RIPA could cause new wave of cyber attacks

Security expert warns that malware could lead to mayhem through 'virus ate my password' claims or innocent users being targeted
Written by Steve Ranger, Global News Director

The introduction of legislation to crack down on criminals using encryption to hide their tracks could also leave users open to new forms of electronic attacks, according to one expert.

The Regulation of Investigatory Powers Act (RIPA) provides the legal framework for various methods of surveillance and information gathering by police and other agencies.

But because criminals are now encrypting their email, files, folders, documents and pictures in an attempt to conceal their activities, the Government plans to introduce Part III of the Act.

This requires people — when requested — to put protected or encrypted electronic information into an "intelligible" form, or to provide the encryption key. Failure to comply can lead to between two and five years in jail.

Police have said they want the legislation in order to crack down on criminals using encryption. Detective Chief Inspector Matt Sarti told a meeting organised by the Foundation for Information Policy Research (FIPR) that there are 200 computers sitting in police forensic centres and property cupboards with encrypted data on them that are likely to hold evidence of crime.

But Caspar Bowden, former director of FIPR, warned that introduction of the legislation could lead to a new wave of cyber attacks.

For example, criminals could create malware that was able to change the encryption key or password on an innocent user's machine. This virus would then delete itself and the criminals could threaten to tip off the police about the encrypted data, claiming it was information about criminal activity.

Without the key — which the virus deleted or changed — innocent users could find they have to defend themselves against this sort of blackmail.

Similarly, criminals could use these viruses against themselves, claiming "a virus ate my password [Vamp]" as an excuse for not providing the encryption key, he argued.

"The bad guys have an incentive for causing mayhem through Vamp-ware cases for cover," Bowden warned, and said there is a risk of deterring honest users from protecting themselves.

And he said that as a result the UK could become a "proving ground" for these types of Vamp-ware.

Editorial standards