Police want power to seize encryption keys

Summary:Hundreds of computers belonging to suspected terrorists or paedophiles are gathering dust as investigators are unable to decrypt the data on their hard drives, claim police

The fact that law-enforcement officers don't have the powers to seize encryption keys means an increasing number of criminals are able to evade justice, a senior police officer warned on Monday.

Detective chief inspector Matt Sarti told a public meeting in London that suspected terrorists, paedophiles and burglars have all walked free because encrypted data couldn't be opened and the resulting information brought before the courts.

"There are more than 200 PCs sitting in property cupboards which contain encrypted data, for which we have considerable evidence that they contain data that relates to a serious crime," revealed Sarti. "Not one of those suspects has claimed that the files are business-related, and in many cases the names of the files indicate that they are important to our investigations."

Earlier this summer, the Government announced that it plans to activate Part III of the Regulations of Investigatory Powers (RIP) Act, which will give the police the power, in some circumstances, to demand an encryption key from a suspect.

Part III of the RIP Act has been heavily criticised in the past by security professionals and academics, who believe that it is a dangerous and badly written piece of legislation that cannot be properly implemented.

Sarti was speaking at an open meeting to discuss the Home Office consultation about the draft code of practice for Part III of the RIP Act, which will govern how its powers can be used.

The meeting was organised by the Foundation for Information Policy Research (FIPR).

Caspar Bowden, a former director of the FIPR who led the fight against the introduction of the RIP Act several years ago, told the meeting that Part III was flawed because defendents could be prosecuted for simply losing an encryption key.

"The burden of proof is on the suspect to prove that they don't have the key, and if they fail they go to prison. But, if they can give an explanation for not having the key, then the prosecution must prove beyond reasonable doubt that they are lying," said Bowden.

Bowden explained that in circumstances when the police suspected someone had encrypted incriminating data, officers could issue an order under Section 49 of the Act, ordering the suspect to hand over the key. Failure to do so could lead to a prosecution under Section 53 of the Act.

Dr Richard Clayton, an FIPR trustee and a computer security researcher at the University of Cambridge, told the meeting that the code of practice also lacked clear powers against officials who were guilty of making "deliberate mistakes" in their use of the RIP Act to obtain private data. Clayton also argued that businesses may take their encryption keys out of UK jurisdiction so that they can't be seized.

But Simon Watkin of the Home Office, who drafted the code of practice, insisted that the time was right to activate Part III of the Act as the police are now finding that their investigations are being thwarted by encryption

"The police have come to us and said that they need powers to get hold of encrypted data off suspects," said Watkin."We've got a law like this on the statute book, and we've been waiting for people like them to come and give us compelling reasons why they need it."

One police officer in the audience argued that, in the case of alleged child abuse, it was vital to access all the files on a suspect's machine so that the victims could be identified.

But Duncan Campbell, an investigative journalist who has served as an expert witness in many computer-related trials, insisted that Part 3 of the RIP Act could not be justified.

"A person who rapes and damages a 12-year-old is going to get a bloody long sentence, and bloody good too. What's the the point in the police saying we need a monstrous law so we can get to the rest of the data?" asked Campbell.

The consultation on the draft code of practice will run until 31 August, and Watkin indicated that submissions received after that date will still be considered. You can see the code of practice on the Home Office Web site.

Topics: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.