Government wants your view on encryption keys

The Home Office is getting ready to enforce Part III of the RIP Act, which will give police the power to demand encryption keys
Written by Tom Espiner, Contributor

The Government has launched a public consultation into a draft code of practice for a controversial UK law that critics have said could alienate big business and IT professionals.

Part III of the Regulation of Investigatory Powers Act 2000 (RIPA) will, as it stands, give police the authority to force organisations and individuals to disclose encryption keys.

The Government issued the public consultation on the code of practice for Part III, which will regulate how police and the courts use powers under the legislation, on Wednesday.

"The Home Office has today issued a public consultation on the investigation of protected electronic data, which invites comments on a draft code of practice relating to the exercise of powers under Part III of the Regulation of Investigatory Powers Act 2000 (RIPA)," said Simon Watkin of the Home Office Covert Investigation Policy Team.

The closing date for the consultation is 30 August.

Cambridge University security expert Richard Clayton told ZDNet UK that any company that was concerned by Part III of RIPA would be "foolish to pass up the opportunity" of voicing their concerns.

"Although in theory the Government's mind is made up, the proposals are so incomplete and confused that they may have a rethink anyway," said Clayton.

The security expert said that there were "a lot of complexities not addressed" by the code of practice, including the rules which will govern how access to keys can be demanded. Clayton predicted in May that financial institutions would consider moving to countries without encryption key disclosure laws.

"The Home Office appear sensitive to the suggestion that every financial institution will remove their keys (and hence a lot of jobs) from the country," said Clayton.

"There is a brand new safeguard in that the head of the FSA [Financial Services Authority] must now countersign requests [for key disclosure]. But this only applies to "financial services" and not to, say, a company like Ebay, or a British competitor."

"It gets worse. There is a brand new suggestion that demanding keys might become commonplace — when there might otherwise be doubt as to whether a decryption has been done correctly. This means that instead of asking for keys being highly exceptional, as parliament clearly intended, it will in fact become common," said Clayton.

The security expert also raised the question of whether an arrested person should be allowed access to their laptop to decode encrypted files.

"If so, how should we avoid the authorities "cheating" and installing some keystroke logging software first?" Clayton said.

"The last issue is whether (when the police don't like your attitude) it should be suggested that your hard disk in fact contains encrypted copies of child pornography — because then they can lock you up for longer," Clayton added.

The code of practice has already been criticised by mathematician and encryption expert Peter Fairbrother.

"This isn't a code of practice — it's just a repetition of RIPA in different words," said Fairbrother on ukcrypto, a public email list.

The Act was passed six years ago, when Part III was held back from becoming law. The Home Office claims it now wants to bring Part III into law as "investigators have begun encountering encrypted and protected data with increasing frequency."

The Home Office also claimed that the law was needed due to the inclusion of encryption technologies in standard operating systems, such as Microsoft's Vista which will include an encryption tool called Bitlocker.

"This, and the rapidly growing availability of encryption products including the advent of encryption products as integrated security features in standard operating systems, has led the Government to judge that it is now timely to implement the provisions of Part III," said the Home Office on its Web site.

Businesses and individuals can raise concerns about the draft code of practice at: http://www.homeoffice.gov.uk/documents/cons-2006-ripa-part3/

Editorial standards