21. Memorandum submitted by Professor Brian Collins
1. This is a submission in response to the Committee's Notice of 25 November 2005. It seeks to assist by providing some technical background to two issues: the need to decrypt computer files; and the length of time needed to obtain and analyse data from mobile phones. I am Professor and Head of Department of Information Systems at Cranfield University, based at the Defence College of Management and Technology (previously known as RMCS) at Shrivenham.
2. For the avoidance of doubt, this is a personal submission. I have added commentary on the submission of Dr Peter Sommer within my text and referenced his submission accordingly.
3. The first question on which commentary is made is that to do with the time taken to decrypt computer files. The time that will be taken to decrypt a file or set of files is unpredictable. If material concerned with the encrypted material (keys, plain text, implementation details showing poor implementation) is found, the decryption times will be of the order of a few minutes in most cases. Historically, as stated by Dr Sommer (paras 14 to 17), decryption processes have worked in most cases for these reasons and in reasonable times (hours at most). What is unclear is whether these times are increasing and whether the number of cases for which decryption proves impossible is also increasing. I support Dr Sommer in his suggestion that these facts are gleaned from relevant witnesses (para 17).
4. What is clear from the knowledge I have is that the use of encryption processes to protect information on hard disks is becoming more available and indeed is being encouraged for legitimate, law-abiding users in order to protect themselves from identity theft, spyware and phishing attacks (cf. http://www.getsafeonline.org/nqcontent.cfm?a_id=1104, published by the Central Sponsor for Information Assurance within the Cabinet Office).
5. Thus I do not agree with Dr Sommer's assertion made in paragraph 15 that the "use of encryption . . . on a hard disk without reason . . . are grounds for suspicion and applications for extended detention". If encryption of material on hard disks becomes the norm, as is suggested by the Cabinet Office, then it could be seen as necessary for us all to carry justification for doing so. This is tantamount to carrying justification for having on us the keys to our houses and cars, they being the means of protection of our physical assets, as encryption keys are the means to protect our information assets. This is unlikely.
6. Therefore detection of the presence of the use of encryption will no longer be an indicator of possible malfeasance by itself. Indeed, were it to be so, it is likely that a rapidly increasing number of legitimate users would be suspected of malfeasance. Furthermore, if the use of encryption for legitimate reasons grows as the Cabinet Office, in my view rightly, asserts is desirable, then law enforcement agencies, in the absence of any other indicators of suspicion, will need to decrypt that material to find evidence of possible malfeasance. This tension in Government policy between law enforcement and supporting secure business practices has existed for many years but is only now, due to technological advances, becoming significant. Looking first for other suspicious indicators to justify subsequent decryption may be a more profitable route under these circumstances.
7. The case that is made by Assistant Commissioner Andy Hayman for extended detention to allow a greater probability of decryption of computer files then seems to me to rest on two factors: one, that the decryption process is more likely to provide significantly more evidence in 90 days than 30; and two, the likelihood that encrypted material hides suspicious activity in the first place. It is my view that if decryption works at all it will work in hours, and if it does not work in that time then the unpredictability of decryption processes based on brute force techniques (cf. Peter Sommer para 16, last bullet, with which I agree) is at best a weak justification for an increase in detention time. Without the statistics for decryption times, resources available and numbers of concurrent cases it is not possible to work out the advantage of 90 days over 30 days. The Committee may choose to enquire whether such statistics are available.
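The following is an added illustration, not part of the memorandum or of any evidence cited in it, of why the 30-day versus 90-day comparison in paragraphs 3 and 7 cannot be settled without the statistics referred to. It models exhaustive key search under the simplest assumption: keys are tried at a constant rate and the key is equally likely to be any member of an "effective" key space (which, where a poor implementation or weak passphrase is involved, may be far smaller than the nominal key length). The rate of one thousand million trials per second and the key sizes are constructed assumptions, chosen only to show the shape of the result: the extension changes the outcome only inside a narrow band of key strengths, and for keys either side of that band the answer is the same in 30 days as in 90.

```python
"""Illustrative model of whether an exhaustive key search is likely to finish
inside a detention window. Added example; the rate and key sizes used are
constructed assumptions, not figures from the memorandum."""

SECONDS_PER_DAY = 86_400


def success_probability(effective_bits, rate_per_second, days):
    """Probability that a key drawn uniformly from a space of 2**effective_bits
    keys is found within `days` by a search testing `rate_per_second` keys.
    Assumes a constant rate and no other knowledge of the key, so the
    probability grows linearly with keys tried and is capped at 1."""
    keyspace = 2.0 ** effective_bits
    trials = rate_per_second * days * SECONDS_PER_DAY
    return min(1.0, trials / keyspace)


def days_to_exhaust(effective_bits, rate_per_second):
    """Days needed to try every key in the space at the given rate."""
    return 2.0 ** effective_bits / (rate_per_second * SECONDS_PER_DAY)


def marginal_gain(effective_bits, rate_per_second, short_days=30, long_days=90):
    """Extra probability of success bought by extending the window from
    `short_days` to `long_days` (the 30-day versus 90-day question)."""
    return (success_probability(effective_bits, rate_per_second, long_days)
            - success_probability(effective_bits, rate_per_second, short_days))


def gain_table(rate_per_second, bits_list=(32, 40, 48, 56, 64, 128)):
    """Marginal gain across a range of effective key sizes, to locate the
    band of key strengths where the extension actually changes the outcome."""
    return {bits: marginal_gain(bits, rate_per_second) for bits in bits_list}


if __name__ == "__main__":
    # Constructed assumption: one thousand million key trials per second.
    rate = 1e9
    for bits, gain in gain_table(rate).items():
        print(f"{bits:>3} bits: exhaust in {days_to_exhaust(bits, rate):14.1f} days, "
              f"P(30d)={success_probability(bits, rate, 30):.4f}, "
              f"gain from 90d={gain:.4f}")
```

At that assumed rate a 48-bit effective key space is exhausted well inside 30 days (gain from the extension: nil), a 128-bit space is untouched in either window (gain: nil), and only around 56 bits, where exhausting the space takes on the order of 800 days, does the extension raise the chance of success by a few percentage points. Which band real cases fall into is exactly what the decryption-time statistics would reveal.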
8. The second factor, of encryption hiding suspicious activity as a justification for extension, seems to me to be even more tenuous. It is more likely that other evidence would make the case for detention in the first place and that encryption is included as a secondary factor. If the use of encryption for legitimate purposes becomes more widespread, using its existence on storage media as a prima facie case seems to me to be ill founded.
9. The second question on which my opinion was sought is the length of time needed to obtain and analyse data from mobile phones. The question breaks into a number of parts: (1) the nature of the data, calling information (traffic analysis) or content (see Peter Sommer paras 22 to 24); (2) the means by which it is "obtained"; and (3) the depth to which it is analysed. These will be treated in turn.
10. One of the factors involved in determining the time taken to obtain the requisite data of any type is how much "metadata" is available to help the "finding process". Examples might include number called, number calling, location, time etc. It is to be noted that in 2004 the usage of mobile phones in the UK was 62 billion minutes per year (http://www.mobilemastinfo.com/information/history.htm).
11. The elapsed time for the finding process in this volume of data depends critically on reducing the "search volume" with prior "metadata" and on the resources (computers, networks and advanced software) allocated to this process by the owners (strictly collectors) of the data, that is the mobile operators.
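The following is an added example, not drawn from the memorandum or from any operator's system, of the "search volume" point in paragraphs 10 and 11. It holds a small store of constructed call records, keeps a secondary index by telephone number, and reports how many records had to be examined to answer a query with and without a number supplied as prior metadata. A real operator store is vastly larger and spread across many systems, but the effect is the same: the more metadata the finding process starts with, the smaller the fraction of the store that has to be touched.

```python
"""Added example, not part of the memorandum: how prior metadata (a number,
a time window, a serving cell) reduces the volume of call records that must
be scanned. RECORDS is constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Constructed sample call records: (caller, callee, start time, serving cell)
RECORDS = [
    ("+44700000001", "+44700000002", "2005-11-25T09:15:00", "cell-A"),
    ("+44700000003", "+44700000001", "2005-11-25T10:40:00", "cell-B"),
    ("+44700000004", "+44700000005", "2005-11-25T11:05:00", "cell-A"),
    ("+44700000002", "+44700000006", "2005-11-26T08:00:00", "cell-C"),
    ("+44700000001", "+44700000007", "2005-11-26T13:30:00", "cell-C"),
    ("+44700000008", "+44700000009", "2005-11-26T14:00:00", "cell-B"),
    ("+44700000005", "+44700000003", "2005-11-27T09:00:00", "cell-A"),
    ("+44700000007", "+44700000001", "2005-11-27T17:45:00", "cell-A"),
]


class CallRecordIndex:
    """Records in arrival order plus a secondary index keyed by number, so a
    query carrying a number skips every record that does not involve it
    instead of scanning the whole store."""

    def __init__(self, records):
        self.records = [(a, b, datetime.fromisoformat(t), cell)
                        for a, b, t, cell in records]
        self.by_number = defaultdict(list)
        for i, (caller, callee, _, _) in enumerate(self.records):
            self.by_number[caller].append(i)
            self.by_number[callee].append(i)

    def find(self, number=None, start=None, end=None, cell=None):
        """Return (matching records, number of records examined).
        `start`/`end` are ISO-8601 strings (end exclusive). `number` narrows
        the candidate set via the index; the other fields are filtered by
        scanning whatever candidates remain."""
        t0 = datetime.fromisoformat(start) if start else None
        t1 = datetime.fromisoformat(end) if end else None
        candidates = (self.by_number.get(number, [])
                      if number else range(len(self.records)))
        hits, examined = [], 0
        for i in candidates:
            examined += 1
            caller, callee, when, where = self.records[i]
            if t0 and when < t0:
                continue
            if t1 and when >= t1:
                continue
            if cell and where != cell:
                continue
            hits.append((caller, callee, when.isoformat(), where))
        return hits, examined


def search_volume_report(index, number, start, end):
    """Records examined for the same time window with and without the
    number available as prior metadata."""
    _, with_meta = index.find(number=number, start=start, end=end)
    _, without_meta = index.find(start=start, end=end)
    return {"with_number": with_meta, "without_number": without_meta}


if __name__ == "__main__":
    idx = CallRecordIndex(RECORDS)
    print(search_volume_report(idx, "+44700000001",
                               "2005-11-26T00:00:00", "2005-11-27T00:00:00"))
```

With the constructed data the query for one number over one day examines four of the eight records; the same time window without a number examines all eight. On an operator-scale store the ratio, not the absolute numbers, is what matters, and the index itself is one of the "advanced software" resources the paragraph refers to.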
12. It will also depend upon how many operators are involved and what jurisdictions they are in (this influences how quickly they can start and what authorities they need to do so).
13. The nature of the data requested will also affect how long it takes to acquire it. Traffic flow data is distributed throughout the systems of the operators concerned and may take some time to acquire, but is not seen as a major invasion of privacy by end users, so collation of it could start as soon as the metadata to support the finding process is assembled. Content, on the other hand, will probably only reside in the systems of the two operators with which the end users have accounts; but the content of a call is regarded as sensitive by end users and hence warrants may be necessary for access, depending upon the jurisdiction in which it is stored.
14. It is clear therefore that predicting the time to obtain the data of whatever type is not possible. What is clear is that the volume of data within which the desired information resides is increasing rapidly and that the complexity of the data structures is increasing also. Without improvements in finding techniques it is clear that finding times will go up also. Hence there appears to be a reasonable case for increasing detention times whilst this process is completed. However, the Committee might like to enquire whether the Home Office is exploiting current research aimed at finding new and much faster ways of finding information in large volumes of data as an alternative to the need for increased detention times (eg exploitation of AKT: www.aktors.org/akt/objectives).
15. The time taken for analysis will depend upon how many staff with the requisite expertise and experience are allocated to any given case. It is impossible to predict how long this element of the overall process will take, but it is clear that as the complexity of material goes up so will the time for analysis; again, development of advanced tools and their widespread use would ameliorate the situation to some extent, but this also depends upon trained individuals in some considerable numbers being available.
16. The issues raised by Peter Sommer in para 28 of his submission are also particularly important. Most telecommunications systems and data communications systems will converge onto one global infrastructure in the next few years. The separation of what is content and what is traffic information will become (and is already becoming) very difficult. This has legal as well as technical implications. Without global agreements on all aspects of law enforcement, use of intercepted material obtained by whatever means will become more and more problematic. The case for extended detention periods based on technology innovation outstripping legal instruments will then look ill founded, unless technology in support of law enforcement is used effectively.
30 January 2006