Government to force handover of encryption keys

Summary: Businesses and individuals may soon have to release their encryption keys to the police or face imprisonment, when Part 3 of the RIP Act comes into effect.

The UK Government is preparing to give the police the authority to force organisations and individuals to disclose encryption keys, a move which has outraged some security and civil rights experts.

The powers are contained within Part 3 of the Regulation of Investigatory Powers Act (RIPA). RIPA was introduced in 2000, but the government has held back from bringing Part 3 into effect. Now, more than five years after the original act was passed, the Home Office is seeking to exercise the powers within Part 3 of RIPA.

Some security experts are concerned that the plan could criminalise innocent people and drive businesses out of the UK. But the Home Office, which has just launched a consultation process, says the powers contained in Part 3 are needed to combat an increased use of encryption by criminals, paedophiles, and terrorists.

"The use of encryption is... proliferating," Liam Byrne, Home Office minister of state, told Parliament last week. "Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government has concluded that it is now right to implement the provisions of Part 3 of RIPA... which is not presently in force."

Part 3 of RIPA gives the police powers to order the disclosure of encryption keys, or force suspects to decrypt encrypted data.

Anyone who refuses to hand over a key to the police would face up to two years' imprisonment. Under current anti-terrorism legislation, terrorist suspects now face up to five years for withholding keys.

If Part 3 is passed, financial institutions could be compelled to give up the encryption keys they use for banking transactions, experts have warned.


"The controversy here [lies in] seizing keys, not in forcing people to decrypt. The power to seize encryption keys is spooking big business," Cambridge University security expert Richard Clayton told ZDNet UK on Wednesday.

"The notion that international bankers would be wary of bringing master keys into the UK if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction," Clayton added. "With the appropriate paperwork, keys can be seized. If you're an international banker you'll plonk your headquarters in Zurich."

Opponents of the RIP Act have argued that the police could struggle to enforce Part 3, as people can argue that they don't possess the key to unlock encrypted data in their possession.

"It is, as ever, almost impossible to prove 'beyond a reasonable doubt' that some random-looking data is in fact ciphertext, and then prove that the accused actually has the key for it, and that he has refused a proper order to divulge it," pointed out encryption expert Peter Fairbrother on ukcrypto, a public email discussion list.

Clayton backed up this point. "The police can say 'We think he's a terrorist' or 'We think he's trading in kiddie porn', and the suspect can say, 'No, they're love letters, sorry, I've lost the key'. How much evidence do you need [to convict]? If you can't decrypt [the data], then by definition you don't know what it is," said Clayton.

The Home Office on Wednesday told ZDNet UK that it would not reach a decision about whether Part 3 will be amended until the consultation process has been completed.

"We are in consultation, and [are] looking into proposals on amendments to RIPA," said a Home Office spokeswoman. "The Home Office is waiting for the results of the consultation" before making any decisions, she said.

The Home Office said last week that the focus on key disclosure and forced decryption was necessary due to "the threat to public safety posed by terrorist use of encryption technology".

Clayton, on the other hand, argues that terrorist cells do not use master keys in the same way as governments and businesses.

"Terrorist cells use master keys on a one-to-one basis, rather than using them to generate pass keys for a series of communications. With a one-to-one key, you may as well just force the terrorist suspect to decrypt that communication, or use other methods of decryption," said Clayton.

"My suggestion is to turn on all of Part 3, except the part about trying to seize keys. That won't create such a furore in financial circles," he said.


About

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.


Talkback

16 comments
  • The government's viewpoint that the threat of a few years' imprisonment would force a terrorist, paedophile or criminal to reveal their software encryption keys when the encrypted evidence on their PCs would probably put them away for 20 years is extremely naive. This law - just like many others this government has introduced - would be expensive and almost impossible to enforce. Better to spend the money employing the expertise to de-code the systems which can be seized legitimately through existing laws.
    anonymous
  • Master keys? What master keys? Is the author talking about the SSL private key? If so why not say that?
    anonymous
  • More unenforceable laws. Just what we need. As encrypted data appears to be 'random' data how will they know what is encrypted or just junk?
    Just to start things off here is a link to defeat the proposed law....
    http://iq.org/~proff/rubberhose.org/

    Quote "Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coercive interrogations and other compulsive mechanisms, such as U.K RIP legislation."

