British law's encryption quagmire

It may be obscure, but a legal loophole could let cyber-criminals run free

An expert on computer security says he's come up against a little-known but potentially serious stumbling block to catching cyber-criminals: namely, that Britain has no legal definition of encryption.

This may allow criminals, in some cases, to argue in court that they're not breaking the law. For example, in a recent case involving the manufacture of illegal cable TV equipment, the alleged criminals attempted to get around the law by questioning the notion that cable TV signals are encrypted.

Without a legal definition to point to, such cases depend on how a judge or jury reacts to an expert witness's explanation.

Neil Barrett of security firm Information Risk Management appeared as an expert witness in the TV equipment case. He points out that the lack of an encryption definition could make it difficult for the authorities to make encryption-related charges stick.

"We went to look it up and found that there isn't even a definition of encryption under British law," says Barrett, who is a regular witness in computer-related cases. "We had to come up with a fairly simple workable definition that the jury could agree on. This is a big issue and it is making it difficult to prove something in court."

The defence's argument was that because the encrypted format in which cable television is transmitted is relatively simple, it represents nothing more than a protocol. Therefore, the argument concluded, the accused weren't breaking the law, which only covers the illicit interception of encrypted transmissions.

New legislation on the way, such as the e-commerce bill published Friday, will likely change the playing field by legally defining encryption; but experts say such definitions are likely to make the situation even more convoluted with over-broad or vague interpretations.
