Will RIPA lead to an infestation of Vamp-ires?

Criminals may try 'the virus ate my password' excuse

By Steve Ranger, 15 August 2006 17:15


The introduction of legislation to crack down on criminals using encryption to hide their tracks could also leave users open to new forms of electronic attacks, according to one expert.

The Regulation of Investigatory Powers Act (RIPA) provides the legal framework for various methods of surveillance and information gathering by police and other agencies.

But because criminals are now encrypting their email, files, folders, documents and pictures in an attempt to conceal their activities, the government plans to introduce Part III of the Act.

This requires people - when requested - to put protected or encrypted electronic information into an "intelligible" form, or to provide the encryption key. Failure to comply can lead to between two and five years in jail.

Police have said they want the legislation in order to crack down on criminals using encryption. Detective Chief Inspector Matt Sarti told a meeting organised by the Foundation for Information Policy Research (FIPR) that there are 200 computers sitting in police forensic centres and property cupboards with encrypted data on them which are likely to hold evidence of crime.

But Caspar Bowden, former director of FIPR, warned that the introduction of the legislation could lead to a new wave of cyber-attacks.

For example, criminals could create malware that was able to change the encryption key or password on an innocent user's machine. This virus would then delete itself and the criminals could threaten to tip off the police about the encrypted data, claiming it was information about criminal activity.

Without the key - which the virus deleted or changed - innocent users could find they have to defend themselves against this sort of blackmail.

Similarly, criminals could use these viruses against themselves, claiming "a virus ate my password (Vamp)" as an excuse for not providing the encryption key, he argued.

"The bad guys have an incentive for causing mayhem through Vamp-ware cases for cover," Bowden warned, and said there is a risk of deterring honest users from protecting themselves.

And he said that as a result the UK could become a "proving ground" for these types of Vamp-ware.

Comments

There are 3 comments.

  1. David Fletcher

    Personally, if I were involved in such activities, I would use TrueCrypt with its "plausible deniability" feature for storing files on a computer, and steganography techniques for sending encrypted messages.

    Then there is no way to prove that there is any interesting content present in the first place.

    All you're doing is using an encrypted volume to store private records on the computer, to guard against identity theft if it were to be stolen or otherwise misappropriated, and sending some photographs to a friend.

    And nobody can prove otherwise. When will legislators come to the realisation that technology is already miles ahead of anything they can do?

  2. MusicFan

    Is it me just being stupid here or....

    The word "criminal" refers to a person who acts "outside the law" and just maybe has no care about legislations and "doing the right thing"?

    Why would it make any difference to a "criminal" if we pass this legislation?

    Why don't we just pass legislation that all criminals must wear black and white striped jumpers and carry a bag marked swag, with "thief" tattooed across their forehead?

    I'm sure that would work just as well.

    There must be another objective with this, if not, one has to deeply worry about the intelligence of our leaders!

  3. Too cynical sometimes

    Can I point out a huge flaw in MusicFan's comment: they used incorrect grammar. You can't use "intelligent" and "leaders" in the same sentence, it's not good English.