    Enjoy
    anonymous
  • nemo tenetur sine detergere ?
    anonymous
  • The world is going bonkers over terrorist threats. The more paranoid the country the more curtailment of civic rights and privacy.

    If countries like Britain would follow such a course of action, it's almost like moving backward rather than towards a more liberal and open society.

    Moreover, I don't get it, how could this rule even apply to financial institutions to get their encryption code. It might be applied to an individual to get the encryption code of a file on his machine. But asking the banks to do it is insane.

    It's like locking up my vault and depositing the key in the police station :-)
    anonymous
  • Stupidity rules. So law enforcement can demand encryption keys based on what evidence? None, because the evidence is encrypted so they don't know. And to know they first need the encryption keys but they can't demand those just because they suspect someone. There needs to be some hard evidence first. But even some hard evidence is enough nowadays so why require encryption keys as well then?

    Maybe everyone will be required to hand over their encryption keys beforehand? And to make sure that such privy information won't get into the wrong hands law enforcement will install DRM or something? As if that will help preventing unauthorised leakage but who knows what IT clueless law enforcers take for granted anyway.

    Another observation. What if law enforcement requires me to hand over the encryption keys of data that's protected by copy protection laws? A form of copy protection is encryption. May I then reverse engineer or try to bypass the copy protection security in question? Or do I, at that time, have to choose between going to jail for not (trying to) delivering the encryption keys or going to jail for (trying to) breaking (copy)protection? You see, without opening up the data down to the level where the actual data resides there's no way to know for sure what's really inside the data. Who's going to determine that how and based on what evidence?

    Oh wait, there's an idea. When I want to hide data I first encrypt it and then wrap it inside some form of copy protection protected by law. Now let's see if law enforcement can make me reveal that.

    Will this prevent terrorists from communicating effectively? Not at all. Remember WWII? Plenty of encrypted messages delivered without whatever electronic means whatsoever. And plenty of intercepted encrypted messages the enemy didn't have a clue about in a way to respond in time meaningfully until it was too late. D-Day for example.
    If that was possible so long ago then what more would be possible today?

    So whatever this, yet another, "protection" law is about. It isn't really concerned about public safety and security. Obviously. Simply because the real criminals can find too many ways around it yet the price to pay for the average IT clueless innocent is real and high enough.

    The real sad story of course is that because of the greedy drive for more power and control by those that are really behind "laws" like this is that it's becoming easier and easier for individuals to really hurt someone they don't like. Simply have their PC hacked (But the ISP records will show that! Yeah, right. Each and every case will be investigated by battle hardened expert veterans looking to see if some experienced cracker is trying to frame someone. And we all like coughing up the amount of tax money that'll cost.) and made to appear like a child porn, terrorist communication and/or RIAA/BSA protected data distribution center for a few weeks or longer (simply installing and enabling a rootkit protected P2P program could be enough) and then inform the right authorities, politicians and press. They'll finish the job. Since everybody knows that any child abuser or terrorist tries to blame anything and anyone other than themselves. What lame excuse like "I didn't install that rootkit to try to hide my real intentions. I don't even know how to securely install Windows." will they think of next?

    Front page headlines like "Respected public figure turns out to be ....", "New boss says: I would never have imagined ...", "Rumors of terrorist cell inside government department. Exclusive.", etc, etc. will provide for plenty of political motivation to come with public satisfying results fast. Congrats, you've been Oswalded.

    So no need to hire a few muscle men nowadays. They only break bones anyway which leave obvious signs of external influence outside the control of the victim. Rather get in touch with a skilled geek whose services can be bought without question and your opponent will be done plenty times
    anonymous
  • Seize knives! They can be used to kill people!
    Ban cameras! They can be used for making child porn pictures!
    Ban airplanes, they can be hijacked annnnnnd used to dessssctruct buildings!
    And finally, collect all private keys, which can be used to hide your comms.

