RIPA could cause new wave of cyber attacks

Summary: Security expert warns that malware could lead to mayhem through 'virus ate my password' claims or innocent users being targeted

TOPICS: Security

The introduction of legislation to crack down on criminals using encryption to hide their tracks could also leave users open to new forms of electronic attacks, according to one expert.

The Regulation of Investigatory Powers Act (RIPA) provides the legal framework for various methods of surveillance and information gathering by police and other agencies.

But because criminals are now encrypting their email, files, folders, documents and pictures in an attempt to conceal their activities, the Government plans to introduce Part III of the Act.

This requires people — when requested — to put protected or encrypted electronic information into an "intelligible" form, or to provide the encryption key. Failure to comply can lead to between two and five years in jail.

Police have said they want the legislation in order to crack down on criminals using encryption. Detective Chief Inspector Matt Sarti told a meeting organised by the Foundation for Information Policy Research (FIPR) that there are 200 computers sitting in police forensic centres and property cupboards with encrypted data on them that are likely to hold evidence of crime.

But Caspar Bowden, former director of FIPR, warned that introduction of the legislation could lead to a new wave of cyber attacks.

For example, criminals could create malware that was able to change the encryption key or password on an innocent user's machine. This virus would then delete itself and the criminals could threaten to tip off the police about the encrypted data, claiming it was information about criminal activity.

Without the key — which the virus deleted or changed — innocent users could find they have to defend themselves against this sort of blackmail.

Similarly, criminals could use these viruses against themselves, claiming "a virus ate my password [Vamp]" as an excuse for not providing the encryption key, he argued.

"The bad guys have an incentive for causing mayhem through Vamp-ware cases for cover," Bowden warned, and said there is a risk of deterring honest users from protecting themselves.

And he said that as a result the UK could become a "proving ground" for these types of Vamp-ware.

  • This excuse was once used as a defence in a paedophilia case, it has now been ruled that

    "you are responsible for what you do and what happens on your own PC, if you do not make adequate protection available on your PC and you lose the passwords or have illegal / incriminating evidence on your PC even if you did not directly put it there it is your own fault and you are responsible, you can no longer use the defence "a virus put it there" it just won't stand up in court any more"

    Please delete this article.
  • Hi Myles,

    That's an interesting point - do you know when that ruling was made? We're aware of a couple of cases where people have been acquitted of charges after Trojan horses were found on their computers, but that was back in 2003.