Friday, 5 October 2007

UK Can now Demand Data Decryption on Penalty of Jail Time

By Ken Fisher | Published: October 01, 2007 - 10:20PM CT



New laws going into effect today in the United Kingdom make it a crime to
refuse to decrypt almost any encrypted data requested by authorities as part of
a criminal or terror investigation. Individuals who are believed to have the
cryptographic keys necessary for such decryption will face up to 5 years in
prison for failing to comply with police or military orders to hand over either
the cryptographic keys, or the data in a decrypted form.



Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA)
includes provisions for the decryption requirements, which are applied
differently based on the kind of investigation underway. As we reported last year, the
five-year imprisonment penalty is reserved for cases involving anti-terrorism
efforts. All other failures to comply can be met with a maximum two-year
sentence.


The law can only be applied to data residing in the UK, hosted on UK servers,
or stored on devices located within the UK. The law does not authorize the UK
government to intercept encrypted materials in transit on the Internet via the
UK and to attempt to have them decrypted under the auspices of the jail time
penalty.


The keys to the (United) Kingdom


The law has been criticized for the power it gives investigators, which is
seen as dangerously broad. Authorities tracking the movement of terrorist funds
could demand the encryption keys used by a financial institution, for instance,
thereby laying bare that bank's files on everything from financial transactions
to user data.


Cambridge University security expert Richard Clayton said in May of 2006 that such laws would
only encourage businesses to house their cryptography operations out of the
reach of UK investigators, potentially harming the country's economy. "The
controversy here [lies in] seizing keys, not in forcing people to decrypt. The
power to seize encryption keys is spooking big business," Clayton said.


"The notion that international bankers would be wary of bringing master keys
into UK if they could be seized as part of legitimate police operations, or by a
corrupt chief constable, has quite a lot of traction," he added. "With the
appropriate paperwork, keys can be seized. If you're an international banker
you'll plonk your headquarters in Zurich."


The law also allows authorities to compel individuals targeted in such
investigations to keep silent about their role in decrypting data. Though this
will be handled on a case-by-case basis, it's another worrisome facet of a law
that has been widely criticized for years. While RIPA was originally passed in
2000, the provisions detailing the handover of cryptographic keys and/or the
forced decryption of protected content had not been tapped by the UK Home
Office—the division of the British government which oversees national security,
the justice system, immigration, and the police forces of England and Wales. As
we reported last year, the Home Office was slowly building its case to activate
Part 3, Section 49.


The Home Office has steadfastly proclaimed that the law is aimed at catching
terrorists, pedophiles, and hardened criminals—all parties which the UK
government contends are rather adept at using encryption to cover up their
activities.


Yet the law, in a strange way, almost gives criminals an "out," in that those
caught potentially committing serious crimes may opt to refuse to decrypt
incriminating data. A pedophile with a 2GB collection of encrypted kiddie porn
may find it easier to do two years in the slammer than expose what he's been up
to.

Source: ars technica