    Seems fair.
    anonymous
  • It's quite a big invasion of our privacy ... But handing over private keys?! NEVER!!!
    anonymous
  • 1984
    anonymous
  • Hmm, beggars belief.
    If the government think they have the right to everything I think they are wrong. Anyhows what about communication that automatically encrypts such as VPNs and mobile phones? Maybe they want everyone to be a criminal, especially those that use computers.
    anonymous
  • This is how it works -
    Police enter Bank demanding encryption keys to account data.
    Manager, clueless but knows the Chief Constable via various secret societies, passes the buck to the equally clueless and spotty 21-year-old Account Manager.
    He/She blames the even more clueless and spotty 18-year-old counter operative (teller).
    He/She blames the New Computer system.
    Computer system won't say anything because nobody knows the right password.
    Now enters the Bank's IT manager - after double parking his new BMW alongside a battered Jam Sandwich - and after a brief, but private, discussion with the Bank Manager states "My Contract of employment strictly forbids me to reveal any information which might endanger my employers or their clients' business activities" (so piss off you morons).
    IT Manager is arrested, tried, convicted and released six months later for good behavior (after hacking the Home Secretary's computer and fixing the governor's salary for the next ten years) and returns to a very healthy six figure bank balance and a new home in the South of France.
    Long live the ultimate deterrent!!
    anonymous
  • There is a major difference between being forced to hand over encryption keys, and being forced to hand over decrypted data.

    If it is only the decrypted data that is handed over, the company can continue to use the existing keys, assuming that the algorithm does not allow the keys to be deduced from clear and cipher text.

    Once the keys are handed over, however, EVERY single transaction is exposed and keys would have to be changed.
    anonymous
  • Hmm... and what, exactly, does this "order to seize" actually do to protect people from terrorism? Does it prevent terrorists from cloning citizens' phones and using them to communicate with other terrorists? Or criminals for that matter?

    Does this actually safeguard ANYONE?

    What prevents people from just generating thousands upon thousands of keys? Perhaps millions of keys?

    Officer: I need to access your protected data... please give me your key.

    Individual: Sure. Here is a hard drive filled with all of the keys I use. Not sure which goes where, but here are my keys. (300GB hard drive with over a hundred million keys)

    Imagine that data is encrypted 1-3 times by each key(100-300 million times encrypted) and even one key is wrong/missing? What then? How long would it take to access the data?

    Worse... what prevents criminals and terrorists from deliberately generating such overly encrypted data with mind numbingly large numbers of keys? Just downright bog down the workflow of data decryption.

    This kind of "blind reasoning" or "panic reasoning" is hurtful to the local economy and over time, erodes faith in the governing body's ability to think rationally and plan for the country's safety.

    This kind of thing will discourage businesses from:
    - travelling there
    - setting up shop there
    - accepting customers from there or who travel there

    Imagine the headache when even 1% of your customer base requests a new key to be generated because their existing one got seized and they no longer feel their information is safe?

    What if this happened on a daily basis?

    The other question is whether the police officers are qualified to handle the keys themselves? Are they trained and certified as people who are capable of handling encrypted keys?

    If I was a company, I would immediately move my business out of that region. It is a legal liability to me and my customers to have personal keys revealed.

    So does this give the police the power to take people's passwords to online accounts as well? To corporate accounts? In the event "terrorist" or "criminal" data is stored there?

    Do the people making these laws even think about the consequences!?
    anonymous
  • I find it hard to believe that by continually eroding individuals' privacy and giving the police more powers; who shoot innocent people, by holding them down and shooting them in the head eight times, "just to make sure that the so called terrorist is dead," knowing all along that they made a mistake and then to lie about it hoping they could get away with the lie; these are the same crooks and liars who are to be given powers to forcibly take our private encryption keys, WOW. So much for freedom and rights of individuals; maybe it would be better in Russia or China; at least they do not preach about freedom, individual rights or even their human rights as we do over here and then use a smoke screen to take away the very rights and freedom we are supposedly protecting. Suddenly, with this new smash and grab law, enforced by a bunch of crooks and liars; is going to make us feel much safer. I hope the voters see this for what it is; another con.
    anonymous
  • Personally I think we need to go bug the opposition about this if we are going to do anything about...

    I found this page where one can contact the conservative party, and think people here may want to make a comment.

    https://www.conservatives.com/tile.do?def=contact.us.page

    Jamie
    anonymous
  • hahaahahaha.. What a bunch of idiots who think that people would let govs and authorities have their keys :) hahahah

    Get real.. No one would ever be so stupid to let them have it
    anonymous