
Encryption and digital signatures

Overview

Cryptography has caused some controversy in the UK. It is basically the use of an algorithm to encode or 'encrypt' data so that only the intended recipient, armed with a special key, can decrypt and understand the data. It was not invented in the computer age – in fact, it was used by the ancient Greeks. But computers have made cryptography an advanced science. A message encrypted with today's state-of-the-art software is virtually impossible to decode without the key. And this can make governments nervous. Nervous about, for example, terrorists or criminals exchanging information without detection. So governments put restrictions on the use of and trade in encryption products.

Export controls and encryption

The UK has many export controls which are necessary to fulfil its international obligations, such as those imposed by the United Nations and the European Union.

Such controls are targeted at goods which are for military use (or capable of dual use). Cryptographic software and know-how are restricted because they are capable of dual use. That said, there are a number of exemptions which result in most consumer cryptography software being capable of export to all but a handful of countries without restriction (although the export may still require notification). Incidentally, an exporter does not escape the rules by exporting over the internet: it's still export.

The rules are complex and expert advice should be sought, for example, to learn what information to provide on export documentation.

Export control is primarily the province of the Export Control Organisation (which is part of the Department of Trade & Industry), but certain areas fall within the remit of the Foreign & Commonwealth Office.

Encryption within the UK

The Regulation of Investigatory Powers Act came into force in October 2000. The Act creates a new offence of intercepting communications and regulates the monitoring and interception of communications (including email) by authorities such as the police, intelligence services and customs and excise. The Act regulates such authorities' access to the codes that encrypt data sent over the internet.

Under the Act, the authorities can demand that the key is disclosed by a person if there are reasonable grounds for believing that a key is in the possession of the person and disclosure is necessary (e.g. to prevent a crime or for reasons of national security) and that the key cannot be obtained by other reasonable means. A key used solely for generating electronic signatures would not have to be disclosed. A person may, in response to a demand for a key, provide a plain text version of the protected data rather than the key itself, unless this is deemed insufficient.

Digital signatures

With all the fuss over the control of cryptography, it must not be forgotten that it serves a valuable security purpose for legitimate business dealings. The Electronic Communications Act (which was passed in June 2000 and came into force later that year) provides that electronic signatures and certificates of electronic signatures are to be admissible in court in evidence as to any question of authenticity of the message. However, the Act does not prescribe any particular form of electronic signature.

In December 2001, the Law Commission of England and Wales advised that a common-sense approach should be taken to electronic signatures. It considered four types of electronic signature: the commonest form is the digital signature, which employs cryptography to give a message a unique identity and protect (and verify) its contents; secondly, a scanned manuscript signature incorporated into an email or other document; thirdly, the signatory can type his name (or initials) into an email or other document; lastly, a website button can be clicked to confirm an order is accepted.

The Law Commission concluded that legal requirements for "writing" and a "signature" are generally capable of being satisfied by these forms of signature and that an overhaul of UK legislation is not necessary.

The Electronic Communications Act also contains a regime for the registration and regulation of cryptography service providers. However, having proposed a statutory regime, the government announced that it would much prefer industry to regulate itself, and has indicated that the regime in the Act will not be brought into effect if industry can produce and operate a satisfactory scheme.

Any questions? Please contact jon.fell@pinsentmasons.com / 020 7490 4000 or one of our other contacts.

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.