The Regulation of Investigatory Powers Act will be modified
later this year to allow government agencies to force the handing
over of data keys after a consultation period announced on Monday.
The contentious section of the legislation has lain dormant since
opponents argued that it could infringe on civil liberties, but the
Home Office has said that increasing use of encryption makes its
enactment necessary.
"The provisions have not yet been implemented because the
development and adoption of encryption and other information
protection technologies has been slower than was anticipated when
the Act was passed," said the Home Office consultation paper. "The
Government has, however, kept under review the need to implement
the provisions in Part III, by taking account of the extent to
which protection of electronic data has frustrated law enforcement
and obstructed the delivery of justice to victims."
"Over the last two to three years, investigators have begun
encountering encrypted and protected data with increasing
frequency," said the document.
Not all experts are convinced, however, that this has been the
case. Cambridge University Security Group researcher Dr Richard
Clayton believes that the enacting of the powers will actually
increase the amount of encryption used by criminals.
"I've never seen the figures that say that the amount of
encrypted material they come up against is increasing," said
Clayton. "In fact I think putting the powers on the statute book
will make it more, not less, likely that police will encounter
encrypted material because people will become aware of dual key
systems and see how easy they are to use."
If the Home Office implements the changes as currently
constituted, anyone using encryption to protect information can be
asked to decrypt it via the courts if the police suspect
criminality connected with the data. Anyone not complying can be
imprisoned for two years, or up to five years for a case involving
national security.
Enforcing the legislation will be difficult if accused people
pretend to have forgotten their passwords, said Clayton; it could
also prove controversial in cases where a person has actually
forgotten a password.
"There is also the question of whether or not decrypting
something for the police counts as incriminating yourself," Clayton
said. "The Home Office takes the view that the information is
there, it exists on its own, so the act of decrypting does not make
you incriminate yourself. It is the same argument as for DNA, that
you do not have the right to refuse it."
The legislation also forces the handing over of encryption keys,
something to which large corporations and City banks have objected,
because these keys keep sensitive information secret. New
safeguards have been introduced in that regard, including the need
to inform the head of the financial regulator, the Financial
Services Authority, before demanding a key.
"The trouble is that criminals do not build hierarchical key
structures; the only person who uses the key is the person whose
information it is and if they won't decrypt something they are not
going to hand over the key," said Clayton. "The only people who
have hierarchies like that are big business. This comes from a very
government view of the world, that everyone works the same
way."
Sue Cullen, an Associate with Pinsent Masons, the law firm
behind OUT-LAW.COM, said the problem is "not so much the
legislation – which has been with us for six years – as how it is
now being sold to the public."
She points to the 57-page consultation document. The
introduction is illustrated by gruesome examples of child sex abuse
cases in which investigators could not decrypt evidence of even
more horrific crime.
"Nobody would object to encryption key disclosure in these
cases," she said. "But don't be misled into thinking that these
powers can be used only in such serious cases, or in the context of
terrorism, for instance. They are available for preventing or
detecting any crime, however minor, and for the 'economic
well-being of the UK', which might make you think differently about
them."
The consultation runs until 30th August, and also encompasses
two other proposals relating to the people who can access
communications data and the circumstances under which they can do
it.