Key escrow in the UK

Gareth Bowker tgb at
Fri Jul 29 15:43:27 UTC 2005

On Fri, Jul 29, 2005 at 02:47:03PM +0200, Jeremiah Foster wrote:
> On Jul 29, 2005, at 2:40 PM, Gareth Bowker wrote:
> >What impetus would there be to move?
> They may feel compelled to use something to encrypt their conversations 
> perhaps.

But they can already encrypt their messages using existing tools, such
as GnuPG, which don't hand over your keys to the government. Why would
they (or indeed anyone else) switch from using a tool which makes
intercepting the communication/decrypting data on a hard disk a
computationally-expensive task, to a tool which makes the decryption
trivial for people who have access to the escrow key?

> >But again, why would they use it? There's *already* software which 
> >works
> >with no form of escrow. Why would anyone switch to using software which
> >allows anyone with the escrow key to decrypt their data, when there are
> >tools which work with no form of key escrow?
> >
> So your point is that since public key encryption software already 
> exists that belatedly forcing key escrow would have no effect, if I 
> understand you correctly?

It depends on what you mean by force, but essentially you're correct.
And if you're "forcing" people into using escrow through legislation, to
use your previous example, are terrorists really going to switch on fear
of breaking the law?

> I think there are technical details involved in recovering previously 
> created public keys which I know nothing about. But presumably the 
> police feel there is a way to recover these keys and place them in 
> escrow.

There are means of recovering private keys, such as examining the
memory/swap space etc., but in many cases there are far easier ways of
getting at passwords than using brute-force, such as finding post-it
notes with passwords scribbled on them, or tring the names of
pets/partners etc.

> What I am concerned about is how we as a Free Software community, 
> concerned with privacy, should create policy. Do we want to state that 
> the police are invading people's privacy too much to demand private key 
> escrow? Is it not technically feasible now that PKE is already "in the 
> wild"? Should the FSFE have a position on the police's request?

Do you have any references to the police's requests? I've not seen much
recently on this subject, other than references to the existing RIP
legislation which can mean jail if you can't hand over, when required,
your private key. Some recent examples of what the police are asking for
and/or any proposed legislation would be a good starting point.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <>

More information about the Discussion mailing list