Would you trust Whitehall with your PKI?

22 May 2002


One of the biggest brakes on public and private sector IT expansion is security.

No one is going to send case notes from broadband connections or school results from a mobile phone if there is a serious risk of interception.

The government's work with the industry to establish confidence in digital certificate-based security may be among its most lasting legacies.

In April, successful trials resulted in the government approving public key infrastructure (PKI) for secure email, and early indications point to the NHS as the likely first adopter. Some form of the technology may also be used for a future entitlement card scheme.

But PKI is effectively unbreakable, and governments here and abroad have a problem with that.

For a government, the ideal communications technology is one that's secure, but not so secure that it can't be tapped by its own security services.

PKI doesn't have a trap-door. So the government tried to build one. The initial solution was trusted third parties. Everyone using PKI would store their keys with an organisation, which would pass them to the security services when required, and the end-user would never know.

But this didn't go down well. On reaching office, Labour revised the legislation so that key-holders would be their own trusted third parties.

The security services can demand an encryption key (on issuance of a warrant from the Home Secretary), on pain of a prison sentence. You can also be punished for handing over a key and not keeping it secret.

This also goes for access to 'traffic data', as opposed to the content covered by the rules on producing keys.

Under the Regulation of Investigatory Powers (RIP) Act, the police and security services can get at this with a self-issued warrant. But this process conflicts with data protection legislation, which demands deletion of the traffic data when it becomes redundant.

BT holds traffic data for seven years, justifying this by its usage for billing. But internet service providers (ISPs), which don't charge per email, tend to hold on to email traffic data for only a few months.

The government hasn't suggested tracking every envelope in the post office, but following new anti-terrorism legislation last year, some ISPs have increased their email traffic data retention period. Freeserve used to keep it for three months, but now has at least seven months' worth.

Communications providers are in limbo, waiting for firm guidance from the Information Commissioner.

With both traffic and content data, there is a tension between individual privacy and national security. This government often says it is keen to promote the former, as this would help persuade more citizens to use state services online. But in practice, it tends to prefer the latter.

All the security legislation and guidance that has emerged from this government started in a tougher form, before being tilted back towards individual liberties by select committees and the House of Lords.

If technology firms want to resist being turned into a branch of the security services, they need to put their case vigorously, both to the government and to the parliamentarians who have revised such legislation before.
