By Tom Espiner, 4 October 2007 08:56
The police have been given powers to demand that businesses' data is decrypted.
Earlier this week, Part III of the Regulation of Investigatory Powers Act 2000 (Ripa) came into effect. Under Section 49 of Ripa Part III, police can serve a notice that requires encrypted data to be "put into an intelligible form" or, in other words, decrypted.
Failure to comply with a Section 49 notice can result in a two-year jail sentence, and failure to hand over an encryption key to the police can result in a five-year sentence.
The law is intended to make it more difficult for criminals and terrorists to use encryption to hide data.
However, a security researcher from the University of Cambridge's Computer Laboratory, Richard Clayton, warned that the law could have unintended consequences for businesses. "Once you hand over the key, it's risky because confidential documents could be exposed. Those documents may not contain evidence of wrongdoing but the police may find more than they're entitled to," said Clayton, who is also an adviser to the House of Lords Science and Technology Committee.
Given the choice, security professionals will not keep their encryption keys in the UK, argued Clayton. He added that companies that use SSL encryption keys and have premises only in the UK may have no choice but to comply with a Section 49 notice.
He said: "The security profession is all about reducing risks. International companies [such as banks] will keep it in Zurich."
According to Clayton's blog, there are some defences in the statute to failing to comply with a notice - one of which is that you can claim to have forgotten the passphrase for the decryption key.
He said: "It's a perfectly sane argument. It's certainly true that a lot of people forget a lot of keys. Whether you are being truthful is a matter for a jury to decide in the end."
In some scenarios it would be obvious if a defendant were lying about having forgotten a key, said the expert: "Try asking a bank if they've forgotten their master key." But he added: "This will not be a widely used law, or be very effective when it is used. It's just going to make everyone a bit twitchy."
The Home Office said encryption keys would be demanded only if a business wasn't able to provide the corresponding data. A spokesman said: "The police can't just ask for a password - they do have to take into account the needs of the business and their security processes."
The spokesman argued that the process was adequate because it will be overseen by the National Technical Assistance Centre (NTAC), a decryption agency.
But civil liberties campaigners have previously criticised NTAC, branding it unaccountable.
Tom Espiner writes for ZDNet UK

Comments
There are 7 comments.
1. Jeremy Wickins
This should not be overseen by anyone other than a high-court judge. Whilst there may be a few situations where encrypted data need to be accessed, it will be very rare. The police should have to explain the case for encryption to a judge, or it will become a routine thing - "Just hand over the keys, chummy. We'll decide whether it was necessary *after* we've had a look through". Of course, if we have nothing to hide, we have nothing to fear ... <cough>
2. Roger Huffadine
Too simplistic --- all you need to do if you are hiding something is use a plain language document that looks authentic as a key to another level of encryption - nesting encryption isn't anything new.
So when Mr Plod asks for a key you give him one and he discovers a virtual World of information that in reality is protecting the 'real' World.
How is anyone to know the depth of encryption?
OK you would need to be doing something fairly nasty to go to these lengths - but the point is that forcing people to give you a key isn't going to achieve anything.
3. Graham Coles
With the amount of internet blackmail going around where a worm or virus can compromise a system and encrypt files, then the owner gets an e-mail requesting money to decrypt the files, I wonder how feasible this is?
If a business computer gets infected this way and the virus is removed, will they be able to jail the owner for not being able to decrypt the files to which they have no key?
One for the legal boffins, no doubt.
4. Patrick Stasko
You can do this with programs such as TrueCrypt. Hidden containers within encrypted containers. Does it without any header information in the container.
5. Joe Whitehead
A rather peculiar situation would be if the encryption key is a multipart key. What happens if the parts are distributed such that you need at least 50% of the keys? All? Just 2?
It seems that secret key systems are what the law is intended for. How about public-private key pair (asymmetric) systems? If they're strictly for reading documents, then it should suffice to have the documents decrypted with witnesses signing to prove authenticity? Or document formats that are themselves a kind of encoding to make it hard to read them except in the program that made them. What about hash generating private keys, which would allow forgery and threaten the security infrastructure (especially trust networks)? What about systems where no single individual has keys to all the encrypted files, such as the FreeNet P2P (peer-to-peer) project?
Maybe a follow-up article is to be called for when these other issues come up. Also, I think this has been mentioned, but what if the crime is murder/bank robbery/hijacking/pedophilia/organized crime/etc? These are the kinds of crimes that NO ONE would give up the key for, even if there's up to a 5-year sentence! It's sad that the penalty is the most effective against petty/nonviolent offenses which tend to have shorter sentences anyways.
Wow, I could write a book and make some money, heh.
6. anonymous
Is it true or just urban myth that if a key is not forthcoming then it’s the CIO not the CEO that "cops" it?
7. Julian Nicholls
To Graham:-
There was a virus which did exactly what you described, last year. It encrypted files on your PC, and you then had to pay a ransom to get the key.
The encryption was very quickly broken by the antivirus people; after all, decryption is their bread and butter.