Edgar Allan Poe may have thought that "human ingenuity cannot concoct a cipher which human ingenuity cannot resolve" but recently the wide availability of significant computing power has shifted the balance in the struggle for secrecy from governments in favour of individuals.
At the same time, e-commerce demands products that allow secure Internet transactions and is turning to cryptography to provide them.
National security and law enforcement interests motivate governments to try to control individual use of encryption, sometimes by direct restrictions on the technology itself and more often by controlling its export. While national rules are increasingly being harmonised (in particular to implement the Wassenaar Arrangement), differences remain.
Use Of Encryption In The UK
There are no specific rules on the use of encryption within the UK (although encrypted material may be unlawful as a result of its content, for example if it is obscene or defamatory). Individuals and companies are free to use the encryption products they want.
While encryption itself is not controlled, the Regulation of Investigatory Powers Act 2000 ("RIPA") has implications for its use. RIPA is not yet fully in force but will allow the authorities to serve a disclosure notice requiring anyone holding keys to encrypted information obtained lawfully by the authority (eg under a warrant) to either decrypt the text, give the plaintext or in "special circumstances" disclose the keys that they have. Where a person does not have the message or all required keys they must disclose any keys that they do have.
Failure to comply or "tipping off" a third party about the existence of the notice will be an offence. All encryption keys are covered unless used only to create electronic signatures.
As a result, anyone who generates an encryption key needs to be able to disclose it if served with a notice (or, if there are more than one key, give sufficient keys to decrypt the text). If this is not possible (for example, if a key is lost) the person must show that the key is no longer in their possession.
RIPA assumes that anyone proved to have a key is taken to continue to have it unless "sufficient evidence" shows that this is not the case and this evidence is not disproved beyond reasonable doubt. Individuals will need careful key management to avoid the need to show that a key has been forgotten or cannot be located. Other systems (eg an ISPs' facilities) could be set up so that no keys are retained in the first place.
Export From The UK
There are no rules governing the sale of encryption products in the UK. However, the export of encryption products is regulated. These rules apply at both the EU and UK level but to encryption technology rather than encrypted data.
Encryption technology is regulated as a "dual use item" - intended for civilian use but which can also be used for military or security purposes. Special controls also apply where an item is intended for use in areas such as chemical, biological or nuclear weapons.
The EU Regulations1 apply to exports from the EU and cover the control dual use items listed in Annex I2 , other dual use items relating to chemical, biological or nuclear weapons or exports to embargoed countries3 . A licence is needed to export any of the Annex I4 items. This Annex covers information security software meeting a set technical definition or any other software connected with items that are themselves controlled elsewhere in the Annex (eg nuclear facilities) provided that this software is not generally available to the public. The Regulations specifically apply to export by electronic transmission and would cover any download of software from an EU website.
Information security software is any software using described forms of cryptography (most importantly software using a symmetric key with over 56 bits or listed asymmetric keys (eg RSA)). It does not cover software solely used for authentication or digital signatures.
User-installed software that is generally available to the public (eg over the counter software) where the cryptography cannot be readily changed by the user is not controlled unless it uses a symmetric algorithm over 64 bits (excluding parity bits). There are other specific exceptions, most importantly for personalised smart cards, some copy protection and banking payment software as well as certain civilian telephone technology.
A general exemption5 is given for all exports to listed countries6 other than the particularly sensitive technologies listed in Annex IV (eg cryptanalytic software or stealth and rocket technology). Other restricted exports need licences from the relevant Member State.
The UK regulations7 set out the licensing regime for EU exports from the UK and the specific UK rules that apply. Exports of regulated dual use products are allowed to other EU countries unless covered by Annex IV (where a licence is needed) or where the exporter knows that they will be re-exported outside the EU without any processing or working. For other exports, a licence is needed. Failure to comply with the regulations is an offence.
Licences can be general or individual and may have conditions. Open General Export Licences ("OGELs") have been granted and apply through the EU, for example for consumer cryptographic items8 (which covers software sold from stock on a retail basis where the user cannot change the cryptographic functionality and can install the software without substantial support) and certain cryptography development software9 (provided that it cannot perform cryptanalytic functions) which each allow exports to most countries other than identified states as listed in each OGEL (e.g. Afghanistan, Iraq, Libya, North Korea or China or countries covered by the general EU exemption).
Where exports are made under the EU general exemption or a UK licence the exporter must keep full records for at least three years. These can be inspected. A UK exporter under any licence must also register with the Department of Trade and Industry within 30 days of an export unless the licence says otherwise.
Conclusion
The UK allows use of encryption software and the sale of cryptographic products but anyone using encryption in the UK should be aware of their potential liability under RIPA if served with a disclosure notice.
For any export from the UK (including software downloads), the UK licence regime imposes detailed requirements but grants several general licences.
Footnotes
1
Council Regulation No 1334/2000, 22 June 20002
Summarised in the UK Control Listhttp://www.dti.gov.uk/export.control/legislation/controlist.htm
3
Applying EU, OSCE or UN embargos4
http://www.dti.gov.uk/export.control/legislation/ecreg.htm5
Community General Export Authorisation EU001, this applies to all dual use items except those listed in Annex II or IV of the EU regulation6
Australia, Canada, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, Switzerland and the US7
The Dual-Use Items (Export Control) Regulations 20008
8 December 2000, http://www.dti.gov.uk/export.control/pdfs/ogels/ccg.pdf9
28 September 2000. http://www.dti.gov.uk/export.control/pdfs/ogels/cdev.pdfThe content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
