Turning the tide against RIPA

Proper handling of encrypted evidence shouldn't mean throwing away the key
Written by Leader, Contributor

After six years on the shelf, the controversial Part III of the Regulation of Investigatory Powers (RIP) Act is about to be activated. This would make it illegal to fail to produce encryption keys on demand: should the suspect be unable to do so, they would have to prove that this is because they could not rather than they would not.

As those concerned with human rights have pointed out, this means proof of innocence rather than proof of guilt — a fundamental change in the way the law works. To be effective, the law must have penalties stronger than those of the laws it is seeking to back up — and as those include terrorism and paedophilia, this points to prison sentences of decades. That's unconscionably strong for the facts of the offence itself.

Then there are the technicalities of what RIP seeks to do. We have previously pointed out that with modern encryption, it is possible to have multiple keys unlocking multiple levels of security. The more secure levels can be made undetectable even after others have been revealed, leaving the suspect able to apparently comply with a request while retaining secrets. Such actions would be indistinguishable from someone complying in good faith — it is hard to prove the non-existence of something that cannot be shown to exist, even using Home Office logic. That isn't forensics, it is theology.

In short: the law is flawed in concept and implementation, and will be of dubious use in execution. It won't help the police open up the 200 encrypted computers they claim to have gathering dust, nor will it help to catch the determined, informed criminals who know enough to read up on the subject. It will doubtless be useful in persuading other, more hapless targets to do deals — as the amount of encrypted data on laptops, mobile phones and other devices increases, so does the opportunity to put the frighteners on.

The Code of Practice cannot by itself fix these flaws, but it's our last chance to make our concerns felt. It is in order to ask where the penalties for misuse of the Act are defined, what framework exists to detect such misuse, and why there is no review planned of such complex and fundamentally controversial legislation after it goes into effect. Even if we can't put down this rabid dog, we can at least ask for a muzzle.
