good idea and law enforcement argues that it's necessary in order to control terrorism, drug smuggling, money laundering, child pornography, and so forth it's important to see such control in context.

As this column has stated before, handing over keys to encrypted messages is like giving the Garda (and international law enforcement) a copy of your business and house keys, "just in case". It's like agreeing that, if law enforcement grows suspicious of your business dealings, you give them advanced permission to tap your phones and open all mail.

While search warrants of some type may offer a working compromise to the stand-off between privacy advocates and law agencies, the British model seems useless. Privacy protections are just too weak. products already exist which can circumvent the laws as they would stand.

But back to Ireland. The Government is considering these issues at the moment, as is the European Commission. The EU has formally stated it will impose no restrictions on the use of strong encryption, but unless those intentions are formalised into a Directive, they are toothless guidelines for member-states.

In the past, the Government has usually chosen to follow Britain's lead legally. But there are, according to Trinity lecturer and Internet law expert Eoin O'Dell, indications that the Government is taking stock of Ireland's strength in the software industry (the second-largest exporter of software after the US). "The Irish Government is listening to industry and accepting the idea that we're a software hub," he believes.

Ireland would be "shooting itself in the foot" if it allowed the regulation that both the computer industry and the commercial world strongly oppose. On the other hand, and especially in light of Minister Mary O'Rourke's current closed-door soundings on whether Ireland could establish itself as an international e-commerce centre, "it would be a competitive advantage for the Irish economy if the Irish Government were to create a space for strong encryption", says Mr O'Dell.

The digital world is a complicated place and what isn't understood is often feared. As Mr O'Dell notes, it leads to the misguided mindset that "technology is dangerous, therefore we have to regulate it". Certainly, some structures for the conduct of business need to be there, just as they are in the day-to-day business world. But blindly to restrict Ireland's buoyant digital economy would be a mistake. To enable it could allow Ireland to further solidify its techenabled strong economy and strenuously outpace its European competitors.

Karlin Lillington is at klillington@irish- times.ie

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology